From 85abbd48a811a1f3af8210a66f1aa164fa0090bd Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 26 Jul 2024 12:00:58 +0200 Subject: [PATCH 1/4] Update yara-generator.py --- bin/yara-generator/yara-generator.py | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/bin/yara-generator/yara-generator.py b/bin/yara-generator/yara-generator.py index 0d8fc7b28..a474198bc 100644 --- a/bin/yara-generator/yara-generator.py +++ b/bin/yara-generator/yara-generator.py @@ -148,6 +148,10 @@ def generate_yara_rules(header_infos, yaml_infos, debug, driver_filter, strict, for hi in header_infos: # Get YAML info to determine the type of rule yaml_info = get_yaml_info_for_sample(hi['sha256'][0], yaml_infos) + # If no YAML info is found, skip the rule generation + if not yaml_info: + Log.info("No YAML info found for %s - skipping YARA rule generation" % hi['file_names']) + continue # Category and values type_driver = "vulnerable driver" type_string = "PUA_VULN" @@ -243,6 +247,7 @@ def get_yaml_info_for_sample(sample_hash, yaml_infos): # Loop over YAML infos and find the sample using its hash for yi in yaml_infos: for sample_info in yi['KnownVulnerableSamples']: + # print(sample_info) sample_hashes = [] if 'MD5' in sample_info: sample_hashes.append(sample_info['MD5']) @@ -309,6 +314,7 @@ def removeNonAsciiDrop(s): parser.add_argument('-y', nargs='*', help='Path to YAML files with information on the drivers (can be used multiple times)', metavar='yaml-files', default=['../../yaml/']) + parser.add_argument('-f', help="Write a log file)", metavar='log-file', default='yara-generator.log') parser.add_argument('-o', help="Output folder for rules", metavar='output-folder', default='../../detections/yara/') parser.add_argument('--debug', action='store_true', default=False, help='Debug output') @@ -321,6 +327,10 @@ def removeNonAsciiDrop(s): Log.setLevel(logging.INFO) if args.debug: Log.setLevel(logging.DEBUG) + # File Handler + fileHandler = logging.FileHandler(args.f) + fileHandler.setFormatter(logFormatter) + Log.addHandler(fileHandler) # Console Handler consoleHandler = logging.StreamHandler() consoleHandler.setFormatter(logFormatter) @@ -372,5 +382,3 @@ def removeNonAsciiDrop(s): fh.write("\n".join(yara_rules_vulnerable_drivers_strict_renamed)) # The single rules for each driver output_path_single_rules = os.path.join(args.o, '/single-rules') - - \ No newline at end of file From 1e7ee0fae9ba54709fa8d6777fe5086b48a8d290 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 29 Jul 2024 17:00:41 +0200 Subject: [PATCH 2/4] refactor: generator update --- bin/yara-generator/requirements.txt | 1 + bin/yara-generator/yara-generator.py | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) create mode 100644 bin/yara-generator/requirements.txt diff --git a/bin/yara-generator/requirements.txt b/bin/yara-generator/requirements.txt new file mode 100644 index 000000000..fae34db43 --- /dev/null +++ b/bin/yara-generator/requirements.txt @@ -0,0 +1 @@ +pefile diff --git a/bin/yara-generator/yara-generator.py b/bin/yara-generator/yara-generator.py index a474198bc..5c368e617 100644 --- a/bin/yara-generator/yara-generator.py +++ b/bin/yara-generator/yara-generator.py @@ -359,8 +359,8 @@ def removeNonAsciiDrop(s): yara_rules_vulnerable_drivers_strict_renamed = generate_yara_rules(file_infos, yaml_infos, args.debug, driver_filter="vulnerable driver", strict=True, renamed=True) # Write the output files - # The sets - output_file = os.path.join(args.o, 'yara-rules_vuln_drivers.yar') + # we write the recommended files to the root folder and other sets to a sub folder named 'other' + output_file = os.path.join(args.o, 'other', 'yara-rules_vuln_drivers.yar') with open(output_file, 'w') as fh: Log.info("[+] Writing %d YARA rules to the output file %s" % (len(yara_rules_vulnerable_drivers), output_file)) fh.write("\n".join(yara_rules_vulnerable_drivers)) @@ -372,11 +372,11 @@ def removeNonAsciiDrop(s): with open(output_file, 'w') as fh: Log.info("[+] Writing %d YARA rules to the output file %s" % (len(yara_rules_vulnerable_drivers_strict), output_file)) fh.write("\n".join(yara_rules_vulnerable_drivers_strict)) - output_file = os.path.join(args.o, 'yara-rules_mal_drivers_strict.yar') + output_file = os.path.join(args.o, 'other', 'yara-rules_mal_drivers_strict.yar') with open(output_file, 'w') as fh: Log.info("[+] Writing %d YARA rules to the output file %s" % (len(yara_rules_malicious_drivers_strict), output_file)) fh.write("\n".join(yara_rules_malicious_drivers_strict)) - output_file = os.path.join(args.o, 'yara-rules_vuln_drivers_strict_renamed.yar') + output_file = os.path.join(args.o, 'other', 'yara-rules_vuln_drivers_strict_renamed.yar') with open(output_file, 'w') as fh: Log.info("[+] Writing %d YARA rules to the output file %s" % (len(yara_rules_vulnerable_drivers_strict_renamed), output_file)) fh.write("\n".join(yara_rules_vulnerable_drivers_strict_renamed)) From 0d5983cdc1c75f4804197d4fb7f13a227756f0b9 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 29 Jul 2024 17:00:57 +0200 Subject: [PATCH 3/4] content: new yara detection rules --- .../yara-rules_mal_drivers_strict.yar | 67 +- .../{ => other}/yara-rules_vuln_drivers.yar | 644 ++++++++--------- ...yara-rules_vuln_drivers_strict_renamed.yar | 684 +++++++++--------- detections/yara/yara-rules_mal_drivers.yar | 67 +- .../yara/yara-rules_vuln_drivers_strict.yar | 644 ++++++++--------- 5 files changed, 1065 insertions(+), 1041 deletions(-) rename detections/yara/{ => other}/yara-rules_mal_drivers_strict.yar (81%) rename detections/yara/{ => other}/yara-rules_vuln_drivers.yar (98%) rename detections/yara/{ => other}/yara-rules_vuln_drivers_strict_renamed.yar (98%) diff --git a/detections/yara/yara-rules_mal_drivers_strict.yar b/detections/yara/other/yara-rules_mal_drivers_strict.yar similarity index 81% rename from detections/yara/yara-rules_mal_drivers_strict.yar rename to detections/yara/other/yara-rules_mal_drivers_strict.yar index 9eb2d22a4..9616c9cc2 100644 --- a/detections/yara/yara-rules_mal_drivers_strict.yar +++ b/detections/yara/other/yara-rules_mal_drivers_strict.yar @@ -21,7 +21,7 @@ rule MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_6 hash = "e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d" hash = "e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12" hash = "bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df" - date = "2023-06-14" + date = "2024-07-29" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004700550049002000730079006d0062006f006c00690063002000640065006200750067006700650072 } /* FileDescription WindowsGUIsymbolicdebugger */ @@ -43,7 +43,7 @@ rule MAL_Driver_Sensecorp_42B2 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25" - date = "2023-06-14" + date = "2024-07-29" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */ @@ -62,7 +62,7 @@ rule MAL_Driver_Legalcorp_Pciexpressvideocapture_FD22 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8" - date = "2023-06-14" + date = "2024-07-29" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005000430049006500200056006900640065006f00200043006100700074007500720065 } /* FileDescription PCIeVideoCapture */ @@ -84,7 +84,7 @@ rule MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsyste reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c" hash = "96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc" - date = "2023-06-14" + date = "2024-07-29" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006e007400620069006f00730020006400720069007600650072 } /* FileDescription ntbiosdriver */ @@ -100,13 +100,36 @@ rule MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsyste } +rule MAL_Driver_Microsoftcorporation_Wintapixsys_Microsoftwindowsoperatingsystem_8578 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinTapix.sys, SRVNET2.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330" + hash = "1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e" + date = "2024-07-29" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004b00650072006e0065006c00200045007800650063007500740069007600650020004d006f00640075006c0065 } /* FileDescription WindowsKernelExecutiveModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0033002e0039003600300030002e003100360033003800340020002800770069006e0062006c00750065005f00720074006d002e003100330030003800320031002d00310036003200330029 } /* FileVersion winbluertm */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0033002e0039003600300030002e00310036003300380034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e00540061007000690078002e007300790073 } /* InternalName WinTapixsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f0066007400ae002000570069006e0064006f0077007300ae0020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00540061007000690078002e007300790073 } /* OriginalFilename WinTapixsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 1200KB and all of them +} + + rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_200F { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a" - date = "2023-06-14" + date = "2024-07-29" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ @@ -131,7 +154,7 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_E7 hash = "b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3" hash = "8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce" hash = "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4" - date = "2023-06-14" + date = "2024-07-29" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ @@ -153,7 +176,7 @@ rule MAL_Driver_Gmer_Gmersys_Gmer_18C9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7" - date = "2023-06-14" + date = "2024-07-29" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004d00450052002000440072006900760065007200200068007400740070003a002f002f007700770077002e0067006d00650072002e006e00650074 } /* FileDescription GMERDriverhttpwwwgmernet */ @@ -175,7 +198,7 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_69 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f" - date = "2023-06-14" + date = "2024-07-29" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ @@ -191,13 +214,35 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_69 } +rule MAL_Driver_Microsoftcorporation_Srvnetsys_Microsoftwindowsoperatingsystem_F6C3 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinTapix.sys, SRVNET2.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d" + date = "2024-07-29" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053006500720076006500720020004e006500740077006f0072006b0020006400720069007600650072 } /* FileDescription ServerNetworkdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310038003300360032002e0036003900330020002800570069006e004200750069006c0064002e003100360030003100300031002e00300038003000300029 } /* FileVersion WinBuild */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310038003300360032002e003600390033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005300520056004e004500540032002e005300590053 } /* InternalName SRVNETSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f0066007400ae002000570069006e0064006f0077007300ae0020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005300520056004e004500540032002e005300590053 } /* OriginalFilename SRVNETSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 600KB and all of them +} + + rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_81C7 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_3.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1" - date = "2023-06-14" + date = "2024-07-29" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ @@ -219,7 +264,7 @@ rule MAL_Driver_Sensecorp_7F45 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6" - date = "2023-06-14" + date = "2024-07-29" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */ @@ -238,7 +283,7 @@ rule MAL_Driver_Microsoftcorporation_Ndislansys_Microsoftwindowsoperatingsystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427" - date = "2023-06-14" + date = "2024-07-29" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d00530020004c0041004e0020004400720069007600650072 } /* FileDescription MSLANDriver */ diff --git a/detections/yara/yara-rules_vuln_drivers.yar b/detections/yara/other/yara-rules_vuln_drivers.yar similarity index 98% rename from detections/yara/yara-rules_vuln_drivers.yar rename to detections/yara/other/yara-rules_vuln_drivers.yar index 2fc67714e..f0315c6b7 100644 --- a/detections/yara/yara-rules_vuln_drivers.yar +++ b/detections/yara/other/yara-rules_vuln_drivers.yar @@ -8,7 +8,7 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { hash = "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02" hash = "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe" hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -26,11 +26,11 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { rule PUA_VULN_Driver_Zemanaltd_Zam_D7E0 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -51,7 +51,7 @@ rule PUA_VULN_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6" hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */ @@ -73,7 +73,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_81AA author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -95,7 +95,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -117,7 +117,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -145,7 +145,7 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_6BEF { hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -171,7 +171,7 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_45BA { hash = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d" hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe" hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200770044007200760020004400720069007600650072 } /* FileDescription RwDrvDriver */ @@ -195,7 +195,7 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdriver_5C0B { hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921" hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351" hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription VoicemodVirtualAudioDeviceWDM */ @@ -218,7 +218,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433" hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -240,7 +240,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_5BD author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -272,7 +272,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_8 hash = "59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879" hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd" hash = "9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -300,7 +300,7 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_1F4D { hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -323,7 +323,7 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_B50F { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ @@ -340,12 +340,12 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_B50F { rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys, WinRing0x64" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ @@ -367,7 +367,7 @@ rule PUA_VULN_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwrit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* FileDescription Hardwarereadwritedriver */ @@ -389,7 +389,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -411,7 +411,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3124 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004600720065007100750065006e00630079005f00430043 } /* FileDescription NTIOLibforMSIFrequencyCC */ @@ -433,7 +433,7 @@ rule PUA_VULN_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f006200690074002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription IObitTemperatureMonitor */ @@ -455,7 +455,7 @@ rule PUA_VULN_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300570069006e0046006c006100730068002000440072006900760065007200200066006f0072002000570069006e0064006f007700730020004e0054 } /* FileDescription SWinFlashDriverforWindowsNT */ @@ -477,7 +477,7 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ @@ -499,7 +499,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -532,7 +532,7 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758" hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90" hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -556,7 +556,7 @@ rule PUA_VULN_Driver_Asustek_Driversys_Ectool_927C { hash = "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a" hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0" hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400680065002000640072006900760065007200200066006f007200200074006800650020004500430074006f006f006c0020006400720069007600650072002d0062006100730065006400200074006f006f006c0073 } /* FileDescription ThedriverfortheECtooldriverbasedtools */ @@ -578,7 +578,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d005300490043006c006f0063006b005f00430043 } /* FileDescription NTIOLibforMSIClockCC */ @@ -600,7 +600,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -622,7 +622,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -646,7 +646,7 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_42E1 { hash = "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb" hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65" hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -668,7 +668,7 @@ rule PUA_VULN_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemserviceprov author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ @@ -690,7 +690,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -712,7 +712,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -734,7 +734,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxsys_Panca author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ @@ -756,7 +756,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -779,7 +779,7 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_6C71 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ @@ -801,7 +801,7 @@ rule PUA_VULN_Driver_Bsmisys_5962 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */ @@ -851,7 +851,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_99F4 { hash = "47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005" hash = "38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a" hash = "ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -875,7 +875,7 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_26E3 { hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43" hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf" hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -900,7 +900,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftatcamfntam hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5" hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3" hash = "36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440065006600610075006c0074002000420049004f005300200046006c0061007300680020004400720069007600650072 } /* FileDescription DefaultBIOSFlashDriver */ @@ -922,7 +922,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibr author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ @@ -946,7 +946,7 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_2A6D { hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486" hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961" hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -968,7 +968,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -990,7 +990,7 @@ rule PUA_VULN_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006e005400650063006800200073006f006600740045006e00670069006e006500200078003600340020006b00650072006e0065006c002d006d006f006400650020006400720069007600650072 } /* FileDescription EnTechsoftEnginexkernelmodedriver */ @@ -1012,7 +1012,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0B5 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -1034,7 +1034,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -1057,7 +1057,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039" hash = "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1075,11 +1075,11 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { rule PUA_VULN_Driver_Zemanaltd_Zam_8FE9 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -1101,7 +1101,7 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenam hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -1123,7 +1123,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3D9E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004e00540049004f004c00690062005f00450043004f } /* FileDescription NTIOLibForNTIOLibECO */ @@ -1146,7 +1146,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250" hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d0053004900530069006d0070006c0065005f004f0043 } /* FileDescription NTIOLibForMSISimpleOC */ @@ -1169,7 +1169,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D reference = "https://github.com/magicsword-io/LOLDrivers" hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0" hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -1192,7 +1192,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_62F5 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0" hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1215,7 +1215,7 @@ rule PUA_VULN_Driver_Yyinc_Dianhu_80CB { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3" hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */ @@ -1236,7 +1236,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00" hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -1258,7 +1258,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -1280,7 +1280,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_591B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* FileDescription NTIOLibForMSIRatioCC */ @@ -1298,12 +1298,12 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_591B { rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_47EA { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys, WinRing0x64" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84" hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ @@ -1325,7 +1325,7 @@ rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_6532 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -1347,7 +1347,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -1371,7 +1371,7 @@ rule PUA_VULN_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_AD40 { hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7" hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */ @@ -1393,7 +1393,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0CD author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -1418,7 +1418,7 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_E16D { hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a" hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ @@ -1439,7 +1439,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1461,7 +1461,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1483,7 +1483,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -1511,7 +1511,7 @@ rule PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_3943 { hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ @@ -1533,7 +1533,7 @@ rule PUA_VULN_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F744 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004500540044006900200053007500700070006f007200740020004400720069007600650072 } /* FileDescription ETDiSupportDriver */ @@ -1555,7 +1555,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -1581,7 +1581,7 @@ rule PUA_VULN_Driver_Phoenixtechnologies_Agentsys_Driveragent_4045 { hash = "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa" hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414" hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004400720069007600650072004100670065006e0074002000440069007200650063007400200049002f004f00200066006f0072002000360034002d006200690074002000570069006e0064006f00770073 } /* FileDescription DriverAgentDirectIOforbitWindows */ @@ -1603,7 +1603,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -1626,7 +1626,7 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_904E { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ @@ -1647,7 +1647,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ @@ -1674,7 +1674,7 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_2A65 { hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc" hash = "0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb" hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* FileDescription RWEverythingReadWriteDriver */ @@ -1696,7 +1696,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1718,7 +1718,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -1734,35 +1734,13 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D } -rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_7795 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "77955af8a8bcea8998f4046c2f8534f6fb1959c71de049ca2f4298ba47d8f23a" - date = "2023-06-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300032003200200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ - condition: - all of them -} - - rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_9B1A { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -1784,7 +1762,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsys_Pancaf author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ @@ -1806,7 +1784,7 @@ rule PUA_VULN_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Lenovodiagno author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073002000440072006900760065007200200066006f0072002000570069006e0064006f0077007300200031003000200061006e00640020006c0061007400650072002e } /* FileDescription LenovoDiagnosticsDriverforWindowsandlater */ @@ -1828,7 +1806,7 @@ rule PUA_VULN_Driver_Dell_Dbutil_71FE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440042005500740069006c } /* FileDescription DBUtil */ @@ -1848,7 +1826,7 @@ rule PUA_VULN_Driver_Atszio_Atsziodriver_673B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b" hash = "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -1869,7 +1847,7 @@ rule PUA_VULN_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0065006d006f007200790020006d0061007000700069006e00670020004400720069007600650072 } /* FileDescription MemorymappingDriver */ @@ -1893,7 +1871,7 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_FB81 { hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f" hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ @@ -1910,11 +1888,11 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_FB81 { rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -1937,7 +1915,7 @@ rule PUA_VULN_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_23B reference = "https://github.com/magicsword-io/LOLDrivers" hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade" hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c00480041 } /* FileDescription LHA */ @@ -1959,7 +1937,7 @@ rule PUA_VULN_Driver_Logmeininc_Lmiinfosys_Logmein_453B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0067004d00650049006e0020004b00650072006e0065006c00200049006e0066006f0072006d006100740069006f006e002000500072006f00760069006400650072 } /* FileDescription LogMeInKernelInformationProvider */ @@ -1981,7 +1959,7 @@ rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -2003,7 +1981,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -2025,7 +2003,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_B author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2043,11 +2021,11 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_B rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2069,7 +2047,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -2091,7 +2069,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -2113,7 +2091,7 @@ rule PUA_VULN_Driver_Safenetinc_Hostnt_Hostnt_07B6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006f00730074006e0074002000360034002d0062006900740020006400720069007600650072 } /* FileDescription Hostntbitdriver */ @@ -2135,7 +2113,7 @@ rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ @@ -2153,11 +2131,11 @@ rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 { rule PUA_VULN_Driver_Zemanaltd_Zam_7CB5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -2177,7 +2155,7 @@ rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdri author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ @@ -2200,7 +2178,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd" hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2223,7 +2201,7 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_2899 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ @@ -2244,7 +2222,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2266,7 +2244,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */ @@ -2291,7 +2269,7 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_7710 { hash = "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2" hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88" hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -2313,7 +2291,7 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriv author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } /* FileDescription SpeedFanDeviceDriver */ @@ -2335,7 +2313,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ @@ -2357,7 +2335,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2379,7 +2357,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -2402,7 +2380,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_0 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85" hash = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2426,7 +2404,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_AE42 { hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471" hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2" hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ @@ -2448,7 +2426,7 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_3724 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -2470,7 +2448,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ @@ -2493,7 +2471,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee" hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062005f005800360034 } /* FileDescription NTIOLibX */ @@ -2517,7 +2495,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_6 hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e" hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc" hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2539,7 +2517,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_7 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2557,11 +2535,11 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_7 rule PUA_VULN_Driver_Zemanaltd_Zam_45F4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -2587,7 +2565,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4D05 { hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5" hash = "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572" hash = "d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -2609,7 +2587,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -2631,7 +2609,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2653,7 +2631,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -2675,7 +2653,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3070 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0053004900200043006f006d00430065006e00530065007200760069006300650020004400720069007600650072 } /* FileDescription MSIComCenServiceDriver */ @@ -2697,7 +2675,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CC58 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -2715,13 +2693,13 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CC58 { rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodenamelonghornddkdriver_916C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677" hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab" hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2743,7 +2721,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2765,7 +2743,7 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */ @@ -2787,7 +2765,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ @@ -2809,7 +2787,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2831,7 +2809,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriverfornt_EA85 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* FileDescription ASUSKernelModeDriverforNT */ @@ -2853,7 +2831,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2875,7 +2853,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -2898,7 +2876,7 @@ rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_5596 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa" hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d003100300020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ @@ -2920,7 +2898,7 @@ rule PUA_VULN_Driver_Mydriverscom_Hwm_Drivergenius_08EB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */ @@ -2942,7 +2920,7 @@ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -2966,7 +2944,7 @@ rule PUA_VULN_Driver_Powertool_Kevpsys_Powertool_8E63 { hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ @@ -2988,7 +2966,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -3011,7 +2989,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7C73 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b" hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3033,7 +3011,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3055,7 +3033,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3077,7 +3055,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_34E author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -3099,7 +3077,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -3117,11 +3095,11 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { rule PUA_VULN_Driver_Zemanaltd_Zam_3C18 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3140,7 +3118,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -3162,7 +3140,7 @@ rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ @@ -3184,7 +3162,7 @@ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -3207,7 +3185,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e" hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -3229,7 +3207,7 @@ rule PUA_VULN_Driver_Multitheftauto_Mtasanandreas_9F4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0075006c007400690020005400680065006600740020004100750074006f0020007000610074006300680020006400720069007600650072 } /* FileDescription MultiTheftAutopatchdriver */ @@ -3249,7 +3227,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3271,7 +3249,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -3293,7 +3271,7 @@ rule PUA_VULN_Driver_Microfocus_Microfocusxtier_95D5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */ @@ -3314,7 +3292,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3336,7 +3314,7 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ @@ -3358,7 +3336,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibra author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ @@ -3380,7 +3358,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -3402,7 +3380,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -3424,7 +3402,7 @@ rule PUA_VULN_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysicalmemoryandp author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200041006300630065007300730020004400720069007600650072 } /* FileDescription HardwareAccessDriver */ @@ -3445,7 +3423,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3467,7 +3445,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_CFCF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ @@ -3489,7 +3467,7 @@ rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ @@ -3511,7 +3489,7 @@ rule PUA_VULN_Driver_Pchuntersys_Pchunter_1B7F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00450070006f006f006c0073006f00660074002000570069006e0064006f0077007300200049006e0066006f0072006d006100740069006f006e0020005600690065007700200054006f006f006c0073 } /* FileDescription EpoolsoftWindowsInformationViewTools */ @@ -3533,7 +3511,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3555,7 +3533,7 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_8E88 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ @@ -3572,11 +3550,11 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_8E88 { rule PUA_VULN_Driver_Zemanaltd_Zam_E428 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3595,7 +3573,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3618,7 +3596,7 @@ rule PUA_VULN_Driver_Huawei_Hwosec_Huaweimatebook_B179 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de" hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480077004f0073003200450063 } /* FileDescription HwOsEc */ @@ -3640,7 +3618,7 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ @@ -3657,11 +3635,11 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { rule PUA_VULN_Driver_Zemanaltd_Zam_7661 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3680,7 +3658,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -3702,7 +3680,7 @@ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -3724,7 +3702,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3746,7 +3724,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3768,7 +3746,7 @@ rule PUA_VULN_Driver_Microfocus_Microfocusxtier_5351 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200053006500630075007200690074007900200043006f006e00740065007800740020004d0061006e0061006700650072 } /* FileDescription XTierSecurityContextManager */ @@ -3790,7 +3768,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f" hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -3813,7 +3791,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5FAD { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36" hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -3837,7 +3815,7 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_A072 { hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -3859,7 +3837,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -3881,7 +3859,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3903,7 +3881,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00610076006100730074002100200056004d0020004d006f006e00690074006f0072 } /* FileDescription avastVMMonitor */ @@ -3927,7 +3905,7 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_3 hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38" hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ @@ -3949,7 +3927,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050004e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPNPDriver */ @@ -3971,7 +3949,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_CF69 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ @@ -3993,7 +3971,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_4 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -4015,7 +3993,7 @@ rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ @@ -4037,7 +4015,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4059,7 +4037,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -4081,7 +4059,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4103,7 +4081,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4125,7 +4103,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -4147,7 +4125,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4169,7 +4147,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4192,7 +4170,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa" hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -4214,7 +4192,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_B author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -4236,7 +4214,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4258,7 +4236,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4280,7 +4258,7 @@ rule PUA_VULN_Driver_Copyright_Advancedmalwareprotection_6F55 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* FileDescription AdvancedMalwareProtection */ @@ -4301,7 +4279,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -4323,7 +4301,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -4345,7 +4323,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -4367,7 +4345,7 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f00360034 } /* FileDescription ALSysIO */ @@ -4389,7 +4367,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -4411,7 +4389,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_E839 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004300500055005f00430043 } /* FileDescription NTIOLibforMSICPUCC */ @@ -4433,7 +4411,7 @@ rule PUA_VULN_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physi author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* FileDescription PhysicalMemoryAccessDriver */ @@ -4455,7 +4433,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -4477,7 +4455,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -4499,7 +4477,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -4521,7 +4499,7 @@ rule PUA_VULN_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00500020004d0069006e006900660069006c007400650072 } /* FileDescription AMPMinifilter */ @@ -4543,7 +4521,7 @@ rule PUA_VULN_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007300750070006500720062006d0063 } /* FileDescription superbmc */ @@ -4565,7 +4543,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4588,7 +4566,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54" hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -4610,7 +4588,7 @@ rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ @@ -4636,7 +4614,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f" hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" hash = "ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -4658,7 +4636,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4681,7 +4659,7 @@ rule PUA_VULN_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b" hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ @@ -4703,7 +4681,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4725,7 +4703,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F15A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -4747,7 +4725,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4769,7 +4747,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4791,7 +4769,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -4813,7 +4791,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4835,7 +4813,7 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -4853,12 +4831,12 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { rule PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D8 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys, amifldrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20" hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription AMIGenericUtilityDriver */ @@ -4882,7 +4860,7 @@ rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxd hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af" hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b" hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ @@ -4904,7 +4882,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4926,7 +4904,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -4949,7 +4927,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_A334 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d" hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -4971,7 +4949,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4993,7 +4971,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5015,7 +4993,7 @@ rule PUA_VULN_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription UnlockerDriver */ @@ -5037,7 +5015,7 @@ rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_93D8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ @@ -5059,7 +5037,7 @@ rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_358A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ @@ -5081,7 +5059,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_9 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -5103,7 +5081,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5125,7 +5103,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5147,7 +5125,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_949 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -5169,7 +5147,7 @@ rule PUA_VULN_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsroperatingsystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460055004a00490054005300550020004c0049004d0049005400450044002e } /* CompanyName FUJITSULIMITED */ @@ -5190,7 +5168,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -5212,7 +5190,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* FileDescription */ @@ -5234,7 +5212,7 @@ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -5256,7 +5234,7 @@ rule PUA_VULN_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amduprof_0AF5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d004400200050006f007700650072002000500072006f00660069006c0069006e00670020004400720069007600650072 } /* FileDescription AMDPowerProfilingDriver */ @@ -5274,11 +5252,11 @@ rule PUA_VULN_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amduprof_0AF5 { rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_074A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -5300,7 +5278,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_98B7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */ @@ -5318,11 +5296,11 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_98B7 { rule PUA_VULN_Driver_Zemanaltd_Zam_9A95 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5341,7 +5319,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -5359,11 +5337,11 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { rule PUA_VULN_Driver_Zemanaltd_Zam_2BBC { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5382,7 +5360,7 @@ rule PUA_VULN_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f00670069007400650063006800200056006900640065006f0020004400720069007600650072 } /* FileDescription LogitechVideoDriver */ @@ -5404,7 +5382,7 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ @@ -5422,11 +5400,11 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -5448,7 +5426,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_2CE author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -5470,7 +5448,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9254 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004400440052005f00430043 } /* FileDescription NTIOLibforMSIDDRCC */ @@ -5493,7 +5471,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b" hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -5511,11 +5489,11 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 { rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -5537,7 +5515,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_43BA { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d004900430053005900530020006400720069007600650072 } /* FileDescription MICSYSdriver */ @@ -5559,7 +5537,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5581,7 +5559,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_26C2 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -5603,7 +5581,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5625,7 +5603,7 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcoden author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription ASUSTDECPUDriver */ @@ -5647,7 +5625,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_1DDF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -5669,7 +5647,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5692,7 +5670,7 @@ rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c" hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d00380020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ @@ -5714,7 +5692,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5736,7 +5714,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5758,7 +5736,7 @@ rule PUA_VULN_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072002c002000560065007200730069006f006e00200031002e0038002e0030 } /* FileDescription NVIDIAFlashDriverVersion */ @@ -5780,7 +5758,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -5802,7 +5780,7 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -5824,7 +5802,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5847,7 +5825,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_55A1 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9" hash = "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -5869,7 +5847,7 @@ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -5891,7 +5869,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5913,7 +5891,7 @@ rule PUA_VULN_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonito author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e0053007900730020002d0020004500760065006e00740020004d006f006e00690074006f00720069006e00670020006400720069007600650072 } /* FileDescription VProEventMonitorSysEventMonitoringdriver */ @@ -5935,7 +5913,7 @@ rule PUA_VULN_Driver_Wj_Kprocesshacker_C725 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ @@ -5956,7 +5934,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -5978,7 +5956,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -6000,7 +5978,7 @@ rule PUA_VULN_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodriverversi author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */ @@ -6022,7 +6000,7 @@ rule PUA_VULN_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530079007300440072007600330053 } /* FileDescription SysDrvS */ @@ -6044,7 +6022,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -6066,7 +6044,7 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -6088,7 +6066,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -6110,7 +6088,7 @@ rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ @@ -6128,12 +6106,12 @@ rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 { rule PUA_VULN_Driver_Zemanaltd_Zam_5439 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91" hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -6152,7 +6130,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -6170,11 +6148,11 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 rule PUA_VULN_Driver_Zemanaltd_Zam_DE8F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -6193,7 +6171,7 @@ rule PUA_VULN_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007000680079006d0065006d0020004100700070006c00690063006100740069006f006e } /* FileDescription phymemApplication */ @@ -6216,7 +6194,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1" hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -6238,7 +6216,7 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_CFB7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -6260,7 +6238,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -6282,7 +6260,7 @@ rule PUA_VULN_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -6304,7 +6282,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -6326,7 +6304,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -6348,7 +6326,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -6370,7 +6348,7 @@ rule PUA_VULN_Driver_Wj_Kprocesshacker_7021 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ @@ -6391,7 +6369,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -6413,7 +6391,7 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -6435,7 +6413,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -6457,7 +6435,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -6479,7 +6457,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ @@ -6501,7 +6479,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -6523,7 +6501,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ diff --git a/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar b/detections/yara/other/yara-rules_vuln_drivers_strict_renamed.yar similarity index 98% rename from detections/yara/yara-rules_vuln_drivers_strict_renamed.yar rename to detections/yara/other/yara-rules_vuln_drivers_strict_renamed.yar index 2865a7da7..c0a4bf7a2 100644 --- a/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +++ b/detections/yara/other/yara-rules_vuln_drivers_strict_renamed.yar @@ -8,7 +8,7 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { hash = "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02" hash = "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe" hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -26,11 +26,11 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_D7E0 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -40,7 +40,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_D7E0 { $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i } @@ -51,7 +51,7 @@ rule PUA_VULN_Renamed_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6" hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */ @@ -73,7 +73,7 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -95,7 +95,7 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -117,7 +117,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -145,7 +145,7 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_6BEF { hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -171,7 +171,7 @@ rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_45BA { hash = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d" hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe" hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200770044007200760020004400720069007600650072 } /* FileDescription RwDrvDriver */ @@ -195,7 +195,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdrive hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921" hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351" hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription VoicemodVirtualAudioDeviceWDM */ @@ -218,7 +218,7 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433" hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -240,7 +240,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -272,7 +272,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex hash = "59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879" hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd" hash = "9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -300,7 +300,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -323,7 +323,7 @@ rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_B50F { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ @@ -340,12 +340,12 @@ rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_B50F { rule PUA_VULN_Renamed_Driver_Openlibsysorg_Winringsys_Winring_11BD { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys, WinRing0x64" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ @@ -357,7 +357,7 @@ rule PUA_VULN_Renamed_Driver_Openlibsysorg_Winringsys_Winring_11BD { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* OriginalFilename WinRingsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d00320030003000380020004f00700065006e004c00690062005300790073002e006f00720067002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCOpenLibSysorgAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WinRing0x64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WinRing0/i and not filename matches /WinRing0x64/i } @@ -367,7 +367,7 @@ rule PUA_VULN_Renamed_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardware author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* FileDescription Hardwarereadwritedriver */ @@ -389,7 +389,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -411,7 +411,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3124 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004600720065007100750065006e00630079005f00430043 } /* FileDescription NTIOLibforMSIFrequencyCC */ @@ -433,7 +433,7 @@ rule PUA_VULN_Renamed_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f006200690074002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription IObitTemperatureMonitor */ @@ -455,7 +455,7 @@ rule PUA_VULN_Renamed_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300570069006e0046006c006100730068002000440072006900760065007200200066006f0072002000570069006e0064006f007700730020004e0054 } /* FileDescription SWinFlashDriverforWindowsNT */ @@ -477,7 +477,7 @@ rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ @@ -499,7 +499,7 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -532,7 +532,7 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758" hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90" hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -556,7 +556,7 @@ rule PUA_VULN_Renamed_Driver_Asustek_Driversys_Ectool_927C { hash = "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a" hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0" hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400680065002000640072006900760065007200200066006f007200200074006800650020004500430074006f006f006c0020006400720069007600650072002d0062006100730065006400200074006f006f006c0073 } /* FileDescription ThedriverfortheECtooldriverbasedtools */ @@ -578,7 +578,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d005300490043006c006f0063006b005f00430043 } /* FileDescription NTIOLibforMSIClockCC */ @@ -600,7 +600,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -622,7 +622,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -646,7 +646,7 @@ rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriverfle_42E1 { hash = "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb" hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65" hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -668,7 +668,7 @@ rule PUA_VULN_Renamed_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemser author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ @@ -690,7 +690,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -712,7 +712,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -734,7 +734,7 @@ rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxs author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ @@ -756,7 +756,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -779,7 +779,7 @@ rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_6C71 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ @@ -801,7 +801,7 @@ rule PUA_VULN_Renamed_Driver_Bsmisys_5962 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */ @@ -851,7 +851,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_99F4 { hash = "47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005" hash = "38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a" hash = "ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -875,7 +875,7 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_26E3 { hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43" hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf" hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -900,7 +900,7 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftat hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5" hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3" hash = "36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440065006600610075006c0074002000420049004f005300200046006c0061007300680020004400720069007600650072 } /* FileDescription DefaultBIOSFlashDriver */ @@ -922,7 +922,7 @@ rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_P author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ @@ -946,7 +946,7 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_2A6D { hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486" hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961" hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -968,7 +968,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -990,7 +990,7 @@ rule PUA_VULN_Renamed_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006e005400650063006800200073006f006600740045006e00670069006e006500200078003600340020006b00650072006e0065006c002d006d006f006400650020006400720069007600650072 } /* FileDescription EnTechsoftEnginexkernelmodedriver */ @@ -1012,7 +1012,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -1034,7 +1034,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -1057,7 +1057,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039" hash = "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1075,11 +1075,11 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_8FE9 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -1088,7 +1088,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_8FE9 { $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i } @@ -1101,7 +1101,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windows hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -1123,7 +1123,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3D9E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004e00540049004f004c00690062005f00450043004f } /* FileDescription NTIOLibForNTIOLibECO */ @@ -1146,7 +1146,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250" hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d0053004900530069006d0070006c0065005f004f0043 } /* FileDescription NTIOLibForMSISimpleOC */ @@ -1169,7 +1169,7 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri reference = "https://github.com/magicsword-io/LOLDrivers" hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0" hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -1192,7 +1192,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_62F5 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0" hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1215,7 +1215,7 @@ rule PUA_VULN_Renamed_Driver_Yyinc_Dianhu_80CB { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3" hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */ @@ -1236,7 +1236,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00" hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -1258,7 +1258,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -1280,7 +1280,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_591B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* FileDescription NTIOLibForMSIRatioCC */ @@ -1298,12 +1298,12 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_591B { rule PUA_VULN_Renamed_Driver_Openlibsysorg_Winringsys_Winring_47EA { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys, WinRing0x64" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84" hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ @@ -1315,7 +1315,7 @@ rule PUA_VULN_Renamed_Driver_Openlibsysorg_Winringsys_Winring_47EA { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* OriginalFilename WinRingsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCOpenLibSysorgAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WinRing0/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WinRing0/i and not filename matches /WinRing0x64/i } @@ -1325,7 +1325,7 @@ rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -1347,7 +1347,7 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -1371,7 +1371,7 @@ rule PUA_VULN_Renamed_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_AD40 { hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7" hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */ @@ -1393,7 +1393,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -1418,7 +1418,7 @@ rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_E16D { hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a" hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ @@ -1439,7 +1439,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1461,7 +1461,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1483,7 +1483,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -1511,7 +1511,7 @@ rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_3943 { hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ @@ -1533,7 +1533,7 @@ rule PUA_VULN_Renamed_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F74 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004500540044006900200053007500700070006f007200740020004400720069007600650072 } /* FileDescription ETDiSupportDriver */ @@ -1555,7 +1555,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -1581,7 +1581,7 @@ rule PUA_VULN_Renamed_Driver_Phoenixtechnologies_Agentsys_Driveragent_4045 { hash = "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa" hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414" hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004400720069007600650072004100670065006e0074002000440069007200650063007400200049002f004f00200066006f0072002000360034002d006200690074002000570069006e0064006f00770073 } /* FileDescription DriverAgentDirectIOforbitWindows */ @@ -1603,7 +1603,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -1626,7 +1626,7 @@ rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_904E { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ @@ -1647,7 +1647,7 @@ rule PUA_VULN_Renamed_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ @@ -1674,7 +1674,7 @@ rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_2 hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc" hash = "0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb" hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* FileDescription RWEverythingReadWriteDriver */ @@ -1696,7 +1696,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1718,7 +1718,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -1734,35 +1734,13 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy } -rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_7795 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "77955af8a8bcea8998f4046c2f8534f6fb1959c71de049ca2f4298ba47d8f23a" - date = "2023-06-14" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300032003200200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i -} - - rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_9B1A { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -1784,7 +1762,7 @@ rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ @@ -1806,7 +1784,7 @@ rule PUA_VULN_Renamed_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Leno author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073002000440072006900760065007200200066006f0072002000570069006e0064006f0077007300200031003000200061006e00640020006c0061007400650072002e } /* FileDescription LenovoDiagnosticsDriverforWindowsandlater */ @@ -1828,7 +1806,7 @@ rule PUA_VULN_Renamed_Driver_Dell_Dbutil_71FE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440042005500740069006c } /* FileDescription DBUtil */ @@ -1848,7 +1826,7 @@ rule PUA_VULN_Renamed_Driver_Atszio_Atsziodriver_673B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b" hash = "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -1869,7 +1847,7 @@ rule PUA_VULN_Renamed_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0065006d006f007200790020006d0061007000700069006e00670020004400720069007600650072 } /* FileDescription MemorymappingDriver */ @@ -1893,7 +1871,7 @@ rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_FB81 { hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f" hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ @@ -1910,11 +1888,11 @@ rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_FB81 { rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -1926,7 +1904,7 @@ rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i } @@ -1937,7 +1915,7 @@ rule PUA_VULN_Renamed_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsy reference = "https://github.com/magicsword-io/LOLDrivers" hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade" hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c00480041 } /* FileDescription LHA */ @@ -1959,7 +1937,7 @@ rule PUA_VULN_Renamed_Driver_Logmeininc_Lmiinfosys_Logmein_453B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0067004d00650049006e0020004b00650072006e0065006c00200049006e0066006f0072006d006100740069006f006e002000500072006f00760069006400650072 } /* FileDescription LogMeInKernelInformationProvider */ @@ -1981,7 +1959,7 @@ rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -2003,7 +1981,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -2025,7 +2003,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2043,11 +2021,11 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2059,7 +2037,7 @@ rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkiow8x64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i } @@ -2069,7 +2047,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -2091,7 +2069,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -2113,7 +2091,7 @@ rule PUA_VULN_Renamed_Driver_Safenetinc_Hostnt_Hostnt_07B6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006f00730074006e0074002000360034002d0062006900740020006400720069007600650072 } /* FileDescription Hostntbitdriver */ @@ -2135,7 +2113,7 @@ rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ @@ -2153,11 +2131,11 @@ rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9 rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_7CB5 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -2167,7 +2145,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_7CB5 { $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /zam64/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i } @@ -2177,7 +2155,7 @@ rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochku author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ @@ -2200,7 +2178,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd" hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2223,7 +2201,7 @@ rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_2899 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ @@ -2244,7 +2222,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2266,7 +2244,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */ @@ -2291,7 +2269,7 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_7710 { hash = "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2" hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88" hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -2313,7 +2291,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserve author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } /* FileDescription SpeedFanDeviceDriver */ @@ -2335,7 +2313,7 @@ rule PUA_VULN_Renamed_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ @@ -2357,7 +2335,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2379,7 +2357,7 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -2402,7 +2380,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex reference = "https://github.com/magicsword-io/LOLDrivers" hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85" hash = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2426,7 +2404,7 @@ rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_A hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471" hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2" hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ @@ -2448,7 +2426,7 @@ rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_372 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -2470,7 +2448,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ @@ -2493,7 +2471,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee" hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062005f005800360034 } /* FileDescription NTIOLibX */ @@ -2517,7 +2495,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e" hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc" hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2539,7 +2517,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2557,11 +2535,11 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_45F4 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -2570,7 +2548,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_45F4 { $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i } @@ -2587,7 +2565,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4D05 { hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5" hash = "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572" hash = "d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -2609,7 +2587,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -2631,7 +2609,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2653,7 +2631,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -2675,7 +2653,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3070 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0053004900200043006f006d00430065006e00530065007200760069006300650020004400720069007600650072 } /* FileDescription MSIComCenServiceDriver */ @@ -2697,7 +2675,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_CC58 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -2715,13 +2693,13 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_CC58 { rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodenamelonghornddkdriver_916C { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677" hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab" hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2733,7 +2711,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Window $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* OriginalFilename rtkiosys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i } @@ -2743,7 +2721,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2765,7 +2743,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkd author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */ @@ -2787,7 +2765,7 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ @@ -2809,7 +2787,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2831,7 +2809,7 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriverfor author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* FileDescription ASUSKernelModeDriverforNT */ @@ -2853,7 +2831,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2875,7 +2853,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -2898,7 +2876,7 @@ rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_5596 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa" hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d003100300020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ @@ -2920,7 +2898,7 @@ rule PUA_VULN_Renamed_Driver_Mydriverscom_Hwm_Drivergenius_08EB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */ @@ -2942,7 +2920,7 @@ rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -2966,7 +2944,7 @@ rule PUA_VULN_Renamed_Driver_Powertool_Kevpsys_Powertool_8E63 { hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ @@ -2988,7 +2966,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -3011,7 +2989,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7C73 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b" hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3033,7 +3011,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3055,7 +3033,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3077,7 +3055,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -3099,7 +3077,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -3117,11 +3095,11 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_3C18 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3130,7 +3108,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_3C18 { $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i } @@ -3140,7 +3118,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -3162,7 +3140,7 @@ rule PUA_VULN_Renamed_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ @@ -3184,7 +3162,7 @@ rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -3207,7 +3185,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e" hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -3229,7 +3207,7 @@ rule PUA_VULN_Renamed_Driver_Multitheftauto_Mtasanandreas_9F4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0075006c007400690020005400680065006600740020004100750074006f0020007000610074006300680020006400720069007600650072 } /* FileDescription MultiTheftAutopatchdriver */ @@ -3249,7 +3227,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3271,7 +3249,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -3293,7 +3271,7 @@ rule PUA_VULN_Renamed_Driver_Microfocus_Microfocusxtier_95D5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */ @@ -3314,7 +3292,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3336,7 +3314,7 @@ rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ @@ -3358,7 +3336,7 @@ rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Pa author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ @@ -3380,7 +3358,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -3402,7 +3380,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -3424,7 +3402,7 @@ rule PUA_VULN_Renamed_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysicalme author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200041006300630065007300730020004400720069007600650072 } /* FileDescription HardwareAccessDriver */ @@ -3445,7 +3423,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3467,7 +3445,7 @@ rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_C author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ @@ -3489,7 +3467,7 @@ rule PUA_VULN_Renamed_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ @@ -3511,7 +3489,7 @@ rule PUA_VULN_Renamed_Driver_Pchuntersys_Pchunter_1B7F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00450070006f006f006c0073006f00660074002000570069006e0064006f0077007300200049006e0066006f0072006d006100740069006f006e0020005600690065007700200054006f006f006c0073 } /* FileDescription EpoolsoftWindowsInformationViewTools */ @@ -3533,7 +3511,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3555,7 +3533,7 @@ rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_8E88 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ @@ -3572,11 +3550,11 @@ rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_8E88 { rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_E428 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3585,7 +3563,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_E428 { $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i } @@ -3595,7 +3573,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3618,7 +3596,7 @@ rule PUA_VULN_Renamed_Driver_Huawei_Hwosec_Huaweimatebook_B179 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de" hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480077004f0073003200450063 } /* FileDescription HwOsEc */ @@ -3640,7 +3618,7 @@ rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ @@ -3657,11 +3635,11 @@ rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_7661 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3670,7 +3648,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_7661 { $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i } @@ -3680,7 +3658,7 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -3702,7 +3680,7 @@ rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -3724,7 +3702,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3746,7 +3724,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3768,7 +3746,7 @@ rule PUA_VULN_Renamed_Driver_Microfocus_Microfocusxtier_5351 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200053006500630075007200690074007900200043006f006e00740065007800740020004d0061006e0061006700650072 } /* FileDescription XTierSecurityContextManager */ @@ -3790,7 +3768,7 @@ rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f" hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -3813,7 +3791,7 @@ rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5F reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36" hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -3837,7 +3815,7 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_A072 { hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -3859,7 +3837,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -3881,7 +3859,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3903,7 +3881,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00610076006100730074002100200056004d0020004d006f006e00690074006f0072 } /* FileDescription avastVMMonitor */ @@ -3927,7 +3905,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddk hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38" hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ @@ -3949,7 +3927,7 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050004e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPNPDriver */ @@ -3971,7 +3949,7 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_C author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ @@ -3993,7 +3971,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -4015,7 +3993,7 @@ rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ @@ -4037,7 +4015,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4059,7 +4037,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -4081,7 +4059,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4103,7 +4081,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4125,7 +4103,7 @@ rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -4147,7 +4125,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4169,7 +4147,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4192,7 +4170,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa" hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -4214,7 +4192,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -4236,7 +4214,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4258,7 +4236,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4280,7 +4258,7 @@ rule PUA_VULN_Renamed_Driver_Copyright_Advancedmalwareprotection_6F55 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* FileDescription AdvancedMalwareProtection */ @@ -4301,7 +4279,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -4323,7 +4301,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -4345,7 +4323,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -4367,7 +4345,7 @@ rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f00360034 } /* FileDescription ALSysIO */ @@ -4389,7 +4367,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -4411,7 +4389,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_E839 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004300500055005f00430043 } /* FileDescription NTIOLibforMSICPUCC */ @@ -4433,7 +4411,7 @@ rule PUA_VULN_Renamed_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmems author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* FileDescription PhysicalMemoryAccessDriver */ @@ -4455,7 +4433,7 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -4477,7 +4455,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -4499,7 +4477,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -4521,7 +4499,7 @@ rule PUA_VULN_Renamed_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00500020004d0069006e006900660069006c007400650072 } /* FileDescription AMPMinifilter */ @@ -4543,7 +4521,7 @@ rule PUA_VULN_Renamed_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007300750070006500720062006d0063 } /* FileDescription superbmc */ @@ -4565,7 +4543,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4588,7 +4566,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54" hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -4610,7 +4588,7 @@ rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ @@ -4636,7 +4614,7 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f" hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" hash = "ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -4658,7 +4636,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4681,7 +4659,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b" hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ @@ -4703,7 +4681,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4725,7 +4703,7 @@ rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F1 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -4747,7 +4725,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4769,7 +4747,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4791,7 +4769,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -4813,7 +4791,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4835,7 +4813,7 @@ rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -4853,12 +4831,12 @@ rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D8 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys, amifldrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20" hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription AMIGenericUtilityDriver */ @@ -4870,7 +4848,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdr $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } /* OriginalFilename amifldrvsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /amifldrv64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /amifldrv64/i and not filename matches /amifldrv/i } @@ -4882,7 +4860,7 @@ rule PUA_VULN_Renamed_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_ hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af" hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b" hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ @@ -4904,7 +4882,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4926,7 +4904,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -4949,7 +4927,7 @@ rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_A3 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d" hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -4971,7 +4949,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4993,7 +4971,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5015,7 +4993,7 @@ rule PUA_VULN_Renamed_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocke author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription UnlockerDriver */ @@ -5037,7 +5015,7 @@ rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_93D8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ @@ -5059,7 +5037,7 @@ rule PUA_VULN_Renamed_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_358A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ @@ -5081,7 +5059,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -5103,7 +5081,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5125,7 +5103,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5147,7 +5125,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -5169,7 +5147,7 @@ rule PUA_VULN_Renamed_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsroperatin author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460055004a00490054005300550020004c0049004d0049005400450044002e } /* CompanyName FUJITSULIMITED */ @@ -5190,7 +5168,7 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -5212,7 +5190,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* FileDescription */ @@ -5234,7 +5212,7 @@ rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -5256,7 +5234,7 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amdupro author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d004400200050006f007700650072002000500072006f00660069006c0069006e00670020004400720069007600650072 } /* FileDescription AMDPowerProfilingDriver */ @@ -5274,11 +5252,11 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amdupro rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_074A { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -5290,7 +5268,7 @@ rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_074A { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i } @@ -5300,7 +5278,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_98B7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */ @@ -5318,11 +5296,11 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_98B7 { rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_9A95 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5331,7 +5309,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_9A95 { $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i } @@ -5341,7 +5319,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -5359,11 +5337,11 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_2BBC { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5372,7 +5350,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_2BBC { $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i } @@ -5382,7 +5360,7 @@ rule PUA_VULN_Renamed_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f00670069007400650063006800200056006900640065006f0020004400720069007600650072 } /* FileDescription LogitechVideoDriver */ @@ -5404,7 +5382,7 @@ rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ @@ -5422,11 +5400,11 @@ rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -5438,7 +5416,7 @@ rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i } @@ -5448,7 +5426,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -5470,7 +5448,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_9254 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004400440052005f00430043 } /* FileDescription NTIOLibforMSIDDRCC */ @@ -5493,7 +5471,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b" hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -5511,11 +5489,11 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 { rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow10x64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -5527,7 +5505,7 @@ rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkiow10x64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i } @@ -5537,7 +5515,7 @@ rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_4 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d004900430053005900530020006400720069007600650072 } /* FileDescription MICSYSdriver */ @@ -5559,7 +5537,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5581,7 +5559,7 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -5603,7 +5581,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5625,7 +5603,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windo author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription ASUSTDECPUDriver */ @@ -5647,7 +5625,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_1DDF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -5669,7 +5647,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5692,7 +5670,7 @@ rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c" hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d00380020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ @@ -5714,7 +5692,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5736,7 +5714,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5758,7 +5736,7 @@ rule PUA_VULN_Renamed_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072002c002000560065007200730069006f006e00200031002e0038002e0030 } /* FileDescription NVIDIAFlashDriverVersion */ @@ -5780,7 +5758,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -5802,7 +5780,7 @@ rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyve author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -5824,7 +5802,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5847,7 +5825,7 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_55A1 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9" hash = "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -5869,7 +5847,7 @@ rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -5891,7 +5869,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5913,7 +5891,7 @@ rule PUA_VULN_Renamed_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceve author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e0053007900730020002d0020004500760065006e00740020004d006f006e00690074006f00720069006e00670020006400720069007600650072 } /* FileDescription VProEventMonitorSysEventMonitoringdriver */ @@ -5935,7 +5913,7 @@ rule PUA_VULN_Renamed_Driver_Wj_Kprocesshacker_C725 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ @@ -5956,7 +5934,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -5978,7 +5956,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -6000,7 +5978,7 @@ rule PUA_VULN_Renamed_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodri author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */ @@ -6022,7 +6000,7 @@ rule PUA_VULN_Renamed_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530079007300440072007600330053 } /* FileDescription SysDrvS */ @@ -6044,7 +6022,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -6066,7 +6044,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddk author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -6088,7 +6066,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -6110,7 +6088,7 @@ rule PUA_VULN_Renamed_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ @@ -6128,12 +6106,12 @@ rule PUA_VULN_Renamed_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_5439 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91" hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -6142,7 +6120,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_5439 { $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i } @@ -6152,7 +6130,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -6170,11 +6148,11 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_DE8F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -6183,7 +6161,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_DE8F { $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /zam64/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /zam64/i and not filename matches /zamguard32/i and not filename matches /zamguard64/i } @@ -6193,7 +6171,7 @@ rule PUA_VULN_Renamed_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007000680079006d0065006d0020004100700070006c00690063006100740069006f006e } /* FileDescription phymemApplication */ @@ -6216,7 +6194,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex reference = "https://github.com/magicsword-io/LOLDrivers" hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1" hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -6238,7 +6216,7 @@ rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_CFB author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -6260,7 +6238,7 @@ rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -6282,7 +6260,7 @@ rule PUA_VULN_Renamed_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -6304,7 +6282,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -6326,7 +6304,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -6348,7 +6326,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -6370,7 +6348,7 @@ rule PUA_VULN_Renamed_Driver_Wj_Kprocesshacker_7021 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ @@ -6391,7 +6369,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -6413,7 +6391,7 @@ rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -6435,7 +6413,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -6457,7 +6435,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -6479,7 +6457,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ @@ -6501,7 +6479,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -6523,7 +6501,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ diff --git a/detections/yara/yara-rules_mal_drivers.yar b/detections/yara/yara-rules_mal_drivers.yar index 99ea20816..ef9ed1c7c 100644 --- a/detections/yara/yara-rules_mal_drivers.yar +++ b/detections/yara/yara-rules_mal_drivers.yar @@ -21,7 +21,7 @@ rule MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_6 hash = "e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d" hash = "e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12" hash = "bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004700550049002000730079006d0062006f006c00690063002000640065006200750067006700650072 } /* FileDescription WindowsGUIsymbolicdebugger */ @@ -43,7 +43,7 @@ rule MAL_Driver_Sensecorp_42B2 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */ @@ -62,7 +62,7 @@ rule MAL_Driver_Legalcorp_Pciexpressvideocapture_FD22 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005000430049006500200056006900640065006f00200043006100700074007500720065 } /* FileDescription PCIeVideoCapture */ @@ -84,7 +84,7 @@ rule MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsyste reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c" hash = "96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006e007400620069006f00730020006400720069007600650072 } /* FileDescription ntbiosdriver */ @@ -100,13 +100,36 @@ rule MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsyste } +rule MAL_Driver_Microsoftcorporation_Wintapixsys_Microsoftwindowsoperatingsystem_8578 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinTapix.sys, SRVNET2.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330" + hash = "1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e" + date = "2024-07-29" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004b00650072006e0065006c00200045007800650063007500740069007600650020004d006f00640075006c0065 } /* FileDescription WindowsKernelExecutiveModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0033002e0039003600300030002e003100360033003800340020002800770069006e0062006c00750065005f00720074006d002e003100330030003800320031002d00310036003200330029 } /* FileVersion winbluertm */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0033002e0039003600300030002e00310036003300380034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e00540061007000690078002e007300790073 } /* InternalName WinTapixsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f0066007400ae002000570069006e0064006f0077007300ae0020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00540061007000690078002e007300790073 } /* OriginalFilename WinTapixsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + all of them +} + + rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_200F { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ @@ -131,7 +154,7 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_E7 hash = "b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3" hash = "8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce" hash = "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ @@ -153,7 +176,7 @@ rule MAL_Driver_Gmer_Gmersys_Gmer_18C9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004d00450052002000440072006900760065007200200068007400740070003a002f002f007700770077002e0067006d00650072002e006e00650074 } /* FileDescription GMERDriverhttpwwwgmernet */ @@ -175,7 +198,7 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_69 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ @@ -191,13 +214,35 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_69 } +rule MAL_Driver_Microsoftcorporation_Srvnetsys_Microsoftwindowsoperatingsystem_F6C3 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinTapix.sys, SRVNET2.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d" + date = "2024-07-29" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053006500720076006500720020004e006500740077006f0072006b0020006400720069007600650072 } /* FileDescription ServerNetworkdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e } /* CompanyName MicrosoftCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310038003300360032002e0036003900330020002800570069006e004200750069006c0064002e003100360030003100300031002e00300038003000300029 } /* FileVersion WinBuild */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310038003300360032002e003600390033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005300520056004e004500540032002e005300590053 } /* InternalName SRVNETSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f0066007400ae002000570069006e0064006f0077007300ae0020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005300520056004e004500540032002e005300590053 } /* OriginalFilename SRVNETSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + all of them +} + + rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_81C7 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_3.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ @@ -219,7 +264,7 @@ rule MAL_Driver_Sensecorp_7F45 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */ @@ -238,7 +283,7 @@ rule MAL_Driver_Microsoftcorporation_Ndislansys_Microsoftwindowsoperatingsystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427" - date = "2023-06-14" + date = "2024-07-29" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d00530020004c0041004e0020004400720069007600650072 } /* FileDescription MSLANDriver */ diff --git a/detections/yara/yara-rules_vuln_drivers_strict.yar b/detections/yara/yara-rules_vuln_drivers_strict.yar index 7f8f2e883..1df1ae74f 100644 --- a/detections/yara/yara-rules_vuln_drivers_strict.yar +++ b/detections/yara/yara-rules_vuln_drivers_strict.yar @@ -8,7 +8,7 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { hash = "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02" hash = "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe" hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -26,11 +26,11 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { rule PUA_VULN_Driver_Zemanaltd_Zam_D7E0 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -51,7 +51,7 @@ rule PUA_VULN_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6" hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */ @@ -73,7 +73,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_81AA author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -95,7 +95,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -117,7 +117,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -145,7 +145,7 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_6BEF { hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -171,7 +171,7 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_45BA { hash = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d" hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe" hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200770044007200760020004400720069007600650072 } /* FileDescription RwDrvDriver */ @@ -195,7 +195,7 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdriver_5C0B { hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921" hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351" hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription VoicemodVirtualAudioDeviceWDM */ @@ -218,7 +218,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433" hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -240,7 +240,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_5BD author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -272,7 +272,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_8 hash = "59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879" hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd" hash = "9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -300,7 +300,7 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_1F4D { hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -323,7 +323,7 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_B50F { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ @@ -340,12 +340,12 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_B50F { rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys, WinRing0x64" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ @@ -367,7 +367,7 @@ rule PUA_VULN_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwrit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* FileDescription Hardwarereadwritedriver */ @@ -389,7 +389,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -411,7 +411,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3124 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004600720065007100750065006e00630079005f00430043 } /* FileDescription NTIOLibforMSIFrequencyCC */ @@ -433,7 +433,7 @@ rule PUA_VULN_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f006200690074002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription IObitTemperatureMonitor */ @@ -455,7 +455,7 @@ rule PUA_VULN_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300570069006e0046006c006100730068002000440072006900760065007200200066006f0072002000570069006e0064006f007700730020004e0054 } /* FileDescription SWinFlashDriverforWindowsNT */ @@ -477,7 +477,7 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ @@ -499,7 +499,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -532,7 +532,7 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758" hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90" hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -556,7 +556,7 @@ rule PUA_VULN_Driver_Asustek_Driversys_Ectool_927C { hash = "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a" hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0" hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400680065002000640072006900760065007200200066006f007200200074006800650020004500430074006f006f006c0020006400720069007600650072002d0062006100730065006400200074006f006f006c0073 } /* FileDescription ThedriverfortheECtooldriverbasedtools */ @@ -578,7 +578,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d005300490043006c006f0063006b005f00430043 } /* FileDescription NTIOLibforMSIClockCC */ @@ -600,7 +600,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -622,7 +622,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -646,7 +646,7 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_42E1 { hash = "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb" hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65" hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -668,7 +668,7 @@ rule PUA_VULN_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemserviceprov author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ @@ -690,7 +690,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -712,7 +712,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -734,7 +734,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxsys_Panca author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ @@ -756,7 +756,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -779,7 +779,7 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_6C71 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ @@ -801,7 +801,7 @@ rule PUA_VULN_Driver_Bsmisys_5962 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */ @@ -851,7 +851,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_99F4 { hash = "47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005" hash = "38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a" hash = "ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -875,7 +875,7 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_26E3 { hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43" hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf" hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -900,7 +900,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftatcamfntam hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5" hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3" hash = "36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440065006600610075006c0074002000420049004f005300200046006c0061007300680020004400720069007600650072 } /* FileDescription DefaultBIOSFlashDriver */ @@ -922,7 +922,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibr author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ @@ -946,7 +946,7 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_2A6D { hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486" hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961" hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -968,7 +968,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -990,7 +990,7 @@ rule PUA_VULN_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006e005400650063006800200073006f006600740045006e00670069006e006500200078003600340020006b00650072006e0065006c002d006d006f006400650020006400720069007600650072 } /* FileDescription EnTechsoftEnginexkernelmodedriver */ @@ -1012,7 +1012,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0B5 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -1034,7 +1034,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -1057,7 +1057,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039" hash = "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1075,11 +1075,11 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { rule PUA_VULN_Driver_Zemanaltd_Zam_8FE9 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -1101,7 +1101,7 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenam hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -1123,7 +1123,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3D9E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004e00540049004f004c00690062005f00450043004f } /* FileDescription NTIOLibForNTIOLibECO */ @@ -1146,7 +1146,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250" hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d0053004900530069006d0070006c0065005f004f0043 } /* FileDescription NTIOLibForMSISimpleOC */ @@ -1169,7 +1169,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D reference = "https://github.com/magicsword-io/LOLDrivers" hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0" hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -1192,7 +1192,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_62F5 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0" hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1215,7 +1215,7 @@ rule PUA_VULN_Driver_Yyinc_Dianhu_80CB { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3" hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */ @@ -1236,7 +1236,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00" hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -1258,7 +1258,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -1280,7 +1280,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_591B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* FileDescription NTIOLibForMSIRatioCC */ @@ -1298,12 +1298,12 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_591B { rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_47EA { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys, WinRing0x64" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84" hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ @@ -1325,7 +1325,7 @@ rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_6532 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -1347,7 +1347,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -1371,7 +1371,7 @@ rule PUA_VULN_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_AD40 { hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7" hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */ @@ -1393,7 +1393,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0CD author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -1418,7 +1418,7 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_E16D { hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a" hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ @@ -1439,7 +1439,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1461,7 +1461,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1483,7 +1483,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -1511,7 +1511,7 @@ rule PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_3943 { hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ @@ -1533,7 +1533,7 @@ rule PUA_VULN_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F744 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004500540044006900200053007500700070006f007200740020004400720069007600650072 } /* FileDescription ETDiSupportDriver */ @@ -1555,7 +1555,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -1581,7 +1581,7 @@ rule PUA_VULN_Driver_Phoenixtechnologies_Agentsys_Driveragent_4045 { hash = "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa" hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414" hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004400720069007600650072004100670065006e0074002000440069007200650063007400200049002f004f00200066006f0072002000360034002d006200690074002000570069006e0064006f00770073 } /* FileDescription DriverAgentDirectIOforbitWindows */ @@ -1603,7 +1603,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -1626,7 +1626,7 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_904E { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ @@ -1647,7 +1647,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ @@ -1674,7 +1674,7 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_2A65 { hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc" hash = "0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb" hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* FileDescription RWEverythingReadWriteDriver */ @@ -1696,7 +1696,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1718,7 +1718,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -1734,35 +1734,13 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D } -rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_7795 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "77955af8a8bcea8998f4046c2f8534f6fb1959c71de049ca2f4298ba47d8f23a" - date = "2023-06-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300032003200200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_9B1A { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -1784,7 +1762,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsys_Pancaf author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ @@ -1806,7 +1784,7 @@ rule PUA_VULN_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Lenovodiagno author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073002000440072006900760065007200200066006f0072002000570069006e0064006f0077007300200031003000200061006e00640020006c0061007400650072002e } /* FileDescription LenovoDiagnosticsDriverforWindowsandlater */ @@ -1828,7 +1806,7 @@ rule PUA_VULN_Driver_Dell_Dbutil_71FE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440042005500740069006c } /* FileDescription DBUtil */ @@ -1848,7 +1826,7 @@ rule PUA_VULN_Driver_Atszio_Atsziodriver_673B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b" hash = "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -1869,7 +1847,7 @@ rule PUA_VULN_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0065006d006f007200790020006d0061007000700069006e00670020004400720069007600650072 } /* FileDescription MemorymappingDriver */ @@ -1893,7 +1871,7 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_FB81 { hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f" hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ @@ -1910,11 +1888,11 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_FB81 { rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -1937,7 +1915,7 @@ rule PUA_VULN_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_23B reference = "https://github.com/magicsword-io/LOLDrivers" hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade" hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c00480041 } /* FileDescription LHA */ @@ -1959,7 +1937,7 @@ rule PUA_VULN_Driver_Logmeininc_Lmiinfosys_Logmein_453B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0067004d00650049006e0020004b00650072006e0065006c00200049006e0066006f0072006d006100740069006f006e002000500072006f00760069006400650072 } /* FileDescription LogMeInKernelInformationProvider */ @@ -1981,7 +1959,7 @@ rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -2003,7 +1981,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -2025,7 +2003,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_B author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2043,11 +2021,11 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_B rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2069,7 +2047,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -2091,7 +2069,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -2113,7 +2091,7 @@ rule PUA_VULN_Driver_Safenetinc_Hostnt_Hostnt_07B6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006f00730074006e0074002000360034002d0062006900740020006400720069007600650072 } /* FileDescription Hostntbitdriver */ @@ -2135,7 +2113,7 @@ rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ @@ -2153,11 +2131,11 @@ rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 { rule PUA_VULN_Driver_Zemanaltd_Zam_7CB5 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -2177,7 +2155,7 @@ rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdri author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ @@ -2200,7 +2178,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd" hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2223,7 +2201,7 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_2899 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ @@ -2244,7 +2222,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2266,7 +2244,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */ @@ -2291,7 +2269,7 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_7710 { hash = "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2" hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88" hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -2313,7 +2291,7 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriv author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } /* FileDescription SpeedFanDeviceDriver */ @@ -2335,7 +2313,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ @@ -2357,7 +2335,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2379,7 +2357,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -2402,7 +2380,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_0 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85" hash = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2426,7 +2404,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_AE42 { hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471" hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2" hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ @@ -2448,7 +2426,7 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_3724 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -2470,7 +2448,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ @@ -2493,7 +2471,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee" hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062005f005800360034 } /* FileDescription NTIOLibX */ @@ -2517,7 +2495,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_6 hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e" hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc" hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2539,7 +2517,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_7 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2557,11 +2535,11 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_7 rule PUA_VULN_Driver_Zemanaltd_Zam_45F4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -2587,7 +2565,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4D05 { hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5" hash = "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572" hash = "d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -2609,7 +2587,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -2631,7 +2609,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2653,7 +2631,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -2675,7 +2653,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3070 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0053004900200043006f006d00430065006e00530065007200760069006300650020004400720069007600650072 } /* FileDescription MSIComCenServiceDriver */ @@ -2697,7 +2675,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CC58 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -2715,13 +2693,13 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CC58 { rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodenamelonghornddkdriver_916C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677" hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab" hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2743,7 +2721,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2765,7 +2743,7 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */ @@ -2787,7 +2765,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ @@ -2809,7 +2787,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2831,7 +2809,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriverfornt_EA85 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* FileDescription ASUSKernelModeDriverforNT */ @@ -2853,7 +2831,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2875,7 +2853,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -2898,7 +2876,7 @@ rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_5596 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa" hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d003100300020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ @@ -2920,7 +2898,7 @@ rule PUA_VULN_Driver_Mydriverscom_Hwm_Drivergenius_08EB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */ @@ -2942,7 +2920,7 @@ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -2966,7 +2944,7 @@ rule PUA_VULN_Driver_Powertool_Kevpsys_Powertool_8E63 { hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ @@ -2988,7 +2966,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -3011,7 +2989,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7C73 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b" hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3033,7 +3011,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3055,7 +3033,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3077,7 +3055,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_34E author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -3099,7 +3077,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -3117,11 +3095,11 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { rule PUA_VULN_Driver_Zemanaltd_Zam_3C18 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3140,7 +3118,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -3162,7 +3140,7 @@ rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ @@ -3184,7 +3162,7 @@ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -3207,7 +3185,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e" hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -3229,7 +3207,7 @@ rule PUA_VULN_Driver_Multitheftauto_Mtasanandreas_9F4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0075006c007400690020005400680065006600740020004100750074006f0020007000610074006300680020006400720069007600650072 } /* FileDescription MultiTheftAutopatchdriver */ @@ -3249,7 +3227,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3271,7 +3249,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -3293,7 +3271,7 @@ rule PUA_VULN_Driver_Microfocus_Microfocusxtier_95D5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */ @@ -3314,7 +3292,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3336,7 +3314,7 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ @@ -3358,7 +3336,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibra author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ @@ -3380,7 +3358,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -3402,7 +3380,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -3424,7 +3402,7 @@ rule PUA_VULN_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysicalmemoryandp author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200041006300630065007300730020004400720069007600650072 } /* FileDescription HardwareAccessDriver */ @@ -3445,7 +3423,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3467,7 +3445,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_CFCF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ @@ -3489,7 +3467,7 @@ rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ @@ -3511,7 +3489,7 @@ rule PUA_VULN_Driver_Pchuntersys_Pchunter_1B7F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00450070006f006f006c0073006f00660074002000570069006e0064006f0077007300200049006e0066006f0072006d006100740069006f006e0020005600690065007700200054006f006f006c0073 } /* FileDescription EpoolsoftWindowsInformationViewTools */ @@ -3533,7 +3511,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3555,7 +3533,7 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_8E88 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ @@ -3572,11 +3550,11 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_8E88 { rule PUA_VULN_Driver_Zemanaltd_Zam_E428 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3595,7 +3573,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3618,7 +3596,7 @@ rule PUA_VULN_Driver_Huawei_Hwosec_Huaweimatebook_B179 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de" hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480077004f0073003200450063 } /* FileDescription HwOsEc */ @@ -3640,7 +3618,7 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ @@ -3657,11 +3635,11 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { rule PUA_VULN_Driver_Zemanaltd_Zam_7661 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3680,7 +3658,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -3702,7 +3680,7 @@ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -3724,7 +3702,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3746,7 +3724,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3768,7 +3746,7 @@ rule PUA_VULN_Driver_Microfocus_Microfocusxtier_5351 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200053006500630075007200690074007900200043006f006e00740065007800740020004d0061006e0061006700650072 } /* FileDescription XTierSecurityContextManager */ @@ -3790,7 +3768,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f" hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -3813,7 +3791,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5FAD { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36" hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -3837,7 +3815,7 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_A072 { hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -3859,7 +3837,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -3881,7 +3859,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3903,7 +3881,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00610076006100730074002100200056004d0020004d006f006e00690074006f0072 } /* FileDescription avastVMMonitor */ @@ -3927,7 +3905,7 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_3 hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38" hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ @@ -3949,7 +3927,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050004e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPNPDriver */ @@ -3971,7 +3949,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_CF69 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ @@ -3993,7 +3971,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_4 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -4015,7 +3993,7 @@ rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ @@ -4037,7 +4015,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4059,7 +4037,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -4081,7 +4059,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4103,7 +4081,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4125,7 +4103,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -4147,7 +4125,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4169,7 +4147,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4192,7 +4170,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa" hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -4214,7 +4192,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_B author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -4236,7 +4214,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4258,7 +4236,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4280,7 +4258,7 @@ rule PUA_VULN_Driver_Copyright_Advancedmalwareprotection_6F55 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* FileDescription AdvancedMalwareProtection */ @@ -4301,7 +4279,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -4323,7 +4301,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -4345,7 +4323,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -4367,7 +4345,7 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f00360034 } /* FileDescription ALSysIO */ @@ -4389,7 +4367,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -4411,7 +4389,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_E839 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004300500055005f00430043 } /* FileDescription NTIOLibforMSICPUCC */ @@ -4433,7 +4411,7 @@ rule PUA_VULN_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physi author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* FileDescription PhysicalMemoryAccessDriver */ @@ -4455,7 +4433,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -4477,7 +4455,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -4499,7 +4477,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -4521,7 +4499,7 @@ rule PUA_VULN_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00500020004d0069006e006900660069006c007400650072 } /* FileDescription AMPMinifilter */ @@ -4543,7 +4521,7 @@ rule PUA_VULN_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007300750070006500720062006d0063 } /* FileDescription superbmc */ @@ -4565,7 +4543,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4588,7 +4566,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54" hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -4610,7 +4588,7 @@ rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ @@ -4636,7 +4614,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f" hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" hash = "ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -4658,7 +4636,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4681,7 +4659,7 @@ rule PUA_VULN_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b" hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ @@ -4703,7 +4681,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4725,7 +4703,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F15A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -4747,7 +4725,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4769,7 +4747,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4791,7 +4769,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -4813,7 +4791,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4835,7 +4813,7 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -4853,12 +4831,12 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { rule PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D8 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys, amifldrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20" hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription AMIGenericUtilityDriver */ @@ -4882,7 +4860,7 @@ rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxd hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af" hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b" hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ @@ -4904,7 +4882,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4926,7 +4904,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -4949,7 +4927,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_A334 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d" hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -4971,7 +4949,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4993,7 +4971,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5015,7 +4993,7 @@ rule PUA_VULN_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription UnlockerDriver */ @@ -5037,7 +5015,7 @@ rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_93D8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ @@ -5059,7 +5037,7 @@ rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_358A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ @@ -5081,7 +5059,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_9 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -5103,7 +5081,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5125,7 +5103,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5147,7 +5125,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_949 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -5169,7 +5147,7 @@ rule PUA_VULN_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsroperatingsystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460055004a00490054005300550020004c0049004d0049005400450044002e } /* CompanyName FUJITSULIMITED */ @@ -5190,7 +5168,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -5212,7 +5190,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* FileDescription */ @@ -5234,7 +5212,7 @@ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -5256,7 +5234,7 @@ rule PUA_VULN_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amduprof_0AF5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d004400200050006f007700650072002000500072006f00660069006c0069006e00670020004400720069007600650072 } /* FileDescription AMDPowerProfilingDriver */ @@ -5274,11 +5252,11 @@ rule PUA_VULN_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amduprof_0AF5 { rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_074A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -5300,7 +5278,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_98B7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */ @@ -5318,11 +5296,11 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_98B7 { rule PUA_VULN_Driver_Zemanaltd_Zam_9A95 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5341,7 +5319,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -5359,11 +5337,11 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { rule PUA_VULN_Driver_Zemanaltd_Zam_2BBC { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5382,7 +5360,7 @@ rule PUA_VULN_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f00670069007400650063006800200056006900640065006f0020004400720069007600650072 } /* FileDescription LogitechVideoDriver */ @@ -5404,7 +5382,7 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ @@ -5422,11 +5400,11 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -5448,7 +5426,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_2CE author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -5470,7 +5448,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9254 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004400440052005f00430043 } /* FileDescription NTIOLibforMSIDDRCC */ @@ -5493,7 +5471,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b" hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -5511,11 +5489,11 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 { rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow10x64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -5537,7 +5515,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_43BA { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d004900430053005900530020006400720069007600650072 } /* FileDescription MICSYSdriver */ @@ -5559,7 +5537,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5581,7 +5559,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_26C2 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -5603,7 +5581,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5625,7 +5603,7 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcoden author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription ASUSTDECPUDriver */ @@ -5647,7 +5625,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_1DDF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -5669,7 +5647,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5692,7 +5670,7 @@ rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c" hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d00380020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ @@ -5714,7 +5692,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5736,7 +5714,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5758,7 +5736,7 @@ rule PUA_VULN_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072002c002000560065007200730069006f006e00200031002e0038002e0030 } /* FileDescription NVIDIAFlashDriverVersion */ @@ -5780,7 +5758,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -5802,7 +5780,7 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -5824,7 +5802,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5847,7 +5825,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_55A1 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9" hash = "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -5869,7 +5847,7 @@ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -5891,7 +5869,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5913,7 +5891,7 @@ rule PUA_VULN_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonito author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e0053007900730020002d0020004500760065006e00740020004d006f006e00690074006f00720069006e00670020006400720069007600650072 } /* FileDescription VProEventMonitorSysEventMonitoringdriver */ @@ -5935,7 +5913,7 @@ rule PUA_VULN_Driver_Wj_Kprocesshacker_C725 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ @@ -5956,7 +5934,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -5978,7 +5956,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -6000,7 +5978,7 @@ rule PUA_VULN_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodriverversi author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */ @@ -6022,7 +6000,7 @@ rule PUA_VULN_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530079007300440072007600330053 } /* FileDescription SysDrvS */ @@ -6044,7 +6022,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -6066,7 +6044,7 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -6088,7 +6066,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -6110,7 +6088,7 @@ rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ @@ -6128,12 +6106,12 @@ rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 { rule PUA_VULN_Driver_Zemanaltd_Zam_5439 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91" hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -6152,7 +6130,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -6170,11 +6148,11 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 rule PUA_VULN_Driver_Zemanaltd_Zam_DE8F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -6193,7 +6171,7 @@ rule PUA_VULN_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007000680079006d0065006d0020004100700070006c00690063006100740069006f006e } /* FileDescription phymemApplication */ @@ -6216,7 +6194,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1" hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -6238,7 +6216,7 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_CFB7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -6260,7 +6238,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -6282,7 +6260,7 @@ rule PUA_VULN_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -6304,7 +6282,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -6326,7 +6304,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -6348,7 +6326,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -6370,7 +6348,7 @@ rule PUA_VULN_Driver_Wj_Kprocesshacker_7021 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ @@ -6391,7 +6369,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -6413,7 +6391,7 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -6435,7 +6413,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -6457,7 +6435,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -6479,7 +6457,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ @@ -6501,7 +6479,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -6523,7 +6501,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba" - date = "2023-06-14" + date = "2024-07-29" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ From dc4633dfc7851209d2c014d4ad8af9e9e7fe30e7 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 7 Aug 2024 16:14:40 +0200 Subject: [PATCH 4/4] regenerated, fixed issues --- .../other/yara-rules_mal_drivers_strict.yar | 417 +- .../yara/other/yara-rules_vuln_drivers.yar | 6382 ++++++++++++++-- ...yara-rules_vuln_drivers_strict_renamed.yar | 6486 +++++++++++++++-- detections/yara/yara-rules_mal_drivers.yar | 417 +- .../yara/yara-rules_vuln_drivers_strict.yar | 6384 ++++++++++++++-- 5 files changed, 17822 insertions(+), 2264 deletions(-) diff --git a/detections/yara/other/yara-rules_mal_drivers_strict.yar b/detections/yara/other/yara-rules_mal_drivers_strict.yar index 9616c9cc2..36f4badf5 100644 --- a/detections/yara/other/yara-rules_mal_drivers_strict.yar +++ b/detections/yara/other/yara-rules_mal_drivers_strict.yar @@ -21,7 +21,7 @@ rule MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_6 hash = "e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d" hash = "e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12" hash = "bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df" - date = "2024-07-29" + date = "2024-08-07" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004700550049002000730079006d0062006f006c00690063002000640065006200750067006700650072 } /* FileDescription WindowsGUIsymbolicdebugger */ @@ -37,13 +37,278 @@ rule MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_6 } +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_AAF0 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e" + hash = "4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919" + hash = "c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da" + hash = "f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1" + hash = "0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06" + hash = "d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f" + hash = "2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4" + hash = "f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5" + hash = "19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987" + hash = "3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1" + hash = "cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37" + hash = "a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2" + hash = "492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263" + hash = "85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2" + hash = "efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576" + hash = "12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0" + hash = "4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f" + hash = "ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0" + hash = "10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b" + hash = "4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905" + hash = "d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c" + hash = "569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa" + hash = "80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3" + hash = "1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524" + hash = "ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55" + hash = "a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778" + hash = "e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59" + hash = "b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719" + hash = "4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de" + hash = "083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254" + hash = "e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f" + hash = "ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a" + hash = "7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db" + hash = "93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe" + hash = "082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a" + hash = "bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908" + hash = "95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167" + hash = "d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96" + hash = "94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601" + hash = "793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875" + date = "2024-08-07" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000320030002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_DDF4 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a" + hash = "bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0" + hash = "af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895" + hash = "9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7" + hash = "2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2" + hash = "29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe" + hash = "e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8" + hash = "897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736" + hash = "0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3" + hash = "469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870" + hash = "818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab" + hash = "4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7" + hash = "0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39" + hash = "62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920" + hash = "3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6" + date = "2024-08-07" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310036002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_0F58 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597" + hash = "087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212" + hash = "0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35" + hash = "06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8" + hash = "eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a" + hash = "627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa" + hash = "b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03" + hash = "dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1" + hash = "a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66" + hash = "94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112" + hash = "07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0" + hash = "4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1" + hash = "baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3" + hash = "bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd" + date = "2024-08-07" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310034002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_7662 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d" + hash = "a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec" + hash = "60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9" + hash = "b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09" + hash = "d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff" + hash = "008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25" + hash = "8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe" + hash = "aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9" + hash = "fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2" + hash = "6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b" + hash = "443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85" + hash = "e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15" + hash = "ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd" + hash = "beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b" + hash = "e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19" + hash = "21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a" + hash = "02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715" + hash = "40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a" + hash = "8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b" + hash = "2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878" + hash = "d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be" + hash = "82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2" + hash = "c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e" + date = "2024-08-07" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_14B8 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925" + hash = "36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475" + hash = "673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653" + hash = "5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968" + hash = "8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38" + hash = "69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f" + hash = "a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f" + hash = "62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266" + hash = "1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6" + hash = "b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4" + hash = "0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550" + hash = "15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c" + hash = "c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c" + hash = "618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb" + hash = "4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be" + hash = "c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231" + hash = "822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb" + hash = "b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a" + hash = "26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47" + hash = "c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12" + hash = "a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972" + hash = "82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7" + hash = "6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7" + hash = "52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd" + hash = "64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96" + hash = "f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac" + hash = "51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93" + hash = "c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc" + hash = "d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad" + hash = "4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b" + hash = "a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852" + date = "2024-08-07" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_41AD { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f" + hash = "a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7" + hash = "9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac" + hash = "f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad" + hash = "31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6" + hash = "1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80" + hash = "704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4" + hash = "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a" + hash = "4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021" + hash = "9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392" + hash = "8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434" + hash = "b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c" + hash = "07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af" + hash = "c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c" + hash = "26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55" + hash = "406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9" + date = "2024-08-07" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310039002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule MAL_Driver_Sensecorp_42B2 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Sense5Ext.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25" - date = "2024-07-29" + date = "2024-08-07" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */ @@ -62,7 +327,7 @@ rule MAL_Driver_Legalcorp_Pciexpressvideocapture_FD22 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8" - date = "2024-07-29" + date = "2024-08-07" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005000430049006500200056006900640065006f00200043006100700074007500720065 } /* FileDescription PCIeVideoCapture */ @@ -77,6 +342,72 @@ rule MAL_Driver_Legalcorp_Pciexpressvideocapture_FD22 { } +rule MAL_Driver_Gmer_Gmersys_Gmer_0052 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gmer64.sys, superman.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0052aa88e42055a2eed5ddd17c3499c692360155e5e031a211edfcef577acce3" + hash = "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7" + date = "2024-08-07" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004d00450052002000440072006900760065007200200068007400740070003a002f002f007700770077002e0067006d00650072002e006e00650074 } /* FileDescription GMERDriverhttpwwwgmernet */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004d00450052 } /* CompanyName GMER */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c002000360039003800330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200036003900380033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006d0065007200360034002e007300790073 } /* InternalName gmersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004d00450052 } /* ProductName GMER */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006d0065007200360034002e007300790073 } /* OriginalFilename gmersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200047004d0045005200200032003000300033002d0032003000310033 } /* LegalCopyright CopyrightCGMER */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule MAL_Driver_Mimidrv_Mimidrvmimikatz_2FAF { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8" + date = "2024-08-07" + score = 85 + strings: + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_2FD4 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21" + hash = "7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28" + hash = "28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553" + date = "2024-08-07" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsystem_C0D8 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ntbios_2.sys" @@ -84,7 +415,7 @@ rule MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsyste reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c" hash = "96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc" - date = "2024-07-29" + date = "2024-08-07" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006e007400620069006f00730020006400720069007600650072 } /* FileDescription ntbiosdriver */ @@ -107,7 +438,7 @@ rule MAL_Driver_Microsoftcorporation_Wintapixsys_Microsoftwindowsoperatingsystem reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330" hash = "1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e" - date = "2024-07-29" + date = "2024-08-07" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004b00650072006e0065006c00200045007800650063007500740069007600650020004d006f00640075006c0065 } /* FileDescription WindowsKernelExecutiveModule */ @@ -123,28 +454,6 @@ rule MAL_Driver_Microsoftcorporation_Wintapixsys_Microsoftwindowsoperatingsystem } -rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_200F { - meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a" - date = "2024-07-29" - score = 85 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310039002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_E7AF { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_6.sys" @@ -154,7 +463,7 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_E7 hash = "b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3" hash = "8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce" hash = "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4" - date = "2024-07-29" + date = "2024-08-07" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ @@ -170,23 +479,24 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_E7 } -rule MAL_Driver_Gmer_Gmersys_Gmer_18C9 { +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_30E0 { meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gmer64.sys" + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7" - date = "2024-07-29" + hash = "30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2" + hash = "a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640" + date = "2024-08-07" score = 85 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004d00450052002000440072006900760065007200200068007400740070003a002f002f007700770077002e0067006d00650072002e006e00650074 } /* FileDescription GMERDriverhttpwwwgmernet */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004d00450052 } /* CompanyName GMER */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c002000360039003800330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200036003900380033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006d0065007200360034002e007300790073 } /* InternalName gmersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004d00450052 } /* ProductName GMER */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006d0065007200360034002e007300790073 } /* OriginalFilename gmersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200047004d0045005200200032003000300033002d0032003000310033 } /* LegalCopyright CopyrightCGMER */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310033002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } @@ -198,7 +508,7 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_69 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f" - date = "2024-07-29" + date = "2024-08-07" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ @@ -220,7 +530,7 @@ rule MAL_Driver_Microsoftcorporation_Srvnetsys_Microsoftwindowsoperatingsystem_F author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d" - date = "2024-07-29" + date = "2024-08-07" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053006500720076006500720020004e006500740077006f0072006b0020006400720069007600650072 } /* FileDescription ServerNetworkdriver */ @@ -242,7 +552,7 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_81 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1" - date = "2024-07-29" + date = "2024-08-07" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ @@ -258,13 +568,30 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_81 } +rule MAL_Driver_773B { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894" + date = "2024-08-07" + score = 85 + strings: + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* ProductVersion */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d002000320030003100370020 } /* LegalCopyright Copyrightc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule MAL_Driver_Sensecorp_7F45 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Sense5Ext.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6" - date = "2024-07-29" + date = "2024-08-07" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */ @@ -283,7 +610,7 @@ rule MAL_Driver_Microsoftcorporation_Ndislansys_Microsoftwindowsoperatingsystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427" - date = "2024-07-29" + date = "2024-08-07" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d00530020004c0041004e0020004400720069007600650072 } /* FileDescription MSLANDriver */ diff --git a/detections/yara/other/yara-rules_vuln_drivers.yar b/detections/yara/other/yara-rules_vuln_drivers.yar index f0315c6b7..86bd85a7b 100644 --- a/detections/yara/other/yara-rules_vuln_drivers.yar +++ b/detections/yara/other/yara-rules_vuln_drivers.yar @@ -6,9 +6,14 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3" hash = "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02" + hash = "368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1" hash = "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe" + hash = "11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768" + hash = "4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba" + hash = "572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4" hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa" - date = "2024-07-29" + hash = "da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -24,13 +29,106 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { } +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0E85 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02" + hash = "73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a" + hash = "b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44" + hash = "ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498" + hash = "40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59" + hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" + hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" + hash = "405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1" + hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" + hash = "78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_786F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc" + hash = "87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b" + hash = "daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5" + hash = "48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548" + hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_A397 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c" + hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" + hash = "f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686" + hash = "8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f" + hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" + hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" + hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" + hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" + hash = "bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091" + hash = "ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33" + hash = "3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486" + hash = "019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f" + hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" + hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" + hash = "f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + all of them +} + + rule PUA_VULN_Driver_Zemanaltd_Zam_D7E0 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -44,6 +142,187 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_D7E0 { } +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_2298 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e" + hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486" + hash = "69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce" + hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961" + hash = "68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248" + hash = "3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5" + hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310032002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_4D03 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4d03a01257e156a3a018230059052791c3cde556e5cec7a4dd2f55f65c06e146" + hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" + hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" + hash = "d20d8bf80017e98b6dfc9f6c3960271fa792a908758bef49a390e2692a2a4341" + hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" + hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" + hash = "4bf974f5d3489638a48ee508b4a8cfa0f0262909778ccdd2e871172b71654d89" + hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" + hash = "53bb076e81f6104f41bc284eedae36bd99b53e42719573fa5960932720ebc854" + hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" + hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_0ABC { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0abca92512fc98fe6c2e7d0a33935686fc3acbd0a4c68b51f4a70ece828c0664" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_D7B7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd" + hash = "567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270" + hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" + hash = "2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_9DBC { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9dbc2a37f53507296cc912e7d354dab4e55541ba821561aa84f74d1bd8346be2" + hash = "65a3e69854c729659281d2c5f8a4c8274ad3606befdcd9e1b79d3262f260bfa1" + hash = "71701c5c569ef67391c995a12b21ca06935b7799ed211d978f7877115c58dce0" + hash = "81bcd8a3f8c17ac6dc4bad750ad3417914db10aa15485094eef0951a3f72bdbd" + hash = "1a0f57a4d7c8137baf24c65d542729547b876979273df7a245aaeea87280c090" + hash = "62b14bb308c99132d90646e85bc7d6eb593f38e225c8232f69f24b74a019c176" + hash = "0f3e7bf7b103613844a38afb574817ddaecd00e4d206d891660dbb0e5dfee04e" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e0037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Windowsrwinddkprovider_Lgdatacatchersys_Gameacc_07FB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDataCatcher.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "07fb2bb6c852f6a6fe982b2232f047e167be39738bac26806ffe0927ba873756" + hash = "516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a13" + hash = "45b07a2f387e047a6bb0e59b7f22fb56182d57b50e84e386a38c2dbb7e773837" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006500690067006f00640020006e006500740020006400610074006100200063006100740063006800650072002e } /* FileDescription Leigodnetdatacatcher */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* InternalName LgDataCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470061006d0065004100630063 } /* ProductName GameAcc */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* OriginalFilename LgDataCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002000320030003200300020006e006e002e0063006f006d } /* LegalCopyright Copyrightnncom */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_D53F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d53f9111a5e6c94b37e3f39c5860897405cb250dd11aa91c3814a98b1759c055" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + all of them +} + + rule PUA_VULN_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elrawdsk.sys" @@ -51,7 +330,7 @@ rule PUA_VULN_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6" hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */ @@ -73,7 +352,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_81AA author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -95,7 +374,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -117,7 +396,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -133,29 +412,97 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_6BEF { +rule PUA_VULN_Driver_Novellinc_Novellxtier_8473 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" - hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" - hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" - hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" - hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" - hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" - hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" - date = "2024-07-29" + hash = "84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451" + hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" + hash = "e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f" + hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0" + hash = "8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutsys_Inpoutdriverversion_CFAB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpout32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "cfab93885e5129a86d13fd380d010cc8c204429973b776ab1b472d84a767930f" + hash = "945ee05244316ff2f877718cf0625d4eb34e6ec472f403f958f2a700f9092507" + hash = "7db320e49139f636c8b6d12b6c78b666a62599e9d59587ba87c6b89b0a34b18d" + hash = "16360ead229b13deb47bc2bef40f282474c9f18c213c636cdfb8cc2495168251" + hash = "b8ded5e10dfc997482ba4377c60e7902e6f755674be51b0e181ae465529fb2f2" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* InternalName inpoutsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f00750074003300320020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName inpoutDriverVersion */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* OriginalFilename inpoutsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_4CD8 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4" + hash = "00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922" + hash = "66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_9833 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "983310cdce8397c016bfcfcc9c3a8abbb5c928b235bc3c3ae3a3cc10ef24dfbd" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ condition: all of them } @@ -167,11 +514,14 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_45BA { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a" + hash = "bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042" hash = "3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf" + hash = "83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c" hash = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d" hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe" + hash = "d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4" hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200770044007200760020004400720069007600650072 } /* FileDescription RwDrvDriver */ @@ -195,7 +545,7 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdriver_5C0B { hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921" hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351" hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription VoicemodVirtualAudioDeviceWDM */ @@ -218,7 +568,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433" hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -234,28 +584,254 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_5BD4 { +rule PUA_VULN_Driver_Realixtm_Hwinfoisys_Hwinfoiakerneldriver_33C6 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO64I.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c" - date = "2024-07-29" + hash = "33c6c622464f80a8d8017a03ff3aa196840da8bb03bfb5212b51612b5cf953dc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOIAKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e00370032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00370032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* InternalName HWiNFOISYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOIAKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* OriginalFilename HWiNFOISYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100320020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdateutilitydriver_6945 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6945077a6846af3e4e2f6a2f533702f57e993c5b156b6965a552d6a5d63b7402" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* OriginalFilename PDFWKRNLsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003100200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Fintekcorp_Fintekcorpfintekpcieuart_32BD { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FPCIE2COM.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "32bd0edb9daa60175b1dc054f30e28e8dbfa293a32e6c86bfd06bc046eaa2f9e" + hash = "17942865680bd3d6e6633c90cc4bd692ae0951a8589dbe103c1e293b3067344d" + hash = "b1920889466cd5054e3ab6433a618e76c6671c3e806af8b3084c77c0e7648cbe" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006e00740065006b002000500063006900650032005500610072007400200041006400610070007400650072 } /* FileDescription FintekPcieUartAdapter */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006e00740065006b00200043006f00720070002e } /* CompanyName FintekCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006e00740065006b00200043006f00720070002e002000460069006e00740065006b0020005000630069006500320055006100720074 } /* ProductName FintekCorpFintekPcieUart */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0046005000430049004500320043004f004d002e007300790073 } /* OriginalFilename FPCIECOMsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200040002000460069006e00740065006b00200043006f00720070002e00200032003000300032002d0032003000310033 } /* LegalCopyright CopyrightFintekCorp */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_42B3 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "42b31b850894bf917372ff50fbe1aff3990331e8bd03840d75e29dcc1026c180" + hash = "c0c52425dd90f36d110952c665e5b644bb1092f952942c07bb4da998c9ce6e5b" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e003300320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e003300320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_5BD4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: all of them } +rule PUA_VULN_Driver_Innotekgmbh_Vboxusbsys_Virtualboxusbdriver_C509 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c509935f3812ad9b363754216561e0a529fc2d5b8e86bfa7302b8d149b7d04aa" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Netfiltersys_F171 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e0038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_DD4F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NICM.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "dd4fedd5662122cbfe046a12e2137294ef1cb7822238d9e24eacc78f22f8e93d" + hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" + hash = "1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b" + hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" + hash = "6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_7627 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb" + hash = "1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_16AE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "16ae28284c09839900b99c0bdf6ce4ffcd7fe666cfd5cfb0d54a3ad9bea9aa9c" + hash = "d54ac69c438ba77cde88c6efd6a423491996d4e8a235666644b1db954eb1da9c" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300032002e00310035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300032002e00310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Computerz_Computerzsys_Computerzsystemdriver_61F3 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "61f3b1c026d203ce94fab514e3d15090222c0eedc2a768cc2d073ec658671874" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f006d00700075007400650072005a002000530079007300740065006d0020004400720069007600650072 } /* FileDescription ComputerZSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f006d00700075007400650072005a } /* CompanyName ComputerZ */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0038002e003800310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0038002e003800310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f006d00700075007400650072005a002000530079007300740065006d0020004400720069007600650072 } /* ProductName ComputerZSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300030003800200043006f006d00700075007400650072005a } /* LegalCopyright CopyrightCComputerZ */ + condition: + all of them +} + + rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_88E2 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" @@ -272,7 +848,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_8 hash = "59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879" hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd" hash = "9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -295,12 +871,17 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_1F4D { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c" hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e" + hash = "922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832" + hash = "c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547" + hash = "c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0" hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e" hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b" hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" + hash = "b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5" + hash = "65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377" hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -316,14 +897,64 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_1F4D { } +rule PUA_VULN_Driver_Mitactechnologycorporation_Vdbsvsys_Mitacsystemserviceprovider_91AF { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VdBSv64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "91afa3de4b70ee26a4be68587d58b154c7b32b50b504ff0dc0babc4eb56578f4" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName MiTACTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200031002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200031002c00200031002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0056006400420053007600360034002e007300790073 } /* InternalName VdBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName MiTACSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0056006400420053007600360034002e007300790073 } /* OriginalFilename VdBSvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCMiTACTechnologyCorporation */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_00B3 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd" + hash = "3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928" + hash = "18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7" + hash = "94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915" + hash = "c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Novellinc_Novellxtier_B50F { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" + hash = "dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b" hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" - date = "2024-07-29" + hash = "0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49" + hash = "d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ @@ -345,7 +976,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ @@ -367,7 +998,7 @@ rule PUA_VULN_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwrit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* FileDescription Hardwarereadwritedriver */ @@ -389,7 +1020,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -411,7 +1042,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3124 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004600720065007100750065006e00630079005f00430043 } /* FileDescription NTIOLibforMSIFrequencyCC */ @@ -427,13 +1058,80 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3124 { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_FF55 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ff55c1f308a5694eb66a3e9ba326266c826c5341c44958831a7a59a23ed5ecc8" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0038002e003100780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_A855 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6" + hash = "49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94" + hash = "653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_DB71 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Monitor_win10_x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f006200690074002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription IObitTemperatureMonitor */ @@ -449,13 +1147,47 @@ rule PUA_VULN_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { } +rule PUA_VULN_Driver_Iobit_Iobitunlockersys_Iobitunlocker_2B33 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae" + hash = "faa9aa7118ecf9bb6594281f6b582f1ced0cc62d5db09a2fbf9b7ce70c532285" + hash = "507724d96a54f3e45c16a065bf38ae82a9b80d07096a461068a701cae0c1cf29" + hash = "b0dd55b4dc7e561dfe413b029673674e2a5381f5f4daede03ddf3484310a6e11" + hash = "c2e1a3dd0dfb3477a3e855368b23d12b8818df8fa3bc3508abf069a0873d6bf8" + hash = "d3e95b8d8cbb0c4c3bb78d929408b37fd3b8f305b6234f7f03954465d52454eb" + hash = "5ea5f339b2e40dea57378626790ca7e9a82777aacdada5bc61ebb7d82043fa07" + hash = "b6ae324b84a4632cf690dd565954d64b205104fc3fa42181612c3f5b830579c6" + hash = "d8096325bfe81b093dd522095b6153d9c4850ba2eaa790e12e7056ef160d0432" + hash = "a38c26c0754f6c9389ea43dd0149db26b95742c1b37468fcf0d8ced66da1dcb9" + hash = "a92d2736c8cd99195a1ef4d0d9a3412bee481acf585944e3b5946b465361a3e7" + hash = "0209934453e9ce60b1a5e4b85412e6faf29127987505bfb1185fc9296c578b09" + hash = "969f73a1da331e43777a3c1f08ec0734e7cf8c8136e5d469cbad8035fbfe3b47" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f0062006900740055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription IObitUnlockerDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072 } /* ProductName IObitUnlocker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0049004f00620069007400200043006f0070007900720069006700680074002000a900200032003000300035002d0032003000310033 } /* LegalCopyright IObitCopyright */ + condition: + all of them +} + + rule PUA_VULN_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PhlashNT.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300570069006e0046006c006100730068002000440072006900760065007200200066006f0072002000570069006e0064006f007700730020004e0054 } /* FileDescription SWinFlashDriverforWindowsNT */ @@ -477,7 +1209,7 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ @@ -493,13 +1225,80 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 { } +rule PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_F4DC { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f4dc11b7922bf2674ca9673638e7fe4e26aceb0ebdc528e6d10c8676e555d7b2" + hash = "070ff602cccaaef9e2b094e03983fd7f1bf0c0326612eb76593eabbf1bda9103" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0032002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f00440044007200690076006500720032002e007300790073 } /* InternalName AODDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f00440044007200690076006500720032002e007300790073 } /* OriginalFilename AODDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003200200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovider_8FE4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8fe429c46fedbab8f06e5396056adabbb84a31efef7f9523eb745fc60144db65" + hash = "71423a66165782efb4db7be6ce48ddb463d9f65fd0f266d333a6558791d158e5" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f00200066006f0072002000570069006e00360034 } /* FileDescription GenericPortIOforWin */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* ProductName WindowsRDDKprovider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200032003000300035 } /* LegalCopyright CopyrightCMicrosoftCorp */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Anticheatexpertcom_Acebase_Anticheatexpert_7326 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ACE-BASE.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7326aefff9ea3a32286b423a62baebe33b73251348666c1ee569afe62dd60e11" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100430045002d0042004100530045003600340020004e00540020004400720069007600650072 } /* FileDescription ACEBASENTDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041004e0054004900430048004500410054004500580050004500520054002e0043004f004d } /* CompanyName ANTICHEATEXPERTCOM */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032003200300032002e0036003200310037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100430045002d004200410053004500360034 } /* InternalName ACEBASE */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069002d004300680065006100740020004500780070006500720074 } /* ProductName AntiCheatExpert */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200041006e0074006900430068006500610074004500780070006500720074002e0063006f006d0020004c0069006d0069007400650064002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright AntiCheatExpertcomLimitedAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -515,24 +1314,86 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_1072 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f" - hash = "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba" - hash = "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15" - hash = "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c" + hash = "1072beb3ff6b191b3df1a339e3a8c87a8dc5eae727f2b993ea51b448e837636a" + hash = "e8eb1c821dbf56bde05c0c49f6d560021628df89c29192058ce68907e7048994" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e0031003100320036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e0031003100320036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0061007600610073007400210020004e0047 } /* ProductName avastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003200200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_8A07 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881" + hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43" + hash = "65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d" + hash = "b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c" + hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf" + hash = "fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70" + hash = "b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f" + hash = "d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8" + hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26" + hash = "53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6" + hash = "0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310033002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f" + hash = "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba" + hash = "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15" + hash = "636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220" + hash = "e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc" + hash = "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c" + hash = "d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6" + hash = "b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b" + hash = "b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d" hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6" hash = "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512" + hash = "c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa" hash = "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe" hash = "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc" + hash = "a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e" hash = "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1" hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758" hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90" hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -548,6 +1409,75 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { } +rule PUA_VULN_Driver_Proxydrvsys_Nn_C0E7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_5381 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b" + hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" + hash = "003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Netfiltersys_26D6 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "26d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe" + hash = "6a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe1660" + hash = "2fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Asustek_Driversys_Ectool_927C { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - driver7-x86-withoutdbg.sys" @@ -555,8 +1485,9 @@ rule PUA_VULN_Driver_Asustek_Driversys_Ectool_927C { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a" hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0" + hash = "1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb" hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400680065002000640072006900760065007200200066006f007200200074006800650020004500430074006f006f006c0020006400720069007600650072002d0062006100730065006400200074006f006f006c0073 } /* FileDescription ThedriverfortheECtooldriverbasedtools */ @@ -572,13 +1503,169 @@ rule PUA_VULN_Driver_Asustek_Driversys_Ectool_927C { } +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_DD62 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "dd628061d6e53f3f0b44f409ad914b3494c5d7b5ff6ff0e8fc3161aacec93e96" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d0020004400720069007600650072 } /* FileDescription TrendMicroELAMDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Intelcorp_Stdcdrvwssys_Selftestdatacollectordriverforwindowsx_70AF { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - stdcdrvws64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "70afdc0e11db840d5367afe53c35d9642c1cf616c7832ab283781d085988e505" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f00720020004400720069007600650072 } /* FileDescription SelfTestDataCollectorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070002e } /* CompanyName IntelCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730074006400630064007200760077007300360034002e007300790073 } /* InternalName stdcdrvwssys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072002000440072006900760065007200200066006f0072002000570069006e0064006f00770073002000370020007800360034 } /* ProductName SelfTestDataCollectorDriverforWindowsx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730074006400630064007200760077007300360034002e007300790073 } /* OriginalFilename stdcdrvwssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310030 } /* LegalCopyright Copyright */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Realteksemiconductorcorp_Rtportsys_Realtekportio_FF32 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ff322cd0cc30976f9dbdb7a3681529aeab0de7b7f5c5763362b02c15da9657a1" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200450041004c00540045004b00200050006f0072007400200049002f004f } /* FileDescription REALTEKPortIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c00540045004b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070002e } /* CompanyName REALTEKSemiconductorCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00300031002e0030003000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00300031002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005200540050004f00520054002e005300590053 } /* InternalName RTPORTSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200450041004c00540045004b00200050006f0072007400200049002f004f } /* ProductName REALTEKPortIO */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005200540050004f00520054002e005300590053 } /* OriginalFilename RTPORTSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200031003900390039002d00320030003000310020005200450041004c00540045004b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070002e } /* LegalCopyright CopyrightcREALTEKSemiconductorCorp */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_A6F7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e00320030003100320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e0032003000310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_834A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78" + hash = "e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_F4C7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de" + hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" + hash = "1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F42E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d005300490043006c006f0063006b005f00430043 } /* FileDescription NTIOLibforMSIClockCC */ @@ -594,13 +1681,36 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { } +rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_3867 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "386745d23a841e1c768b5bdf052e0c79bb47245f9713ee64e2a63f330697f0c8" + hash = "5aee1bae73d056960b3a2d2e24ea07c44358dc7bc3f8ac58cc015cccc8f8d89c" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800300032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -622,7 +1732,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -638,6 +1748,28 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { } +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_38D6 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_42E1 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_I2cIo.sys" @@ -646,7 +1778,7 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_42E1 { hash = "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb" hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65" hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -662,13 +1794,35 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_42E1 { } +rule PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_07AF { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + condition: + all of them +} + + rule PUA_VULN_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemserviceprovider_C9CF { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mtcBSv64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ @@ -684,13 +1838,35 @@ rule PUA_VULN_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemserviceprov } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7125 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7125c9831a52d89d3d59fb28043b67fbe0068d69732da006fabb95550d1fa730" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -708,11 +1884,11 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 { rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viraglt64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viraglt64.sys, viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -734,7 +1910,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxsys_Panca author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ @@ -750,13 +1926,36 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxsys_Panca } +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_D633 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d633055c7eda26dacfc30109eb790625519fc7b0a3a601ceed9e21918aad8a1b" + hash = "29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e00300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e00300036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -772,44 +1971,68 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 { } -rule PUA_VULN_Driver_Novellinc_Novellxtier_6C71 { +rule PUA_VULN_Driver_Bsmisys_5962 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ncpl.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMI.sys, BSMIXP64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" - hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0" - date = "2024-07-29" + hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" + hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ - condition: - all of them + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420053004d0049002e007300790073 } /* InternalName BSMIsys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053004d0049002e007300790073 } /* OriginalFilename BSMIsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000420049004f005300540041005200200043006f00720070002e00200032003000310031 } /* LegalCopyright CopyrightCBIOSTARCorp */ + condition: + all of them } -rule PUA_VULN_Driver_Bsmisys_5962 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_C6FE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMIXP64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" - hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" - date = "2024-07-29" + hash = "c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1" + hash = "e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe" + hash = "f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e" + hash = "1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420053004d0049002e007300790073 } /* InternalName BSMIsys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053004d0049002e007300790073 } /* OriginalFilename BSMIsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000420049004f005300540041005200200043006f00720070002e00200032003000310031 } /* LegalCopyright CopyrightCBIOSTARCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_AF16 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003200200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: all of them } @@ -851,7 +2074,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_99F4 { hash = "47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005" hash = "38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a" hash = "ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -867,25 +2090,46 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_99F4 { } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_26E3 { +rule PUA_VULN_Driver_Ncrcorporation_Radhwmgrsys_Ncrcorporationhardwaremanagerdriver_7C8A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43" - hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf" - hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26" - date = "2024-07-29" + hash = "7c8ad57b3a224fdc2aac9dd2d7c3624f1fcd3542d4db804de25a90155657e2cc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310033002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e } /* CompanyName NCRCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00330033002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00330033002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e0020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName NCRCorporationHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000310038004e0043005200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright NCRCorporation */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Avaluetechnologyinc_Avalueio_Avalueio_A5A4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - avalueio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a5a4a3c3d3d5a79f3ed703fc56d45011c21f9913001fcbcc43a3f7572cff44ec" + hash = "defde359045213ae6ae278e2a92c5b4a46a74119902364c7957a38138e9c9bbd" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100760061006c007500650049004f0020004400720069007600650072 } /* FileDescription AvalueIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0020004100760061006c0075006500200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName AvalueTechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300030002e00300032002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030002e00300032002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100560041004c005500450049004f } /* InternalName AVALUEIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061006c007500650049004f0020 } /* ProductName AvalueIO */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100560041004c005500450049004f002e005300590053 } /* OriginalFilename AVALUEIOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020006300200032003000310036 } /* LegalCopyright Copyrightc */ condition: all of them } @@ -900,7 +2144,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftatcamfntam hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5" hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3" hash = "36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440065006600610075006c0074002000420049004f005300200046006c0061007300680020004400720069007600650072 } /* FileDescription DefaultBIOSFlashDriver */ @@ -916,13 +2160,87 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftatcamfntam } +rule PUA_VULN_Driver_Novellinc_Novellxtier_F27F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229" + hash = "8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750" + hash = "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48" + hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" + hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a" + hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_965D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "965d4f981b54669a96c5ab02d09bf0a9850d13862425b8981f1a9271350f28bb" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_5A66 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5a661e26cfe5d8dedf8c9644129039cfa40aebb448895187b96a8b7441d52aaa" + hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f" + hash = "202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213" + hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" + hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0" + hash = "b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibrary_6B83 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIOx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ @@ -938,37 +2256,13 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibr } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_2A6D { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486" - hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961" - hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399" - date = "2024-07-29" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310032002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ - condition: - all of them -} - - rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -990,7 +2284,7 @@ rule PUA_VULN_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006e005400650063006800200073006f006600740045006e00670069006e006500200078003600340020006b00650072006e0065006c002d006d006f006400650020006400720069007600650072 } /* FileDescription EnTechsoftEnginexkernelmodedriver */ @@ -1012,7 +2306,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0B5 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -1028,13 +2322,38 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0B5 } +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_F159 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672" + hash = "9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01" + hash = "0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182" + hash = "9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -1057,7 +2376,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039" hash = "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1073,13 +2392,59 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { } +rule PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_3C11 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3c11dec1571253594d64619d8efc8c0212897be84a75a8646c578e665f58bf5d" + hash = "5a0b10a9e662a0b0eeb951ffd2a82cc71d30939a78daebd26b3f58bb24351ac9" + hash = "7a1105548bfc4b0a1b7b891cde0356d39b6633975cbcd0f2e2d8e31b3646d2ca" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* InternalName AODDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* OriginalFilename AODDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003200300030003900200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_EAA5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Zemanaltd_Zam_8FE9 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -1098,10 +2463,15 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenam author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668" + hash = "84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51" + hash = "8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c" hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" + hash = "ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4" hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" - date = "2024-07-29" + hash = "79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd" + hash = "6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -1123,7 +2493,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3D9E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004e00540049004f004c00690062005f00450043004f } /* FileDescription NTIOLibForNTIOLibECO */ @@ -1139,6 +2509,50 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3D9E { } +rule PUA_VULN_Driver_Logitech_Lgcoretempsys_Lgcoretemp_E0CB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgCoreTemp.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430050005500200043006f00720065002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription CPUCoreTemperatureMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f006700690074006500630068 } /* CompanyName Logitech */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* InternalName LgCoreTempsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070 } /* ProductName LgCoreTemp */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* OriginalFilename LgCoreTempsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004c006f006700690074006500630068002c00200049006e0063 } /* LegalCopyright CopyrightLogitechInc */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Intelcorporation_Stdcdrvsys_Selftestdatacollector_3702 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - stdcdrv64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "37022838c4327e2a5805e8479330d8ff6f8cd3495079905e867811906c98ea20" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072 } /* FileDescription SelfTestDataCollector */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007300740064006300640072007600360034002e007300790073 } /* InternalName stdcdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072 } /* ProductName SelfTestDataCollector */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007300740064006300640072007600360034002e007300790073 } /* OriginalFilename stdcdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200049006e00740065006c00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightcIntelCorporation */ + condition: + all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" @@ -1146,7 +2560,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250" hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d0053004900530069006d0070006c0065005f004f0043 } /* FileDescription NTIOLibForMSISimpleOC */ @@ -1169,7 +2583,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D reference = "https://github.com/magicsword-io/LOLDrivers" hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0" hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -1185,6 +2599,94 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D } +rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovider_3C0A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3c0a36990f7eef89b2d5f454b6452b6df1304609903f31f475502e4050241dd8" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f00200066006f0072002000570069006e00330032 } /* FileDescription GenericPortIOforWin */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* ProductName WindowsRDDKprovider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200032003000300035 } /* LegalCopyright CopyrightCMicrosoftCorp */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_5FAE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5fae7e491b0d919f0b551e15e0942ac7772f2889722684aea32cff369e975879" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e0030002e0030002e003300360032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e0030002e0030002e003300360032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Innotekgmbh_Vboxusbmonsys_Virtualboxusbmonitordriver_3D05 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3d055be2671e136c937f361cef905e295ddb6983526341f1d5f80a16b7655b40" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_1A45 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1a450ae0c9258ab0ae64f126f876b5feed63498db729ec61d06ed280e6c46f67" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_62F5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" @@ -1192,7 +2694,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_62F5 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0" hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1215,7 +2717,7 @@ rule PUA_VULN_Driver_Yyinc_Dianhu_80CB { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3" hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */ @@ -1231,12 +2733,14 @@ rule PUA_VULN_Driver_Yyinc_Dianhu_80CB { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00" + hash = "7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96" hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9" - date = "2024-07-29" + hash = "b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -1258,7 +2762,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -1274,13 +2778,57 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Wnbiossys_Windowsrwinddkdriver_530D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wnbios.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "530d9223ec7e4123532a403abef96dfd1af5291eb49497392ff5d14d18fccfbb" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0057006e00420069006f00730020004400720069007600650072 } /* FileDescription WnBiosDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0077006e00620069006f0073002e007300790073 } /* InternalName wnbiossys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0077006e00620069006f0073002e007300790073 } /* OriginalFilename wnbiossys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_98EC { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + condition: + all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_591B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* FileDescription NTIOLibForMSIRatioCC */ @@ -1303,7 +2851,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_47EA { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84" hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ @@ -1325,7 +2873,7 @@ rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_6532 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -1347,7 +2895,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -1369,9 +2917,12 @@ rule PUA_VULN_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_AD40 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" + hash = "6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943" hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7" + hash = "c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad" + hash = "be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0" hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */ @@ -1387,13 +2938,38 @@ rule PUA_VULN_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_AD40 { } +rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_E502 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e502c2736825ea0380dd42effaa48105a201d4146e79de00713b8d3aaa98cd65" + hash = "5c80dc051c4b0c62b9284211f71e5567c0c0187e466591eacb93e7dc10e4b9ab" + hash = "d6801e845d380c809d0da8c7a5d3cd2faa382875ae72f5f7af667a34df25fbf7" + hash = "d474ea066d416ded9ed8501c285ca6b1c26a1d1c813c8f6bd5523eeb66c5d01e" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e0031003100310030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e0031003100310030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0CD4 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -1409,37 +2985,13 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0CD } -rule PUA_VULN_Driver_Novellinc_Novellxtier_E16D { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48" - hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" - hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a" - hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d" - date = "2024-07-29" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ - condition: - all of them -} - - rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1461,7 +3013,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1483,7 +3035,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -1499,29 +3051,69 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ } -rule PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_3943 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_3B71 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv106.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" - hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" - hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" - hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" - hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" - hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" - hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" - date = "2024-07-29" + hash = "3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458" + hash = "72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35" + hash = "d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4" + hash = "87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_0BD1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0bd1523a68900b80ed1bccb967643525cca55d4ff4622d0128913690e6bb619e" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_1E94 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1e94d4e6d903e98f60c240dc841dcace5f9e8bbb0802e6648a49ab80c23318cb" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: all of them } @@ -1533,7 +3125,7 @@ rule PUA_VULN_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F744 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004500540044006900200053007500700070006f007200740020004400720069007600650072 } /* FileDescription ETDiSupportDriver */ @@ -1549,13 +3141,88 @@ rule PUA_VULN_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F744 { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_DB1D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "db1dbb09d437d3e8bed08c88ca43769b4fe8728f68b78ff6f9c8d2557e28d2b1" + hash = "5c54a5cd3386ac14725a07962562e9fdcefbb7be0d19803f9d71de24573de1e3" + hash = "6703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c0" + hash = "47e35f474f259314c588af35e88561a015801b52db523eb75fc7eccff8b3be4d" + hash = "0eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec" + hash = "639ff79f13e40d47b90ecd709699edd10e740cb41451acb95590a68b6352de2b" + hash = "f488500be4eaafba74b644be95d4c0523297770fb9bb78c449f643ab8d4a05d9" + hash = "8017e618b5a7aa608cc4bce16e4defd6b4e99138c4ba1bdd6ad78e39f035cf59" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_4ED2 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e00320030003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Netfiltersys_1265 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "12656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df" + hash = "7ff8fe4c220cf6416984b70a7e272006a018e5662da3cedc2a88efeb6411b4a4" + hash = "1cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -1571,6 +3238,50 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { } +rule PUA_VULN_Driver_Iobit_Iobitunlockersys_Iobitunlocker_C79A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f0062006900740055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription IObitUnlockerDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072 } /* ProductName IObitUnlocker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0049004f00620069007400200043006f0070007900720069006700680074002000a900200032003000300035002d0032003000310033 } /* LegalCopyright IObitCopyright */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_16B5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Phoenixtechnologies_Agentsys_Driveragent_4045 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Agent64.sys" @@ -1581,7 +3292,8 @@ rule PUA_VULN_Driver_Phoenixtechnologies_Agentsys_Driveragent_4045 { hash = "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa" hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414" hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748" - date = "2024-07-29" + hash = "4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004400720069007600650072004100670065006e0074002000440069007200650063007400200049002f004f00200066006f0072002000360034002d006200690074002000570069006e0064006f00770073 } /* FileDescription DriverAgentDirectIOforbitWindows */ @@ -1597,13 +3309,36 @@ rule PUA_VULN_Driver_Phoenixtechnologies_Agentsys_Driveragent_4045 { } +rule PUA_VULN_Driver_Ludashicom_Computerzsys_FA77 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "fa77a472e95c4d0a2271e5d7253a85af25c07719df26941b39082cfc0733071a" + hash = "423f052690b6b523502931151dfcc63530e3bd9d79680f9b5ac033b23b5c6f18" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -1619,35 +3354,13 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { } -rule PUA_VULN_Driver_Novellinc_Novellxtier_904E { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NICM.SYS" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" - hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" - date = "2024-07-29" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ - condition: - all of them -} - - rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ @@ -1663,6 +3376,28 @@ rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4AC0 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ac08a6035cfcafdac712d7c3cf2eef6e10258f14cee6e80e1ef2f71f5045173" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003900300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00390030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_2A65 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrIbDrv.sys" @@ -1674,7 +3409,7 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_2A65 { hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc" hash = "0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb" hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* FileDescription RWEverythingReadWriteDriver */ @@ -1696,7 +3431,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1712,62 +3447,130 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 { } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D0 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_2203 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0" - date = "2024-07-29" + hash = "2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000300038002c002000300035002c002000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e0056006f0063006c006f0063006b002e00520043 } /* OriginalFilename NVoclockRC */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033 } /* LegalCopyright Copyright */ condition: all of them } -rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_9B1A { +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_442C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194" - date = "2024-07-29" + hash = "442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c" + hash = "3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: all of them } -rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsys_Pancafemanager_7E01 { +rule PUA_VULN_Driver_Ludashicom_Computerzsys_468B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFlt.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7" - date = "2024-07-29" + hash = "468b087a0901d7bd971ab564b03ded48c508840b1f9e5d233a7916d1da6d9bd5" + hash = "f93e0d776481c4ded177d5e4aebb27f30f0d47dcb4a1448aee8b66099ac686e1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D0 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_9B1A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsys_Pancafemanager_7E01 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFlt.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e004d006f006e0046006c0074002e007300790073 } /* InternalName PanMonFltsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e00430061006600650020004d0061006e0061006700650072 } /* ProductName PanCafeManager */ @@ -1778,13 +3581,36 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsys_Pancaf } +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_F4E5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f4e500a9ac5991da5bf114fa80e66456a2cde3458a3d41c14e127ac09240c114" + hash = "642857fc8d737e92db8771e46e8638a37d9743928c959ed056c15427c6197a54" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + all of them +} + + rule PUA_VULN_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Lenovodiagnostics_F05B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LenovoDiagnosticsDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073002000440072006900760065007200200066006f0072002000570069006e0064006f0077007300200031003000200061006e00640020006c0061007400650072002e } /* FileDescription LenovoDiagnosticsDriverforWindowsandlater */ @@ -1800,13 +3626,54 @@ rule PUA_VULN_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Lenovodiagno } +rule PUA_VULN_Driver_3F20 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - pchunter.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3f20ac5dac9171857fc5791865458fdb6eac4fab837d7eabc42cb0a83cb522fc" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]7cfb7edf4fe1606f67e5770b5de55177 } /* FileDescription */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8982af7f5176feff0853174eacff0979d1628067099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0037 } /* ProductVersion */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310039002d003200300032003100200041006e00580069006e00530065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CAnXinSecCorporationAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_7D4C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0031002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003000200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Dell_Dbutil_71FE { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DBUtilDrv2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440042005500740069006c } /* FileDescription DBUtil */ @@ -1819,6 +3686,29 @@ rule PUA_VULN_Driver_Dell_Dbutil_71FE { } +rule PUA_VULN_Driver_Cn_Computerzsys_6D2C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6d2cc7e1d95bb752d79613d0ea287ea48a63fb643dcb88c12b516055da56a11d" + hash = "8047859a7a886bcf4e666494bd03a6be9ce18e20dc72df0e5b418d180efef250" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310033002e0031003000310039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310033002e0031003000310039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100330020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Atszio_Atsziodriver_673B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" @@ -1826,7 +3716,7 @@ rule PUA_VULN_Driver_Atszio_Atsziodriver_673B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b" hash = "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -1847,7 +3737,7 @@ rule PUA_VULN_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0065006d006f007200790020006d0061007000700069006e00670020004400720069007600650072 } /* FileDescription MemorymappingDriver */ @@ -1863,24 +3753,26 @@ rule PUA_VULN_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E { } -rule PUA_VULN_Driver_Novellinc_Novellxtier_FB81 { +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_9724 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f" - hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" - hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0" - date = "2024-07-29" + hash = "9724488ca2ba4c787640c49131f4d1daae5bd47d6b2e7e5f9e8918b1d6f655be" + hash = "a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512" + hash = "e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21" + hash = "8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ condition: all of them } @@ -1892,7 +3784,7 @@ rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -1915,7 +3807,7 @@ rule PUA_VULN_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_23B reference = "https://github.com/magicsword-io/LOLDrivers" hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade" hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c00480041 } /* FileDescription LHA */ @@ -1931,13 +3823,81 @@ rule PUA_VULN_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_23B } +rule PUA_VULN_Driver_Elitegroupcomputersystems_Ecsiodriversys_Ecsiodriver_2705 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ecsiodriverx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "270547552060c6f4f5b2ebd57a636d5e71d5f8a9d4305c2b0fe5db0aa2f389cc" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045004300530049006f004400720069007600650072 } /* FileDescription ECSIoDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00690074006500670072006f0075007000200043006f006d00700075007400650072002000530079007300740065006d0073 } /* CompanyName ElitegroupComputerSystems */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045004300530049006f004400720069007600650072002e007300790073 } /* InternalName ECSIoDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0045004300530049006f004400720069007600650072 } /* ProductName ECSIoDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045004300530049006f004400720069007600650072002e007300790073 } /* OriginalFilename ECSIoDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d003200300031003000200045006c00690074006500670072006f0075007000200043006f006d00700075007400650072002000530079007300740065006d0073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCElitegroupComputerSystemsAllrightsreserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Cn_Computerzsys_8D33 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8d3347c93dff62eecdde22ccc6ba3ce8c0446874738488527ea76d0645341409" + hash = "31ffc8218a52c3276bece1e5bac7fcb638dca0bc95c2d385511958abdbe4e4a5" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310032002e0031003000310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310032002e0031003000310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100320020003300360030002e0063006e } /* LegalCopyright Ccn */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_C586 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c586befc3fd561fcbf1cf706214ae2adaa43ce9ba760efd548d581f60deafc65" + hash = "dda2a604bb94a274e23f0005f0aa330d45ca1ea25111746fb46fa5ef6d155b1d" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0039002e0031003100300035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0039002e0031003100300035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Logmeininc_Lmiinfosys_Logmein_453B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LMIinfo.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0067004d00650049006e0020004b00650072006e0065006c00200049006e0066006f0072006d006100740069006f006e002000500072006f00760069006400650072 } /* FileDescription LogMeInKernelInformationProvider */ @@ -1953,13 +3913,82 @@ rule PUA_VULN_Driver_Logmeininc_Lmiinfosys_Logmein_453B { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_76AF { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "76af3f9fa111d694e37058606f2636430bdd378c85b94f426fbfcd6666ebe6cc" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000380020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1284 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0032002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0032002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Rweverything_Asrsetupdrvsys_Asrsetupdrvdriver_9D93 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrSetupDrv103.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3" + hash = "a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* FileDescription AsrSetupDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* InternalName AsrSetupDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* ProductName AsrSetupDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* OriginalFilename AsrSetupDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ + condition: + all of them +} + + rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2" - date = "2024-07-29" + hash = "7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5" + hash = "0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -1975,13 +4004,58 @@ rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 { } +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_D0EB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d0eb3ba0aff471d19260192784bf9f056d669b779b6eaff84e732b7124ce1d11" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_EDBB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "edbb23e74562e98b849e5d0eefde3af056ec6e272802a04b61bebd12395754e5" + hash = "4b465faf013929edf2f605c8cd1ac7a278ddc9a536c4c34096965e6852cbfb51" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ + condition: + all of them +} + + rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -2003,7 +4077,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_B author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2025,7 +4099,7 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2041,44 +4115,123 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C { } -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_1493 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f" - date = "2024-07-29" + hash = "14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c" + hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" + hash = "41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f" + hash = "a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53" + hash = "e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce" + hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { +rule PUA_VULN_Driver_Powertool_Kevpsys_Powertool_7C0F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7" - date = "2024-07-29" + hash = "7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230" + hash = "d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e" + hash = "2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d" + hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" + hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" + hash = "e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4" + hash = "7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f" + hash = "97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56" + hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Cn_Computerzsys_BC45 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "bc453d428fc224960fa8cbbaf90c86ce9b4c8c30916ad56e525ab19b6516424e" + hash = "182bbdb9ecd3932e0f0c986b779c2b2b3997a7ca9375caa2ec59b4b08f4e9714" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003900200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: all of them @@ -2091,7 +4244,7 @@ rule PUA_VULN_Driver_Safenetinc_Hostnt_Hostnt_07B6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006f00730074006e0074002000360034002d0062006900740020006400720069007600650072 } /* FileDescription Hostntbitdriver */ @@ -2113,7 +4266,7 @@ rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ @@ -2129,13 +4282,35 @@ rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 { } +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_848B { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "848b150ffcf1301b26634a41f28deacb5ccdd3117d79b590d515ed49849b8891" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + all of them +} + + rule PUA_VULN_Driver_Zemanaltd_Zam_7CB5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -2155,7 +4330,7 @@ rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdri author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ @@ -2178,7 +4353,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd" hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2194,23 +4369,89 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 { } -rule PUA_VULN_Driver_Novellinc_Novellxtier_2899 { +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_0EAB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" - hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" - date = "2024-07-29" + hash = "0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_8EF5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e00320030003100350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e0032003000310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1F15 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_0452 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ condition: all of them } @@ -2222,7 +4463,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2244,7 +4485,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */ @@ -2267,9 +4508,11 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_7710 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c" hash = "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2" + hash = "6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388" hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88" hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c" - date = "2024-07-29" + hash = "b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -2285,13 +4528,63 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_7710 { } +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_AD8F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7" + hash = "0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Ludashicom_Computerzsys_71C0 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "71c0ce3d33352ba6a0fb26e274d0fa87dc756d2473e104e0f5a7d57fab8a5713" + hash = "13ae3081393f8100cc491ebb88ba58f0491b3550787cf3fd25a73aa7ca0290d9" + hash = "8781589c77df2330a0085866a455d3ef64e4771eb574a211849784fdfa765040" + hash = "e642d82c5cde2bc40a204736b5b8d6578e8e2b893877ae0508cfa3371fc254dc" + hash = "ed3448152bcacf20d7c33e9194c89d5304dee3fba16034dd0cc03a3374e63c91" + hash = "5c9e257c9740561b5744812e1343815e7972c362c8993d972b96a56e18c712f3" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100350020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriver_22BE { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - speedfan.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } /* FileDescription SpeedFanDeviceDriver */ @@ -2313,7 +4606,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ @@ -2335,7 +4628,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2357,7 +4650,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -2380,7 +4673,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_0 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85" hash = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2404,7 +4697,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_AE42 { hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471" hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2" hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ @@ -2426,7 +4719,7 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_3724 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -2444,11 +4737,11 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_3724 { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ @@ -2464,6 +4757,52 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { } +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_D7C9 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8" + hash = "64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000300030002c002000300030002c002000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e0056006f0063006c006f0063006b002e00520043 } /* OriginalFilename NVoclockRC */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033 } /* LegalCopyright Copyright */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Cn_Computerzsys_A97B { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a97b404aae301048e0600693457c3320d33f395e9312938831bc5a0e808f2e67" + hash = "47c490cc83a17ff36a1a92e08d63e76edffba49c9577865315a6c9be6ba80a7d" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003000300038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003000300038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ + condition: + all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" @@ -2471,7 +4810,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee" hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062005f005800360034 } /* FileDescription NTIOLibX */ @@ -2487,6 +4826,28 @@ rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { } +rule PUA_VULN_Driver_Featureintegrationtechnologyinc_Fintekpciecom_81FB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FPCIE2COM.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "81fbc9d02ef9e05602ea9c0804d423043d0ea5a06393c7ece3be03459f76a41d" + hash = "ebf0e56a1941e3a6583aab4a735f1b04d4750228c18666925945ed9d7c9007e1" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460049004e00540045004b002000500043004900450043004f004d00200041006400610070007400650072 } /* FileDescription FINTEKPCIECOMAdapter */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004600650061007400750072006500200049006e0074006500670072006100740069006f006e00200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName FeatureIntegrationTechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320032002c00310032002c0035002c0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320032002c00310032002c0035002c0030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460049004e00540045004b002000500043004900450043004f004d0020 } /* ProductName FINTEKPCIECOM */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0046005000430049004500320043004f004d002e007300790073 } /* OriginalFilename FPCIECOMsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200320020004600650061007400750072006500200049006e0074006500670072006100740069006f006e00200054006500630068006e006f006c006f0067007900200049006e0063002e } /* LegalCopyright CopyrightCFeatureIntegrationTechnologyInc */ + condition: + all of them +} + + rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_6BFC { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" @@ -2495,7 +4856,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_6 hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e" hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc" hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2517,7 +4878,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_7 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2539,7 +4900,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_45F4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -2565,7 +4926,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4D05 { hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5" hash = "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572" hash = "d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -2587,7 +4948,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -2609,7 +4970,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2625,13 +4986,60 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { } +rule PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_8899 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3" + hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" + hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38" + hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00310038003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0031003800330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Filseclabcorporation_Fildds_Filseclabdynamicdefensesystem_F8C0 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - fildds.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f8c07b6e2066a5a22a92d9f521ecdeb8c68698c400e4b83e0501b9f340957c22" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d0020004400720076 } /* FileDescription FilseclabDynamicDefenseSystemDrv */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* CompanyName FilseclabCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200038003500350033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200038003500350033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00660069006c006400640073 } /* InternalName fildds */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d } /* ProductName FilseclabDynamicDefenseSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00660069006c006400640073002e007300790073 } /* OriginalFilename filddssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d0032003000310031002000460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCFilseclabCorporation */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -2647,13 +5055,35 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_3E85 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3070 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0053004900200043006f006d00430065006e00530065007200760069006300650020004400720069007600650072 } /* FileDescription MSIComCenServiceDriver */ @@ -2675,7 +5105,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CC58 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -2699,7 +5129,7 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodena hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677" hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab" hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2715,13 +5145,35 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodena } +rule PUA_VULN_Driver_Nmscommunications_Cgkwinksys_Ctaccess_223F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cg6kwin2k.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "223f61c3f443c5047d1aeb905b0551005a426f084b7a50384905e7e4ecb761a1" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430047002f004d0047002000660061006d0069006c00790020006400720069007600650072 } /* FileDescription CGMGfamilydriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e004d005300200043006f006d006d0075006e00690063006100740069006f006e0073 } /* CompanyName NMSCommunications */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e003000300020006200750069006c0074002000620079003a002000410064006d0069006e006900730074007200610074006f0072 } /* FileVersion builtbyAdministrator */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300670036006b00770069006e0032006b002e007300790073 } /* InternalName cgkwinksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004300540020004100630063006500730073 } /* ProductName CTAccess */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300670036006b00770069006e0032006b002e007300790073 } /* OriginalFilename cgkwinksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004e004d005300200043006f006d006d0075006e00690063006100740069006f006e007300200043006f00720070002e0032003000300034 } /* LegalCopyright CopyrightCNMSCommunicationsCorp */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2737,16 +5189,38 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 { } -rule PUA_VULN_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74 { +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_B9AE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9" - date = "2024-07-29" + hash = "b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ $ = { 00460069006c006500560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } /* FileVersion */ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } /* ProductVersion */ @@ -2759,13 +5233,36 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C } +rule PUA_VULN_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdatetoolkerneldriver_0CF8 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0cf84400c09582ee2911a5b1582332c992d1cd29fcf811cb1dc00fcd61757db0" + hash = "f190919f1668652249fa23d8c0455acbde9d344089fde96566239b1a18b91da2" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d0077006100720065002000550070006400610074006500200054006f006f006c0020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateToolKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d0077006100720065002000550070006400610074006500200054006f006f006c0020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateToolKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* OriginalFilename PDFWKRNLsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003100200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ + condition: + all of them +} + + rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ @@ -2781,13 +5278,35 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 { } +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_4D77 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4d777a9e2c61e8b55b3c34c5265b301454bb080abe7ffb373e7800bd6a498f8d" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300035002e00300039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300035002e00300039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2803,13 +5322,57 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD { } +rule PUA_VULN_Driver_Cn_Computerzsys_00D9 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "00d9781d0823ab49505ef9c877aa6fa674e19ecc8b02c39ee2728f298bc92b03" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_C35C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c35cab244bd88bf0b1e7fc89c587d82763f66cf1108084713f867f72cc6f3633" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003800780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + all of them +} + + rule PUA_VULN_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriverfornt_EA85 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IOMap64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* FileDescription ASUSKernelModeDriverforNT */ @@ -2831,7 +5394,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2853,7 +5416,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -2876,7 +5439,7 @@ rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_5596 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa" hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d003100300020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ @@ -2892,13 +5455,124 @@ rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_5596 { } +rule PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_E602 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e6023b8fd2ce4ad2f3005a53aa160772e43fe58da8e467bd05ab71f3335fb822" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Genitlkiwibenjaminxxxxx_Titidrv_Titidrvtiticatz_208E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - titidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "208ea38734979aa2c86332eba1ea5269999227077ff110ac0a0d411073165f85" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007400690074006900640072007600200066006f0072002000570069006e0064006f00770073002000280074006900740069006300610074007a0029 } /* FileDescription titidrvforWindowstiticatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* CompanyName genitlkiwiBenjaminXXXXX */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0074006900740069006400720076 } /* InternalName titidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0074006900740069006400720076002000280074006900740069006300610074007a0029 } /* ProductName titidrvtiticatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0074006900740069006400720076002e007300790073 } /* OriginalFilename titidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* LegalCopyright CopyrightcgenitlkiwiBenjaminXXXXX */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdateutilitydriver_5DF6 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5df689a62003d26df4aefbaed41ec1205abbf3a2e18e1f1d51b97711e8fcdf00" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* OriginalFilename PDFWKRNLsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003300200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_B9AD { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Cn_Computerzsys_348D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "348dc502ac57d7362c7f222e656c52e630c90bef92217a3bd20e49193b5a69f1" + hash = "c186967cc4f2a0cb853c9796d3ea416d233e48e735f02b1bb013967964e89778" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003100320039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003100320039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ + condition: + all of them +} + + rule PUA_VULN_Driver_Mydriverscom_Hwm_Drivergenius_08EB { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mydrivers.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */ @@ -2916,11 +5590,11 @@ rule PUA_VULN_Driver_Mydriverscom_Hwm_Drivergenius_08EB { rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -2936,25 +5610,67 @@ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { } -rule PUA_VULN_Driver_Powertool_Kevpsys_Powertool_8E63 { +rule PUA_VULN_Driver_Evgatechnologyinc_Windowsvistasmartiodevice_Windowsvistasmartiodevice_3C95 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SMARTEIO64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" - hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" - hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" - date = "2024-07-29" + hash = "3c95ebf3f1a87f67d2861dbd1c85dc26c118610af0c9fbf4180428e653ac3e50" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* FileDescription WindowsVistaSmartIODevice */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004500560047004100200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName EVGATechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310033002e00300031002e0032003000300038002d0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310033002e00300031002e0032003000300038002d0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* InternalName WindowsVistaSmartIODevice */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* ProductName WindowsVistaSmartIODevice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0053004d00410052005400450049004f00360034002e005300590053 } /* OriginalFilename SMARTEIOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002800630029002000320030003000370020004500560047004100200054006500630068006e006f006c006f0067007900200049006e0063002e } /* LegalCopyright CopyrightcEVGATechnologyInc */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_033C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbsys_Virtualboxusbdriver_5B26 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5b26c4678ecd37d1829513f41ff9e9df9ef1d1d6fea9e3d477353c90cc915291" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ condition: all of them } @@ -2966,7 +5682,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -2989,7 +5705,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7C73 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b" hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3005,13 +5721,35 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7C73 { } +rule PUA_VULN_Driver_Wistroncorporation_Wirwadrvsys_Wistronrwadriver_D8FC { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiRwaDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d8fc8e3a1348393c5d7c3a84bcbae383d85a4721a751ad7afac5428e5e579b4e" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300740072006f006e00200052005700410020004400720069007600650072 } /* FileDescription WistronRWADriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300740072006f006e00200043006f00720070006f0072006100740069006f006e } /* CompanyName WistronCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031003000310036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069005200770061004400720076002e007300790073 } /* InternalName WiRwaDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300740072006f006e00200052005700410020004400720069007600650072 } /* ProductName WistronRWADriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069005200770061004400720076002e007300790073 } /* OriginalFilename WiRwaDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000570069007300740072006f006e00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCWistronCorporation */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3027,13 +5765,36 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 { } +rule PUA_VULN_Driver_Ludashicom_Computerzsys_F14D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f14da8aa5c8eea8df63cf935481d673fdf3847f5701c310abf4023f9d80ad57d" + hash = "c6a5663f20e5cee2c92dee43a0f2868fb0af299f842410f4473dcde7abcb6413" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100350020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3055,7 +5816,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_34E author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -3077,7 +5838,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -3093,13 +5854,57 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Atlaccesssys_Windowsrwinddkdriver_0B57 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atlAccess.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0b57569aaa0f4789d9642dd2189b0a82466b80ad32ff35f88127210ed105fe57" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006d0070006c0065002000500043004900200061006300630065007300730020006400720069007600650072 } /* FileDescription SimplePCIaccessdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00610074006c004100630063006500730073002e007300790073 } /* InternalName atlAccesssys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00610074006c004100630063006500730073002e007300790073 } /* OriginalFilename atlAccesssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_909F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "909f6c4b8f779df01ef91e549679aa4600223ac75bc7f3a3a79a37cee2326e77" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300033002e00300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300033002e00300036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + all of them +} + + rule PUA_VULN_Driver_Zemanaltd_Zam_3C18 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3118,7 +5923,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -3134,13 +5939,58 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { } +rule PUA_VULN_Driver_Innotekgmbh_Iprt_Virtualboxguestadditions_BBF5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxMouseNT.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "bbf564a02784d53b8006333406807c3539ee4a594585b1f3713325904cb730ec" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200069003800300034003200200050006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxiPortDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00690038003000340032007000720074 } /* InternalName iprt */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004d006f007500730065004e0054002e007300790073 } /* OriginalFilename VBoxMouseNTsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_9399 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9399f35b90f09b41f9eeda55c8e37f6d1cb22de6e224e54567d1f0865a718727" + hash = "a66b4420fa1df81a517e2bbea1a414b57721c67a4aa1df1967894f77e81d036e" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0034002e00320031003300340033002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000320031002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + condition: + all of them +} + + rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ @@ -3158,11 +6008,11 @@ rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 { rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -3185,7 +6035,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e" hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -3207,7 +6057,7 @@ rule PUA_VULN_Driver_Multitheftauto_Mtasanandreas_9F4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0075006c007400690020005400680065006600740020004100750074006f0020007000610074006300680020006400720069007600650072 } /* FileDescription MultiTheftAutopatchdriver */ @@ -3227,7 +6077,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3243,40 +6093,108 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D { +rule PUA_VULN_Driver_Novellinc_Novellxtier_A153 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850" - date = "2024-07-29" + hash = "a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00" + hash = "e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717" + hash = "4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: all of them } -rule PUA_VULN_Driver_Microfocus_Microfocusxtier_95D5 { +rule PUA_VULN_Driver_Ludashicom_Computerzsys_3F36 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3" - date = "2024-07-29" + hash = "3f3684a37b2645fa6827943d9812ffc2d83e89e962935b29874bec7c3714a06f" + hash = "37d999df20c1a0b8ffaef9484c213a97b9987ed308b4ba07316a6013fbd31c60" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073 } /* CompanyName MicroFocus */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000320030002e0031003000330030002e0031003200310037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000320030002e0031003000330030002e0031003200310037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003200300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7702 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7702f240800528d8186e3e6a26e2680486fed65a6fb5a2a000ad12c1fb61a398" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Microfocus_Microfocusxtier_95D5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073 } /* CompanyName MicroFocus */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073002000580054006900650072 } /* ProductName MicroFocusXTier */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ @@ -3286,13 +6204,57 @@ rule PUA_VULN_Driver_Microfocus_Microfocusxtier_95D5 { } +rule PUA_VULN_Driver_Z_Computerzsys_Zwuqisystemdriver_61E7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "61e7f9a91ef25529d85b22c39e830078b96f40b94d00756595dded9d1a8f6629" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0077007500710069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription ZwuqiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a6b665668 } /* CompanyName Z */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0039002e003400310036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0039002e003400310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0077007500710069002000530079007300740065006d0020004400720069007600650072 } /* ProductName ZwuqiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020007700770077002e007a0077007500710069002e0063006f006d } /* LegalCopyright CopyrightCwwwzwuqicom */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_8DCE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8dcec67a1f4903981c3e0ab938784c2f241e041e26748e1c22059e0e507cfb37" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3314,7 +6276,7 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ @@ -3336,7 +6298,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibra author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ @@ -3352,13 +6314,35 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibra } +rule PUA_VULN_Driver_Novellinc_Novellxtier_6C5A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d" + hash = "ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -3374,13 +6358,60 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 { } +rule PUA_VULN_Driver_Cn_Computerzsys_3913 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "39134750f909987f6ebb46cf37519bb80707be0ca2017f3735018bac795a3f8d" + hash = "a34e45e5bbec861e937aefb3cbb7c8818f72df2082029e43264c2b361424cbb1" + hash = "3e758221506628b116e88c14e71be99940894663013df3cf1a9e0b6fb18852b9" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e003400310035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e003400310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Cn_Computerzsys_767E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "767ef5c831f92d92f2bfc3e6ea7fd76d11999eeea24cb464fd62e73132ed564b" + hash = "d9a73df5ac5c68ef5b37a67e5e649332da0f649c3bb6828f70b65c0a2e7d3a23" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_9A54 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -3402,7 +6433,7 @@ rule PUA_VULN_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysicalmemoryandp author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200041006300630065007300730020004400720069007600650072 } /* FileDescription HardwareAccessDriver */ @@ -3423,7 +6454,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3445,7 +6476,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_CFCF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ @@ -3461,13 +6492,148 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_CFCF { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_F8D4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f8d45fa03f56e2ea14920b902856666b8d44f1f1b16644baf8c1ae9a61851fb6" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003800780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_D0E4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d0e4d3e1f5d5942aaf2c72631e9490eecc4d295ee78c323d8fe05092e5b788eb" + hash = "2ad8c38f6e0ca6c93abe3228c8a5d4299430ce0a2eeb80c914326c75ba8a33f9" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00350032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00350032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_77DA { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "77da3e8c5d70978b287d433ae1e1236c895b530a8e1475a9a190cdcc06711d2f" + hash = "837d3b67d3e66ef1674c9f1a47046e1617ed13f73ee08441d95a6de3d73ee9f2" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00310034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00310034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Ludashicom_Computerzsys_0368 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "03680068ec41bbe725e1ed2042b63b82391f792e8e21e45dc114618641611d5d" + hash = "66f851b309bada6d3e4b211baa23b534165b29ba16b5cbf5e8f44eaeb3ca86ea" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000310035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_B0DC { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvaudio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b0dcdbdc62949c981c4fc04ccea64be008676d23506fc05637d9686151a4b77f" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00300030002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00300030002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_7C79 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7c79e5196c2f51d2ab16e40b9d5725a8bf6ae0aaa70b02377aedc0f4e93ca37f" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0039002e0030002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0039002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000300039002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright RadiantSystemsInc */ + condition: + all of them +} + + rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ @@ -3489,7 +6655,7 @@ rule PUA_VULN_Driver_Pchuntersys_Pchunter_1B7F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00450070006f006f006c0073006f00660074002000570069006e0064006f0077007300200049006e0066006f0072006d006100740069006f006e0020005600690065007700200054006f006f006c0073 } /* FileDescription EpoolsoftWindowsInformationViewTools */ @@ -3511,7 +6677,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3527,22 +6693,48 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { } -rule PUA_VULN_Driver_Novellinc_Novellxtier_8E88 { +rule PUA_VULN_Driver_Cn_Computerzsys_0FC3 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" - date = "2024-07-29" + hash = "0fc3bc6e81b04dcaa349f59f04d6c85c55a2fea5db8fa0ba53d3096a040ce5a7" + hash = "40eef1f52c7b81750cee2b74b5d2f4155d4e58bdde5e18ea612ab09ed0864554" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Netfiltersys_EDC6 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "edc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577ed" + hash = "79e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e3617" + hash = "18b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac1" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f56689a7152a865874ef6 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ condition: all of them } @@ -3554,7 +6746,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_E428 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3567,13 +6759,35 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_E428 { } +rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_BE68 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3589,6 +6803,51 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 { } +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_3CB1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3cb111fdedc32f2f253aacde4372b710035c8652eb3586553652477a521c9284" + hash = "9bfd24947052bfe9f2979113a7941e40bd7e3a82eaa081a32ad4064159f07c91" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Watchdogdevelopmentcomllc_Wsdkdsys_Wsdkd_6278 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wsdkd.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6278bc785113831b2ec3368e2c9c9e89e8aca49085a59d8d38dac651471d6440" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005700610074006300680044006f006700200041006e00740069007600690072007500730020004400720069007600650072 } /* FileDescription WatchDogAntivirusDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005700610074006300680044006f00670044006500760065006c006f0070006d0065006e0074002e0063006f006d002c0020004c004c0043002e } /* CompanyName WatchDogDevelopmentcomLLC */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0033002e0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0033002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007700730064006b0064002e007300790073 } /* InternalName wsdkdsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007700730064006b0064 } /* ProductName wsdkd */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007700730064006b0064002e007300790073 } /* OriginalFilename wsdkdsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320032 } /* LegalCopyright CopyrightC */ + condition: + all of them +} + + rule PUA_VULN_Driver_Huawei_Hwosec_Huaweimatebook_B179 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwOs2Ec7x64.sys" @@ -3596,7 +6855,7 @@ rule PUA_VULN_Driver_Huawei_Hwosec_Huaweimatebook_B179 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de" hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480077004f0073003200450063 } /* FileDescription HwOsEc */ @@ -3618,7 +6877,7 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ @@ -3639,7 +6898,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_7661 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3658,7 +6917,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -3676,11 +6935,11 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -3702,7 +6961,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3718,13 +6977,58 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { } +rule PUA_VULN_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_0F30 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0f30ecd4faec147a2335a4fc031c8a1ac9310c35339ebeb651eb1429421951a0" + hash = "903d6d71da64566b1d9c32d4fb1a1491e9f91006ad2281bb91d4f1ee9567ef7b" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00320030002e0030002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e0030002e0037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000300039002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright RadiantSystemsInc */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Insydesoftware_Insydeflash_Insydeflashutilitybitdriver_CE0A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iscflashx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ce0a4430d090ba2f1b46abeaae0cb5fd176ac39a236888fa363bf6f9fd6036d9" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0069007300630066006c006100730068007800360034002e007300790073 } /* FileDescription iscflashxsys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f006600740077006100720065 } /* CompanyName InsydeSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200032002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200032002c00200031002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049006e00730079006400650046006c006100730068 } /* InternalName InsydeFlash */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e007300790064006500200046006c0061007300680020005500740069006c00690074007900200036003400200062006900740020004400720069007600650072 } /* ProductName InsydeFlashUtilitybitDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069007300630066006c006100730068007800360034002e007300790073 } /* OriginalFilename iscflashxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003500200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3746,7 +7050,7 @@ rule PUA_VULN_Driver_Microfocus_Microfocusxtier_5351 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200053006500630075007200690074007900200043006f006e00740065007800740020004d0061006e0061006700650072 } /* FileDescription XTierSecurityContextManager */ @@ -3768,7 +7072,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f" hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -3791,7 +7095,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5FAD { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36" hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -3807,25 +7111,93 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5FAD { } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_A072 { +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_16E2 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" - hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" - hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" - date = "2024-07-29" + hash = "16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23" + hash = "0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_060D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "060d25126e45309414b380ee29f900840b689eae4217a8e621563f130c1d457f" + hash = "b8321471be85dc8a67ac18a2460cab50e7c41cb47252f9a7278b1e69d6970f25" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Ludashicom_Computerzsys_7553 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7553c76b006bd2c75af4e4ee00a02279d3f1f5d691e7dbdc955eac46fd3614c3" + hash = "64dddd5ac53fe2c9de2b317c09034d1bccaf21d6c03ccfde3518e5aa3623dd66" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000310039002e0031003000320035002e003900310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000310039002e0031003000320035002e003900310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100390020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Overclockingtool_Atillksys_Overclockingtool_11A9 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f" + hash = "d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f0076006500720063006c006f0063006b0069006e00670020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription OverclockingHardwareAbstractionSys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* CompanyName OverclockingTool */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* ProductName OverclockingTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002c00200032003000300035 } /* LegalCopyright CopyrightC */ condition: all of them } @@ -3837,7 +7209,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -3859,7 +7231,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3881,7 +7253,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00610076006100730074002100200056004d0020004d006f006e00690074006f0072 } /* FileDescription avastVMMonitor */ @@ -3897,37 +7269,13 @@ rule PUA_VULN_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 { } -rule PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_31F4 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" - hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38" - hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229" - date = "2024-07-29" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00310038003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0031003800330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - all of them -} - - rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050004e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPNPDriver */ @@ -3943,35 +7291,13 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 { } -rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_CF69 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" - date = "2024-07-29" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ - condition: - all of them -} - - rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_4408 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -3993,7 +7319,7 @@ rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ @@ -4009,13 +7335,35 @@ rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { } +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_3D00 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3d008e636e74c846fe7c00f90089ff725561cb3d49ce3253f2bbfbc939bbfcb2" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00320035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00320035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4037,7 +7385,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -4059,7 +7407,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4081,7 +7429,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4103,7 +7451,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -4119,13 +7467,35 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 { } +rule PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxc_1183 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "11832c345e9898c4f74d3bf8f126cf84b4b1a66ad36135e15d103dbf2ac17359" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d003200580037003200430020004b00650072006e0065006c0020004400650076006900630065002000440072006900760065007200280053005900530029002000570069006e0064006f00770073004e0054 } /* FileDescription GPCXCKernelDeviceDriverSYSWindowsNT */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00360031002d00320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00360031002d00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e007300790073 } /* InternalName CPXCsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043 } /* ProductName GPCXC */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043 } /* OriginalFilename CPXC */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300030003700200049006e007400650072006600610063006500200043006f00720070002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorpAllrightsreserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4147,7 +7517,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4170,7 +7540,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa" hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -4186,13 +7556,78 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_1B17 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1b17d12076d047e74d15e6e51e10497ad49419bec7fbe93386c57d3efbaadc0b" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_6CF1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310030002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_EAE5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "eae5c993b250dcc5fee01deeb30045b0e5ee7cf9306ef6edd8c58e4dc743a8ed" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e00310034003000390031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310034002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + condition: + all of them +} + + rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BDBC { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -4208,13 +7643,59 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_B } +rule PUA_VULN_Driver_Databaseharborsoftware_Sysinfodetectorxsys_Sysinfodetector_45E5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SysInfoDetectorX64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "45e5977b8d5baec776eb2e62a84981a8e46f6ce17947c9a76fa1f955dc547271" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200200066006f007200200053007900730049006e0066006f0020004400650074006500630074006f0072 } /* FileDescription DriverforSysInfoDetector */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0044006100740061006200610073006500200048006100720062006f007200200053006f006600740077006100720065 } /* CompanyName DatabaseHarborSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0053007900730049006e0066006f004400650074006500630074006f0072005800360034002e007300790073 } /* InternalName SysInfoDetectorXsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007900730049006e0066006f0020004400650074006500630074006f0072 } /* ProductName SysInfoDetector */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0053007900730049006e0066006f004400650074006500630074006f0072005800360034002e007300790073 } /* OriginalFilename SysInfoDetectorXsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003400200044006100740061006200610073006500200048006100720062006f007200200053006f006600740077006100720065 } /* LegalCopyright CopyrightCDatabaseHarborSoftware */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7048 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6" + hash = "d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e" + hash = "fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4230,13 +7711,57 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 { } +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_E505 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e505569892551b2ba79d8792badff0a41faea033e8d8f85c3afea33463c70bd9" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Ncrcorporation_Radhwmgrsys_Ncrcorporationhardwaremanagerdriver_Dev_DF96 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "df96d844b967d404e58a12fc57487abc24cd3bd1f8417acfe1ce1ee4a0b0b858" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e } /* CompanyName NCRCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0030002e0030002e003200200044006500760020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion DevbuiltbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0030002e0030002e00320020004400650076 } /* ProductVersion Dev */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e0020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName NCRCorporationHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d00320030003100370020004e0043005200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightcNCRCorporation */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0B2A { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4252,13 +7777,79 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ } +rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_BA40 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ba40b1fc798c2f78165e78997b4baf3d99858ee39a372ca6fbc303057793e50d" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e00310034003100370035002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310034002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_828A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbmonsys_Virtualboxusbmonitordriver_8A24 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8a2482e19040d591c7cec5dfc35865596ce0154350b5c4e1c9eecc86e7752145" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ + condition: + all of them +} + + rule PUA_VULN_Driver_Copyright_Advancedmalwareprotection_6F55 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amsdk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* FileDescription AdvancedMalwareProtection */ @@ -4273,67 +7864,271 @@ rule PUA_VULN_Driver_Copyright_Advancedmalwareprotection_6F55 { } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_0DC4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_3670 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3670ccd9515d529bb31751fcd613066348057741adeaf0bffd1b9a54eb8baa76" + hash = "0d133ced666c798ea63b6d8026ec507d429e834daa7c74e4e091e462e5815180" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e00310037003000350032002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310037002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9CA5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4E54 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4e54e98df13110aac41f3207e400cce2a00df29ce18c32186e536c1de25a75ce" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000390020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003200200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_F4EE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f4ee803eefdb4eaeedb3024c3516f1f9a202c77f4870d6b74356bbde32b3b560" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_898E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "898e07cf276ec2090b3e7ca7c192cc0fa10d6f13d989ef1cb5826ca9ce25b289" + hash = "07d0090c76155318e78a676e2f8af1500c20aaa1e84f047c674d5f990f5a09c8" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800330031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800330031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_AFDA { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" - date = "2024-07-29" + hash = "afda5af5f210336061bff0fab0ed93ee495312bed639ec5db56fbac0ea8247d3" + hash = "b2364c3cf230648dad30952701aef90acfc9891541c7e154e30c9750da213ed1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00350034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00350034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: all of them } -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C { +rule PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxcdiobmpcicpci_6386 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b" - date = "2024-07-29" + hash = "63865f04c1150655817ed4c9f56ad9f637d41ebd2965b6127fc7c02757a7800e" + hash = "9c8ed1506b3e35f5eea6ac539e286d46ef76ddbfdfc5406390fd2157c762ce91" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003200200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d0032005800370032004300200049002f004f0020004d006f00640075006c006500200044006500760069006300650020004400720069007600650072 } /* FileDescription GPCXCIOModuleDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00300032002e00330030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00300032002e00330030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* InternalName CPXCSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043002000440049004f002d0042004d0028005000430049002f0043002d0050004300490029 } /* ProductName GPCXCDIOBMPCICPCI */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* OriginalFilename CPXCSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300031003400200049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorporationAllrightsreserved */ condition: all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { +rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_C490 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" - date = "2024-07-29" + hash = "c490d6c0844f59fdb4aa850a06e283fbf5e5b6ac20ff42ead03d549d8ae1c01b" + hash = "a29093d4d708185ba8be35709113fb42e402bbfbf2960d3e00fd7c759ef0b94e" + hash = "e3dbafce5ad2bf17446d0f853aeedf58cc25aa1080ab97e22375a1022d6acb16" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f } /* FileDescription GenericPortIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ condition: all of them } @@ -4345,7 +8140,7 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f00360034 } /* FileDescription ALSysIO */ @@ -4367,7 +8162,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -4383,13 +8178,35 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E { } +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_88FB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "88fb0a846f52c3b680c695cd349bf56151a53a75a07b8b0b4fe026ab8aa0a9af" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_E839 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004300500055005f00430043 } /* FileDescription NTIOLibforMSICPUCC */ @@ -4411,7 +8228,7 @@ rule PUA_VULN_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physi author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* FileDescription PhysicalMemoryAccessDriver */ @@ -4427,13 +8244,35 @@ rule PUA_VULN_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physi } +rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_4CE8 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ce8583768720be90fae66eed3b6b4a8c7c64e033be53d4cd98246d6e06086d0" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e00310031003200380035002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300030002d0032003000310031002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + condition: + all of them +} + + rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_AF10 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -4451,11 +8290,11 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -4477,7 +8316,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -4493,13 +8332,35 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_F629 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65" + hash = "0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amp.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00500020004d0069006e006900660069006c007400650072 } /* FileDescription AMPMinifilter */ @@ -4515,13 +8376,35 @@ rule PUA_VULN_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { } +rule PUA_VULN_Driver_Netfiltersdkcom_Lgdcatchersys_Netfiltersdk_0C42 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDCatcher.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* CompanyName NetFilterSDKcom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* InternalName LgDCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0065007400460069006c007400650072002000530044004b } /* ProductName NetFilterSDK */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* OriginalFilename LgDCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003f0020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - superbmc.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007300750070006500720062006d0063 } /* FileDescription superbmc */ @@ -4543,7 +8426,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4566,7 +8449,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54" hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -4582,13 +8465,35 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 { } +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_AE3A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ae3a6a0726f667658fc3e3180980609dcb31bdbf833d7cb76ba5d405058d5156" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300033002e00310032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300033002e00310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + all of them +} + + rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ @@ -4604,6 +8509,160 @@ rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 { } +rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_6F80 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6f806a9de79ac2886613c20758546f7e9597db5a20744f7dd82d310b7d6457d0" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f } /* FileDescription GenericPortIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_B205 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys " + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Filseclabcorporation_Filnk_Filseclabdynamicdefensesystem_AE55 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - filnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ae55a0e93e5ef3948adecf20fa55b0f555dcf40589917a5bfbaa732075f0cc12" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d0020004400720076 } /* FileDescription FilseclabDynamicDefenseSystemDrv */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* CompanyName FilseclabCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c00200030002c002000310039003300350033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200030002c002000310039003300350033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00660069006c006e006b } /* InternalName filnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d } /* ProductName FilseclabDynamicDefenseSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00660069006c006e006b002e007300790073 } /* OriginalFilename filnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d0032003000310033002000460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCFilseclabCorporation */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_CBF7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e00640072006100200044006500760069006300650020004400720069007600650072002000280049004100360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverIAUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_A475 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a47555d04b375f844073fdcc71e5ccaa1bbb201e24dcdebe2399e055e15c849f" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300030002e00320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030002e00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_66F8 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e" + hash = "7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_55B5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "55b5bcbf8fb4e1ce99d201d3903d785888c928aa26e947ce2cdb99eefd0dae03" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003700780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + all of them +} + + rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" @@ -4614,7 +8673,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f" hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" hash = "ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -4630,13 +8689,102 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { } +rule PUA_VULN_Driver_Filseclabcorporation_Filwfp_Filseclabfirewall_490C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - filwfp.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "490cfbb540dcd70b7bff4fdd62e7ed7400bbfebaf5083523d49f7184670f7b9a" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006c007300650063006c006100620020004600690072006500770061006c006c } /* FileDescription FilseclabFirewall */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* CompanyName FilseclabCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031003200310036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031003200310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00660069006c007700660070 } /* InternalName filwfp */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006c007300650063006c006100620020004600690072006500770061006c006c } /* ProductName FilseclabFirewall */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00660069006c007700660070002e007300790073 } /* OriginalFilename filwfpsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCFilseclabCorporation */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_4AE4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv_1_0_32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ae42c1f11a98dee07a0d7199f611699511f1fb95120fabc4c3c349c485467fe" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_9E34 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_9D53 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a" + hash = "5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4659,7 +8807,7 @@ rule PUA_VULN_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b" hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ @@ -4681,7 +8829,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4703,7 +8851,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F15A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -4725,7 +8873,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4747,7 +8895,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4763,13 +8911,80 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6701 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6701433861742c08eb50f1e785962378143ad5b6c374ac29118168599f8a0f1c" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_00C3 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "00c3e86952eebb113d91d118629077b3370ebc41eeacb419762d2de30a43c09c" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e003200320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0030002e00320032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d0032003000300034002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright CopyrightcRadiantSystemsInc */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Cn_Computerzsys_DEE3 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "dee384604d2d0018473941acbefe553711ded7344a4932daeffb876fe2fa0233" + hash = "26ecd3cea139218120a9f168c8c0c3b856e0dd8fb2205c2a4bcb398f5f35d8dd" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310032002e003300300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310032002e003300300032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100320020003300360030002e0063006e } /* LegalCopyright Ccn */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -4791,7 +9006,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4807,13 +9022,57 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6E9E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6e9e9e0b9a23deec5f28dc45f0bbe7423565f037f74be2957e82e5f72c886094" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003800300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00380030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1228 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003400200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_RCIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -4836,7 +9095,7 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D reference = "https://github.com/magicsword-io/LOLDrivers" hash = "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20" hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription AMIGenericUtilityDriver */ @@ -4852,6 +9111,74 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D } +rule PUA_VULN_Driver_Inferre_Hwdetectngsys_Hwdetectngsys_D456 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hwdetectng.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d45600f3015a54fa2c9baa7897edbd821aeea2532e6aadb8065415ed0a23d0c2" + hash = "43136de6b77ef85bc661d401723f38624e93c4408d758bc9f27987f2b4511fee" + hash = "2f8b68de1e541093f2d4525a0d02f36d361cd69ee8b1db18e6dd064af3856f4f" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480057004400650074006500630074004e0047 } /* FileDescription HWDetectNG */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069004e00460045005200520045 } /* CompanyName iNFERRE */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* InternalName hwdetectngsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* ProductName hwdetectngsys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* OriginalFilename hwdetectngsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280063002900200032003000300038002d0030003900200069004e00460045005200520045 } /* LegalCopyright ciNFERRE */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Adlicesoftware_Truesight_Truesight_BFC2 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - truesight.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0052006f006700750065004b0069006c006c0065007200200041006e007400690072006f006f0074006b006900740020004400720069007600650072 } /* FileDescription RogueKillerAntirootkitDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410064006c00690063006500200053006f006600740077006100720065 } /* CompanyName AdliceSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005400720075006500730069006700680074 } /* InternalName Truesight */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720075006500730069006700680074 } /* ProductName Truesight */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005400720075006500730069006700680074 } /* OriginalFilename Truesight */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000410064006c00690063006500200053006f00660074007700610072006500280043002900200032003000320033 } /* LegalCopyright CopyrightAdliceSoftwareC */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_87B4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00340037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00340037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + all of them +} + + rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxdriverversion_X_F581 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpoutx64.sys" @@ -4860,7 +9187,7 @@ rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxd hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af" hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b" hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ @@ -4882,7 +9209,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4898,13 +9225,35 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_FF1C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ff1ccef7374a1a5054a6f4437e3e0504b14ed76e17090cc6b1a4ec0e2da427a5" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003600300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00360030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -4920,6 +9269,52 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 { } +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_CA34 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760032002e003000200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_46D1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28" + hash = "dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53" + hash = "4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61" + hash = "d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310038002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + all of them +} + + rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_A334 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" @@ -4927,7 +9322,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_A334 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d" hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -4949,7 +9344,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4971,7 +9366,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4989,11 +9384,11 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 { rule PUA_VULN_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IObitUnlocker.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription UnlockerDriver */ @@ -5009,45 +9404,22 @@ rule PUA_VULN_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C { } -rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_93D8 { +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_C190 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" - date = "2024-07-29" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ - condition: - all of them -} - - -rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_358A { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" - date = "2024-07-29" + hash = "c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0035002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e0031002e003500200028003200300030003600300038003200380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ condition: all of them } @@ -5059,7 +9431,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_9 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -5081,7 +9453,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5097,13 +9469,36 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ } +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_7337 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "733789d0a253e8d80cc3240e365b8d4274e510e36007f6e4b5fd13b07b084c3e" + hash = "d1463b7fec911c10a8c96d84eb7c0f9e95fa488d826647a591a38c0593f812a4" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e003200300037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e003200300037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5119,13 +9514,36 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosiodriver_1E24 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1e24c45ce2672ee403db34077c88e8b7d7797d113c6fd161906dce3784da627d" + hash = "39336e2ce105901ab65021d6fdc3932d3d6aab665fe4bd55aa1aa66eb0de32f0" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300420049004f00530049004f0020004400720069007600650072 } /* FileDescription SBIOSIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030003000300030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030003000300030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* InternalName SBIOSIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530061006d00730075006e00670020002800520029002000420049004f005300200049004f0020006400720069007600650072 } /* ProductName SamsungRBIOSIOdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* OriginalFilename SBIOSIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000530061006d00730075006e006700200045006c0065006300740072006f006e006900630073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcSamsungElectronicsAllrightsreserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_9491 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -5147,7 +9565,7 @@ rule PUA_VULN_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsroperatingsystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460055004a00490054005300550020004c0049004d0049005400450044002e } /* CompanyName FUJITSULIMITED */ @@ -5168,7 +9586,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -5184,13 +9602,102 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster } +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_CFA2 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "cfa28e2f624f927d4cbd2952306570d86901d2f24e3d07cc6277e98289d09783" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e002000260020004f00740068006500720073 } /* LegalCopyright SunMicrosystemsIncOthers */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Generalelectriccompany_Gedevicedriver_Proficymachineedition_Build_A369 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GEDevDrv.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a369942ce8d4b70ebf664981e12c736ec980dbe5a74585dd826553c4723b1bce" + hash = "ae73dd357e5950face9c956570088f334d18464cd49f00c56420e3d6ff47e8dc" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* FileDescription GEDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00470065006e006500720061006c00200045006c00650063007400720069006300200043006f006d00700061006e0079 } /* CompanyName GeneralElectricCompany */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0035003000200028004200750069006c0064002000370036003700370029 } /* FileVersion Build */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0035003000200028004200750069006c0064002000370036003700370029 } /* ProductVersion Build */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* InternalName GEDeviceDriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00660069006300790020004d0061006300680069006e0065002000450064006900740069006f006e } /* ProductName ProficyMachineEdition */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00470045004400650076004400720076002e005300590053 } /* OriginalFilename GEDevDrvSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000310037002000470065006e006500720061006c00200045006c00650063007400720069006300200043006f006d00700061006e0079 } /* LegalCopyright GeneralElectricCompany */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_85FD { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "85fdd255c5d7add25fd7cd502221387a5e11f02144753890218dd31a8333a1a3" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00360039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00360039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7CF7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* FileDescription */ @@ -5208,11 +9715,11 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 { rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -5234,7 +9741,7 @@ rule PUA_VULN_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amduprof_0AF5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d004400200050006f007700650072002000500072006f00660069006c0069006e00670020004400720069007600650072 } /* FileDescription AMDPowerProfilingDriver */ @@ -5256,7 +9763,7 @@ rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_074A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -5277,18 +9784,39 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_98B7 { description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8" - date = "2024-07-29" + hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_7A2C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e003100200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ condition: all of them } @@ -5300,7 +9828,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_9A95 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5319,7 +9847,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -5341,7 +9869,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_2BBC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5360,7 +9888,7 @@ rule PUA_VULN_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f00670069007400650063006800200056006900640065006f0020004400720069007600650072 } /* FileDescription LogitechVideoDriver */ @@ -5376,13 +9904,35 @@ rule PUA_VULN_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C { } +rule PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_E6D1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e6d1ee0455068b74cf537388c874acb335382876aa9d74586efb05d6cc362ae5" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002c00200032002c00200030002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002c00200032002c00200030002c00200033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600330032002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ + condition: + all of them +} + + rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ @@ -5404,7 +9954,7 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -5426,7 +9976,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_2CE author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -5442,13 +9992,35 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_2CE } +rule PUA_VULN_Driver_Innotekgmbh_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_994F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "994f322def98c99aec7ea0036ef5f4b802120458782ae3867d116d55215c56e4" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048002000260020004f00740068006500720073 } /* LegalCopyright innotekGmbHOthers */ + condition: + all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9254 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004400440052005f00430043 } /* FileDescription NTIOLibforMSIDDRCC */ @@ -5464,14 +10036,36 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9254 { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_3AF9 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3af9c376d43321e813057ecd0403e71cafc3302139e2409ab41e254386c33ecb" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0031003000780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + all of them +} + + rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NalDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iqvw64e.sys, iQVW64.SYS, NalDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b" hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -5493,7 +10087,7 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -5515,7 +10109,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_43BA { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d004900430053005900530020006400720069007600650072 } /* FileDescription MICSYSdriver */ @@ -5537,7 +10131,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5559,7 +10153,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_26C2 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -5575,13 +10169,36 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_26C2 } +rule PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxcdiobmpcicpci_05C1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "05c15a75d183301382a082f6d76bf3ab4c520bf158abca4433d9881134461686" + hash = "4b4ea21da21a1167c00b903c05a4e3af6c514ea3dfe0b5f371f6a06305e1d27f" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d0032005800370032004300200049002f004f0020004d006f00640075006c006500200044006500760069006300650020004400720069007600650072 } /* FileDescription GPCXCIOModuleDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00330030002e00330033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00330030002e00330033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* InternalName CPXCSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043002000440049004f002d0042004d0028005000430049002f0043002d0050004300490029 } /* ProductName GPCXCDIOBMPCICPCI */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* OriginalFilename CPXCSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300032003000200049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorporationAllrightsreserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5597,13 +10214,35 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 { } +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_A209 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + condition: + all of them +} + + rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcodenamelonghornddkdriver_159E { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WCPU.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription ASUSTDECPUDriver */ @@ -5619,13 +10258,35 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcoden } +rule PUA_VULN_Driver_Proxydrvsys_Nn_0B20 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0b205838a8271daea89656b1ec7c5bb7244c42a8b8000d7697e92095da6b9b94" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c00330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_1DDF { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -5647,7 +10308,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5670,7 +10331,7 @@ rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c" hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d00380020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ @@ -5692,7 +10353,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5714,7 +10375,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5730,13 +10391,79 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ } +rule PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_81D5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "81d54ebef1716e195955046ffded498a5a7e325bf83e7847893aa3b0b3776d05" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0032002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0032002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* InternalName AODDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* OriginalFilename AODDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003200300031003000200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_EC9B { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ec9bd7fb90c3a2aa4605bd73fe1f74399e2cda75fd4c5fff84660ad4f797c4fe" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_D7C7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvflash.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072002c002000560065007200730069006f006e00200031002e0038002e0030 } /* FileDescription NVIDIAFlashDriverVersion */ @@ -5754,11 +10481,11 @@ rule PUA_VULN_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -5780,7 +10507,7 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -5802,7 +10529,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5825,7 +10552,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_55A1 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9" hash = "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -5841,13 +10568,36 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_55A1 { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosiodriver_B3D1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b3d1bdd4ad819b99870b6e2ed3527dfc0e3ce27b929ad64382b9c3d4e332315c" + hash = "442d506c1ac1f48f6224f0cdd64590779aee9c88bdda2f2cc3169b862cba1243" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300420049004f00530049004f0020004400720069007600650072 } /* FileDescription SBIOSIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030003000300030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030003000300030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* InternalName SBIOSIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530061006d00730075006e00670020002800520029002000420049004f005300200049004f0020006400720069007600650072 } /* ProductName SamsungRBIOSIOdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* OriginalFilename SBIOSIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000530061006d00730075006e006700200045006c0065006300740072006f006e006900630073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcSamsungElectronicsAllrightsreserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -5863,13 +10613,35 @@ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_1698 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1698ba7eeee6ff9272cc25b242af89190ff23fd9530f21aa8f0f3792412594f3" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003700780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5891,7 +10663,7 @@ rule PUA_VULN_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonito author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e0053007900730020002d0020004500760065006e00740020004d006f006e00690074006f00720069006e00670020006400720069007600650072 } /* FileDescription VProEventMonitorSysEventMonitoringdriver */ @@ -5909,11 +10681,11 @@ rule PUA_VULN_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonito rule PUA_VULN_Driver_Wj_Kprocesshacker_C725 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - krpocesshacker.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ @@ -5934,7 +10706,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -5950,13 +10722,35 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_83A1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5978,7 +10772,7 @@ rule PUA_VULN_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodriverversi author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */ @@ -6000,7 +10794,7 @@ rule PUA_VULN_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530079007300440072007600330053 } /* FileDescription SysDrvS */ @@ -6022,7 +10816,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -6038,13 +10832,36 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD { } +rule PUA_VULN_Driver_Geintelligentplatformsinc_Gedevicedriver_Proficymachineedition_Build_CAC5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GEDevDrv.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "cac5dc7c3da69b682097144f12a816530091d4708ca432a7ce39f6abe6616461" + hash = "51145a3fa8258aac106f65f34159d23c54b48b6d54ec0421748b3939ab6778eb" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* FileDescription GEDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004500200049006e00740065006c006c006900670065006e007400200050006c006100740066006f0072006d0073002c00200049006e0063002e } /* CompanyName GEIntelligentPlatformsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030003000200028004200750069006c0064002000350035003100370029 } /* FileVersion Build */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030003000200028004200750069006c0064002000350035003100370029 } /* ProductVersion Build */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* InternalName GEDeviceDriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00660069006300790020004d0061006300680069006e0065002000450064006900740069006f006e } /* ProductName ProficyMachineEdition */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00470045004400650076004400720076002e005300590053 } /* OriginalFilename GEDevDrvSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000310031002c00200047004500200049006e00740065006c006c006900670065006e007400200050006c006100740066006f0072006d0073002c00200049006e0063002e } /* LegalCopyright GEIntelligentPlatformsInc */ + condition: + all of them +} + + rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3871 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz_x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -6060,13 +10877,32 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3 } +rule PUA_VULN_Driver_Lowleveldriver_F941 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GPU-Z.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f9418b5e90a235339a4a1a889490faca39cd117a51ba4446daa1011da06c7ecd" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0077002d004c006500760065006c0020004400720069007600650072 } /* FileDescription LowLevelDriver */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00360030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00360030002e0030002e0030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f0077002d004c006500760065006c0020004400720069007600650072 } /* ProductName LowLevelDriver */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300034002d00320030003100300020002800630029002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcAllrightsreserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -6088,7 +10924,7 @@ rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ @@ -6111,7 +10947,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_5439 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91" hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -6130,7 +10966,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -6152,7 +10988,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_DE8F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -6165,13 +11001,35 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_DE8F { } +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_0FC0 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0fc0644085f956706ea892563309ba72f0986b7a3d4aa9ae81c1fa1c35e3e2d3" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00300030002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00300030002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + all of them +} + + rule PUA_VULN_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - phymem64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007000680079006d0065006d0020004100700070006c00690063006100740069006f006e } /* FileDescription phymemApplication */ @@ -6194,7 +11052,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1" hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -6216,7 +11074,7 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_CFB7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -6238,7 +11096,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -6260,7 +11118,7 @@ rule PUA_VULN_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -6282,7 +11140,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -6304,7 +11162,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -6326,7 +11184,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -6348,7 +11206,7 @@ rule PUA_VULN_Driver_Wj_Kprocesshacker_7021 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ @@ -6369,7 +11227,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -6385,13 +11243,35 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5148 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003300200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_HWMIO64_W10.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -6413,7 +11293,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -6429,13 +11309,35 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_B224 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b2247e68386c1bdfd48687105c3728ebbad672daffa91b57845b4e49693ffd71" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0031003000780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + all of them +} + + rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -6451,13 +11353,57 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 { } +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_5E3B { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5e3bc2d7bc56971457d642458563435c7e5c9c3c7c079ef5abeb6a61fb4d52ea" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_9DEE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9dee9c925f7ea84f56d4a2ad4cf9a88c4dac27380887bf9ac73e7c8108066504" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0038002e003100780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + all of them +} + + rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ @@ -6475,11 +11421,11 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -6495,13 +11441,35 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { } +rule PUA_VULN_Driver_Asmediatechnologyinc_Asmiosys_Asmediapcidriver_E465 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsmIo64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e4658d93544f69f5cb9aa6d9fec420fecc8750cb57e1e9798da38c139d44f2eb" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410073006d006500640069006100200050004300490020004400720069007600650072 } /* FileDescription AsmediaPCIDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410073006d006500640069006100200054006500630068006e006f006c006f00670079002000200049006e0063002e } /* CompanyName AsmediaTechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410073006d0049006f002e007300790073 } /* InternalName AsmIosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410073006d006500640069006100200050004300490020004400720069007600650072 } /* ProductName AsmediaPCIDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410073006d0049006f002e007300790073 } /* OriginalFilename AsmIosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000410073006d006500640069006100200054006500630068006e006f006c006f00670079002e } /* LegalCopyright AsmediaTechnology */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ diff --git a/detections/yara/other/yara-rules_vuln_drivers_strict_renamed.yar b/detections/yara/other/yara-rules_vuln_drivers_strict_renamed.yar index c0a4bf7a2..366cc0b06 100644 --- a/detections/yara/other/yara-rules_vuln_drivers_strict_renamed.yar +++ b/detections/yara/other/yara-rules_vuln_drivers_strict_renamed.yar @@ -6,9 +6,14 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3" hash = "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02" + hash = "368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1" hash = "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe" + hash = "11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768" + hash = "4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba" + hash = "572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4" hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa" - date = "2024-07-29" + hash = "da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -24,13 +29,106 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { } +rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_0E85 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02" + hash = "73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a" + hash = "b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44" + hash = "ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498" + hash = "40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59" + hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" + hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" + hash = "405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1" + hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" + hash = "78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + +rule PUA_VULN_Renamed_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_786F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc" + hash = "87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b" + hash = "daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5" + hash = "48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548" + hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WiseUnlo/i +} + + +rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_A397 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c" + hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" + hash = "f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686" + hash = "8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f" + hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" + hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" + hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" + hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" + hash = "bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091" + hash = "ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33" + hash = "3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486" + hash = "019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f" + hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" + hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" + hash = "f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_D7E0 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -44,6 +142,187 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_D7E0 { } +rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_2298 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e" + hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486" + hash = "69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce" + hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961" + hash = "68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248" + hash = "3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5" + hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310032002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + +rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_4D03 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4d03a01257e156a3a018230059052791c3cde556e5cec7a4dd2f55f65c06e146" + hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" + hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" + hash = "d20d8bf80017e98b6dfc9f6c3960271fa792a908758bef49a390e2692a2a4341" + hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" + hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" + hash = "4bf974f5d3489638a48ee508b4a8cfa0f0262909778ccdd2e871172b71654d89" + hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" + hash = "53bb076e81f6104f41bc284eedae36bd99b53e42719573fa5960932720ebc854" + hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" + hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrDrv/i +} + + +rule PUA_VULN_Renamed_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_0ABC { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0abca92512fc98fe6c2e7d0a33935686fc3acbd0a4c68b51f4a70ece828c0664" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /GtcKmdfBs/i +} + + +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_D7B7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd" + hash = "567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270" + hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" + hash = "2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i +} + + +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_9DBC { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9dbc2a37f53507296cc912e7d354dab4e55541ba821561aa84f74d1bd8346be2" + hash = "65a3e69854c729659281d2c5f8a4c8274ad3606befdcd9e1b79d3262f260bfa1" + hash = "71701c5c569ef67391c995a12b21ca06935b7799ed211d978f7877115c58dce0" + hash = "81bcd8a3f8c17ac6dc4bad750ad3417914db10aa15485094eef0951a3f72bdbd" + hash = "1a0f57a4d7c8137baf24c65d542729547b876979273df7a245aaeea87280c090" + hash = "62b14bb308c99132d90646e85bc7d6eb593f38e225c8232f69f24b74a019c176" + hash = "0f3e7bf7b103613844a38afb574817ddaecd00e4d206d891660dbb0e5dfee04e" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e0037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /netfilter2/i +} + + +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Lgdatacatchersys_Gameacc_07FB { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDataCatcher.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "07fb2bb6c852f6a6fe982b2232f047e167be39738bac26806ffe0927ba873756" + hash = "516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a13" + hash = "45b07a2f387e047a6bb0e59b7f22fb56182d57b50e84e386a38c2dbb7e773837" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006500690067006f00640020006e006500740020006400610074006100200063006100740063006800650072002e } /* FileDescription Leigodnetdatacatcher */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* InternalName LgDataCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470061006d0065004100630063 } /* ProductName GameAcc */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* OriginalFilename LgDataCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002000320030003200300020006e006e002e0063006f006d } /* LegalCopyright Copyrightnncom */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /LgDataCatcher/i +} + + +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_D53F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d53f9111a5e6c94b37e3f39c5860897405cb250dd11aa91c3814a98b1759c055" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /vboxguest/i +} + + rule PUA_VULN_Renamed_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elrawdsk.sys" @@ -51,7 +330,7 @@ rule PUA_VULN_Renamed_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6" hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */ @@ -73,7 +352,7 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -95,7 +374,7 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -117,7 +396,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -133,31 +412,99 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit } -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_6BEF { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_8473 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" - hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" - hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" - hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" - hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" - hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" - hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" - date = "2024-07-29" + hash = "84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451" + hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" + hash = "e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f" + hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0" + hash = "8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i +} + + +rule PUA_VULN_Renamed_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutsys_Inpoutdriverversion_CFAB { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpout32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "cfab93885e5129a86d13fd380d010cc8c204429973b776ab1b472d84a767930f" + hash = "945ee05244316ff2f877718cf0625d4eb34e6ec472f403f958f2a700f9092507" + hash = "7db320e49139f636c8b6d12b6c78b666a62599e9d59587ba87c6b89b0a34b18d" + hash = "16360ead229b13deb47bc2bef40f282474c9f18c213c636cdfb8cc2495168251" + hash = "b8ded5e10dfc997482ba4377c60e7902e6f755674be51b0e181ae465529fb2f2" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* InternalName inpoutsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f00750074003300320020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName inpoutDriverVersion */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* OriginalFilename inpoutsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /inpout32/i +} + + +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_4CD8 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4" + hash = "00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922" + hash = "66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i +} + + +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_9833 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "983310cdce8397c016bfcfcc9c3a8abbb5c928b235bc3c3ae3a3cc10ef24dfbd" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /vboxguest/i } @@ -167,11 +514,14 @@ rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_45BA { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a" + hash = "bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042" hash = "3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf" + hash = "83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c" hash = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d" hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe" + hash = "d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4" hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200770044007200760020004400720069007600650072 } /* FileDescription RwDrvDriver */ @@ -195,7 +545,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdrive hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921" hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351" hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription VoicemodVirtualAudioDeviceWDM */ @@ -218,7 +568,7 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433" hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -234,36 +584,262 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz } -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_5BD4 { +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfoisys_Hwinfoiakerneldriver_33C6 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO64I.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c" - date = "2024-07-29" + hash = "33c6c622464f80a8d8017a03ff3aa196840da8bb03bfb5212b51612b5cf953dc" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOIAKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e00370032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00370032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* InternalName HWiNFOISYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOIAKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* OriginalFilename HWiNFOISYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100320020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO64I/i } -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_88E2 { +rule PUA_VULN_Renamed_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdateutilitydriver_6945 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc" - hash = "f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478" - hash = "89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7" + hash = "6945077a6846af3e4e2f6a2f533702f57e993c5b156b6965a552d6a5d63b7402" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* OriginalFilename PDFWKRNLsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003100200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PDFWKRNL/i +} + + +rule PUA_VULN_Renamed_Driver_Fintekcorp_Fintekcorpfintekpcieuart_32BD { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FPCIE2COM.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "32bd0edb9daa60175b1dc054f30e28e8dbfa293a32e6c86bfd06bc046eaa2f9e" + hash = "17942865680bd3d6e6633c90cc4bd692ae0951a8589dbe103c1e293b3067344d" + hash = "b1920889466cd5054e3ab6433a618e76c6671c3e806af8b3084c77c0e7648cbe" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006e00740065006b002000500063006900650032005500610072007400200041006400610070007400650072 } /* FileDescription FintekPcieUartAdapter */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006e00740065006b00200043006f00720070002e } /* CompanyName FintekCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006e00740065006b00200043006f00720070002e002000460069006e00740065006b0020005000630069006500320055006100720074 } /* ProductName FintekCorpFintekPcieUart */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0046005000430049004500320043004f004d002e007300790073 } /* OriginalFilename FPCIECOMsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200040002000460069006e00740065006b00200043006f00720070002e00200032003000300032002d0032003000310033 } /* LegalCopyright CopyrightFintekCorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /FPCIE2COM/i +} + + +rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_42B3 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "42b31b850894bf917372ff50fbe1aff3990331e8bd03840d75e29dcc1026c180" + hash = "c0c52425dd90f36d110952c665e5b644bb1092f952942c07bb4da998c9ce6e5b" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e003300320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e003300320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ngiodriver/i +} + + +rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_5BD4 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + condition: + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i +} + + +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxusbsys_Virtualboxusbdriver_C509 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c509935f3812ad9b363754216561e0a529fc2d5b8e86bfa7302b8d149b7d04aa" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxUSB/i +} + + +rule PUA_VULN_Renamed_Driver_Netfiltersys_F171 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e0038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /netfilter2/i +} + + +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_DD4F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NICM.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "dd4fedd5662122cbfe046a12e2137294ef1cb7822238d9e24eacc78f22f8e93d" + hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" + hash = "1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b" + hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" + hash = "6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NICM/i +} + + +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_7627 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb" + hash = "1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i +} + + +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_16AE { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "16ae28284c09839900b99c0bdf6ce4ffcd7fe666cfd5cfb0d54a3ad9bea9aa9c" + hash = "d54ac69c438ba77cde88c6efd6a423491996d4e8a235666644b1db954eb1da9c" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300032002e00310035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300032002e00310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i +} + + +rule PUA_VULN_Renamed_Driver_Computerz_Computerzsys_Computerzsystemdriver_61F3 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "61f3b1c026d203ce94fab514e3d15090222c0eedc2a768cc2d073ec658671874" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f006d00700075007400650072005a002000530079007300740065006d0020004400720069007600650072 } /* FileDescription ComputerZSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f006d00700075007400650072005a } /* CompanyName ComputerZ */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0038002e003800310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0038002e003800310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f006d00700075007400650072005a002000530079007300740065006d0020004400720069007600650072 } /* ProductName ComputerZSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300030003800200043006f006d00700075007400650072005a } /* LegalCopyright CopyrightCComputerZ */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + +rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_88E2 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc" + hash = "f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478" + hash = "89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7" hash = "3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a" hash = "d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476" hash = "e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06" @@ -272,7 +848,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex hash = "59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879" hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd" hash = "9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -295,12 +871,17 @@ rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c" hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e" + hash = "922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832" + hash = "c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547" + hash = "c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0" hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e" hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b" hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" + hash = "b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5" + hash = "65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377" hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -316,14 +897,64 @@ rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver } +rule PUA_VULN_Renamed_Driver_Mitactechnologycorporation_Vdbsvsys_Mitacsystemserviceprovider_91AF { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VdBSv64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "91afa3de4b70ee26a4be68587d58b154c7b32b50b504ff0dc0babc4eb56578f4" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName MiTACTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200031002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200031002c00200031002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0056006400420053007600360034002e007300790073 } /* InternalName VdBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName MiTACSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0056006400420053007600360034002e007300790073 } /* OriginalFilename VdBSvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCMiTACTechnologyCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VdBSv64/i +} + + +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_00B3 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd" + hash = "3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928" + hash = "18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7" + hash = "94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915" + hash = "c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i +} + + rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_B50F { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" + hash = "dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b" hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" - date = "2024-07-29" + hash = "0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49" + hash = "d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ @@ -345,7 +976,7 @@ rule PUA_VULN_Renamed_Driver_Openlibsysorg_Winringsys_Winring_11BD { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ @@ -367,7 +998,7 @@ rule PUA_VULN_Renamed_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardware author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* FileDescription Hardwarereadwritedriver */ @@ -389,7 +1020,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -411,7 +1042,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3124 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004600720065007100750065006e00630079005f00430043 } /* FileDescription NTIOLibforMSIFrequencyCC */ @@ -427,13 +1058,80 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3124 { } +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_FF55 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ff55c1f308a5694eb66a3e9ba326266c826c5341c44958831a7a59a23ed5ecc8" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0038002e003100780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /DcProtect/i +} + + +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_A855 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6" + hash = "49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94" + hash = "653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i +} + + +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_DB71 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i +} + + rule PUA_VULN_Renamed_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Monitor_win10_x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f006200690074002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription IObitTemperatureMonitor */ @@ -449,13 +1147,47 @@ rule PUA_VULN_Renamed_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { } +rule PUA_VULN_Renamed_Driver_Iobit_Iobitunlockersys_Iobitunlocker_2B33 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae" + hash = "faa9aa7118ecf9bb6594281f6b582f1ced0cc62d5db09a2fbf9b7ce70c532285" + hash = "507724d96a54f3e45c16a065bf38ae82a9b80d07096a461068a701cae0c1cf29" + hash = "b0dd55b4dc7e561dfe413b029673674e2a5381f5f4daede03ddf3484310a6e11" + hash = "c2e1a3dd0dfb3477a3e855368b23d12b8818df8fa3bc3508abf069a0873d6bf8" + hash = "d3e95b8d8cbb0c4c3bb78d929408b37fd3b8f305b6234f7f03954465d52454eb" + hash = "5ea5f339b2e40dea57378626790ca7e9a82777aacdada5bc61ebb7d82043fa07" + hash = "b6ae324b84a4632cf690dd565954d64b205104fc3fa42181612c3f5b830579c6" + hash = "d8096325bfe81b093dd522095b6153d9c4850ba2eaa790e12e7056ef160d0432" + hash = "a38c26c0754f6c9389ea43dd0149db26b95742c1b37468fcf0d8ced66da1dcb9" + hash = "a92d2736c8cd99195a1ef4d0d9a3412bee481acf585944e3b5946b465361a3e7" + hash = "0209934453e9ce60b1a5e4b85412e6faf29127987505bfb1185fc9296c578b09" + hash = "969f73a1da331e43777a3c1f08ec0734e7cf8c8136e5d469cbad8035fbfe3b47" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f0062006900740055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription IObitUnlockerDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072 } /* ProductName IObitUnlocker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0049004f00620069007400200043006f0070007900720069006700680074002000a900200032003000300035002d0032003000310033 } /* LegalCopyright IObitCopyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iobitunlocker/i +} + + rule PUA_VULN_Renamed_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PhlashNT.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300570069006e0046006c006100730068002000440072006900760065007200200066006f0072002000570069006e0064006f007700730020004e0054 } /* FileDescription SWinFlashDriverforWindowsNT */ @@ -477,7 +1209,7 @@ rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ @@ -493,13 +1225,80 @@ rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 { } +rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_F4DC { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f4dc11b7922bf2674ca9673638e7fe4e26aceb0ebdc528e6d10c8676e555d7b2" + hash = "070ff602cccaaef9e2b094e03983fd7f1bf0c0326612eb76593eabbf1bda9103" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0032002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f00440044007200690076006500720032002e007300790073 } /* InternalName AODDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f00440044007200690076006500720032002e007300790073 } /* OriginalFilename AODDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003200200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AODDriver/i +} + + +rule PUA_VULN_Renamed_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovider_8FE4 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8fe429c46fedbab8f06e5396056adabbb84a31efef7f9523eb745fc60144db65" + hash = "71423a66165782efb4db7be6ce48ddb463d9f65fd0f266d333a6558791d158e5" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f00200066006f0072002000570069006e00360034 } /* FileDescription GenericPortIOforWin */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* ProductName WindowsRDDKprovider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200032003000300035 } /* LegalCopyright CopyrightCMicrosoftCorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtport/i +} + + +rule PUA_VULN_Renamed_Driver_Anticheatexpertcom_Acebase_Anticheatexpert_7326 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ACE-BASE.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7326aefff9ea3a32286b423a62baebe33b73251348666c1ee569afe62dd60e11" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100430045002d0042004100530045003600340020004e00540020004400720069007600650072 } /* FileDescription ACEBASENTDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041004e0054004900430048004500410054004500580050004500520054002e0043004f004d } /* CompanyName ANTICHEATEXPERTCOM */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032003200300032002e0036003200310037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100430045002d004200410053004500360034 } /* InternalName ACEBASE */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069002d004300680065006100740020004500780070006500720074 } /* ProductName AntiCheatExpert */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200041006e0074006900430068006500610074004500780070006500720074002e0063006f006d0020004c0069006d0069007400650064002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright AntiCheatExpertcomLimitedAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 1900KB and all of them and not filename matches /ACE-BASE/i +} + + rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -515,27 +1314,89 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri } -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { +rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_1072 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f" - hash = "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba" - hash = "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15" - hash = "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c" - hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6" - hash = "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512" - hash = "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe" - hash = "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc" - hash = "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1" - hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758" - hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90" - hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b" - date = "2024-07-29" + hash = "1072beb3ff6b191b3df1a339e3a8c87a8dc5eae727f2b993ea51b448e837636a" + hash = "e8eb1c821dbf56bde05c0c49f6d560021628df89c29192058ce68907e7048994" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e0031003100320036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e0031003100320036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0061007600610073007400210020004e0047 } /* ProductName avastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003200200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ngiodriver/i +} + + +rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_8A07 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881" + hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43" + hash = "65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d" + hash = "b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c" + hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf" + hash = "fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70" + hash = "b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f" + hash = "d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8" + hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26" + hash = "53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6" + hash = "0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310033002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + +rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f" + hash = "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba" + hash = "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15" + hash = "636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220" + hash = "e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc" + hash = "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c" + hash = "d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6" + hash = "b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b" + hash = "b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d" + hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6" + hash = "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512" + hash = "c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa" + hash = "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe" + hash = "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc" + hash = "a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e" + hash = "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1" + hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758" + hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90" + hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ @@ -548,6 +1409,75 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { } +rule PUA_VULN_Renamed_Driver_Proxydrvsys_Nn_C0E7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /ProxyDrv/i +} + + +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_5381 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b" + hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" + hash = "003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i +} + + +rule PUA_VULN_Renamed_Driver_Netfiltersys_26D6 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "26d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe" + hash = "6a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe1660" + hash = "2fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /netfilter2/i +} + + rule PUA_VULN_Renamed_Driver_Asustek_Driversys_Ectool_927C { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - driver7-x86-withoutdbg.sys" @@ -555,8 +1485,9 @@ rule PUA_VULN_Renamed_Driver_Asustek_Driversys_Ectool_927C { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a" hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0" + hash = "1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb" hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400680065002000640072006900760065007200200066006f007200200074006800650020004500430074006f006f006c0020006400720069007600650072002d0062006100730065006400200074006f006f006c0073 } /* FileDescription ThedriverfortheECtooldriverbasedtools */ @@ -572,13 +1503,169 @@ rule PUA_VULN_Renamed_Driver_Asustek_Driversys_Ectool_927C { } +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_DD62 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "dd628061d6e53f3f0b44f409ad914b3494c5d7b5ff6ff0e8fc3161aacec93e96" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d0020004400720069007600650072 } /* FileDescription TrendMicroELAMDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Tmel/i +} + + +rule PUA_VULN_Renamed_Driver_Intelcorp_Stdcdrvwssys_Selftestdatacollectordriverforwindowsx_70AF { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - stdcdrvws64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "70afdc0e11db840d5367afe53c35d9642c1cf616c7832ab283781d085988e505" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f00720020004400720069007600650072 } /* FileDescription SelfTestDataCollectorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070002e } /* CompanyName IntelCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730074006400630064007200760077007300360034002e007300790073 } /* InternalName stdcdrvwssys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072002000440072006900760065007200200066006f0072002000570069006e0064006f00770073002000370020007800360034 } /* ProductName SelfTestDataCollectorDriverforWindowsx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730074006400630064007200760077007300360034002e007300790073 } /* OriginalFilename stdcdrvwssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310030 } /* LegalCopyright Copyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /stdcdrvws64/i +} + + +rule PUA_VULN_Renamed_Driver_Realteksemiconductorcorp_Rtportsys_Realtekportio_FF32 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ff322cd0cc30976f9dbdb7a3681529aeab0de7b7f5c5763362b02c15da9657a1" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200450041004c00540045004b00200050006f0072007400200049002f004f } /* FileDescription REALTEKPortIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c00540045004b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070002e } /* CompanyName REALTEKSemiconductorCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00300031002e0030003000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00300031002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005200540050004f00520054002e005300590053 } /* InternalName RTPORTSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200450041004c00540045004b00200050006f0072007400200049002f004f } /* ProductName REALTEKPortIO */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005200540050004f00520054002e005300590053 } /* OriginalFilename RTPORTSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200031003900390039002d00320030003000310020005200450041004c00540045004b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070002e } /* LegalCopyright CopyrightcREALTEKSemiconductorCorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtport/i +} + + +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_A6F7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e00320030003100320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e0032003000310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i +} + + +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_834A { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78" + hash = "e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i +} + + +rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_F4C7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de" + hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" + hash = "1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /EIO/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F42E { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d005300490043006c006f0063006b005f00430043 } /* FileDescription NTIOLibforMSIClockCC */ @@ -594,13 +1681,36 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { } +rule PUA_VULN_Renamed_Driver_Computerzsys_Ludashisystemdriver_3867 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "386745d23a841e1c768b5bdf052e0c79bb47245f9713ee64e2a63f330697f0c8" + hash = "5aee1bae73d056960b3a2d2e24ea07c44358dc7bc3f8ac58cc015cccc8f8d89c" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800300032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -622,7 +1732,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -638,6 +1748,28 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { } +rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_38D6 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i +} + + rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriverfle_42E1 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_I2cIo.sys" @@ -646,7 +1778,7 @@ rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriverfle_42E1 { hash = "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb" hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65" hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -662,13 +1794,35 @@ rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriverfle_42E1 { } +rule PUA_VULN_Renamed_Driver_Elaboratebytes_Elbycdio_Cdrtools_07AF { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + rule PUA_VULN_Renamed_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemserviceprovider_C9CF { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mtcBSv64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ @@ -684,13 +1838,35 @@ rule PUA_VULN_Renamed_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemser } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7125 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7125c9831a52d89d3d59fb28043b67fbe0068d69732da006fabb95550d1fa730" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i +} + + rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -708,11 +1884,11 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 { rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viraglt64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viraglt64.sys, viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -724,7 +1900,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viraglt64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viraglt64/i and not filename matches /viragt64/i } @@ -734,7 +1910,7 @@ rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxs author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ @@ -750,13 +1926,36 @@ rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxs } +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_D633 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d633055c7eda26dacfc30109eb790625519fc7b0a3a601ceed9e21918aad8a1b" + hash = "29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e00300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e00300036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i +} + + rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -772,46 +1971,70 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 { } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_6C71 { +rule PUA_VULN_Renamed_Driver_Bsmisys_5962 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ncpl.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMI.sys, BSMIXP64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" - hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0" - date = "2024-07-29" + hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" + hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ncpl/i -} + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420053004d0049002e007300790073 } /* InternalName BSMIsys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053004d0049002e007300790073 } /* OriginalFilename BSMIsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000420049004f005300540041005200200043006f00720070002e00200032003000310031 } /* LegalCopyright CopyrightCBIOSTARCorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /BSMI/i and not filename matches /BSMIXP64/i +} -rule PUA_VULN_Renamed_Driver_Bsmisys_5962 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_C6FE { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMIXP64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" - hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" - date = "2024-07-29" + hash = "c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1" + hash = "e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe" + hash = "f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e" + hash = "1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420053004d0049002e007300790073 } /* InternalName BSMIsys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053004d0049002e007300790073 } /* OriginalFilename BSMIsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000420049004f005300540041005200200043006f00720070002e00200032003000310031 } /* LegalCopyright CopyrightCBIOSTARCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_AF16 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003200200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /BSMIXP64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } @@ -851,7 +2074,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_99F4 { hash = "47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005" hash = "38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a" hash = "ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -867,27 +2090,48 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_99F4 { } -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_26E3 { +rule PUA_VULN_Renamed_Driver_Ncrcorporation_Radhwmgrsys_Ncrcorporationhardwaremanagerdriver_7C8A { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43" - hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf" - hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26" - date = "2024-07-29" + hash = "7c8ad57b3a224fdc2aac9dd2d7c3624f1fcd3542d4db804de25a90155657e2cc" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310033002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e } /* CompanyName NCRCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00330033002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00330033002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e0020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName NCRCorporationHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000310038004e0043005200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright NCRCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /RadHwMgr/i +} + + +rule PUA_VULN_Renamed_Driver_Avaluetechnologyinc_Avalueio_Avalueio_A5A4 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - avalueio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a5a4a3c3d3d5a79f3ed703fc56d45011c21f9913001fcbcc43a3f7572cff44ec" + hash = "defde359045213ae6ae278e2a92c5b4a46a74119902364c7957a38138e9c9bbd" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100760061006c007500650049004f0020004400720069007600650072 } /* FileDescription AvalueIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0020004100760061006c0075006500200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName AvalueTechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300030002e00300032002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030002e00300032002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100560041004c005500450049004f } /* InternalName AVALUEIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061006c007500650049004f0020 } /* ProductName AvalueIO */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100560041004c005500450049004f002e005300590053 } /* OriginalFilename AVALUEIOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020006300200032003000310036 } /* LegalCopyright Copyrightc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /avalueio/i } @@ -900,7 +2144,7 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftat hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5" hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3" hash = "36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440065006600610075006c0074002000420049004f005300200046006c0061007300680020004400720069007600650072 } /* FileDescription DefaultBIOSFlashDriver */ @@ -916,13 +2160,87 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftat } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_F27F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229" + hash = "8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750" + hash = "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48" + hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" + hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a" + hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /libnicm/i +} + + +rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_965D { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "965d4f981b54669a96c5ab02d09bf0a9850d13862425b8981f1a9271350f28bb" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx64/i +} + + +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_5A66 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5a661e26cfe5d8dedf8c9644129039cfa40aebb448895187b96a8b7441d52aaa" + hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f" + hash = "202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213" + hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" + hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0" + hash = "b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /nscm/i +} + + rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibrary_6B83 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIOx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ @@ -938,37 +2256,13 @@ rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_P } -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_2A6D { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486" - hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961" - hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399" - date = "2024-07-29" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310032002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i -} - - rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -980,7 +2274,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } @@ -990,7 +2284,7 @@ rule PUA_VULN_Renamed_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006e005400650063006800200073006f006600740045006e00670069006e006500200078003600340020006b00650072006e0065006c002d006d006f006400650020006400720069007600650072 } /* FileDescription EnTechsoftEnginexkernelmodedriver */ @@ -1012,7 +2306,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -1028,13 +2322,38 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy } +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_F159 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672" + hash = "9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01" + hash = "0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182" + hash = "9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i +} + + rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -1057,7 +2376,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039" hash = "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1073,13 +2392,59 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { } +rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_3C11 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3c11dec1571253594d64619d8efc8c0212897be84a75a8646c578e665f58bf5d" + hash = "5a0b10a9e662a0b0eeb951ffd2a82cc71d30939a78daebd26b3f58bb24351ac9" + hash = "7a1105548bfc4b0a1b7b891cde0356d39b6633975cbcd0f2e2d8e31b3646d2ca" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* InternalName AODDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* OriginalFilename AODDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003200300030003900200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AODDriver/i +} + + +rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_EAA5 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_8FE9 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -1098,10 +2463,15 @@ rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windows author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668" + hash = "84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51" + hash = "8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c" hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" + hash = "ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4" hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" - date = "2024-07-29" + hash = "79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd" + hash = "6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -1123,7 +2493,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3D9E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004e00540049004f004c00690062005f00450043004f } /* FileDescription NTIOLibForNTIOLibECO */ @@ -1139,6 +2509,50 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3D9E { } +rule PUA_VULN_Renamed_Driver_Logitech_Lgcoretempsys_Lgcoretemp_E0CB { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgCoreTemp.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430050005500200043006f00720065002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription CPUCoreTemperatureMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f006700690074006500630068 } /* CompanyName Logitech */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* InternalName LgCoreTempsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070 } /* ProductName LgCoreTemp */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* OriginalFilename LgCoreTempsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004c006f006700690074006500630068002c00200049006e0063 } /* LegalCopyright CopyrightLogitechInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LgCoreTemp/i +} + + +rule PUA_VULN_Renamed_Driver_Intelcorporation_Stdcdrvsys_Selftestdatacollector_3702 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - stdcdrv64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "37022838c4327e2a5805e8479330d8ff6f8cd3495079905e867811906c98ea20" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072 } /* FileDescription SelfTestDataCollector */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007300740064006300640072007600360034002e007300790073 } /* InternalName stdcdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072 } /* ProductName SelfTestDataCollector */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007300740064006300640072007600360034002e007300790073 } /* OriginalFilename stdcdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200049006e00740065006c00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightcIntelCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /stdcdrv64/i +} + + rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" @@ -1146,7 +2560,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250" hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d0053004900530069006d0070006c0065005f004f0043 } /* FileDescription NTIOLibForMSISimpleOC */ @@ -1169,7 +2583,7 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri reference = "https://github.com/magicsword-io/LOLDrivers" hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0" hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -1185,6 +2599,94 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri } +rule PUA_VULN_Renamed_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovider_3C0A { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3c0a36990f7eef89b2d5f454b6452b6df1304609903f31f475502e4050241dd8" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f00200066006f0072002000570069006e00330032 } /* FileDescription GenericPortIOforWin */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* ProductName WindowsRDDKprovider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200032003000300035 } /* LegalCopyright CopyrightCMicrosoftCorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtport/i +} + + +rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_5FAE { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5fae7e491b0d919f0b551e15e0942ac7772f2889722684aea32cff369e975879" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e0030002e0030002e003300360032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e0030002e0030002e003300360032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ngiodriver/i +} + + +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxusbmonsys_Virtualboxusbmonitordriver_3D05 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3d055be2671e136c937f361cef905e295ddb6983526341f1d5f80a16b7655b40" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxUSBMon/i +} + + +rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_1A45 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1a450ae0c9258ab0ae64f126f876b5feed63498db729ec61d06ed280e6c46f67" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ngiodriver/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_62F5 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" @@ -1192,7 +2694,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_62F5 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0" hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1215,7 +2717,7 @@ rule PUA_VULN_Renamed_Driver_Yyinc_Dianhu_80CB { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3" hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */ @@ -1231,12 +2733,14 @@ rule PUA_VULN_Renamed_Driver_Yyinc_Dianhu_80CB { rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00" + hash = "7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96" hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9" - date = "2024-07-29" + hash = "b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -1248,7 +2752,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } @@ -1258,7 +2762,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -1274,18 +2778,62 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 { } -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_591B { +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Wnbiossys_Windowsrwinddkdriver_530D { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wnbios.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52" - date = "2024-07-29" + hash = "530d9223ec7e4123532a403abef96dfd1af5291eb49497392ff5d14d18fccfbb" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* FileDescription NTIOLibForMSIRatioCC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0057006e00420069006f00730020004400720069007600650072 } /* FileDescription WnBiosDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0077006e00620069006f0073002e007300790073 } /* InternalName wnbiossys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0077006e00620069006f0073002e007300790073 } /* OriginalFilename wnbiossys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /wnbios/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytes_Elbycdio_Cdrtools_98EC { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_591B { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* FileDescription NTIOLibForMSIRatioCC */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ @@ -1303,7 +2851,7 @@ rule PUA_VULN_Renamed_Driver_Openlibsysorg_Winringsys_Winring_47EA { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84" hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ @@ -1325,7 +2873,7 @@ rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -1347,7 +2895,7 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -1369,9 +2917,12 @@ rule PUA_VULN_Renamed_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_AD40 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" + hash = "6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943" hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7" + hash = "c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad" + hash = "be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0" hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */ @@ -1387,13 +2938,38 @@ rule PUA_VULN_Renamed_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_AD40 { } +rule PUA_VULN_Renamed_Driver_Computerzsys_Ludashisystemdriver_E502 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e502c2736825ea0380dd42effaa48105a201d4146e79de00713b8d3aaa98cd65" + hash = "5c80dc051c4b0c62b9284211f71e5567c0c0187e466591eacb93e7dc10e4b9ab" + hash = "d6801e845d380c809d0da8c7a5d3cd2faa382875ae72f5f7af667a34df25fbf7" + hash = "d474ea066d416ded9ed8501c285ca6b1c26a1d1c813c8f6bd5523eeb66c5d01e" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e0031003100310030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e0031003100310030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0CD4 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -1409,37 +2985,13 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_E16D { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48" - hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" - hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a" - hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d" - date = "2024-07-29" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /libnicm/i -} - - rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1461,7 +3013,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1483,7 +3035,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -1499,31 +3051,71 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit } -rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_3943 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_3B71 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv106.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" - hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" - hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" - hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" - hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" - hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" - hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" - date = "2024-07-29" + hash = "3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458" + hash = "72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35" + hash = "d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4" + hash = "87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i +} + + +rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_0BD1 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0bd1523a68900b80ed1bccb967643525cca55d4ff4622d0128913690e6bb619e" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx32/i +} + + +rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_1E94 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1e94d4e6d903e98f60c240dc841dcace5f9e8bbb0802e6648a49ab80c23318cb" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrDrv106/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx32/i } @@ -1533,7 +3125,7 @@ rule PUA_VULN_Renamed_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F74 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004500540044006900200053007500700070006f007200740020004400720069007600650072 } /* FileDescription ETDiSupportDriver */ @@ -1549,13 +3141,88 @@ rule PUA_VULN_Renamed_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F74 } +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_DB1D { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "db1dbb09d437d3e8bed08c88ca43769b4fe8728f68b78ff6f9c8d2557e28d2b1" + hash = "5c54a5cd3386ac14725a07962562e9fdcefbb7be0d19803f9d71de24573de1e3" + hash = "6703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c0" + hash = "47e35f474f259314c588af35e88561a015801b52db523eb75fc7eccff8b3be4d" + hash = "0eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec" + hash = "639ff79f13e40d47b90ecd709699edd10e740cb41451acb95590a68b6352de2b" + hash = "f488500be4eaafba74b644be95d4c0523297770fb9bb78c449f643ab8d4a05d9" + hash = "8017e618b5a7aa608cc4bce16e4defd6b4e99138c4ba1bdd6ad78e39f035cf59" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /netfilter2/i +} + + +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_4ED2 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e00320030003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i +} + + +rule PUA_VULN_Renamed_Driver_Netfiltersys_1265 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "12656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df" + hash = "7ff8fe4c220cf6416984b70a7e272006a018e5662da3cedc2a88efeb6411b4a4" + hash = "1cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /netfilter2/i +} + + rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -1571,6 +3238,50 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { } +rule PUA_VULN_Renamed_Driver_Iobit_Iobitunlockersys_Iobitunlocker_C79A { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f0062006900740055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription IObitUnlockerDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072 } /* ProductName IObitUnlocker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0049004f00620069007400200043006f0070007900720069006700680074002000a900200032003000300035002d0032003000310033 } /* LegalCopyright IObitCopyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iobitunlocker/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_16B5 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + rule PUA_VULN_Renamed_Driver_Phoenixtechnologies_Agentsys_Driveragent_4045 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Agent64.sys" @@ -1581,7 +3292,8 @@ rule PUA_VULN_Renamed_Driver_Phoenixtechnologies_Agentsys_Driveragent_4045 { hash = "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa" hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414" hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748" - date = "2024-07-29" + hash = "4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004400720069007600650072004100670065006e0074002000440069007200650063007400200049002f004f00200066006f0072002000360034002d006200690074002000570069006e0064006f00770073 } /* FileDescription DriverAgentDirectIOforbitWindows */ @@ -1597,13 +3309,36 @@ rule PUA_VULN_Renamed_Driver_Phoenixtechnologies_Agentsys_Driveragent_4045 { } +rule PUA_VULN_Renamed_Driver_Ludashicom_Computerzsys_FA77 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "fa77a472e95c4d0a2271e5d7253a85af25c07719df26941b39082cfc0733071a" + hash = "423f052690b6b523502931151dfcc63530e3bd9d79680f9b5ac033b23b5c6f18" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -1619,35 +3354,13 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_904E { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NICM.SYS" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" - hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" - date = "2024-07-29" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NICM/i -} - - rule PUA_VULN_Renamed_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ @@ -1663,6 +3376,28 @@ rule PUA_VULN_Renamed_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 { } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4AC0 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ac08a6035cfcafdac712d7c3cf2eef6e10258f14cee6e80e1ef2f71f5045173" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003900300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00390030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i +} + + rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_2A65 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrIbDrv.sys" @@ -1674,7 +3409,7 @@ rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_2 hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc" hash = "0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb" hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* FileDescription RWEverythingReadWriteDriver */ @@ -1696,7 +3431,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1712,13 +3447,81 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 { } +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_2203 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000300038002c002000300035002c002000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e0056006f0063006c006f0063006b002e00520043 } /* OriginalFilename NVoclockRC */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033 } /* LegalCopyright Copyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i +} + + +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_442C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c" + hash = "3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i +} + + +rule PUA_VULN_Renamed_Driver_Ludashicom_Computerzsys_468B { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "468b087a0901d7bd971ab564b03ded48c508840b1f9e5d233a7916d1da6d9bd5" + hash = "f93e0d776481c4ded177d5e4aebb27f30f0d47dcb4a1448aee8b66099ac686e1" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D0 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -1740,7 +3543,7 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -1762,7 +3565,7 @@ rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ @@ -1778,13 +3581,36 @@ rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsy } +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_F4E5 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f4e500a9ac5991da5bf114fa80e66456a2cde3458a3d41c14e127ac09240c114" + hash = "642857fc8d737e92db8771e46e8638a37d9743928c959ed056c15427c6197a54" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i +} + + rule PUA_VULN_Renamed_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Lenovodiagnostics_F05B { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LenovoDiagnosticsDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073002000440072006900760065007200200066006f0072002000570069006e0064006f0077007300200031003000200061006e00640020006c0061007400650072002e } /* FileDescription LenovoDiagnosticsDriverforWindowsandlater */ @@ -1800,13 +3626,54 @@ rule PUA_VULN_Renamed_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Leno } +rule PUA_VULN_Renamed_Driver_3F20 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - pchunter.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3f20ac5dac9171857fc5791865458fdb6eac4fab837d7eabc42cb0a83cb522fc" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]7cfb7edf4fe1606f67e5770b5de55177 } /* FileDescription */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8982af7f5176feff0853174eacff0979d1628067099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0037 } /* ProductVersion */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310039002d003200300032003100200041006e00580069006e00530065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CAnXinSecCorporationAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 700KB and all of them and not filename matches /pchunter/i +} + + +rule PUA_VULN_Renamed_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_7D4C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0031002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003000200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NCHGBIOS2x64/i +} + + rule PUA_VULN_Renamed_Driver_Dell_Dbutil_71FE { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DBUtilDrv2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440042005500740069006c } /* FileDescription DBUtil */ @@ -1819,6 +3686,29 @@ rule PUA_VULN_Renamed_Driver_Dell_Dbutil_71FE { } +rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_6D2C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6d2cc7e1d95bb752d79613d0ea287ea48a63fb643dcb88c12b516055da56a11d" + hash = "8047859a7a886bcf4e666494bd03a6be9ce18e20dc72df0e5b418d180efef250" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310033002e0031003000310039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310033002e0031003000310039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100330020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + rule PUA_VULN_Renamed_Driver_Atszio_Atsziodriver_673B { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" @@ -1826,7 +3716,7 @@ rule PUA_VULN_Renamed_Driver_Atszio_Atsziodriver_673B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b" hash = "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -1847,7 +3737,7 @@ rule PUA_VULN_Renamed_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0065006d006f007200790020006d0061007000700069006e00670020004400720069007600650072 } /* FileDescription MemorymappingDriver */ @@ -1863,26 +3753,28 @@ rule PUA_VULN_Renamed_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E { } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_FB81 { +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_9724 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f" - hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" - hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0" - date = "2024-07-29" + hash = "9724488ca2ba4c787640c49131f4d1daae5bd47d6b2e7e5f9e8918b1d6f655be" + hash = "a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512" + hash = "e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21" + hash = "8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /nscm/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i } @@ -1892,7 +3784,7 @@ rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -1915,7 +3807,7 @@ rule PUA_VULN_Renamed_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsy reference = "https://github.com/magicsword-io/LOLDrivers" hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade" hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c00480041 } /* FileDescription LHA */ @@ -1931,13 +3823,81 @@ rule PUA_VULN_Renamed_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsy } +rule PUA_VULN_Renamed_Driver_Elitegroupcomputersystems_Ecsiodriversys_Ecsiodriver_2705 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ecsiodriverx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "270547552060c6f4f5b2ebd57a636d5e71d5f8a9d4305c2b0fe5db0aa2f389cc" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045004300530049006f004400720069007600650072 } /* FileDescription ECSIoDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00690074006500670072006f0075007000200043006f006d00700075007400650072002000530079007300740065006d0073 } /* CompanyName ElitegroupComputerSystems */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045004300530049006f004400720069007600650072002e007300790073 } /* InternalName ECSIoDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0045004300530049006f004400720069007600650072 } /* ProductName ECSIoDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045004300530049006f004400720069007600650072002e007300790073 } /* OriginalFilename ECSIoDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d003200300031003000200045006c00690074006500670072006f0075007000200043006f006d00700075007400650072002000530079007300740065006d0073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCElitegroupComputerSystemsAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ecsiodriverx64/i +} + + +rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_8D33 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8d3347c93dff62eecdde22ccc6ba3ce8c0446874738488527ea76d0645341409" + hash = "31ffc8218a52c3276bece1e5bac7fcb638dca0bc95c2d385511958abdbe4e4a5" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310032002e0031003000310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310032002e0031003000310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100320020003300360030002e0063006e } /* LegalCopyright Ccn */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + +rule PUA_VULN_Renamed_Driver_Computerzsys_Ludashisystemdriver_C586 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c586befc3fd561fcbf1cf706214ae2adaa43ce9ba760efd548d581f60deafc65" + hash = "dda2a604bb94a274e23f0005f0aa330d45ca1ea25111746fb46fa5ef6d155b1d" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0039002e0031003100300035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0039002e0031003100300035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + rule PUA_VULN_Renamed_Driver_Logmeininc_Lmiinfosys_Logmein_453B { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LMIinfo.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0067004d00650049006e0020004b00650072006e0065006c00200049006e0066006f0072006d006100740069006f006e002000500072006f00760069006400650072 } /* FileDescription LogMeInKernelInformationProvider */ @@ -1953,13 +3913,82 @@ rule PUA_VULN_Renamed_Driver_Logmeininc_Lmiinfosys_Logmein_453B { } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_76AF { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "76af3f9fa111d694e37058606f2636430bdd378c85b94f426fbfcd6666ebe6cc" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000380020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i +} + + +rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_1284 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0032002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0032002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i +} + + +rule PUA_VULN_Renamed_Driver_Rweverything_Asrsetupdrvsys_Asrsetupdrvdriver_9D93 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrSetupDrv103.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3" + hash = "a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* FileDescription AsrSetupDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* InternalName AsrSetupDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* ProductName AsrSetupDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* OriginalFilename AsrSetupDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrSetupDrv103/i +} + + rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2" - date = "2024-07-29" + hash = "7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5" + hash = "0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -1975,13 +4004,58 @@ rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_ } +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_D0EB { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d0eb3ba0aff471d19260192784bf9f056d669b779b6eaff84e732b7124ce1d11" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Tmel/i +} + + +rule PUA_VULN_Renamed_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_EDBB { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "edbb23e74562e98b849e5d0eefde3af056ec6e272802a04b61bebd12395754e5" + hash = "4b465faf013929edf2f605c8cd1ac7a278ddc9a536c4c34096965e6852cbfb51" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /GtcKmdfBs/i +} + + rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -1993,7 +4067,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } @@ -2003,7 +4077,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2025,7 +4099,7 @@ rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2041,13 +4115,69 @@ rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C { } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_1493 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c" + hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" + hash = "41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f" + hash = "a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53" + hash = "e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce" + hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i +} + + +rule PUA_VULN_Renamed_Driver_Powertool_Kevpsys_Powertool_7C0F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230" + hash = "d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e" + hash = "2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d" + hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" + hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" + hash = "e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4" + hash = "7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f" + hash = "97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56" + hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ + condition: + uint16(0) == 0x5a4d and filesize < 2900KB and all of them and not filename matches /kEvP64/i +} + + rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -2063,13 +4193,36 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { } +rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_BC45 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "bc453d428fc224960fa8cbbaf90c86ce9b4c8c30916ad56e525ab19b6516424e" + hash = "182bbdb9ecd3932e0f0c986b779c2b2b3997a7ca9375caa2ec59b4b08f4e9714" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -2091,7 +4244,7 @@ rule PUA_VULN_Renamed_Driver_Safenetinc_Hostnt_Hostnt_07B6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006f00730074006e0074002000360034002d0062006900740020006400720069007600650072 } /* FileDescription Hostntbitdriver */ @@ -2113,7 +4266,7 @@ rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ @@ -2129,13 +4282,35 @@ rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9 } +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_848B { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "848b150ffcf1301b26634a41f28deacb5ccdd3117d79b590d515ed49849b8891" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i +} + + rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_7CB5 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -2155,7 +4330,7 @@ rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochku author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ @@ -2178,7 +4353,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd" hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2194,62 +4369,128 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 { } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_2899 { +rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_0EAB { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" - hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" - date = "2024-07-29" + hash = "0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E { +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_8EF5 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01" - date = "2024-07-29" + hash = "8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000370038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e00320030003100350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e0032003000310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: - uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1F15 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc" - date = "2024-07-29" + hash = "1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0030002e0031003100300034 } /* FileVersion */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_0452 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i +} + + +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000370038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i +} + + +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0030002e0031003100300034 } /* FileVersion */ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ @@ -2267,9 +4508,11 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_7710 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c" hash = "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2" + hash = "6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388" hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88" hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c" - date = "2024-07-29" + hash = "b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -2285,13 +4528,63 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_7710 { } +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_AD8F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7" + hash = "0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i +} + + +rule PUA_VULN_Renamed_Driver_Ludashicom_Computerzsys_71C0 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "71c0ce3d33352ba6a0fb26e274d0fa87dc756d2473e104e0f5a7d57fab8a5713" + hash = "13ae3081393f8100cc491ebb88ba58f0491b3550787cf3fd25a73aa7ca0290d9" + hash = "8781589c77df2330a0085866a455d3ef64e4771eb574a211849784fdfa765040" + hash = "e642d82c5cde2bc40a204736b5b8d6578e8e2b893877ae0508cfa3371fc254dc" + hash = "ed3448152bcacf20d7c33e9194c89d5304dee3fba16034dd0cc03a3374e63c91" + hash = "5c9e257c9740561b5744812e1343815e7972c362c8993d972b96a56e18c712f3" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100350020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriver_22BE { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - speedfan.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } /* FileDescription SpeedFanDeviceDriver */ @@ -2313,7 +4606,7 @@ rule PUA_VULN_Renamed_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ @@ -2335,7 +4628,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2357,7 +4650,7 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -2380,7 +4673,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex reference = "https://github.com/magicsword-io/LOLDrivers" hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85" hash = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2404,7 +4697,7 @@ rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_A hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471" hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2" hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ @@ -2426,7 +4719,7 @@ rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_372 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -2444,11 +4737,11 @@ rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_372 rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ @@ -2460,7 +4753,53 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_D7C9 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8" + hash = "64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000300030002c002000300030002c002000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e0056006f0063006c006f0063006b002e00520043 } /* OriginalFilename NVoclockRC */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033 } /* LegalCopyright Copyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i +} + + +rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_A97B { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a97b404aae301048e0600693457c3320d33f395e9312938831bc5a0e808f2e67" + hash = "47c490cc83a17ff36a1a92e08d63e76edffba49c9577865315a6c9be6ba80a7d" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003000300038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003000300038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i } @@ -2471,7 +4810,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee" hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062005f005800360034 } /* FileDescription NTIOLibX */ @@ -2487,6 +4826,28 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { } +rule PUA_VULN_Renamed_Driver_Featureintegrationtechnologyinc_Fintekpciecom_81FB { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FPCIE2COM.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "81fbc9d02ef9e05602ea9c0804d423043d0ea5a06393c7ece3be03459f76a41d" + hash = "ebf0e56a1941e3a6583aab4a735f1b04d4750228c18666925945ed9d7c9007e1" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460049004e00540045004b002000500043004900450043004f004d00200041006400610070007400650072 } /* FileDescription FINTEKPCIECOMAdapter */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004600650061007400750072006500200049006e0074006500670072006100740069006f006e00200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName FeatureIntegrationTechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320032002c00310032002c0035002c0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320032002c00310032002c0035002c0030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460049004e00540045004b002000500043004900450043004f004d0020 } /* ProductName FINTEKPCIECOM */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0046005000430049004500320043004f004d002e007300790073 } /* OriginalFilename FPCIECOMsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200320020004600650061007400750072006500200049006e0074006500670072006100740069006f006e00200054006500630068006e006f006c006f0067007900200049006e0063002e } /* LegalCopyright CopyrightCFeatureIntegrationTechnologyInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /FPCIE2COM/i +} + + rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_6BFC { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" @@ -2495,7 +4856,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e" hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc" hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2517,7 +4878,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2539,7 +4900,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_45F4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -2565,7 +4926,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4D05 { hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5" hash = "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572" hash = "d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -2587,7 +4948,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -2609,7 +4970,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2625,13 +4986,60 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { } +rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_8899 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3" + hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" + hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38" + hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00310038003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0031003800330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i +} + + +rule PUA_VULN_Renamed_Driver_Filseclabcorporation_Fildds_Filseclabdynamicdefensesystem_F8C0 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - fildds.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f8c07b6e2066a5a22a92d9f521ecdeb8c68698c400e4b83e0501b9f340957c22" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d0020004400720076 } /* FileDescription FilseclabDynamicDefenseSystemDrv */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* CompanyName FilseclabCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200038003500350033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200038003500350033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00660069006c006400640073 } /* InternalName fildds */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d } /* ProductName FilseclabDynamicDefenseSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00660069006c006400640073002e007300790073 } /* OriginalFilename filddssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d0032003000310031002000460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCFilseclabCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /fildds/i +} + + rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -2647,13 +5055,35 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D { } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_3E85 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3070 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0053004900200043006f006d00430065006e00530065007200760069006300650020004400720069007600650072 } /* FileDescription MSIComCenServiceDriver */ @@ -2675,7 +5105,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_CC58 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -2699,7 +5129,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Window hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677" hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab" hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2715,13 +5145,35 @@ rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Window } +rule PUA_VULN_Renamed_Driver_Nmscommunications_Cgkwinksys_Ctaccess_223F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cg6kwin2k.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "223f61c3f443c5047d1aeb905b0551005a426f084b7a50384905e7e4ecb761a1" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430047002f004d0047002000660061006d0069006c00790020006400720069007600650072 } /* FileDescription CGMGfamilydriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e004d005300200043006f006d006d0075006e00690063006100740069006f006e0073 } /* CompanyName NMSCommunications */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e003000300020006200750069006c0074002000620079003a002000410064006d0069006e006900730074007200610074006f0072 } /* FileVersion builtbyAdministrator */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300670036006b00770069006e0032006b002e007300790073 } /* InternalName cgkwinksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004300540020004100630063006500730073 } /* ProductName CTAccess */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300670036006b00770069006e0032006b002e007300790073 } /* OriginalFilename cgkwinksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004e004d005300200043006f006d006d0075006e00690063006100740069006f006e007300200043006f00720070002e0032003000300034 } /* LegalCopyright CopyrightCNMSCommunicationsCorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cg6kwin2k/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2737,13 +5189,35 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 { } +rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_B9AE { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i +} + + rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */ @@ -2759,13 +5233,36 @@ rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkd } +rule PUA_VULN_Renamed_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdatetoolkerneldriver_0CF8 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0cf84400c09582ee2911a5b1582332c992d1cd29fcf811cb1dc00fcd61757db0" + hash = "f190919f1668652249fa23d8c0455acbde9d344089fde96566239b1a18b91da2" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d0077006100720065002000550070006400610074006500200054006f006f006c0020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateToolKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d0077006100720065002000550070006400610074006500200054006f006f006c0020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateToolKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* OriginalFilename PDFWKRNLsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003100200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PDFWKRNL/i +} + + rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ @@ -2781,13 +5278,35 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B } +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_4D77 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4d777a9e2c61e8b55b3c34c5265b301454bb080abe7ffb373e7800bd6a498f8d" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300035002e00300039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300035002e00300039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2803,13 +5322,57 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD { } +rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_00D9 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "00d9781d0823ab49505ef9c877aa6fa674e19ecc8b02c39ee2728f298bc92b03" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_C35C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c35cab244bd88bf0b1e7fc89c587d82763f66cf1108084713f867f72cc6f3633" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003800780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /DcProtect/i +} + + rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriverfornt_EA85 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IOMap64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* FileDescription ASUSKernelModeDriverforNT */ @@ -2831,7 +5394,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2853,7 +5416,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -2876,7 +5439,7 @@ rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_5596 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa" hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d003100300020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ @@ -2892,71 +5455,224 @@ rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_5596 { } -rule PUA_VULN_Renamed_Driver_Mydriverscom_Hwm_Drivergenius_08EB { +rule PUA_VULN_Renamed_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_E602 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mydrivers.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6" - date = "2024-07-29" + hash = "e6023b8fd2ce4ad2f3005a53aa160772e43fe58da8e467bd05ab71f3335fb822" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00790044007200690076006500720073002e0063006f006d } /* CompanyName MyDriverscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0032002e003700300037002e0031003200310034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032003000310036002e0037002e0037002e0031003200310034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480057004d } /* InternalName HWM */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00440072006900760065007200470065006e006900750073 } /* ProductName DriverGenius */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d00790064007200690076006500720073002e007300790073 } /* OriginalFilename mydriverssys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020004d00790044007200690076006500720073002e0063006f006d00200061006c006c002000720069006700680074 } /* LegalCopyright CopyrightMyDriverscomallright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /mydrivers/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /GtcKmdfBs/i } -rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { +rule PUA_VULN_Renamed_Driver_Genitlkiwibenjaminxxxxx_Titidrv_Titidrvtiticatz_208E { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - titidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75" - date = "2024-07-29" + hash = "208ea38734979aa2c86332eba1ea5269999227077ff110ac0a0d411073165f85" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0037002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0037002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300037002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007400690074006900640072007600200066006f0072002000570069006e0064006f00770073002000280074006900740069006300610074007a0029 } /* FileDescription titidrvforWindowstiticatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* CompanyName genitlkiwiBenjaminXXXXX */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0074006900740069006400720076 } /* InternalName titidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0074006900740069006400720076002000280074006900740069006300610074007a0029 } /* ProductName titidrvtiticatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0074006900740069006400720076002e007300790073 } /* OriginalFilename titidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* LegalCopyright CopyrightcgenitlkiwiBenjaminXXXXX */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SANDRA/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /titidrv/i } -rule PUA_VULN_Renamed_Driver_Powertool_Kevpsys_Powertool_8E63 { +rule PUA_VULN_Renamed_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdateutilitydriver_5DF6 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" - hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" - hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" - date = "2024-07-29" + hash = "5df689a62003d26df4aefbaed41ec1205abbf3a2e18e1f1d51b97711e8fcdf00" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* OriginalFilename PDFWKRNLsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003300200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PDFWKRNL/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_B9AD { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_348D { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "348dc502ac57d7362c7f222e656c52e630c90bef92217a3bd20e49193b5a69f1" + hash = "c186967cc4f2a0cb853c9796d3ea416d233e48e735f02b1bb013967964e89778" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003100320039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003100320039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + +rule PUA_VULN_Renamed_Driver_Mydriverscom_Hwm_Drivergenius_08EB { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mydrivers.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00790044007200690076006500720073002e0063006f006d } /* CompanyName MyDriverscom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0032002e003700300037002e0031003200310034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032003000310036002e0037002e0037002e0031003200310034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480057004d } /* InternalName HWM */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00440072006900760065007200470065006e006900750073 } /* ProductName DriverGenius */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d00790064007200690076006500720073002e007300790073 } /* OriginalFilename mydriverssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020004d00790044007200690076006500720073002e0063006f006d00200061006c006c002000720069006700680074 } /* LegalCopyright CopyrightMyDriverscomallright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /mydrivers/i +} + + +rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0037002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0037002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300037002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SANDRA/i +} + + +rule PUA_VULN_Renamed_Driver_Evgatechnologyinc_Windowsvistasmartiodevice_Windowsvistasmartiodevice_3C95 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SMARTEIO64.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3c95ebf3f1a87f67d2861dbd1c85dc26c118610af0c9fbf4180428e653ac3e50" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* FileDescription WindowsVistaSmartIODevice */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004500560047004100200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName EVGATechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310033002e00300031002e0032003000300038002d0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310033002e00300031002e0032003000300038002d0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* InternalName WindowsVistaSmartIODevice */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* ProductName WindowsVistaSmartIODevice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0053004d00410052005400450049004f00360034002e005300590053 } /* OriginalFilename SMARTEIOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002800630029002000320030003000370020004500560047004100200054006500630068006e006f006c006f0067007900200049006e0063002e } /* LegalCopyright CopyrightcEVGATechnologyInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SMARTEIO64/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_033C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxusbsys_Virtualboxusbdriver_5B26 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5b26c4678ecd37d1829513f41ff9e9df9ef1d1d6fea9e3d477353c90cc915291" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /kEvP64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxUSB/i } @@ -2966,7 +5682,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -2989,7 +5705,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7C73 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b" hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3005,13 +5721,35 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7C73 { } +rule PUA_VULN_Renamed_Driver_Wistroncorporation_Wirwadrvsys_Wistronrwadriver_D8FC { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiRwaDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d8fc8e3a1348393c5d7c3a84bcbae383d85a4721a751ad7afac5428e5e579b4e" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300740072006f006e00200052005700410020004400720069007600650072 } /* FileDescription WistronRWADriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300740072006f006e00200043006f00720070006f0072006100740069006f006e } /* CompanyName WistronCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031003000310036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069005200770061004400720076002e007300790073 } /* InternalName WiRwaDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300740072006f006e00200052005700410020004400720069007600650072 } /* ProductName WistronRWADriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069005200770061004400720076002e007300790073 } /* OriginalFilename WiRwaDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000570069007300740072006f006e00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCWistronCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WiRwaDrv/i +} + + rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3027,13 +5765,36 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 { } +rule PUA_VULN_Renamed_Driver_Ludashicom_Computerzsys_F14D { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f14da8aa5c8eea8df63cf935481d673fdf3847f5701c310abf4023f9d80ad57d" + hash = "c6a5663f20e5cee2c92dee43a0f2868fb0af299f842410f4473dcde7abcb6413" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100350020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3055,7 +5816,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -3077,7 +5838,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -3093,13 +5854,57 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { } +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Atlaccesssys_Windowsrwinddkdriver_0B57 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atlAccess.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0b57569aaa0f4789d9642dd2189b0a82466b80ad32ff35f88127210ed105fe57" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006d0070006c0065002000500043004900200061006300630065007300730020006400720069007600650072 } /* FileDescription SimplePCIaccessdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00610074006c004100630063006500730073002e007300790073 } /* InternalName atlAccesssys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00610074006c004100630063006500730073002e007300790073 } /* OriginalFilename atlAccesssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /atlAccess/i +} + + +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_909F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "909f6c4b8f779df01ef91e549679aa4600223ac75bc7f3a3a79a37cee2326e77" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300033002e00300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300033002e00300036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i +} + + rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_3C18 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3118,7 +5923,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -3134,13 +5939,58 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { } +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Iprt_Virtualboxguestadditions_BBF5 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxMouseNT.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "bbf564a02784d53b8006333406807c3539ee4a594585b1f3713325904cb730ec" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200069003800300034003200200050006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxiPortDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00690038003000340032007000720074 } /* InternalName iprt */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004d006f007500730065004e0054002e007300790073 } /* OriginalFilename VBoxMouseNTsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxMouseNT/i +} + + +rule PUA_VULN_Renamed_Driver_Tenasyscorporation_Rtifsys_Intime_9399 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9399f35b90f09b41f9eeda55c8e37f6d1cb22de6e224e54567d1f0865a718727" + hash = "a66b4420fa1df81a517e2bbea1a414b57721c67a4aa1df1967894f77e81d036e" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0034002e00320031003300340033002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000320031002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rtif/i +} + + rule PUA_VULN_Renamed_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ @@ -3158,11 +6008,11 @@ rule PUA_VULN_Renamed_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 { rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -3185,7 +6035,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e" hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -3207,7 +6057,7 @@ rule PUA_VULN_Renamed_Driver_Multitheftauto_Mtasanandreas_9F4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0075006c007400690020005400680065006600740020004100750074006f0020007000610074006300680020006400720069007600650072 } /* FileDescription MultiTheftAutopatchdriver */ @@ -3227,7 +6077,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3243,13 +6093,81 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_A153 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00" + hash = "e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717" + hash = "4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i +} + + +rule PUA_VULN_Renamed_Driver_Ludashicom_Computerzsys_3F36 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3f3684a37b2645fa6827943d9812ffc2d83e89e962935b29874bec7c3714a06f" + hash = "37d999df20c1a0b8ffaef9484c213a97b9987ed308b4ba07316a6013fbd31c60" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000320030002e0031003000330030002e0031003200310037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000320030002e0031003000330030002e0031003200310037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003200300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7702 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7702f240800528d8186e3e6a26e2680486fed65a6fb5a2a000ad12c1fb61a398" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i +} + + rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -3271,7 +6189,7 @@ rule PUA_VULN_Renamed_Driver_Microfocus_Microfocusxtier_95D5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */ @@ -3286,13 +6204,57 @@ rule PUA_VULN_Renamed_Driver_Microfocus_Microfocusxtier_95D5 { } +rule PUA_VULN_Renamed_Driver_Z_Computerzsys_Zwuqisystemdriver_61E7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "61e7f9a91ef25529d85b22c39e830078b96f40b94d00756595dded9d1a8f6629" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0077007500710069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription ZwuqiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a6b665668 } /* CompanyName Z */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0039002e003400310036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0039002e003400310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0077007500710069002000530079007300740065006d0020004400720069007600650072 } /* ProductName ZwuqiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020007700770077002e007a0077007500710069002e0063006f006d } /* LegalCopyright CopyrightCwwwzwuqicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_8DCE { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8dcec67a1f4903981c3e0ab938784c2f241e041e26748e1c22059e0e507cfb37" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3314,7 +6276,7 @@ rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ @@ -3336,7 +6298,7 @@ rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Pa author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ @@ -3352,13 +6314,35 @@ rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Pa } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_6C5A { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d" + hash = "ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i +} + + rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -3374,25 +6358,72 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 { } -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_9A54 { +rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_3913 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7" - date = "2024-07-29" + hash = "39134750f909987f6ebb46cf37519bb80707be0ca2017f3735018bac795a3f8d" + hash = "a34e45e5bbec861e937aefb3cbb7c8818f72df2082029e43264c2b361424cbb1" + hash = "3e758221506628b116e88c14e71be99940894663013df3cf1a9e0b6fb18852b9" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e003400310035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e003400310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + +rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_767E { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "767ef5c831f92d92f2bfc3e6ea7fd76d11999eeea24cb464fd62e73132ed564b" + hash = "d9a73df5ac5c68ef5b37a67e5e649332da0f649c3bb6828f70b65c0a2e7d3a23" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + +rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_9A54 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i } @@ -3402,7 +6433,7 @@ rule PUA_VULN_Renamed_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysicalme author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200041006300630065007300730020004400720069007600650072 } /* FileDescription HardwareAccessDriver */ @@ -3423,7 +6454,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3445,7 +6476,7 @@ rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_C author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ @@ -3461,13 +6492,148 @@ rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_C } +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_F8D4 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f8d45fa03f56e2ea14920b902856666b8d44f1f1b16644baf8c1ae9a61851fb6" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003800780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /DcProtect/i +} + + +rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_D0E4 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d0e4d3e1f5d5942aaf2c72631e9490eecc4d295ee78c323d8fe05092e5b788eb" + hash = "2ad8c38f6e0ca6c93abe3228c8a5d4299430ce0a2eeb80c914326c75ba8a33f9" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00350032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00350032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ngiodriver/i +} + + +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_77DA { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "77da3e8c5d70978b287d433ae1e1236c895b530a8e1475a9a190cdcc06711d2f" + hash = "837d3b67d3e66ef1674c9f1a47046e1617ed13f73ee08441d95a6de3d73ee9f2" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00310034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00310034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i +} + + +rule PUA_VULN_Renamed_Driver_Ludashicom_Computerzsys_0368 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "03680068ec41bbe725e1ed2042b63b82391f792e8e21e45dc114618641611d5d" + hash = "66f851b309bada6d3e4b211baa23b534165b29ba16b5cbf5e8f44eaeb3ca86ea" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000310035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_B0DC { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvaudio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b0dcdbdc62949c981c4fc04ccea64be008676d23506fc05637d9686151a4b77f" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00300030002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00300030002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvaudio/i +} + + +rule PUA_VULN_Renamed_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_7C79 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7c79e5196c2f51d2ab16e40b9d5725a8bf6ae0aaa70b02377aedc0f4e93ca37f" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0039002e0030002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0039002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000300039002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright RadiantSystemsInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /RadHwMgr/i +} + + rule PUA_VULN_Renamed_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ @@ -3489,7 +6655,7 @@ rule PUA_VULN_Renamed_Driver_Pchuntersys_Pchunter_1B7F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00450070006f006f006c0073006f00660074002000570069006e0064006f0077007300200049006e0066006f0072006d006100740069006f006e0020005600690065007700200054006f006f006c0073 } /* FileDescription EpoolsoftWindowsInformationViewTools */ @@ -3511,7 +6677,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3527,24 +6693,50 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_8E88 { +rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_0FC3 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" - date = "2024-07-29" + hash = "0fc3bc6e81b04dcaa349f59f04d6c85c55a2fea5db8fa0ba53d3096a040ce5a7" + hash = "40eef1f52c7b81750cee2b74b5d2f4155d4e58bdde5e18ea612ab09ed0864554" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + +rule PUA_VULN_Renamed_Driver_Netfiltersys_EDC6 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "edc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577ed" + hash = "79e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e3617" + hash = "18b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac1" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f56689a7152a865874ef6 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /netfilter2/i } @@ -3554,7 +6746,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_E428 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3567,13 +6759,35 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_E428 { } +rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_BE68 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3589,6 +6803,51 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 { } +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_3CB1 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3cb111fdedc32f2f253aacde4372b710035c8652eb3586553652477a521c9284" + hash = "9bfd24947052bfe9f2979113a7941e40bd7e3a82eaa081a32ad4064159f07c91" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i +} + + +rule PUA_VULN_Renamed_Driver_Watchdogdevelopmentcomllc_Wsdkdsys_Wsdkd_6278 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wsdkd.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6278bc785113831b2ec3368e2c9c9e89e8aca49085a59d8d38dac651471d6440" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005700610074006300680044006f006700200041006e00740069007600690072007500730020004400720069007600650072 } /* FileDescription WatchDogAntivirusDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005700610074006300680044006f00670044006500760065006c006f0070006d0065006e0074002e0063006f006d002c0020004c004c0043002e } /* CompanyName WatchDogDevelopmentcomLLC */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0033002e0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0033002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007700730064006b0064002e007300790073 } /* InternalName wsdkdsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007700730064006b0064 } /* ProductName wsdkd */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007700730064006b0064002e007300790073 } /* OriginalFilename wsdkdsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320032 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /wsdkd/i +} + + rule PUA_VULN_Renamed_Driver_Huawei_Hwosec_Huaweimatebook_B179 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwOs2Ec7x64.sys" @@ -3596,7 +6855,7 @@ rule PUA_VULN_Renamed_Driver_Huawei_Hwosec_Huaweimatebook_B179 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de" hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480077004f0073003200450063 } /* FileDescription HwOsEc */ @@ -3618,7 +6877,7 @@ rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ @@ -3639,7 +6898,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_7661 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3658,7 +6917,7 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -3676,11 +6935,11 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -3702,7 +6961,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3718,13 +6977,58 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { } +rule PUA_VULN_Renamed_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_0F30 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0f30ecd4faec147a2335a4fc031c8a1ac9310c35339ebeb651eb1429421951a0" + hash = "903d6d71da64566b1d9c32d4fb1a1491e9f91006ad2281bb91d4f1ee9567ef7b" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00320030002e0030002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e0030002e0037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000300039002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright RadiantSystemsInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /RadHwMgr/i +} + + +rule PUA_VULN_Renamed_Driver_Insydesoftware_Insydeflash_Insydeflashutilitybitdriver_CE0A { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iscflashx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ce0a4430d090ba2f1b46abeaae0cb5fd176ac39a236888fa363bf6f9fd6036d9" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0069007300630066006c006100730068007800360034002e007300790073 } /* FileDescription iscflashxsys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f006600740077006100720065 } /* CompanyName InsydeSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200032002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200032002c00200031002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049006e00730079006400650046006c006100730068 } /* InternalName InsydeFlash */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e007300790064006500200046006c0061007300680020005500740069006c00690074007900200036003400200062006900740020004400720069007600650072 } /* ProductName InsydeFlashUtilitybitDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069007300630066006c006100730068007800360034002e007300790073 } /* OriginalFilename iscflashxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003500200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iscflashx64/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3746,7 +7050,7 @@ rule PUA_VULN_Renamed_Driver_Microfocus_Microfocusxtier_5351 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200053006500630075007200690074007900200043006f006e00740065007800740020004d0061006e0061006700650072 } /* FileDescription XTierSecurityContextManager */ @@ -3768,7 +7072,7 @@ rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f" hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -3791,7 +7095,7 @@ rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5F reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36" hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -3807,27 +7111,95 @@ rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5F } -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_A072 { +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_16E2 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" - hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" - hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" - date = "2024-07-29" + hash = "16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23" + hash = "0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i +} + + +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_060D { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "060d25126e45309414b380ee29f900840b689eae4217a8e621563f130c1d457f" + hash = "b8321471be85dc8a67ac18a2460cab50e7c41cb47252f9a7278b1e69d6970f25" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i +} + + +rule PUA_VULN_Renamed_Driver_Ludashicom_Computerzsys_7553 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7553c76b006bd2c75af4e4ee00a02279d3f1f5d691e7dbdc955eac46fd3614c3" + hash = "64dddd5ac53fe2c9de2b317c09034d1bccaf21d6c03ccfde3518e5aa3623dd66" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000310039002e0031003000320035002e003900310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000310039002e0031003000320035002e003900310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100390020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + +rule PUA_VULN_Renamed_Driver_Overclockingtool_Atillksys_Overclockingtool_11A9 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f" + hash = "d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f0076006500720063006c006f0063006b0069006e00670020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription OverclockingHardwareAbstractionSys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* CompanyName OverclockingTool */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* ProductName OverclockingTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002c00200032003000300035 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /atillk64/i } @@ -3837,7 +7209,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -3859,7 +7231,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3881,7 +7253,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00610076006100730074002100200056004d0020004d006f006e00690074006f0072 } /* FileDescription avastVMMonitor */ @@ -3897,37 +7269,13 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 { } -rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_31F4 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" - hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38" - hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229" - date = "2024-07-29" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00310038003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0031003800330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i -} - - rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050004e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPNPDriver */ @@ -3943,35 +7291,13 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 { } -rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_CF69 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" - date = "2024-07-29" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /EIO/i -} - - rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_4408 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -3993,7 +7319,7 @@ rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ @@ -4009,13 +7335,35 @@ rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B } -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F { +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_3D00 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3d008e636e74c846fe7c00f90089ff725561cb3d49ce3253f2bbfbc939bbfcb2" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00320035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00320035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i +} + + +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4037,7 +7385,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -4059,7 +7407,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4081,7 +7429,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4103,7 +7451,7 @@ rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -4119,13 +7467,35 @@ rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 } +rule PUA_VULN_Renamed_Driver_Interfacecorporation_Cpxcsys_Gpcxc_1183 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "11832c345e9898c4f74d3bf8f126cf84b4b1a66ad36135e15d103dbf2ac17359" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d003200580037003200430020004b00650072006e0065006c0020004400650076006900630065002000440072006900760065007200280053005900530029002000570069006e0064006f00770073004e0054 } /* FileDescription GPCXCKernelDeviceDriverSYSWindowsNT */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00360031002d00320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00360031002d00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e007300790073 } /* InternalName CPXCsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043 } /* ProductName GPCXC */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043 } /* OriginalFilename CPXC */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300030003700200049006e007400650072006600610063006500200043006f00720070002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorpAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CP2X72C/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4147,7 +7517,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4170,7 +7540,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa" hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -4186,13 +7556,78 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_1B17 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1b17d12076d047e74d15e6e51e10497ad49419bec7fbe93386c57d3efbaadc0b" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i +} + + +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_6CF1 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310030002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i +} + + +rule PUA_VULN_Renamed_Driver_Tenasyscorporation_Rtifsys_Intime_EAE5 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "eae5c993b250dcc5fee01deeb30045b0e5ee7cf9306ef6edd8c58e4dc743a8ed" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e00310034003000390031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310034002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtif/i +} + + rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BDBC { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -4208,13 +7643,59 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex } +rule PUA_VULN_Renamed_Driver_Databaseharborsoftware_Sysinfodetectorxsys_Sysinfodetector_45E5 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SysInfoDetectorX64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "45e5977b8d5baec776eb2e62a84981a8e46f6ce17947c9a76fa1f955dc547271" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200200066006f007200200053007900730049006e0066006f0020004400650074006500630074006f0072 } /* FileDescription DriverforSysInfoDetector */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0044006100740061006200610073006500200048006100720062006f007200200053006f006600740077006100720065 } /* CompanyName DatabaseHarborSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0053007900730049006e0066006f004400650074006500630074006f0072005800360034002e007300790073 } /* InternalName SysInfoDetectorXsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007900730049006e0066006f0020004400650074006500630074006f0072 } /* ProductName SysInfoDetector */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0053007900730049006e0066006f004400650074006500630074006f0072005800360034002e007300790073 } /* OriginalFilename SysInfoDetectorXsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003400200044006100740061006200610073006500200048006100720062006f007200200053006f006600740077006100720065 } /* LegalCopyright CopyrightCDatabaseHarborSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SysInfoDetectorX64/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7048 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6" + hash = "d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e" + hash = "fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4230,13 +7711,57 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 { } +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_E505 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e505569892551b2ba79d8792badff0a41faea033e8d8f85c3afea33463c70bd9" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Tmel/i +} + + +rule PUA_VULN_Renamed_Driver_Ncrcorporation_Radhwmgrsys_Ncrcorporationhardwaremanagerdriver_Dev_DF96 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "df96d844b967d404e58a12fc57487abc24cd3bd1f8417acfe1ce1ee4a0b0b858" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e } /* CompanyName NCRCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0030002e0030002e003200200044006500760020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion DevbuiltbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0030002e0030002e00320020004400650076 } /* ProductVersion Dev */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e0020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName NCRCorporationHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d00320030003100370020004e0043005200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightcNCRCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /RadHwMgr/i +} + + rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0B2A { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4252,13 +7777,79 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit } +rule PUA_VULN_Renamed_Driver_Tenasyscorporation_Rtifsys_Intime_BA40 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ba40b1fc798c2f78165e78997b4baf3d99858ee39a372ca6fbc303057793e50d" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e00310034003100370035002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310034002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtif/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_828A { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxusbmonsys_Virtualboxusbmonitordriver_8A24 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8a2482e19040d591c7cec5dfc35865596ce0154350b5c4e1c9eecc86e7752145" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxUSBMon/i +} + + rule PUA_VULN_Renamed_Driver_Copyright_Advancedmalwareprotection_6F55 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amsdk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* FileDescription AdvancedMalwareProtection */ @@ -4273,69 +7864,273 @@ rule PUA_VULN_Renamed_Driver_Copyright_Advancedmalwareprotection_6F55 { } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_0DC4 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Tenasyscorporation_Rtifsys_Intime_3670 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3670ccd9515d529bb31751fcd613066348057741adeaf0bffd1b9a54eb8baa76" + hash = "0d133ced666c798ea63b6d8026ec507d429e834daa7c74e4e091e462e5815180" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e00310037003000350032002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310037002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rtif/i +} + + rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9CA5 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4E54 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4e54e98df13110aac41f3207e400cce2a00df29ce18c32186e536c1de25a75ce" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000390020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i +} + + +rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003200200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i +} + + +rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_F4EE { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f4ee803eefdb4eaeedb3024c3516f1f9a202c77f4870d6b74356bbde32b3b560" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx64/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Computerzsys_Ludashisystemdriver_898E { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "898e07cf276ec2090b3e7ca7c192cc0fa10d6f13d989ef1cb5826ca9ce25b289" + hash = "07d0090c76155318e78a676e2f8af1500c20aaa1e84f047c674d5f990f5a09c8" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800330031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800330031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_AFDA { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" - date = "2024-07-29" + hash = "afda5af5f210336061bff0fab0ed93ee495312bed639ec5db56fbac0ea8247d3" + hash = "b2364c3cf230648dad30952701aef90acfc9891541c7e154e30c9750da213ed1" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00350034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00350034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i } -rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C { +rule PUA_VULN_Renamed_Driver_Interfacecorporation_Cpxcsys_Gpcxcdiobmpcicpci_6386 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b" - date = "2024-07-29" + hash = "63865f04c1150655817ed4c9f56ad9f637d41ebd2965b6127fc7c02757a7800e" + hash = "9c8ed1506b3e35f5eea6ac539e286d46ef76ddbfdfc5406390fd2157c762ce91" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003200200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d0032005800370032004300200049002f004f0020004d006f00640075006c006500200044006500760069006300650020004400720069007600650072 } /* FileDescription GPCXCIOModuleDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00300032002e00330030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00300032002e00330030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* InternalName CPXCSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043002000440049004f002d0042004d0028005000430049002f0043002d0050004300490029 } /* ProductName GPCXCDIOBMPCICPCI */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* OriginalFilename CPXCSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300031003400200049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorporationAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CP2X72C/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { +rule PUA_VULN_Renamed_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_C490 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" - date = "2024-07-29" + hash = "c490d6c0844f59fdb4aa850a06e283fbf5e5b6ac20ff42ead03d549d8ae1c01b" + hash = "a29093d4d708185ba8be35709113fb42e402bbfbf2960d3e00fd7c759ef0b94e" + hash = "e3dbafce5ad2bf17446d0f853aeedf58cc25aa1080ab97e22375a1022d6acb16" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f } /* FileDescription GenericPortIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtport/i } @@ -4345,7 +8140,7 @@ rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f00360034 } /* FileDescription ALSysIO */ @@ -4367,7 +8162,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -4383,13 +8178,35 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E { } +rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_88FB { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "88fb0a846f52c3b680c695cd349bf56151a53a75a07b8b0b4fe026ab8aa0a9af" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx64/i +} + + rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_E839 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004300500055005f00430043 } /* FileDescription NTIOLibforMSICPUCC */ @@ -4411,7 +8228,7 @@ rule PUA_VULN_Renamed_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmems author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* FileDescription PhysicalMemoryAccessDriver */ @@ -4427,13 +8244,35 @@ rule PUA_VULN_Renamed_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmems } +rule PUA_VULN_Renamed_Driver_Tenasyscorporation_Rtifsys_Intime_4CE8 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ce8583768720be90fae66eed3b6b4a8c7c64e033be53d4cd98246d6e06086d0" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e00310031003200380035002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300030002d0032003000310031002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtif/i +} + + rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_AF10 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -4451,11 +8290,11 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -4467,7 +8306,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } @@ -4477,7 +8316,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -4493,13 +8332,35 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_F629 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65" + hash = "0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i +} + + rule PUA_VULN_Renamed_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amp.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00500020004d0069006e006900660069006c007400650072 } /* FileDescription AMPMinifilter */ @@ -4515,13 +8376,35 @@ rule PUA_VULN_Renamed_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { } +rule PUA_VULN_Renamed_Driver_Netfiltersdkcom_Lgdcatchersys_Netfiltersdk_0C42 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDCatcher.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* CompanyName NetFilterSDKcom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* InternalName LgDCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0065007400460069006c007400650072002000530044004b } /* ProductName NetFilterSDK */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* OriginalFilename LgDCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003f0020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LgDCatcher/i +} + + rule PUA_VULN_Renamed_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - superbmc.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007300750070006500720062006d0063 } /* FileDescription superbmc */ @@ -4543,7 +8426,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4566,7 +8449,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54" hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -4582,51 +8465,316 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 { } -rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 { +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_AE3A { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ae3a6a0726f667658fc3e3180980609dcb31bdbf833d7cb76ba5d405058d5156" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300033002e00310032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300033002e00310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i +} + + +rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx32/i +} + + +rule PUA_VULN_Renamed_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_6F80 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6f806a9de79ac2886613c20758546f7e9597db5a20744f7dd82d310b7d6457d0" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f } /* FileDescription GenericPortIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtport/i +} + + +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_B205 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys " + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkiow8x64/i +} + + +rule PUA_VULN_Renamed_Driver_Filseclabcorporation_Filnk_Filseclabdynamicdefensesystem_AE55 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - filnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ae55a0e93e5ef3948adecf20fa55b0f555dcf40589917a5bfbaa732075f0cc12" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d0020004400720076 } /* FileDescription FilseclabDynamicDefenseSystemDrv */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* CompanyName FilseclabCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c00200030002c002000310039003300350033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200030002c002000310039003300350033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00660069006c006e006b } /* InternalName filnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d } /* ProductName FilseclabDynamicDefenseSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00660069006c006e006b002e007300790073 } /* OriginalFilename filnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d0032003000310033002000460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCFilseclabCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 900KB and all of them and not filename matches /filnk/i +} + + +rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_CBF7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e00640072006100200044006500760069006300650020004400720069007600650072002000280049004100360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverIAUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i +} + + +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_A475 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a47555d04b375f844073fdcc71e5ccaa1bbb201e24dcdebe2399e055e15c849f" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300030002e00320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030002e00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i +} + + +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_66F8 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e" + hash = "7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i +} + + +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_55B5 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "55b5bcbf8fb4e1ce99d201d3903d785888c928aa26e947ce2cdb99eefd0dae03" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003700780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /DcProtect/i +} + + +rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5" + hash = "0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c" + hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f" + hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" + hash = "ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ATSZIO/i +} + + +rule PUA_VULN_Renamed_Driver_Filseclabcorporation_Filwfp_Filseclabfirewall_490C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - filwfp.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "490cfbb540dcd70b7bff4fdd62e7ed7400bbfebaf5083523d49f7184670f7b9a" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006c007300650063006c006100620020004600690072006500770061006c006c } /* FileDescription FilseclabFirewall */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* CompanyName FilseclabCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031003200310036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031003200310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00660069006c007700660070 } /* InternalName filwfp */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006c007300650063006c006100620020004600690072006500770061006c006c } /* ProductName FilseclabFirewall */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00660069006c007700660070002e007300790073 } /* OriginalFilename filwfpsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCFilseclabCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /filwfp/i +} + + +rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_4AE4 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv_1_0_32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ae42c1f11a98dee07a0d7199f611699511f1fb95120fabc4c3c349c485467fe" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrAutoChkUpdDrv_1_0_32/i +} + + +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_9E34 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b" - date = "2024-07-29" + hash = "9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx32/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i } -rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { +rule PUA_VULN_Renamed_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_9D53 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5" - hash = "0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c" - hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f" - hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" - hash = "ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282" - date = "2024-07-29" + hash = "9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a" + hash = "5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ATSZIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WiseUnlo/i } @@ -4636,7 +8784,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4659,7 +8807,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b" hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ @@ -4681,7 +8829,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4703,7 +8851,7 @@ rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F1 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -4725,7 +8873,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4747,7 +8895,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4763,13 +8911,80 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 { } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6701 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6701433861742c08eb50f1e785962378143ad5b6c374ac29118168599f8a0f1c" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i +} + + +rule PUA_VULN_Renamed_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_00C3 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "00c3e86952eebb113d91d118629077b3370ebc41eeacb419762d2de30a43c09c" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e003200320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0030002e00320032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d0032003000300034002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright CopyrightcRadiantSystemsInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /RadHwMgr/i +} + + +rule PUA_VULN_Renamed_Driver_Cn_Computerzsys_DEE3 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "dee384604d2d0018473941acbefe553711ded7344a4932daeffb876fe2fa0233" + hash = "26ecd3cea139218120a9f168c8c0c3b856e0dd8fb2205c2a4bcb398f5f35d8dd" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310032002e003300300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310032002e003300300032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100320020003300360030002e0063006e } /* LegalCopyright Ccn */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ComputerZ/i +} + + rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -4791,7 +9006,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4807,13 +9022,57 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6E9E { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6e9e9e0b9a23deec5f28dc45f0bbe7423565f037f74be2957e82e5f72c886094" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003800300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00380030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1228 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003400200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_RCIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -4836,7 +9095,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdr reference = "https://github.com/magicsword-io/LOLDrivers" hash = "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20" hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription AMIGenericUtilityDriver */ @@ -4852,6 +9111,74 @@ rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdr } +rule PUA_VULN_Renamed_Driver_Inferre_Hwdetectngsys_Hwdetectngsys_D456 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hwdetectng.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d45600f3015a54fa2c9baa7897edbd821aeea2532e6aadb8065415ed0a23d0c2" + hash = "43136de6b77ef85bc661d401723f38624e93c4408d758bc9f27987f2b4511fee" + hash = "2f8b68de1e541093f2d4525a0d02f36d361cd69ee8b1db18e6dd064af3856f4f" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480057004400650074006500630074004e0047 } /* FileDescription HWDetectNG */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069004e00460045005200520045 } /* CompanyName iNFERRE */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* InternalName hwdetectngsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* ProductName hwdetectngsys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* OriginalFilename hwdetectngsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280063002900200032003000300038002d0030003900200069004e00460045005200520045 } /* LegalCopyright ciNFERRE */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /hwdetectng/i +} + + +rule PUA_VULN_Renamed_Driver_Adlicesoftware_Truesight_Truesight_BFC2 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - truesight.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0052006f006700750065004b0069006c006c0065007200200041006e007400690072006f006f0074006b006900740020004400720069007600650072 } /* FileDescription RogueKillerAntirootkitDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410064006c00690063006500200053006f006600740077006100720065 } /* CompanyName AdliceSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005400720075006500730069006700680074 } /* InternalName Truesight */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720075006500730069006700680074 } /* ProductName Truesight */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005400720075006500730069006700680074 } /* OriginalFilename Truesight */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000410064006c00690063006500200053006f00660074007700610072006500280043002900200032003000320033 } /* LegalCopyright CopyrightAdliceSoftwareC */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /truesight/i +} + + +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_87B4 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00340037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00340037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i +} + + rule PUA_VULN_Renamed_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxdriverversion_X_F581 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpoutx64.sys" @@ -4860,7 +9187,7 @@ rule PUA_VULN_Renamed_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_ hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af" hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b" hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ @@ -4882,7 +9209,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4898,13 +9225,35 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED { } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_FF1C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ff1ccef7374a1a5054a6f4437e3e0504b14ed76e17090cc6b1a4ec0e2da427a5" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003600300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00360030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i +} + + rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -4920,6 +9269,52 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 { } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtierforwindows_V_CA34 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760032002e003000200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i +} + + +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_46D1 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28" + hash = "dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53" + hash = "4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61" + hash = "d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310038002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i +} + + rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_A334 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" @@ -4927,7 +9322,7 @@ rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_A3 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d" hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -4949,7 +9344,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4971,7 +9366,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4989,11 +9384,11 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 { rule PUA_VULN_Renamed_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IObitUnlocker.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription UnlockerDriver */ @@ -5005,51 +9400,28 @@ rule PUA_VULN_Renamed_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocke $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /IObitUnlocker/i -} - - -rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_93D8 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" - date = "2024-07-29" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rzpnk/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iobitunlocker/i } -rule PUA_VULN_Renamed_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_358A { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtierforwindows_V_C190 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" - date = "2024-07-29" + hash = "c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0035002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e0031002e003500200028003200300030003600300038003200380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WiseUnlo/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i } @@ -5059,7 +9431,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -5081,7 +9453,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5097,13 +9469,36 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit } +rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_7337 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "733789d0a253e8d80cc3240e365b8d4274e510e36007f6e4b5fd13b07b084c3e" + hash = "d1463b7fec911c10a8c96d84eb7c0f9e95fa488d826647a591a38c0593f812a4" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e003200300037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e003200300037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ngiodriver/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5119,13 +9514,36 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 { } +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosiodriver_1E24 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1e24c45ce2672ee403db34077c88e8b7d7797d113c6fd161906dce3784da627d" + hash = "39336e2ce105901ab65021d6fdc3932d3d6aab665fe4bd55aa1aa66eb0de32f0" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300420049004f00530049004f0020004400720069007600650072 } /* FileDescription SBIOSIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030003000300030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030003000300030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* InternalName SBIOSIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530061006d00730075006e00670020002800520029002000420049004f005300200049004f0020006400720069007600650072 } /* ProductName SamsungRBIOSIOdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* OriginalFilename SBIOSIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000530061006d00730075006e006700200045006c0065006300740072006f006e006900630073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcSamsungElectronicsAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SBIOSIO64/i +} + + rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_9491 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -5147,7 +9565,7 @@ rule PUA_VULN_Renamed_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsroperatin author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460055004a00490054005300550020004c0049004d0049005400450044002e } /* CompanyName FUJITSULIMITED */ @@ -5168,7 +9586,7 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -5180,7 +9598,96 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003900200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i +} + + +rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_CFA2 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "cfa28e2f624f927d4cbd2952306570d86901d2f24e3d07cc6277e98289d09783" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e002000260020004f00740068006500720073 } /* LegalCopyright SunMicrosystemsIncOthers */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxTAP/i +} + + +rule PUA_VULN_Renamed_Driver_Generalelectriccompany_Gedevicedriver_Proficymachineedition_Build_A369 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GEDevDrv.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a369942ce8d4b70ebf664981e12c736ec980dbe5a74585dd826553c4723b1bce" + hash = "ae73dd357e5950face9c956570088f334d18464cd49f00c56420e3d6ff47e8dc" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* FileDescription GEDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00470065006e006500720061006c00200045006c00650063007400720069006300200043006f006d00700061006e0079 } /* CompanyName GeneralElectricCompany */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0035003000200028004200750069006c0064002000370036003700370029 } /* FileVersion Build */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0035003000200028004200750069006c0064002000370036003700370029 } /* ProductVersion Build */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* InternalName GEDeviceDriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00660069006300790020004d0061006300680069006e0065002000450064006900740069006f006e } /* ProductName ProficyMachineEdition */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00470045004400650076004400720076002e005300590053 } /* OriginalFilename GEDevDrvSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000310037002000470065006e006500720061006c00200045006c00650063007400720069006300200043006f006d00700061006e0079 } /* LegalCopyright GeneralElectricCompany */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /GEDevDrv/i +} + + +rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_85FD { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "85fdd255c5d7add25fd7cd502221387a5e11f02144753890218dd31a8333a1a3" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00360039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00360039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ngiodriver/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7CF7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } @@ -5190,7 +9697,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* FileDescription */ @@ -5208,11 +9715,11 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 { rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -5234,7 +9741,7 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amdupro author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d004400200050006f007700650072002000500072006f00660069006c0069006e00670020004400720069007600650072 } /* FileDescription AMDPowerProfilingDriver */ @@ -5256,7 +9763,7 @@ rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_074A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -5278,7 +9785,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_98B7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */ @@ -5294,13 +9801,34 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_98B7 { } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtierforwindows_V_7A2C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e003100200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i +} + + rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_9A95 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5319,7 +9847,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -5341,7 +9869,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_2BBC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5360,7 +9888,7 @@ rule PUA_VULN_Renamed_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f00670069007400650063006800200056006900640065006f0020004400720069007600650072 } /* FileDescription LogitechVideoDriver */ @@ -5376,13 +9904,35 @@ rule PUA_VULN_Renamed_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C { } +rule PUA_VULN_Renamed_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_E6D1 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e6d1ee0455068b74cf537388c874acb335382876aa9d74586efb05d6cc362ae5" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002c00200032002c00200030002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002c00200032002c00200030002c00200033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600330032002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /GtcKmdfBs/i +} + + rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ @@ -5404,7 +9954,7 @@ rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -5426,7 +9976,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -5442,13 +9992,35 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy } +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_994F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "994f322def98c99aec7ea0036ef5f4b802120458782ae3867d116d55215c56e4" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048002000260020004f00740068006500720073 } /* LegalCopyright innotekGmbHOthers */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxTAP/i +} + + rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_9254 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004400440052005f00430043 } /* FileDescription NTIOLibforMSIDDRCC */ @@ -5464,14 +10036,36 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_9254 { } +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_3AF9 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3af9c376d43321e813057ecd0403e71cafc3302139e2409ab41e254386c33ecb" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0031003000780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /DcProtect/i +} + + rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NalDrv.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iqvw64e.sys, iQVW64.SYS, NalDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b" hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -5483,7 +10077,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003300200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NalDrv/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iqvw64e/i and not filename matches /iQVW64/i and not filename matches /NalDrv/i } @@ -5493,7 +10087,7 @@ rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -5515,7 +10109,7 @@ rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_4 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d004900430053005900530020006400720069007600650072 } /* FileDescription MICSYSdriver */ @@ -5537,7 +10131,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5559,7 +10153,7 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -5575,13 +10169,36 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri } +rule PUA_VULN_Renamed_Driver_Interfacecorporation_Cpxcsys_Gpcxcdiobmpcicpci_05C1 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "05c15a75d183301382a082f6d76bf3ab4c520bf158abca4433d9881134461686" + hash = "4b4ea21da21a1167c00b903c05a4e3af6c514ea3dfe0b5f371f6a06305e1d27f" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d0032005800370032004300200049002f004f0020004d006f00640075006c006500200044006500760069006300650020004400720069007600650072 } /* FileDescription GPCXCIOModuleDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00330030002e00330033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00330030002e00330033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* InternalName CPXCSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043002000440049004f002d0042004d0028005000430049002f0043002d0050004300490029 } /* ProductName GPCXCDIOBMPCICPCI */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* OriginalFilename CPXCSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300032003000200049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CP2X72C/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5597,13 +10214,35 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 { } +rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_A209 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt/i +} + + rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcodenamelonghornddkdriver_159E { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WCPU.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription ASUSTDECPUDriver */ @@ -5619,13 +10258,35 @@ rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windo } +rule PUA_VULN_Renamed_Driver_Proxydrvsys_Nn_0B20 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0b205838a8271daea89656b1ec7c5bb7244c42a8b8000d7697e92095da6b9b94" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c00330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ProxyDrv/i +} + + rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_1DDF { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -5647,7 +10308,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5670,7 +10331,7 @@ rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c" hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d00380020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ @@ -5692,7 +10353,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5714,7 +10375,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5730,13 +10391,79 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit } +rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_81D5 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "81d54ebef1716e195955046ffded498a5a7e325bf83e7847893aa3b0b3776d05" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0032002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0032002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* InternalName AODDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* OriginalFilename AODDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003200300031003000200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AODDriver/i +} + + +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_EC9B { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ec9bd7fb90c3a2aa4605bd73fe1f74399e2cda75fd4c5fff84660ad4f797c4fe" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i +} + + +rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_D7C7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i +} + + rule PUA_VULN_Renamed_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvflash.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072002c002000560065007200730069006f006e00200031002e0038002e0030 } /* FileDescription NVIDIAFlashDriverVersion */ @@ -5754,11 +10481,11 @@ rule PUA_VULN_Renamed_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD { rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -5770,7 +10497,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } @@ -5780,7 +10507,7 @@ rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyve author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -5802,7 +10529,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5825,7 +10552,7 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_55A1 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9" hash = "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -5841,13 +10568,36 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_55A1 { } +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosiodriver_B3D1 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b3d1bdd4ad819b99870b6e2ed3527dfc0e3ce27b929ad64382b9c3d4e332315c" + hash = "442d506c1ac1f48f6224f0cdd64590779aee9c88bdda2f2cc3169b862cba1243" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300420049004f00530049004f0020004400720069007600650072 } /* FileDescription SBIOSIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030003000300030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030003000300030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* InternalName SBIOSIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530061006d00730075006e00670020002800520029002000420049004f005300200049004f0020006400720069007600650072 } /* ProductName SamsungRBIOSIOdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* OriginalFilename SBIOSIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000530061006d00730075006e006700200045006c0065006300740072006f006e006900630073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcSamsungElectronicsAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SBIOSIO64/i +} + + rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -5863,13 +10613,35 @@ rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF { } +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_1698 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1698ba7eeee6ff9272cc25b242af89190ff23fd9530f21aa8f0f3792412594f3" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003700780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /DcProtect/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5891,7 +10663,7 @@ rule PUA_VULN_Renamed_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceve author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e0053007900730020002d0020004500760065006e00740020004d006f006e00690074006f00720069006e00670020006400720069007600650072 } /* FileDescription VProEventMonitorSysEventMonitoringdriver */ @@ -5909,11 +10681,11 @@ rule PUA_VULN_Renamed_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceve rule PUA_VULN_Renamed_Driver_Wj_Kprocesshacker_C725 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - krpocesshacker.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ @@ -5924,7 +10696,7 @@ rule PUA_VULN_Renamed_Driver_Wj_Kprocesshacker_C725 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /krpocesshacker/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /kprocesshacker/i } @@ -5934,7 +10706,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -5950,13 +10722,35 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 { } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_83A1 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5978,7 +10772,7 @@ rule PUA_VULN_Renamed_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodri author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */ @@ -6000,7 +10794,7 @@ rule PUA_VULN_Renamed_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530079007300440072007600330053 } /* FileDescription SysDrvS */ @@ -6022,7 +10816,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -6038,13 +10832,36 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD { } +rule PUA_VULN_Renamed_Driver_Geintelligentplatformsinc_Gedevicedriver_Proficymachineedition_Build_CAC5 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GEDevDrv.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "cac5dc7c3da69b682097144f12a816530091d4708ca432a7ce39f6abe6616461" + hash = "51145a3fa8258aac106f65f34159d23c54b48b6d54ec0421748b3939ab6778eb" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* FileDescription GEDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004500200049006e00740065006c006c006900670065006e007400200050006c006100740066006f0072006d0073002c00200049006e0063002e } /* CompanyName GEIntelligentPlatformsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030003000200028004200750069006c0064002000350035003100370029 } /* FileVersion Build */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030003000200028004200750069006c0064002000350035003100370029 } /* ProductVersion Build */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* InternalName GEDeviceDriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00660069006300790020004d0061006300680069006e0065002000450064006900740069006f006e } /* ProductName ProficyMachineEdition */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00470045004400650076004400720076002e005300590053 } /* OriginalFilename GEDevDrvSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000310031002c00200047004500200049006e00740065006c006c006900670065006e007400200050006c006100740066006f0072006d0073002c00200049006e0063002e } /* LegalCopyright GEIntelligentPlatformsInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /GEDevDrv/i +} + + rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3871 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz_x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -6060,13 +10877,32 @@ rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddk } +rule PUA_VULN_Renamed_Driver_Lowleveldriver_F941 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GPU-Z.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f9418b5e90a235339a4a1a889490faca39cd117a51ba4446daa1011da06c7ecd" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0077002d004c006500760065006c0020004400720069007600650072 } /* FileDescription LowLevelDriver */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00360030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00360030002e0030002e0030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f0077002d004c006500760065006c0020004400720069007600650072 } /* ProductName LowLevelDriver */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300034002d00320030003100300020002800630029002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /GPU-Z/i +} + + rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -6088,7 +10924,7 @@ rule PUA_VULN_Renamed_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ @@ -6111,7 +10947,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_5439 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91" hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -6130,7 +10966,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -6152,7 +10988,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_DE8F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -6165,13 +11001,35 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_DE8F { } +rule PUA_VULN_Renamed_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_0FC0 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0fc0644085f956706ea892563309ba72f0986b7a3d4aa9ae81c1fa1c35e3e2d3" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00300030002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00300030002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvoclock/i +} + + rule PUA_VULN_Renamed_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - phymem64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007000680079006d0065006d0020004100700070006c00690063006100740069006f006e } /* FileDescription phymemApplication */ @@ -6194,7 +11052,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex reference = "https://github.com/magicsword-io/LOLDrivers" hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1" hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -6216,7 +11074,7 @@ rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_CFB author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -6238,7 +11096,7 @@ rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -6260,7 +11118,7 @@ rule PUA_VULN_Renamed_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -6282,7 +11140,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -6304,7 +11162,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -6326,7 +11184,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -6348,7 +11206,7 @@ rule PUA_VULN_Renamed_Driver_Wj_Kprocesshacker_7021 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ @@ -6369,7 +11227,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -6385,13 +11243,35 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 { } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5148 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003300200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_HWMIO64_W10.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -6413,7 +11293,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -6429,13 +11309,35 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit } +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_B224 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b2247e68386c1bdfd48687105c3728ebbad672daffa91b57845b4e49693ffd71" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0031003000780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /DcProtect/i +} + + rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -6451,13 +11353,57 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 { } +rule PUA_VULN_Renamed_Driver_Avastsoftware_Ngiodriversys_Avastng_5E3B { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5e3bc2d7bc56971457d642458563435c7e5c9c3c7c079ef5abeb6a61fb4d52ea" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ngiodriver/i +} + + +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_9DEE { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9dee9c925f7ea84f56d4a2ad4cf9a88c4dac27380887bf9ac73e7c8108066504" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0038002e003100780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /DcProtect/i +} + + rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ @@ -6469,17 +11415,17 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -6491,7 +11437,29 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Asmediatechnologyinc_Asmiosys_Asmediapcidriver_E465 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsmIo64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e4658d93544f69f5cb9aa6d9fec420fecc8750cb57e1e9798da38c139d44f2eb" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410073006d006500640069006100200050004300490020004400720069007600650072 } /* FileDescription AsmediaPCIDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410073006d006500640069006100200054006500630068006e006f006c006f00670079002000200049006e0063002e } /* CompanyName AsmediaTechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410073006d0049006f002e007300790073 } /* InternalName AsmIosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410073006d006500640069006100200050004300490020004400720069007600650072 } /* ProductName AsmediaPCIDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410073006d0049006f002e007300790073 } /* OriginalFilename AsmIosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000410073006d006500640069006100200054006500630068006e006f006c006f00670079002e } /* LegalCopyright AsmediaTechnology */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsmIo64/i } @@ -6501,7 +11469,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ diff --git a/detections/yara/yara-rules_mal_drivers.yar b/detections/yara/yara-rules_mal_drivers.yar index ef9ed1c7c..c7c0d1052 100644 --- a/detections/yara/yara-rules_mal_drivers.yar +++ b/detections/yara/yara-rules_mal_drivers.yar @@ -21,7 +21,7 @@ rule MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_6 hash = "e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d" hash = "e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12" hash = "bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004700550049002000730079006d0062006f006c00690063002000640065006200750067006700650072 } /* FileDescription WindowsGUIsymbolicdebugger */ @@ -37,13 +37,278 @@ rule MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_6 } +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_AAF0 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e" + hash = "4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919" + hash = "c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da" + hash = "f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1" + hash = "0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06" + hash = "d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f" + hash = "2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4" + hash = "f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5" + hash = "19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987" + hash = "3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1" + hash = "cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37" + hash = "a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2" + hash = "492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263" + hash = "85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2" + hash = "efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576" + hash = "12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0" + hash = "4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f" + hash = "ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0" + hash = "10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b" + hash = "4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905" + hash = "d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c" + hash = "569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa" + hash = "80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3" + hash = "1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524" + hash = "ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55" + hash = "a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778" + hash = "e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59" + hash = "b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719" + hash = "4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de" + hash = "083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254" + hash = "e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f" + hash = "ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a" + hash = "7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db" + hash = "93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe" + hash = "082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a" + hash = "bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908" + hash = "95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167" + hash = "d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96" + hash = "94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601" + hash = "793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000320030002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_DDF4 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a" + hash = "bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0" + hash = "af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895" + hash = "9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7" + hash = "2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2" + hash = "29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe" + hash = "e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8" + hash = "897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736" + hash = "0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3" + hash = "469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870" + hash = "818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab" + hash = "4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7" + hash = "0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39" + hash = "62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920" + hash = "3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310036002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_0F58 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597" + hash = "087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212" + hash = "0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35" + hash = "06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8" + hash = "eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a" + hash = "627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa" + hash = "b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03" + hash = "dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1" + hash = "a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66" + hash = "94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112" + hash = "07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0" + hash = "4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1" + hash = "baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3" + hash = "bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310034002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_7662 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d" + hash = "a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec" + hash = "60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9" + hash = "b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09" + hash = "d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff" + hash = "008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25" + hash = "8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe" + hash = "aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9" + hash = "fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2" + hash = "6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b" + hash = "443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85" + hash = "e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15" + hash = "ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd" + hash = "beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b" + hash = "e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19" + hash = "21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a" + hash = "02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715" + hash = "40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a" + hash = "8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b" + hash = "2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878" + hash = "d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be" + hash = "82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2" + hash = "c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_14B8 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925" + hash = "36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475" + hash = "673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653" + hash = "5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968" + hash = "8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38" + hash = "69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f" + hash = "a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f" + hash = "62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266" + hash = "1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6" + hash = "b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4" + hash = "0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550" + hash = "15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c" + hash = "c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c" + hash = "618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb" + hash = "4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be" + hash = "c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231" + hash = "822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb" + hash = "b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a" + hash = "26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47" + hash = "c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12" + hash = "a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972" + hash = "82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7" + hash = "6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7" + hash = "52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd" + hash = "64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96" + hash = "f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac" + hash = "51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93" + hash = "c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc" + hash = "d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad" + hash = "4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b" + hash = "a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_41AD { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f" + hash = "a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7" + hash = "9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac" + hash = "f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad" + hash = "31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6" + hash = "1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80" + hash = "704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4" + hash = "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a" + hash = "4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021" + hash = "9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392" + hash = "8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434" + hash = "b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c" + hash = "07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af" + hash = "c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c" + hash = "26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55" + hash = "406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310039002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + rule MAL_Driver_Sensecorp_42B2 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Sense5Ext.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */ @@ -62,7 +327,7 @@ rule MAL_Driver_Legalcorp_Pciexpressvideocapture_FD22 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005000430049006500200056006900640065006f00200043006100700074007500720065 } /* FileDescription PCIeVideoCapture */ @@ -77,6 +342,72 @@ rule MAL_Driver_Legalcorp_Pciexpressvideocapture_FD22 { } +rule MAL_Driver_Gmer_Gmersys_Gmer_0052 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gmer64.sys, superman.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0052aa88e42055a2eed5ddd17c3499c692360155e5e031a211edfcef577acce3" + hash = "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004d00450052002000440072006900760065007200200068007400740070003a002f002f007700770077002e0067006d00650072002e006e00650074 } /* FileDescription GMERDriverhttpwwwgmernet */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004d00450052 } /* CompanyName GMER */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c002000360039003800330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200036003900380033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006d0065007200360034002e007300790073 } /* InternalName gmersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004d00450052 } /* ProductName GMER */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006d0065007200360034002e007300790073 } /* OriginalFilename gmersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200047004d0045005200200032003000300033002d0032003000310033 } /* LegalCopyright CopyrightCGMER */ + condition: + all of them +} + + +rule MAL_Driver_Mimidrv_Mimidrvmimikatz_2FAF { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8" + date = "2024-08-07" + score = 70 + strings: + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_2FD4 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21" + hash = "7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28" + hash = "28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + rule MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsystem_C0D8 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ntbios_2.sys" @@ -84,7 +415,7 @@ rule MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsyste reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c" hash = "96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006e007400620069006f00730020006400720069007600650072 } /* FileDescription ntbiosdriver */ @@ -107,7 +438,7 @@ rule MAL_Driver_Microsoftcorporation_Wintapixsys_Microsoftwindowsoperatingsystem reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330" hash = "1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004b00650072006e0065006c00200045007800650063007500740069007600650020004d006f00640075006c0065 } /* FileDescription WindowsKernelExecutiveModule */ @@ -123,28 +454,6 @@ rule MAL_Driver_Microsoftcorporation_Wintapixsys_Microsoftwindowsoperatingsystem } -rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_200F { - meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a" - date = "2024-07-29" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310039002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ - condition: - all of them -} - - rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_E7AF { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_6.sys" @@ -154,7 +463,7 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_E7 hash = "b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3" hash = "8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce" hash = "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ @@ -170,23 +479,24 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_E7 } -rule MAL_Driver_Gmer_Gmersys_Gmer_18C9 { +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_30E0 { meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gmer64.sys" + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7" - date = "2024-07-29" + hash = "30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2" + hash = "a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640" + date = "2024-08-07" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004d00450052002000440072006900760065007200200068007400740070003a002f002f007700770077002e0067006d00650072002e006e00650074 } /* FileDescription GMERDriverhttpwwwgmernet */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004d00450052 } /* CompanyName GMER */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c002000360039003800330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200036003900380033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006d0065007200360034002e007300790073 } /* InternalName gmersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004d00450052 } /* ProductName GMER */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006d0065007200360034002e007300790073 } /* OriginalFilename gmersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200047004d0045005200200032003000300033002d0032003000310033 } /* LegalCopyright CopyrightCGMER */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310033002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ condition: all of them } @@ -198,7 +508,7 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_69 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ @@ -220,7 +530,7 @@ rule MAL_Driver_Microsoftcorporation_Srvnetsys_Microsoftwindowsoperatingsystem_F author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053006500720076006500720020004e006500740077006f0072006b0020006400720069007600650072 } /* FileDescription ServerNetworkdriver */ @@ -242,7 +552,7 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_81 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ @@ -258,13 +568,30 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_81 } +rule MAL_Driver_773B { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894" + date = "2024-08-07" + score = 70 + strings: + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* ProductVersion */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d002000320030003100370020 } /* LegalCopyright Copyrightc */ + condition: + all of them +} + + rule MAL_Driver_Sensecorp_7F45 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Sense5Ext.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */ @@ -283,7 +610,7 @@ rule MAL_Driver_Microsoftcorporation_Ndislansys_Microsoftwindowsoperatingsystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427" - date = "2024-07-29" + date = "2024-08-07" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d00530020004c0041004e0020004400720069007600650072 } /* FileDescription MSLANDriver */ diff --git a/detections/yara/yara-rules_vuln_drivers_strict.yar b/detections/yara/yara-rules_vuln_drivers_strict.yar index 1df1ae74f..8a59841a7 100644 --- a/detections/yara/yara-rules_vuln_drivers_strict.yar +++ b/detections/yara/yara-rules_vuln_drivers_strict.yar @@ -6,9 +6,14 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3" hash = "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02" + hash = "368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1" hash = "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe" + hash = "11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768" + hash = "4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba" + hash = "572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4" hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa" - date = "2024-07-29" + hash = "da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -24,13 +29,106 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { } +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0E85 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02" + hash = "73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a" + hash = "b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44" + hash = "ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498" + hash = "40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59" + hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" + hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" + hash = "405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1" + hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" + hash = "78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_786F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc" + hash = "87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b" + hash = "daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5" + hash = "48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548" + hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_A397 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c" + hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" + hash = "f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686" + hash = "8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f" + hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" + hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" + hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" + hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" + hash = "bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091" + hash = "ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33" + hash = "3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486" + hash = "019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f" + hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" + hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" + hash = "f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Zemanaltd_Zam_D7E0 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -44,6 +142,187 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_D7E0 { } +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_2298 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e" + hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486" + hash = "69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce" + hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961" + hash = "68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248" + hash = "3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5" + hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310032002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_4D03 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4d03a01257e156a3a018230059052791c3cde556e5cec7a4dd2f55f65c06e146" + hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" + hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" + hash = "d20d8bf80017e98b6dfc9f6c3960271fa792a908758bef49a390e2692a2a4341" + hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" + hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" + hash = "4bf974f5d3489638a48ee508b4a8cfa0f0262909778ccdd2e871172b71654d89" + hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" + hash = "53bb076e81f6104f41bc284eedae36bd99b53e42719573fa5960932720ebc854" + hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" + hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_0ABC { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0abca92512fc98fe6c2e7d0a33935686fc3acbd0a4c68b51f4a70ece828c0664" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_D7B7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd" + hash = "567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270" + hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" + hash = "2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + +rule PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_9DBC { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9dbc2a37f53507296cc912e7d354dab4e55541ba821561aa84f74d1bd8346be2" + hash = "65a3e69854c729659281d2c5f8a4c8274ad3606befdcd9e1b79d3262f260bfa1" + hash = "71701c5c569ef67391c995a12b21ca06935b7799ed211d978f7877115c58dce0" + hash = "81bcd8a3f8c17ac6dc4bad750ad3417914db10aa15485094eef0951a3f72bdbd" + hash = "1a0f57a4d7c8137baf24c65d542729547b876979273df7a245aaeea87280c090" + hash = "62b14bb308c99132d90646e85bc7d6eb593f38e225c8232f69f24b74a019c176" + hash = "0f3e7bf7b103613844a38afb574817ddaecd00e4d206d891660dbb0e5dfee04e" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e0037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + +rule PUA_VULN_Driver_Windowsrwinddkprovider_Lgdatacatchersys_Gameacc_07FB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDataCatcher.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "07fb2bb6c852f6a6fe982b2232f047e167be39738bac26806ffe0927ba873756" + hash = "516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a13" + hash = "45b07a2f387e047a6bb0e59b7f22fb56182d57b50e84e386a38c2dbb7e773837" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006500690067006f00640020006e006500740020006400610074006100200063006100740063006800650072002e } /* FileDescription Leigodnetdatacatcher */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* InternalName LgDataCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470061006d0065004100630063 } /* ProductName GameAcc */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* OriginalFilename LgDataCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002000320030003200300020006e006e002e0063006f006d } /* LegalCopyright Copyrightnncom */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + +rule PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_D53F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d53f9111a5e6c94b37e3f39c5860897405cb250dd11aa91c3814a98b1759c055" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elrawdsk.sys" @@ -51,7 +330,7 @@ rule PUA_VULN_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6" hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */ @@ -73,7 +352,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_81AA author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -95,7 +374,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -117,7 +396,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -133,29 +412,97 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_6BEF { +rule PUA_VULN_Driver_Novellinc_Novellxtier_8473 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" - hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" - hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" - hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" - hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" - hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" - hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" - date = "2024-07-29" + hash = "84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451" + hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" + hash = "e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f" + hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0" + hash = "8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutsys_Inpoutdriverversion_CFAB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpout32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "cfab93885e5129a86d13fd380d010cc8c204429973b776ab1b472d84a767930f" + hash = "945ee05244316ff2f877718cf0625d4eb34e6ec472f403f958f2a700f9092507" + hash = "7db320e49139f636c8b6d12b6c78b666a62599e9d59587ba87c6b89b0a34b18d" + hash = "16360ead229b13deb47bc2bef40f282474c9f18c213c636cdfb8cc2495168251" + hash = "b8ded5e10dfc997482ba4377c60e7902e6f755674be51b0e181ae465529fb2f2" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* InternalName inpoutsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f00750074003300320020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName inpoutDriverVersion */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* OriginalFilename inpoutsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_4CD8 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4" + hash = "00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922" + hash = "66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_9833 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "983310cdce8397c016bfcfcc9c3a8abbb5c928b235bc3c3ae3a3cc10ef24dfbd" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } @@ -167,11 +514,14 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_45BA { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a" + hash = "bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042" hash = "3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf" + hash = "83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c" hash = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d" hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe" + hash = "d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4" hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200770044007200760020004400720069007600650072 } /* FileDescription RwDrvDriver */ @@ -195,7 +545,7 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdriver_5C0B { hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921" hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351" hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription VoicemodVirtualAudioDeviceWDM */ @@ -218,7 +568,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433" hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -234,28 +584,254 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_5BD4 { +rule PUA_VULN_Driver_Realixtm_Hwinfoisys_Hwinfoiakerneldriver_33C6 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO64I.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c" - date = "2024-07-29" + hash = "33c6c622464f80a8d8017a03ff3aa196840da8bb03bfb5212b51612b5cf953dc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOIAKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e00370032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00370032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* InternalName HWiNFOISYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOIAKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* OriginalFilename HWiNFOISYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100320020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdateutilitydriver_6945 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6945077a6846af3e4e2f6a2f533702f57e993c5b156b6965a552d6a5d63b7402" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* OriginalFilename PDFWKRNLsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003100200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Fintekcorp_Fintekcorpfintekpcieuart_32BD { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FPCIE2COM.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "32bd0edb9daa60175b1dc054f30e28e8dbfa293a32e6c86bfd06bc046eaa2f9e" + hash = "17942865680bd3d6e6633c90cc4bd692ae0951a8589dbe103c1e293b3067344d" + hash = "b1920889466cd5054e3ab6433a618e76c6671c3e806af8b3084c77c0e7648cbe" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006e00740065006b002000500063006900650032005500610072007400200041006400610070007400650072 } /* FileDescription FintekPcieUartAdapter */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006e00740065006b00200043006f00720070002e } /* CompanyName FintekCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006e00740065006b00200043006f00720070002e002000460069006e00740065006b0020005000630069006500320055006100720074 } /* ProductName FintekCorpFintekPcieUart */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0046005000430049004500320043004f004d002e007300790073 } /* OriginalFilename FPCIECOMsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200040002000460069006e00740065006b00200043006f00720070002e00200032003000300032002d0032003000310033 } /* LegalCopyright CopyrightFintekCorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_42B3 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "42b31b850894bf917372ff50fbe1aff3990331e8bd03840d75e29dcc1026c180" + hash = "c0c52425dd90f36d110952c665e5b644bb1092f952942c07bb4da998c9ce6e5b" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e003300320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e003300320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_5BD4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: uint16(0) == 0x5a4d and filesize < 300KB and all of them } +rule PUA_VULN_Driver_Innotekgmbh_Vboxusbsys_Virtualboxusbdriver_C509 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c509935f3812ad9b363754216561e0a529fc2d5b8e86bfa7302b8d149b7d04aa" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Netfiltersys_F171 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e0038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_DD4F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NICM.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "dd4fedd5662122cbfe046a12e2137294ef1cb7822238d9e24eacc78f22f8e93d" + hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" + hash = "1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b" + hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" + hash = "6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_7627 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb" + hash = "1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_16AE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "16ae28284c09839900b99c0bdf6ce4ffcd7fe666cfd5cfb0d54a3ad9bea9aa9c" + hash = "d54ac69c438ba77cde88c6efd6a423491996d4e8a235666644b1db954eb1da9c" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300032002e00310035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300032002e00310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Computerz_Computerzsys_Computerzsystemdriver_61F3 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "61f3b1c026d203ce94fab514e3d15090222c0eedc2a768cc2d073ec658671874" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f006d00700075007400650072005a002000530079007300740065006d0020004400720069007600650072 } /* FileDescription ComputerZSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f006d00700075007400650072005a } /* CompanyName ComputerZ */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0038002e003800310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0038002e003800310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f006d00700075007400650072005a002000530079007300740065006d0020004400720069007600650072 } /* ProductName ComputerZSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300030003800200043006f006d00700075007400650072005a } /* LegalCopyright CopyrightCComputerZ */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_88E2 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" @@ -272,7 +848,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_8 hash = "59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879" hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd" hash = "9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -295,12 +871,17 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_1F4D { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c" hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e" + hash = "922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832" + hash = "c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547" + hash = "c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0" hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e" hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b" hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" + hash = "b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5" + hash = "65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377" hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -316,14 +897,64 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_1F4D { } +rule PUA_VULN_Driver_Mitactechnologycorporation_Vdbsvsys_Mitacsystemserviceprovider_91AF { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VdBSv64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "91afa3de4b70ee26a4be68587d58b154c7b32b50b504ff0dc0babc4eb56578f4" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName MiTACTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200031002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200031002c00200031002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0056006400420053007600360034002e007300790073 } /* InternalName VdBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName MiTACSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0056006400420053007600360034002e007300790073 } /* OriginalFilename VdBSvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCMiTACTechnologyCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_00B3 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd" + hash = "3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928" + hash = "18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7" + hash = "94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915" + hash = "c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Novellinc_Novellxtier_B50F { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" + hash = "dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b" hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" - date = "2024-07-29" + hash = "0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49" + hash = "d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ @@ -345,7 +976,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ @@ -367,7 +998,7 @@ rule PUA_VULN_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwrit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* FileDescription Hardwarereadwritedriver */ @@ -389,7 +1020,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -411,7 +1042,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3124 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004600720065007100750065006e00630079005f00430043 } /* FileDescription NTIOLibforMSIFrequencyCC */ @@ -427,13 +1058,80 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3124 { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_FF55 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ff55c1f308a5694eb66a3e9ba326266c826c5341c44958831a7a59a23ed5ecc8" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0038002e003100780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_A855 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6" + hash = "49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94" + hash = "653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_DB71 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Monitor_win10_x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f006200690074002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription IObitTemperatureMonitor */ @@ -449,13 +1147,47 @@ rule PUA_VULN_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { } +rule PUA_VULN_Driver_Iobit_Iobitunlockersys_Iobitunlocker_2B33 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae" + hash = "faa9aa7118ecf9bb6594281f6b582f1ced0cc62d5db09a2fbf9b7ce70c532285" + hash = "507724d96a54f3e45c16a065bf38ae82a9b80d07096a461068a701cae0c1cf29" + hash = "b0dd55b4dc7e561dfe413b029673674e2a5381f5f4daede03ddf3484310a6e11" + hash = "c2e1a3dd0dfb3477a3e855368b23d12b8818df8fa3bc3508abf069a0873d6bf8" + hash = "d3e95b8d8cbb0c4c3bb78d929408b37fd3b8f305b6234f7f03954465d52454eb" + hash = "5ea5f339b2e40dea57378626790ca7e9a82777aacdada5bc61ebb7d82043fa07" + hash = "b6ae324b84a4632cf690dd565954d64b205104fc3fa42181612c3f5b830579c6" + hash = "d8096325bfe81b093dd522095b6153d9c4850ba2eaa790e12e7056ef160d0432" + hash = "a38c26c0754f6c9389ea43dd0149db26b95742c1b37468fcf0d8ced66da1dcb9" + hash = "a92d2736c8cd99195a1ef4d0d9a3412bee481acf585944e3b5946b465361a3e7" + hash = "0209934453e9ce60b1a5e4b85412e6faf29127987505bfb1185fc9296c578b09" + hash = "969f73a1da331e43777a3c1f08ec0734e7cf8c8136e5d469cbad8035fbfe3b47" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f0062006900740055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription IObitUnlockerDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072 } /* ProductName IObitUnlocker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0049004f00620069007400200043006f0070007900720069006700680074002000a900200032003000300035002d0032003000310033 } /* LegalCopyright IObitCopyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PhlashNT.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300570069006e0046006c006100730068002000440072006900760065007200200066006f0072002000570069006e0064006f007700730020004e0054 } /* FileDescription SWinFlashDriverforWindowsNT */ @@ -477,7 +1209,7 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ @@ -493,13 +1225,80 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 { } +rule PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_F4DC { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f4dc11b7922bf2674ca9673638e7fe4e26aceb0ebdc528e6d10c8676e555d7b2" + hash = "070ff602cccaaef9e2b094e03983fd7f1bf0c0326612eb76593eabbf1bda9103" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0032002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f00440044007200690076006500720032002e007300790073 } /* InternalName AODDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f00440044007200690076006500720032002e007300790073 } /* OriginalFilename AODDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003200200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovider_8FE4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8fe429c46fedbab8f06e5396056adabbb84a31efef7f9523eb745fc60144db65" + hash = "71423a66165782efb4db7be6ce48ddb463d9f65fd0f266d333a6558791d158e5" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f00200066006f0072002000570069006e00360034 } /* FileDescription GenericPortIOforWin */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* ProductName WindowsRDDKprovider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200032003000300035 } /* LegalCopyright CopyrightCMicrosoftCorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Anticheatexpertcom_Acebase_Anticheatexpert_7326 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ACE-BASE.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7326aefff9ea3a32286b423a62baebe33b73251348666c1ee569afe62dd60e11" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100430045002d0042004100530045003600340020004e00540020004400720069007600650072 } /* FileDescription ACEBASENTDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041004e0054004900430048004500410054004500580050004500520054002e0043004f004d } /* CompanyName ANTICHEATEXPERTCOM */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032003200300032002e0036003200310037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100430045002d004200410053004500360034 } /* InternalName ACEBASE */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069002d004300680065006100740020004500780070006500720074 } /* ProductName AntiCheatExpert */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200041006e0074006900430068006500610074004500780070006500720074002e0063006f006d0020004c0069006d0069007400650064002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright AntiCheatExpertcomLimitedAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 1900KB and all of them +} + + rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -515,24 +1314,86 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_1072 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f" - hash = "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba" - hash = "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15" - hash = "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c" - hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6" + hash = "1072beb3ff6b191b3df1a339e3a8c87a8dc5eae727f2b993ea51b448e837636a" + hash = "e8eb1c821dbf56bde05c0c49f6d560021628df89c29192058ce68907e7048994" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e0031003100320036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e0031003100320036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0061007600610073007400210020004e0047 } /* ProductName avastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003200200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_8A07 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881" + hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43" + hash = "65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d" + hash = "b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c" + hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf" + hash = "fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70" + hash = "b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f" + hash = "d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8" + hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26" + hash = "53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6" + hash = "0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310033002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f" + hash = "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba" + hash = "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15" + hash = "636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220" + hash = "e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc" + hash = "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c" + hash = "d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6" + hash = "b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b" + hash = "b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d" + hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6" hash = "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512" + hash = "c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa" hash = "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe" hash = "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc" + hash = "a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e" hash = "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1" hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758" hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90" hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -548,6 +1409,75 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { } +rule PUA_VULN_Driver_Proxydrvsys_Nn_C0E7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_5381 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b" + hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" + hash = "003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Netfiltersys_26D6 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "26d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe" + hash = "6a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe1660" + hash = "2fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Asustek_Driversys_Ectool_927C { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - driver7-x86-withoutdbg.sys" @@ -555,8 +1485,9 @@ rule PUA_VULN_Driver_Asustek_Driversys_Ectool_927C { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a" hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0" + hash = "1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb" hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400680065002000640072006900760065007200200066006f007200200074006800650020004500430074006f006f006c0020006400720069007600650072002d0062006100730065006400200074006f006f006c0073 } /* FileDescription ThedriverfortheECtooldriverbasedtools */ @@ -572,13 +1503,169 @@ rule PUA_VULN_Driver_Asustek_Driversys_Ectool_927C { } +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_DD62 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "dd628061d6e53f3f0b44f409ad914b3494c5d7b5ff6ff0e8fc3161aacec93e96" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d0020004400720069007600650072 } /* FileDescription TrendMicroELAMDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Intelcorp_Stdcdrvwssys_Selftestdatacollectordriverforwindowsx_70AF { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - stdcdrvws64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "70afdc0e11db840d5367afe53c35d9642c1cf616c7832ab283781d085988e505" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f00720020004400720069007600650072 } /* FileDescription SelfTestDataCollectorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070002e } /* CompanyName IntelCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730074006400630064007200760077007300360034002e007300790073 } /* InternalName stdcdrvwssys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072002000440072006900760065007200200066006f0072002000570069006e0064006f00770073002000370020007800360034 } /* ProductName SelfTestDataCollectorDriverforWindowsx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730074006400630064007200760077007300360034002e007300790073 } /* OriginalFilename stdcdrvwssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310030 } /* LegalCopyright Copyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Realteksemiconductorcorp_Rtportsys_Realtekportio_FF32 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ff322cd0cc30976f9dbdb7a3681529aeab0de7b7f5c5763362b02c15da9657a1" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200450041004c00540045004b00200050006f0072007400200049002f004f } /* FileDescription REALTEKPortIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c00540045004b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070002e } /* CompanyName REALTEKSemiconductorCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00300031002e0030003000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00300031002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005200540050004f00520054002e005300590053 } /* InternalName RTPORTSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200450041004c00540045004b00200050006f0072007400200049002f004f } /* ProductName REALTEKPortIO */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005200540050004f00520054002e005300590053 } /* OriginalFilename RTPORTSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200031003900390039002d00320030003000310020005200450041004c00540045004b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070002e } /* LegalCopyright CopyrightcREALTEKSemiconductorCorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_A6F7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e00320030003100320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e0032003000310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_834A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78" + hash = "e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_F4C7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de" + hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" + hash = "1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F42E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d005300490043006c006f0063006b005f00430043 } /* FileDescription NTIOLibforMSIClockCC */ @@ -594,13 +1681,36 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { } +rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_3867 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "386745d23a841e1c768b5bdf052e0c79bb47245f9713ee64e2a63f330697f0c8" + hash = "5aee1bae73d056960b3a2d2e24ea07c44358dc7bc3f8ac58cc015cccc8f8d89c" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800300032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -622,7 +1732,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -638,6 +1748,28 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { } +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_38D6 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_42E1 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_I2cIo.sys" @@ -646,7 +1778,7 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_42E1 { hash = "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb" hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65" hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -662,13 +1794,35 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_42E1 { } +rule PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_07AF { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemserviceprovider_C9CF { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mtcBSv64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ @@ -684,13 +1838,35 @@ rule PUA_VULN_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemserviceprov } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7125 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7125c9831a52d89d3d59fb28043b67fbe0068d69732da006fabb95550d1fa730" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -708,11 +1884,11 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 { rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viraglt64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viraglt64.sys, viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -734,7 +1910,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxsys_Panca author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ @@ -750,13 +1926,36 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxsys_Panca } +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_D633 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d633055c7eda26dacfc30109eb790625519fc7b0a3a601ceed9e21918aad8a1b" + hash = "29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e00300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e00300036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -772,44 +1971,68 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 { } -rule PUA_VULN_Driver_Novellinc_Novellxtier_6C71 { +rule PUA_VULN_Driver_Bsmisys_5962 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ncpl.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMI.sys, BSMIXP64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" - hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0" - date = "2024-07-29" + hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" + hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ - condition: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420053004d0049002e007300790073 } /* InternalName BSMIsys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053004d0049002e007300790073 } /* OriginalFilename BSMIsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000420049004f005300540041005200200043006f00720070002e00200032003000310031 } /* LegalCopyright CopyrightCBIOSTARCorp */ + condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Bsmisys_5962 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_C6FE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMIXP64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" - hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" - date = "2024-07-29" + hash = "c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1" + hash = "e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe" + hash = "f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e" + hash = "1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420053004d0049002e007300790073 } /* InternalName BSMIsys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053004d0049002e007300790073 } /* OriginalFilename BSMIsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000420049004f005300540041005200200043006f00720070002e00200032003000310031 } /* LegalCopyright CopyrightCBIOSTARCorp */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_AF16 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003200200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } @@ -851,7 +2074,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_99F4 { hash = "47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005" hash = "38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a" hash = "ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -867,25 +2090,46 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_99F4 { } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_26E3 { +rule PUA_VULN_Driver_Ncrcorporation_Radhwmgrsys_Ncrcorporationhardwaremanagerdriver_7C8A { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43" - hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf" - hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26" - date = "2024-07-29" + hash = "7c8ad57b3a224fdc2aac9dd2d7c3624f1fcd3542d4db804de25a90155657e2cc" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310033002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e } /* CompanyName NCRCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00330033002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00330033002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e0020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName NCRCorporationHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000310038004e0043005200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright NCRCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + +rule PUA_VULN_Driver_Avaluetechnologyinc_Avalueio_Avalueio_A5A4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - avalueio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a5a4a3c3d3d5a79f3ed703fc56d45011c21f9913001fcbcc43a3f7572cff44ec" + hash = "defde359045213ae6ae278e2a92c5b4a46a74119902364c7957a38138e9c9bbd" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100760061006c007500650049004f0020004400720069007600650072 } /* FileDescription AvalueIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0020004100760061006c0075006500200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName AvalueTechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300030002e00300032002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030002e00300032002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100560041004c005500450049004f } /* InternalName AVALUEIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061006c007500650049004f0020 } /* ProductName AvalueIO */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100560041004c005500450049004f002e005300590053 } /* OriginalFilename AVALUEIOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020006300200032003000310036 } /* LegalCopyright Copyrightc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } @@ -900,7 +2144,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftatcamfntam hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5" hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3" hash = "36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440065006600610075006c0074002000420049004f005300200046006c0061007300680020004400720069007600650072 } /* FileDescription DefaultBIOSFlashDriver */ @@ -916,13 +2160,87 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftatcamfntam } +rule PUA_VULN_Driver_Novellinc_Novellxtier_F27F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229" + hash = "8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750" + hash = "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48" + hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" + hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a" + hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_965D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "965d4f981b54669a96c5ab02d09bf0a9850d13862425b8981f1a9271350f28bb" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_5A66 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5a661e26cfe5d8dedf8c9644129039cfa40aebb448895187b96a8b7441d52aaa" + hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f" + hash = "202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213" + hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" + hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0" + hash = "b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibrary_6B83 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIOx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ @@ -938,37 +2256,13 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibr } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_2A6D { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486" - hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961" - hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399" - date = "2024-07-29" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310032002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -990,7 +2284,7 @@ rule PUA_VULN_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006e005400650063006800200073006f006600740045006e00670069006e006500200078003600340020006b00650072006e0065006c002d006d006f006400650020006400720069007600650072 } /* FileDescription EnTechsoftEnginexkernelmodedriver */ @@ -1012,7 +2306,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0B5 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -1028,13 +2322,38 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0B5 } +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_F159 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672" + hash = "9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01" + hash = "0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182" + hash = "9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -1057,7 +2376,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039" hash = "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1073,13 +2392,59 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { } +rule PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_3C11 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3c11dec1571253594d64619d8efc8c0212897be84a75a8646c578e665f58bf5d" + hash = "5a0b10a9e662a0b0eeb951ffd2a82cc71d30939a78daebd26b3f58bb24351ac9" + hash = "7a1105548bfc4b0a1b7b891cde0356d39b6633975cbcd0f2e2d8e31b3646d2ca" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* InternalName AODDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* OriginalFilename AODDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003200300030003900200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_EAA5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Zemanaltd_Zam_8FE9 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -1098,10 +2463,15 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenam author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668" + hash = "84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51" + hash = "8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c" hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" + hash = "ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4" hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" - date = "2024-07-29" + hash = "79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd" + hash = "6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -1123,7 +2493,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3D9E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004e00540049004f004c00690062005f00450043004f } /* FileDescription NTIOLibForNTIOLibECO */ @@ -1139,6 +2509,50 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3D9E { } +rule PUA_VULN_Driver_Logitech_Lgcoretempsys_Lgcoretemp_E0CB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgCoreTemp.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430050005500200043006f00720065002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription CPUCoreTemperatureMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f006700690074006500630068 } /* CompanyName Logitech */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* InternalName LgCoreTempsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070 } /* ProductName LgCoreTemp */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* OriginalFilename LgCoreTempsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004c006f006700690074006500630068002c00200049006e0063 } /* LegalCopyright CopyrightLogitechInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Intelcorporation_Stdcdrvsys_Selftestdatacollector_3702 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - stdcdrv64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "37022838c4327e2a5805e8479330d8ff6f8cd3495079905e867811906c98ea20" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072 } /* FileDescription SelfTestDataCollector */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007300740064006300640072007600360034002e007300790073 } /* InternalName stdcdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530065006c006600540065007300740020004400610074006100200043006f006c006c006500630074006f0072 } /* ProductName SelfTestDataCollector */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007300740064006300640072007600360034002e007300790073 } /* OriginalFilename stdcdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200049006e00740065006c00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightcIntelCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" @@ -1146,7 +2560,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250" hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d0053004900530069006d0070006c0065005f004f0043 } /* FileDescription NTIOLibForMSISimpleOC */ @@ -1169,7 +2583,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D reference = "https://github.com/magicsword-io/LOLDrivers" hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0" hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -1185,6 +2599,94 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D } +rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovider_3C0A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3c0a36990f7eef89b2d5f454b6452b6df1304609903f31f475502e4050241dd8" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f00200066006f0072002000570069006e00330032 } /* FileDescription GenericPortIOforWin */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* ProductName WindowsRDDKprovider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200032003000300035 } /* LegalCopyright CopyrightCMicrosoftCorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_5FAE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5fae7e491b0d919f0b551e15e0942ac7772f2889722684aea32cff369e975879" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e0030002e0030002e003300360032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e0030002e0030002e003300360032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Innotekgmbh_Vboxusbmonsys_Virtualboxusbmonitordriver_3D05 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3d055be2671e136c937f361cef905e295ddb6983526341f1d5f80a16b7655b40" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_1A45 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1a450ae0c9258ab0ae64f126f876b5feed63498db729ec61d06ed280e6c46f67" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_62F5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" @@ -1192,7 +2694,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_62F5 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0" hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1215,7 +2717,7 @@ rule PUA_VULN_Driver_Yyinc_Dianhu_80CB { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3" hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */ @@ -1231,12 +2733,14 @@ rule PUA_VULN_Driver_Yyinc_Dianhu_80CB { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00" + hash = "7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96" hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9" - date = "2024-07-29" + hash = "b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -1258,7 +2762,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -1274,13 +2778,57 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 { } -rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_591B { +rule PUA_VULN_Driver_Windowsrwinddkprovider_Wnbiossys_Windowsrwinddkdriver_530D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wnbios.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "530d9223ec7e4123532a403abef96dfd1af5291eb49497392ff5d14d18fccfbb" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0057006e00420069006f00730020004400720069007600650072 } /* FileDescription WnBiosDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0077006e00620069006f0073002e007300790073 } /* InternalName wnbiossys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0077006e00620069006f0073002e007300790073 } /* OriginalFilename wnbiossys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_98EC { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_591B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* FileDescription NTIOLibForMSIRatioCC */ @@ -1303,7 +2851,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_47EA { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84" hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ @@ -1325,7 +2873,7 @@ rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_6532 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -1347,7 +2895,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -1369,9 +2917,12 @@ rule PUA_VULN_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_AD40 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" + hash = "6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943" hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7" + hash = "c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad" + hash = "be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0" hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */ @@ -1387,13 +2938,38 @@ rule PUA_VULN_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_AD40 { } +rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_E502 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e502c2736825ea0380dd42effaa48105a201d4146e79de00713b8d3aaa98cd65" + hash = "5c80dc051c4b0c62b9284211f71e5567c0c0187e466591eacb93e7dc10e4b9ab" + hash = "d6801e845d380c809d0da8c7a5d3cd2faa382875ae72f5f7af667a34df25fbf7" + hash = "d474ea066d416ded9ed8501c285ca6b1c26a1d1c813c8f6bd5523eeb66c5d01e" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e0031003100310030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e0031003100310030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0CD4 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -1409,37 +2985,13 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0CD } -rule PUA_VULN_Driver_Novellinc_Novellxtier_E16D { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48" - hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" - hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a" - hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d" - date = "2024-07-29" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them -} - - rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1461,7 +3013,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1483,7 +3035,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -1499,29 +3051,69 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ } -rule PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_3943 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_3B71 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv106.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" - hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" - hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" - hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" - hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" - hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" - hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" - date = "2024-07-29" + hash = "3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458" + hash = "72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35" + hash = "d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4" + hash = "87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_0BD1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0bd1523a68900b80ed1bccb967643525cca55d4ff4622d0128913690e6bb619e" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_1E94 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1e94d4e6d903e98f60c240dc841dcace5f9e8bbb0802e6648a49ab80c23318cb" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } @@ -1533,7 +3125,7 @@ rule PUA_VULN_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F744 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004500540044006900200053007500700070006f007200740020004400720069007600650072 } /* FileDescription ETDiSupportDriver */ @@ -1549,13 +3141,88 @@ rule PUA_VULN_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F744 { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_DB1D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "db1dbb09d437d3e8bed08c88ca43769b4fe8728f68b78ff6f9c8d2557e28d2b1" + hash = "5c54a5cd3386ac14725a07962562e9fdcefbb7be0d19803f9d71de24573de1e3" + hash = "6703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c0" + hash = "47e35f474f259314c588af35e88561a015801b52db523eb75fc7eccff8b3be4d" + hash = "0eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec" + hash = "639ff79f13e40d47b90ecd709699edd10e740cb41451acb95590a68b6352de2b" + hash = "f488500be4eaafba74b644be95d4c0523297770fb9bb78c449f643ab8d4a05d9" + hash = "8017e618b5a7aa608cc4bce16e4defd6b4e99138c4ba1bdd6ad78e39f035cf59" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_4ED2 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e00320030003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Netfiltersys_1265 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "12656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df" + hash = "7ff8fe4c220cf6416984b70a7e272006a018e5662da3cedc2a88efeb6411b4a4" + hash = "1cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -1571,6 +3238,50 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { } +rule PUA_VULN_Driver_Iobit_Iobitunlockersys_Iobitunlocker_C79A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f0062006900740055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription IObitUnlockerDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072 } /* ProductName IObitUnlocker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0049004f00620069007400200043006f0070007900720069006700680074002000a900200032003000300035002d0032003000310033 } /* LegalCopyright IObitCopyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_16B5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Phoenixtechnologies_Agentsys_Driveragent_4045 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Agent64.sys" @@ -1581,7 +3292,8 @@ rule PUA_VULN_Driver_Phoenixtechnologies_Agentsys_Driveragent_4045 { hash = "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa" hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414" hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748" - date = "2024-07-29" + hash = "4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004400720069007600650072004100670065006e0074002000440069007200650063007400200049002f004f00200066006f0072002000360034002d006200690074002000570069006e0064006f00770073 } /* FileDescription DriverAgentDirectIOforbitWindows */ @@ -1597,13 +3309,36 @@ rule PUA_VULN_Driver_Phoenixtechnologies_Agentsys_Driveragent_4045 { } +rule PUA_VULN_Driver_Ludashicom_Computerzsys_FA77 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "fa77a472e95c4d0a2271e5d7253a85af25c07719df26941b39082cfc0733071a" + hash = "423f052690b6b523502931151dfcc63530e3bd9d79680f9b5ac033b23b5c6f18" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -1619,35 +3354,13 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { } -rule PUA_VULN_Driver_Novellinc_Novellxtier_904E { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NICM.SYS" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" - hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" - date = "2024-07-29" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ @@ -1663,6 +3376,28 @@ rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4AC0 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ac08a6035cfcafdac712d7c3cf2eef6e10258f14cee6e80e1ef2f71f5045173" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003900300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00390030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_2A65 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrIbDrv.sys" @@ -1674,7 +3409,7 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_2A65 { hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc" hash = "0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb" hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* FileDescription RWEverythingReadWriteDriver */ @@ -1696,7 +3431,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -1712,57 +3447,125 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 { } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D0 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_2203 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0" - date = "2024-07-29" + hash = "2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000300038002c002000300035002c002000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e0056006f0063006c006f0063006b002e00520043 } /* OriginalFilename NVoclockRC */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033 } /* LegalCopyright Copyright */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_9B1A { +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_442C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194" - date = "2024-07-29" + hash = "442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c" + hash = "3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsys_Pancafemanager_7E01 { +rule PUA_VULN_Driver_Ludashicom_Computerzsys_468B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFlt.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7" - date = "2024-07-29" + hash = "468b087a0901d7bd971ab564b03ded48c508840b1f9e5d233a7916d1da6d9bd5" + hash = "f93e0d776481c4ded177d5e4aebb27f30f0d47dcb4a1448aee8b66099ac686e1" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D0 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ + condition: + uint16(0) == 0x5a4d and filesize < 300KB and all of them +} + + +rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_9B1A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsys_Pancafemanager_7E01 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFlt.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ @@ -1778,13 +3581,36 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsys_Pancaf } +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_F4E5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f4e500a9ac5991da5bf114fa80e66456a2cde3458a3d41c14e127ac09240c114" + hash = "642857fc8d737e92db8771e46e8638a37d9743928c959ed056c15427c6197a54" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Lenovodiagnostics_F05B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LenovoDiagnosticsDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073002000440072006900760065007200200066006f0072002000570069006e0064006f0077007300200031003000200061006e00640020006c0061007400650072002e } /* FileDescription LenovoDiagnosticsDriverforWindowsandlater */ @@ -1800,13 +3626,54 @@ rule PUA_VULN_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Lenovodiagno } +rule PUA_VULN_Driver_3F20 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - pchunter.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3f20ac5dac9171857fc5791865458fdb6eac4fab837d7eabc42cb0a83cb522fc" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]7cfb7edf4fe1606f67e5770b5de55177 } /* FileDescription */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8982af7f5176feff0853174eacff0979d1628067099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0037 } /* ProductVersion */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310039002d003200300032003100200041006e00580069006e00530065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CAnXinSecCorporationAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 700KB and all of them +} + + +rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_7D4C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0031002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003000200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Dell_Dbutil_71FE { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DBUtilDrv2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440042005500740069006c } /* FileDescription DBUtil */ @@ -1819,6 +3686,29 @@ rule PUA_VULN_Driver_Dell_Dbutil_71FE { } +rule PUA_VULN_Driver_Cn_Computerzsys_6D2C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6d2cc7e1d95bb752d79613d0ea287ea48a63fb643dcb88c12b516055da56a11d" + hash = "8047859a7a886bcf4e666494bd03a6be9ce18e20dc72df0e5b418d180efef250" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310033002e0031003000310039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310033002e0031003000310039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100330020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Atszio_Atsziodriver_673B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" @@ -1826,7 +3716,7 @@ rule PUA_VULN_Driver_Atszio_Atsziodriver_673B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b" hash = "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -1847,7 +3737,7 @@ rule PUA_VULN_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0065006d006f007200790020006d0061007000700069006e00670020004400720069007600650072 } /* FileDescription MemorymappingDriver */ @@ -1863,24 +3753,26 @@ rule PUA_VULN_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E { } -rule PUA_VULN_Driver_Novellinc_Novellxtier_FB81 { +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_9724 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f" - hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" - hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0" - date = "2024-07-29" + hash = "9724488ca2ba4c787640c49131f4d1daae5bd47d6b2e7e5f9e8918b1d6f655be" + hash = "a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512" + hash = "e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21" + hash = "8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ condition: uint16(0) == 0x5a4d and filesize < 200KB and all of them } @@ -1892,7 +3784,7 @@ rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -1915,7 +3807,7 @@ rule PUA_VULN_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_23B reference = "https://github.com/magicsword-io/LOLDrivers" hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade" hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c00480041 } /* FileDescription LHA */ @@ -1931,13 +3823,81 @@ rule PUA_VULN_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_23B } +rule PUA_VULN_Driver_Elitegroupcomputersystems_Ecsiodriversys_Ecsiodriver_2705 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ecsiodriverx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "270547552060c6f4f5b2ebd57a636d5e71d5f8a9d4305c2b0fe5db0aa2f389cc" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045004300530049006f004400720069007600650072 } /* FileDescription ECSIoDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00690074006500670072006f0075007000200043006f006d00700075007400650072002000530079007300740065006d0073 } /* CompanyName ElitegroupComputerSystems */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045004300530049006f004400720069007600650072002e007300790073 } /* InternalName ECSIoDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0045004300530049006f004400720069007600650072 } /* ProductName ECSIoDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045004300530049006f004400720069007600650072002e007300790073 } /* OriginalFilename ECSIoDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d003200300031003000200045006c00690074006500670072006f0075007000200043006f006d00700075007400650072002000530079007300740065006d0073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCElitegroupComputerSystemsAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Cn_Computerzsys_8D33 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8d3347c93dff62eecdde22ccc6ba3ce8c0446874738488527ea76d0645341409" + hash = "31ffc8218a52c3276bece1e5bac7fcb638dca0bc95c2d385511958abdbe4e4a5" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310032002e0031003000310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310032002e0031003000310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100320020003300360030002e0063006e } /* LegalCopyright Ccn */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_C586 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c586befc3fd561fcbf1cf706214ae2adaa43ce9ba760efd548d581f60deafc65" + hash = "dda2a604bb94a274e23f0005f0aa330d45ca1ea25111746fb46fa5ef6d155b1d" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0039002e0031003100300035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0039002e0031003100300035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Logmeininc_Lmiinfosys_Logmein_453B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LMIinfo.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0067004d00650049006e0020004b00650072006e0065006c00200049006e0066006f0072006d006100740069006f006e002000500072006f00760069006400650072 } /* FileDescription LogMeInKernelInformationProvider */ @@ -1953,13 +3913,82 @@ rule PUA_VULN_Driver_Logmeininc_Lmiinfosys_Logmein_453B { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_76AF { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "76af3f9fa111d694e37058606f2636430bdd378c85b94f426fbfcd6666ebe6cc" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000380020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1284 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0032002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0032002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Rweverything_Asrsetupdrvsys_Asrsetupdrvdriver_9D93 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrSetupDrv103.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3" + hash = "a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* FileDescription AsrSetupDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* InternalName AsrSetupDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* ProductName AsrSetupDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* OriginalFilename AsrSetupDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2" - date = "2024-07-29" + hash = "7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5" + hash = "0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -1975,13 +4004,58 @@ rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 { } +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_D0EB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d0eb3ba0aff471d19260192784bf9f056d669b779b6eaff84e732b7124ce1d11" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_EDBB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "edbb23e74562e98b849e5d0eefde3af056ec6e272802a04b61bebd12395754e5" + hash = "4b465faf013929edf2f605c8cd1ac7a278ddc9a536c4c34096965e6852cbfb51" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -2003,7 +4077,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_B author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2025,7 +4099,7 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2041,48 +4115,127 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C { } -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_1493 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f" - date = "2024-07-29" + hash = "14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c" + hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" + hash = "41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f" + hash = "a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53" + hash = "e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce" + hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { +rule PUA_VULN_Driver_Powertool_Kevpsys_Powertool_7C0F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7" - date = "2024-07-29" + hash = "7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230" + hash = "d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e" + hash = "2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d" + hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" + hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" + hash = "e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4" + hash = "7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f" + hash = "97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56" + hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003900200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ + condition: + uint16(0) == 0x5a4d and filesize < 2900KB and all of them +} + + +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Cn_Computerzsys_BC45 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "bc453d428fc224960fa8cbbaf90c86ce9b4c8c30916ad56e525ab19b6516424e" + hash = "182bbdb9ecd3932e0f0c986b779c2b2b3997a7ca9375caa2ec59b4b08f4e9714" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003900200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} rule PUA_VULN_Driver_Safenetinc_Hostnt_Hostnt_07B6 { @@ -2091,7 +4244,7 @@ rule PUA_VULN_Driver_Safenetinc_Hostnt_Hostnt_07B6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006f00730074006e0074002000360034002d0062006900740020006400720069007600650072 } /* FileDescription Hostntbitdriver */ @@ -2113,7 +4266,7 @@ rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ @@ -2129,13 +4282,35 @@ rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 { } +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_848B { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "848b150ffcf1301b26634a41f28deacb5ccdd3117d79b590d515ed49849b8891" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Zemanaltd_Zam_7CB5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -2155,7 +4330,7 @@ rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdri author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ @@ -2178,7 +4353,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd" hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2194,23 +4369,89 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 { } -rule PUA_VULN_Driver_Novellinc_Novellxtier_2899 { +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_0EAB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" - hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" - date = "2024-07-29" + hash = "0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_8EF5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e00320030003100350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e0032003000310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1F15 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_0452 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } @@ -2222,7 +4463,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2244,7 +4485,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */ @@ -2267,9 +4508,11 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_7710 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c" hash = "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2" + hash = "6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388" hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88" hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c" - date = "2024-07-29" + hash = "b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -2285,13 +4528,63 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_7710 { } +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_AD8F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7" + hash = "0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + +rule PUA_VULN_Driver_Ludashicom_Computerzsys_71C0 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "71c0ce3d33352ba6a0fb26e274d0fa87dc756d2473e104e0f5a7d57fab8a5713" + hash = "13ae3081393f8100cc491ebb88ba58f0491b3550787cf3fd25a73aa7ca0290d9" + hash = "8781589c77df2330a0085866a455d3ef64e4771eb574a211849784fdfa765040" + hash = "e642d82c5cde2bc40a204736b5b8d6578e8e2b893877ae0508cfa3371fc254dc" + hash = "ed3448152bcacf20d7c33e9194c89d5304dee3fba16034dd0cc03a3374e63c91" + hash = "5c9e257c9740561b5744812e1343815e7972c362c8993d972b96a56e18c712f3" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100350020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriver_22BE { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - speedfan.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } /* FileDescription SpeedFanDeviceDriver */ @@ -2313,7 +4606,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ @@ -2335,7 +4628,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2357,7 +4650,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -2380,7 +4673,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_0 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85" hash = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2404,7 +4697,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_AE42 { hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471" hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2" hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ @@ -2426,7 +4719,7 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_3724 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -2444,11 +4737,11 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_3724 { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ @@ -2464,6 +4757,52 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { } +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_D7C9 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8" + hash = "64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000300030002c002000300030002c002000300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e0056006f0063006c006f0063006b002e00520043 } /* OriginalFilename NVoclockRC */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033 } /* LegalCopyright Copyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Cn_Computerzsys_A97B { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a97b404aae301048e0600693457c3320d33f395e9312938831bc5a0e808f2e67" + hash = "47c490cc83a17ff36a1a92e08d63e76edffba49c9577865315a6c9be6ba80a7d" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003000300038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003000300038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" @@ -2471,7 +4810,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee" hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062005f005800360034 } /* FileDescription NTIOLibX */ @@ -2487,6 +4826,28 @@ rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { } +rule PUA_VULN_Driver_Featureintegrationtechnologyinc_Fintekpciecom_81FB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FPCIE2COM.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "81fbc9d02ef9e05602ea9c0804d423043d0ea5a06393c7ece3be03459f76a41d" + hash = "ebf0e56a1941e3a6583aab4a735f1b04d4750228c18666925945ed9d7c9007e1" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460049004e00540045004b002000500043004900450043004f004d00200041006400610070007400650072 } /* FileDescription FINTEKPCIECOMAdapter */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004600650061007400750072006500200049006e0074006500670072006100740069006f006e00200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName FeatureIntegrationTechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320032002c00310032002c0035002c0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320032002c00310032002c0035002c0030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460049004e00540045004b002000500043004900450043004f004d0020 } /* ProductName FINTEKPCIECOM */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0046005000430049004500320043004f004d002e007300790073 } /* OriginalFilename FPCIECOMsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200320020004600650061007400750072006500200049006e0074006500670072006100740069006f006e00200054006500630068006e006f006c006f0067007900200049006e0063002e } /* LegalCopyright CopyrightCFeatureIntegrationTechnologyInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_6BFC { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" @@ -2495,7 +4856,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_6 hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e" hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc" hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2517,7 +4878,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_7 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -2539,7 +4900,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_45F4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -2565,7 +4926,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4D05 { hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5" hash = "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572" hash = "d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -2587,7 +4948,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -2609,7 +4970,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2625,13 +4986,60 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { } +rule PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_8899 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3" + hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" + hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38" + hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00310038003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0031003800330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Filseclabcorporation_Fildds_Filseclabdynamicdefensesystem_F8C0 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - fildds.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f8c07b6e2066a5a22a92d9f521ecdeb8c68698c400e4b83e0501b9f340957c22" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d0020004400720076 } /* FileDescription FilseclabDynamicDefenseSystemDrv */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* CompanyName FilseclabCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200038003500350033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200038003500350033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00660069006c006400640073 } /* InternalName fildds */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d } /* ProductName FilseclabDynamicDefenseSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00660069006c006400640073002e007300790073 } /* OriginalFilename filddssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d0032003000310031002000460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCFilseclabCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -2647,13 +5055,35 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_3E85 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3070 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0053004900200043006f006d00430065006e00530065007200760069006300650020004400720069007600650072 } /* FileDescription MSIComCenServiceDriver */ @@ -2675,7 +5105,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CC58 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -2699,7 +5129,7 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodena hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677" hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab" hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2715,13 +5145,35 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodena } +rule PUA_VULN_Driver_Nmscommunications_Cgkwinksys_Ctaccess_223F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cg6kwin2k.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "223f61c3f443c5047d1aeb905b0551005a426f084b7a50384905e7e4ecb761a1" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430047002f004d0047002000660061006d0069006c00790020006400720069007600650072 } /* FileDescription CGMGfamilydriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e004d005300200043006f006d006d0075006e00690063006100740069006f006e0073 } /* CompanyName NMSCommunications */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e003000300020006200750069006c0074002000620079003a002000410064006d0069006e006900730074007200610074006f0072 } /* FileVersion builtbyAdministrator */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300670036006b00770069006e0032006b002e007300790073 } /* InternalName cgkwinksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004300540020004100630063006500730073 } /* ProductName CTAccess */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300670036006b00770069006e0032006b002e007300790073 } /* OriginalFilename cgkwinksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004e004d005300200043006f006d006d0075006e00690063006100740069006f006e007300200043006f00720070002e0032003000300034 } /* LegalCopyright CopyrightCNMSCommunicationsCorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2737,13 +5189,35 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 { } -rule PUA_VULN_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74 { +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_B9AE { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */ @@ -2759,13 +5233,36 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C } +rule PUA_VULN_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdatetoolkerneldriver_0CF8 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0cf84400c09582ee2911a5b1582332c992d1cd29fcf811cb1dc00fcd61757db0" + hash = "f190919f1668652249fa23d8c0455acbde9d344089fde96566239b1a18b91da2" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d0077006100720065002000550070006400610074006500200054006f006f006c0020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateToolKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d0077006100720065002000550070006400610074006500200054006f006f006c0020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateToolKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* OriginalFilename PDFWKRNLsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003100200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ @@ -2781,13 +5278,35 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 { } +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_4D77 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4d777a9e2c61e8b55b3c34c5265b301454bb080abe7ffb373e7800bd6a498f8d" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300035002e00300039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300035002e00300039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2803,13 +5322,57 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD { } +rule PUA_VULN_Driver_Cn_Computerzsys_00D9 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "00d9781d0823ab49505ef9c877aa6fa674e19ecc8b02c39ee2728f298bc92b03" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_C35C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c35cab244bd88bf0b1e7fc89c587d82763f66cf1108084713f867f72cc6f3633" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003800780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriverfornt_EA85 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IOMap64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* FileDescription ASUSKernelModeDriverforNT */ @@ -2831,7 +5394,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2853,7 +5416,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -2876,7 +5439,7 @@ rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_5596 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa" hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d003100300020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ @@ -2892,13 +5455,124 @@ rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_5596 { } +rule PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_E602 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e6023b8fd2ce4ad2f3005a53aa160772e43fe58da8e467bd05ab71f3335fb822" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200032002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Genitlkiwibenjaminxxxxx_Titidrv_Titidrvtiticatz_208E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - titidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "208ea38734979aa2c86332eba1ea5269999227077ff110ac0a0d411073165f85" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007400690074006900640072007600200066006f0072002000570069006e0064006f00770073002000280074006900740069006300610074007a0029 } /* FileDescription titidrvforWindowstiticatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* CompanyName genitlkiwiBenjaminXXXXX */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0074006900740069006400720076 } /* InternalName titidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0074006900740069006400720076002000280074006900740069006300610074007a0029 } /* ProductName titidrvtiticatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0074006900740069006400720076002e007300790073 } /* OriginalFilename titidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* LegalCopyright CopyrightcgenitlkiwiBenjaminXXXXX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdeliveryfirmwareupdateutilitydriver_5DF6 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5df689a62003d26df4aefbaed41ec1205abbf3a2e18e1f1d51b97711e8fcdf00" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* InternalName PDFWKRNLsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005500530042002d004300200050006f007700650072002000440065006c006900760065007200790020004600690072006d007700610072006500200055007000640061007400650020005500740069006c0069007400790020004400720069007600650072 } /* ProductName USBCPowerDeliveryFirmwareUpdateUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004400460057004b0052004e004c002e007300790073 } /* OriginalFilename PDFWKRNLsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300032003300200041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* LegalCopyright CopyrightCAdvancedMicroDevicesInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_B9AD { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Cn_Computerzsys_348D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "348dc502ac57d7362c7f222e656c52e630c90bef92217a3bd20e49193b5a69f1" + hash = "c186967cc4f2a0cb853c9796d3ea416d233e48e735f02b1bb013967964e89778" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003100320039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e0031003100320039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Mydriverscom_Hwm_Drivergenius_08EB { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mydrivers.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */ @@ -2916,11 +5590,11 @@ rule PUA_VULN_Driver_Mydriverscom_Hwm_Drivergenius_08EB { rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -2936,27 +5610,69 @@ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { } -rule PUA_VULN_Driver_Powertool_Kevpsys_Powertool_8E63 { +rule PUA_VULN_Driver_Evgatechnologyinc_Windowsvistasmartiodevice_Windowsvistasmartiodevice_3C95 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SMARTEIO64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" - hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" - hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" - date = "2024-07-29" + hash = "3c95ebf3f1a87f67d2861dbd1c85dc26c118610af0c9fbf4180428e653ac3e50" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* FileDescription WindowsVistaSmartIODevice */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004500560047004100200054006500630068006e006f006c006f0067007900200049006e0063002e } /* CompanyName EVGATechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310033002e00300031002e0032003000300038002d0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310033002e00300031002e0032003000300038002d0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* InternalName WindowsVistaSmartIODevice */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020005600690073007400610036003400200053006d00610072007400200049004f0020004400650076006900630065 } /* ProductName WindowsVistaSmartIODevice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0053004d00410052005400450049004f00360034002e005300590053 } /* OriginalFilename SMARTEIOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002800630029002000320030003000370020004500560047004100200054006500630068006e006f006c006f0067007900200049006e0063002e } /* LegalCopyright CopyrightcEVGATechnologyInc */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_033C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbsys_Virtualboxusbdriver_5B26 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5b26c4678ecd37d1829513f41ff9e9df9ef1d1d6fea9e3d477353c90cc915291" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them } @@ -2966,7 +5682,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -2989,7 +5705,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7C73 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b" hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3005,13 +5721,35 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7C73 { } +rule PUA_VULN_Driver_Wistroncorporation_Wirwadrvsys_Wistronrwadriver_D8FC { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiRwaDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d8fc8e3a1348393c5d7c3a84bcbae383d85a4721a751ad7afac5428e5e579b4e" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300740072006f006e00200052005700410020004400720069007600650072 } /* FileDescription WistronRWADriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300740072006f006e00200043006f00720070006f0072006100740069006f006e } /* CompanyName WistronCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031003000310036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069005200770061004400720076002e007300790073 } /* InternalName WiRwaDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300740072006f006e00200052005700410020004400720069007600650072 } /* ProductName WistronRWADriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069005200770061004400720076002e007300790073 } /* OriginalFilename WiRwaDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000570069007300740072006f006e00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCWistronCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3027,13 +5765,36 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 { } +rule PUA_VULN_Driver_Ludashicom_Computerzsys_F14D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f14da8aa5c8eea8df63cf935481d673fdf3847f5701c310abf4023f9d80ad57d" + hash = "c6a5663f20e5cee2c92dee43a0f2868fb0af299f842410f4473dcde7abcb6413" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310035002e0031003000340030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100350020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3055,7 +5816,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_34E author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -3077,7 +5838,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -3093,13 +5854,57 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Atlaccesssys_Windowsrwinddkdriver_0B57 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atlAccess.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0b57569aaa0f4789d9642dd2189b0a82466b80ad32ff35f88127210ed105fe57" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006d0070006c0065002000500043004900200061006300630065007300730020006400720069007600650072 } /* FileDescription SimplePCIaccessdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00610074006c004100630063006500730073002e007300790073 } /* InternalName atlAccesssys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00610074006c004100630063006500730073002e007300790073 } /* OriginalFilename atlAccesssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_909F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "909f6c4b8f779df01ef91e549679aa4600223ac75bc7f3a3a79a37cee2326e77" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300033002e00300036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300033002e00300036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Zemanaltd_Zam_3C18 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3118,7 +5923,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -3134,13 +5939,58 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { } +rule PUA_VULN_Driver_Innotekgmbh_Iprt_Virtualboxguestadditions_BBF5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxMouseNT.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "bbf564a02784d53b8006333406807c3539ee4a594585b1f3713325904cb730ec" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200069003800300034003200200050006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxiPortDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00690038003000340032007000720074 } /* InternalName iprt */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004d006f007500730065004e0054002e007300790073 } /* OriginalFilename VBoxMouseNTsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_9399 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9399f35b90f09b41f9eeda55c8e37f6d1cb22de6e224e54567d1f0865a718727" + hash = "a66b4420fa1df81a517e2bbea1a414b57721c67a4aa1df1967894f77e81d036e" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0034002e00320031003300340033002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000320031002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ @@ -3158,11 +6008,11 @@ rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 { rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -3185,7 +6035,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e" hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -3207,7 +6057,7 @@ rule PUA_VULN_Driver_Multitheftauto_Mtasanandreas_9F4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0075006c007400690020005400680065006600740020004100750074006f0020007000610074006300680020006400720069007600650072 } /* FileDescription MultiTheftAutopatchdriver */ @@ -3227,7 +6077,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3243,35 +6093,103 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { } -rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D { +rule PUA_VULN_Driver_Novellinc_Novellxtier_A153 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850" - date = "2024-07-29" + hash = "a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00" + hash = "e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717" + hash = "4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Microfocus_Microfocusxtier_95D5 { +rule PUA_VULN_Driver_Ludashicom_Computerzsys_3F36 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3" - date = "2024-07-29" + hash = "3f3684a37b2645fa6827943d9812ffc2d83e89e962935b29874bec7c3714a06f" + hash = "37d999df20c1a0b8ffaef9484c213a97b9987ed308b4ba07316a6013fbd31c60" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000320030002e0031003000330030002e0031003200310037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000320030002e0031003000330030002e0031003200310037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003200300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7702 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7702f240800528d8186e3e6a26e2680486fed65a6fb5a2a000ad12c1fb61a398" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + +rule PUA_VULN_Driver_Microfocus_Microfocusxtier_95D5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */ @@ -3286,13 +6204,57 @@ rule PUA_VULN_Driver_Microfocus_Microfocusxtier_95D5 { } +rule PUA_VULN_Driver_Z_Computerzsys_Zwuqisystemdriver_61E7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "61e7f9a91ef25529d85b22c39e830078b96f40b94d00756595dded9d1a8f6629" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0077007500710069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription ZwuqiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a6b665668 } /* CompanyName Z */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0039002e003400310036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0039002e003400310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0077007500710069002000530079007300740065006d0020004400720069007600650072 } /* ProductName ZwuqiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020007700770077002e007a0077007500710069002e0063006f006d } /* LegalCopyright CopyrightCwwwzwuqicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_8DCE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8dcec67a1f4903981c3e0ab938784c2f241e041e26748e1c22059e0e507cfb37" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3314,7 +6276,7 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ @@ -3336,7 +6298,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibra author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ @@ -3352,13 +6314,35 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibra } +rule PUA_VULN_Driver_Novellinc_Novellxtier_6C5A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d" + hash = "ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -3374,13 +6358,60 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 { } +rule PUA_VULN_Driver_Cn_Computerzsys_3913 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "39134750f909987f6ebb46cf37519bb80707be0ca2017f3735018bac795a3f8d" + hash = "a34e45e5bbec861e937aefb3cbb7c8818f72df2082029e43264c2b361424cbb1" + hash = "3e758221506628b116e88c14e71be99940894663013df3cf1a9e0b6fb18852b9" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310031002e003400310035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310031002e003400310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100310020003300360030002e0063006e } /* LegalCopyright Ccn */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Cn_Computerzsys_767E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "767ef5c831f92d92f2bfc3e6ea7fd76d11999eeea24cb464fd62e73132ed564b" + hash = "d9a73df5ac5c68ef5b37a67e5e649332da0f649c3bb6828f70b65c0a2e7d3a23" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_9A54 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -3402,7 +6433,7 @@ rule PUA_VULN_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysicalmemoryandp author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200041006300630065007300730020004400720069007600650072 } /* FileDescription HardwareAccessDriver */ @@ -3423,7 +6454,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3445,7 +6476,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_CFCF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ @@ -3461,13 +6492,148 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_CFCF { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_F8D4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f8d45fa03f56e2ea14920b902856666b8d44f1f1b16644baf8c1ae9a61851fb6" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003800780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_D0E4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d0e4d3e1f5d5942aaf2c72631e9490eecc4d295ee78c323d8fe05092e5b788eb" + hash = "2ad8c38f6e0ca6c93abe3228c8a5d4299430ce0a2eeb80c914326c75ba8a33f9" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00350032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00350032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_77DA { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "77da3e8c5d70978b287d433ae1e1236c895b530a8e1475a9a190cdcc06711d2f" + hash = "837d3b67d3e66ef1674c9f1a47046e1617ed13f73ee08441d95a6de3d73ee9f2" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00310034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00310034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Ludashicom_Computerzsys_0368 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "03680068ec41bbe725e1ed2042b63b82391f792e8e21e45dc114618641611d5d" + hash = "66f851b309bada6d3e4b211baa23b534165b29ba16b5cbf5e8f44eaeb3ca86ea" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000310035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310036002e0031003000310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100360020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_B0DC { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvaudio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b0dcdbdc62949c981c4fc04ccea64be008676d23506fc05637d9686151a4b77f" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00300030002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00300030002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_7C79 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7c79e5196c2f51d2ab16e40b9d5725a8bf6ae0aaa70b02377aedc0f4e93ca37f" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0039002e0030002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0039002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000300039002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright RadiantSystemsInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ @@ -3489,7 +6655,7 @@ rule PUA_VULN_Driver_Pchuntersys_Pchunter_1B7F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00450070006f006f006c0073006f00660074002000570069006e0064006f0077007300200049006e0066006f0072006d006100740069006f006e0020005600690065007700200054006f006f006c0073 } /* FileDescription EpoolsoftWindowsInformationViewTools */ @@ -3511,7 +6677,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3527,22 +6693,48 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { } -rule PUA_VULN_Driver_Novellinc_Novellxtier_8E88 { +rule PUA_VULN_Driver_Cn_Computerzsys_0FC3 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" - date = "2024-07-29" + hash = "0fc3bc6e81b04dcaa349f59f04d6c85c55a2fea5db8fa0ba53d3096a040ce5a7" + hash = "40eef1f52c7b81750cee2b74b5d2f4155d4e58bdde5e18ea612ab09ed0864554" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310034002e0031003000320031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100340020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Netfiltersys_EDC6 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "edc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577ed" + hash = "79e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e3617" + hash = "18b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac1" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f56689a7152a865874ef6 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } @@ -3554,7 +6746,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_E428 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3567,13 +6759,35 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_E428 { } +rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_BE68 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3589,6 +6803,51 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 { } +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_3CB1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3cb111fdedc32f2f253aacde4372b710035c8652eb3586553652477a521c9284" + hash = "9bfd24947052bfe9f2979113a7941e40bd7e3a82eaa081a32ad4064159f07c91" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Watchdogdevelopmentcomllc_Wsdkdsys_Wsdkd_6278 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wsdkd.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6278bc785113831b2ec3368e2c9c9e89e8aca49085a59d8d38dac651471d6440" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005700610074006300680044006f006700200041006e00740069007600690072007500730020004400720069007600650072 } /* FileDescription WatchDogAntivirusDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005700610074006300680044006f00670044006500760065006c006f0070006d0065006e0074002e0063006f006d002c0020004c004c0043002e } /* CompanyName WatchDogDevelopmentcomLLC */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0033002e0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0033002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007700730064006b0064002e007300790073 } /* InternalName wsdkdsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007700730064006b0064 } /* ProductName wsdkd */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007700730064006b0064002e007300790073 } /* OriginalFilename wsdkdsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320032 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Huawei_Hwosec_Huaweimatebook_B179 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwOs2Ec7x64.sys" @@ -3596,7 +6855,7 @@ rule PUA_VULN_Driver_Huawei_Hwosec_Huaweimatebook_B179 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de" hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480077004f0073003200450063 } /* FileDescription HwOsEc */ @@ -3618,7 +6877,7 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ @@ -3639,7 +6898,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_7661 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3658,7 +6917,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -3676,11 +6935,11 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -3702,7 +6961,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3718,13 +6977,58 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { } +rule PUA_VULN_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_0F30 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0f30ecd4faec147a2335a4fc031c8a1ac9310c35339ebeb651eb1429421951a0" + hash = "903d6d71da64566b1d9c32d4fb1a1491e9f91006ad2281bb91d4f1ee9567ef7b" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00320030002e0030002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e0030002e0037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0032003000300032002d0032003000300039002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright RadiantSystemsInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + +rule PUA_VULN_Driver_Insydesoftware_Insydeflash_Insydeflashutilitybitdriver_CE0A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iscflashx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ce0a4430d090ba2f1b46abeaae0cb5fd176ac39a236888fa363bf6f9fd6036d9" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0069007300630066006c006100730068007800360034002e007300790073 } /* FileDescription iscflashxsys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f006600740077006100720065 } /* CompanyName InsydeSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200032002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200032002c00200031002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049006e00730079006400650046006c006100730068 } /* InternalName InsydeFlash */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e007300790064006500200046006c0061007300680020005500740069006c00690074007900200036003400200062006900740020004400720069007600650072 } /* ProductName InsydeFlashUtilitybitDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069007300630066006c006100730068007800360034002e007300790073 } /* OriginalFilename iscflashxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003500200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3746,7 +7050,7 @@ rule PUA_VULN_Driver_Microfocus_Microfocusxtier_5351 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200053006500630075007200690074007900200043006f006e00740065007800740020004d0061006e0061006700650072 } /* FileDescription XTierSecurityContextManager */ @@ -3768,7 +7072,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f" hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -3791,7 +7095,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5FAD { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36" hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -3807,25 +7111,93 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5FAD { } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_A072 { +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_16E2 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" - hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" - hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" - date = "2024-07-29" + hash = "16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23" + hash = "0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_060D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "060d25126e45309414b380ee29f900840b689eae4217a8e621563f130c1d457f" + hash = "b8321471be85dc8a67ac18a2460cab50e7c41cb47252f9a7278b1e69d6970f25" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300035002e00300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300035002e00300032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Ludashicom_Computerzsys_7553 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7553c76b006bd2c75af4e4ee00a02279d3f1f5d691e7dbdc955eac46fd3614c3" + hash = "64dddd5ac53fe2c9de2b317c09034d1bccaf21d6c03ccfde3518e5aa3623dd66" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]006c007500640061007300680069002e0063006f006d } /* CompanyName ludashicom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000310039002e0031003000320035002e003900310038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000310039002e0031003000320035002e003900310038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]9c8159275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100390020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright Cwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Overclockingtool_Atillksys_Overclockingtool_11A9 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f" + hash = "d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f0076006500720063006c006f0063006b0069006e00670020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription OverclockingHardwareAbstractionSys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* CompanyName OverclockingTool */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* ProductName OverclockingTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002c00200032003000300035 } /* LegalCopyright CopyrightC */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } @@ -3837,7 +7209,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -3859,7 +7231,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3881,7 +7253,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00610076006100730074002100200056004d0020004d006f006e00690074006f0072 } /* FileDescription avastVMMonitor */ @@ -3897,37 +7269,13 @@ rule PUA_VULN_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 { } -rule PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_31F4 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" - hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38" - hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229" - date = "2024-07-29" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00310038003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0031003800330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050004e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPNPDriver */ @@ -3943,35 +7291,13 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 { } -rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_CF69 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" - date = "2024-07-29" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_4408 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -3993,7 +7319,7 @@ rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ @@ -4009,13 +7335,35 @@ rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { } +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_3D00 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3d008e636e74c846fe7c00f90089ff725561cb3d49ce3253f2bbfbc939bbfcb2" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00320035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00320035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4037,7 +7385,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -4059,7 +7407,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4081,7 +7429,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4103,7 +7451,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -4119,13 +7467,35 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 { } +rule PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxc_1183 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "11832c345e9898c4f74d3bf8f126cf84b4b1a66ad36135e15d103dbf2ac17359" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d003200580037003200430020004b00650072006e0065006c0020004400650076006900630065002000440072006900760065007200280053005900530029002000570069006e0064006f00770073004e0054 } /* FileDescription GPCXCKernelDeviceDriverSYSWindowsNT */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00360031002d00320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00360031002d00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e007300790073 } /* InternalName CPXCsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043 } /* ProductName GPCXC */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043 } /* OriginalFilename CPXC */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300030003700200049006e007400650072006600610063006500200043006f00720070002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorpAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4147,7 +7517,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4170,7 +7540,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa" hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -4186,13 +7556,78 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_1B17 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1b17d12076d047e74d15e6e51e10497ad49419bec7fbe93386c57d3efbaadc0b" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_6CF1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310030002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_EAE5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "eae5c993b250dcc5fee01deeb30045b0e5ee7cf9306ef6edd8c58e4dc743a8ed" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e00310034003000390031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310034002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BDBC { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -4208,13 +7643,59 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_B } +rule PUA_VULN_Driver_Databaseharborsoftware_Sysinfodetectorxsys_Sysinfodetector_45E5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SysInfoDetectorX64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "45e5977b8d5baec776eb2e62a84981a8e46f6ce17947c9a76fa1f955dc547271" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200200066006f007200200053007900730049006e0066006f0020004400650074006500630074006f0072 } /* FileDescription DriverforSysInfoDetector */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0044006100740061006200610073006500200048006100720062006f007200200053006f006600740077006100720065 } /* CompanyName DatabaseHarborSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0053007900730049006e0066006f004400650074006500630074006f0072005800360034002e007300790073 } /* InternalName SysInfoDetectorXsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007900730049006e0066006f0020004400650074006500630074006f0072 } /* ProductName SysInfoDetector */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0053007900730049006e0066006f004400650074006500630074006f0072005800360034002e007300790073 } /* OriginalFilename SysInfoDetectorXsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003400200044006100740061006200610073006500200048006100720062006f007200200053006f006600740077006100720065 } /* LegalCopyright CopyrightCDatabaseHarborSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7048 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6" + hash = "d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e" + hash = "fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4230,13 +7711,57 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 { } +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_E505 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e505569892551b2ba79d8792badff0a41faea033e8d8f85c3afea33463c70bd9" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Ncrcorporation_Radhwmgrsys_Ncrcorporationhardwaremanagerdriver_Dev_DF96 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "df96d844b967d404e58a12fc57487abc24cd3bd1f8417acfe1ce1ee4a0b0b858" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e } /* CompanyName NCRCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0030002e0030002e003200200044006500760020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion DevbuiltbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0030002e0030002e00320020004400650076 } /* ProductVersion Dev */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0043005200200043006f00720070006f0072006100740069006f006e0020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName NCRCorporationHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d00320030003100370020004e0043005200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightcNCRCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0B2A { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4252,13 +7777,79 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ } +rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_BA40 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ba40b1fc798c2f78165e78997b4baf3d99858ee39a372ca6fbc303057793e50d" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e00310034003100370035002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310034002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_828A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbmonsys_Virtualboxusbmonitordriver_8A24 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8a2482e19040d591c7cec5dfc35865596ce0154350b5c4e1c9eecc86e7752145" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Copyright_Advancedmalwareprotection_6F55 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amsdk.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* FileDescription AdvancedMalwareProtection */ @@ -4269,71 +7860,275 @@ rule PUA_VULN_Driver_Copyright_Advancedmalwareprotection_6F55 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005a0041004d002e006500780065 } /* OriginalFilename ZAMexe */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000310038002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_0DC4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_3670 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3670ccd9515d529bb31751fcd613066348057741adeaf0bffd1b9a54eb8baa76" + hash = "0d133ced666c798ea63b6d8026ec507d429e834daa7c74e4e091e462e5815180" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e00310037003000350032002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300032002d0032003000310037002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9CA5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4E54 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4e54e98df13110aac41f3207e400cce2a00df29ce18c32186e536c1de25a75ce" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000390020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003200200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_F4EE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f4ee803eefdb4eaeedb3024c3516f1f9a202c77f4870d6b74356bbde32b3b560" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_898E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "898e07cf276ec2090b3e7ca7c192cc0fa10d6f13d989ef1cb5826ca9ce25b289" + hash = "07d0090c76155318e78a676e2f8af1500c20aaa1e84f047c674d5f990f5a09c8" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]9c8159275e08 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800330031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e00310030002e003800330031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* ProductName LudashiSystemDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003100300020007700770077002e006c007500640061007300680069002e0063006f006d } /* LegalCopyright CopyrightCwwwludashicom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_AFDA { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" - date = "2024-07-29" + hash = "afda5af5f210336061bff0fab0ed93ee495312bed639ec5db56fbac0ea8247d3" + hash = "b2364c3cf230648dad30952701aef90acfc9891541c7e154e30c9750da213ed1" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00350034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00350034 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C { +rule PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxcdiobmpcicpci_6386 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b" - date = "2024-07-29" + hash = "63865f04c1150655817ed4c9f56ad9f637d41ebd2965b6127fc7c02757a7800e" + hash = "9c8ed1506b3e35f5eea6ac539e286d46ef76ddbfdfc5406390fd2157c762ce91" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003200200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d0032005800370032004300200049002f004f0020004d006f00640075006c006500200044006500760069006300650020004400720069007600650072 } /* FileDescription GPCXCIOModuleDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00300032002e00330030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00300032002e00330030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* InternalName CPXCSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043002000440049004f002d0042004d0028005000430049002f0043002d0050004300490029 } /* ProductName GPCXCDIOBMPCICPCI */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* OriginalFilename CPXCSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300031003400200049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorporationAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } -rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { +rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_C490 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" - date = "2024-07-29" + hash = "c490d6c0844f59fdb4aa850a06e283fbf5e5b6ac20ff42ead03d549d8ae1c01b" + hash = "a29093d4d708185ba8be35709113fb42e402bbfbf2960d3e00fd7c759ef0b94e" + hash = "e3dbafce5ad2bf17446d0f853aeedf58cc25aa1080ab97e22375a1022d6acb16" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f } /* FileDescription GenericPortIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } @@ -4345,7 +8140,7 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f00360034 } /* FileDescription ALSysIO */ @@ -4367,7 +8162,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -4383,13 +8178,35 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E { } +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_88FB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "88fb0a846f52c3b680c695cd349bf56151a53a75a07b8b0b4fe026ab8aa0a9af" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_E839 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004300500055005f00430043 } /* FileDescription NTIOLibforMSICPUCC */ @@ -4411,7 +8228,7 @@ rule PUA_VULN_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physi author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* FileDescription PhysicalMemoryAccessDriver */ @@ -4427,13 +8244,35 @@ rule PUA_VULN_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physi } +rule PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_4CE8 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ce8583768720be90fae66eed3b6b4a8c7c64e033be53d4cd98246d6e06086d0" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004e00740069006d006500200050006e00500020005200540020004b00650072006e0065006c00200049006e00740065007200660061006300650020004400720069007600650072 } /* FileDescription INtimePnPRTKernelInterfaceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00540065006e004100730079007300200043006f00720070006f0072006100740069006f006e } /* CompanyName TenAsysCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e00310031003200380035002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0072007400690066002e007300790073 } /* InternalName rtifsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004e00740069006d0065 } /* ProductName INtime */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0072007400690066002e007300790073 } /* OriginalFilename rtifsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300030002d0032003000310031002000620079002000540065006e004100730079007300200043006f00720070006f0072006100740069006f006e002e } /* LegalCopyright CopyrightbyTenAsysCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_AF10 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -4451,11 +8290,11 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -4477,7 +8316,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -4493,13 +8332,35 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_F629 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65" + hash = "0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amp.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00500020004d0069006e006900660069006c007400650072 } /* FileDescription AMPMinifilter */ @@ -4515,13 +8376,35 @@ rule PUA_VULN_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { } +rule PUA_VULN_Driver_Netfiltersdkcom_Lgdcatchersys_Netfiltersdk_0C42 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDCatcher.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* CompanyName NetFilterSDKcom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* InternalName LgDCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0065007400460069006c007400650072002000530044004b } /* ProductName NetFilterSDK */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* OriginalFilename LgDCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003f0020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - superbmc.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007300750070006500720062006d0063 } /* FileDescription superbmc */ @@ -4543,7 +8426,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4566,7 +8449,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54" hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -4582,13 +8465,35 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 { } +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_AE3A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ae3a6a0726f667658fc3e3180980609dcb31bdbf833d7cb76ba5d405058d5156" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVIDIASystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070002e } /* CompanyName NVIDIACorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00300033002e00310032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00300033002e00310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560049004400490041002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVIDIASystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ @@ -4604,6 +8509,160 @@ rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 { } +rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_6F80 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6f806a9de79ac2886613c20758546f7e9597db5a20744f7dd82d310b7d6457d0" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f } /* FileDescription GenericPortIO */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName rtportsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename rtportsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_B205 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys " + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Filseclabcorporation_Filnk_Filseclabdynamicdefensesystem_AE55 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - filnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ae55a0e93e5ef3948adecf20fa55b0f555dcf40589917a5bfbaa732075f0cc12" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d0020004400720076 } /* FileDescription FilseclabDynamicDefenseSystemDrv */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* CompanyName FilseclabCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c00200030002c002000310039003300350033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200030002c002000310039003300350033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00660069006c006e006b } /* InternalName filnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006c007300650063006c00610062002000440079006e0061006d0069006300200044006500660065006e00730065002000530079007300740065006d } /* ProductName FilseclabDynamicDefenseSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00660069006c006e006b002e007300790073 } /* OriginalFilename filnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d0032003000310033002000460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCFilseclabCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 900KB and all of them +} + + +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_CBF7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e00640072006100200044006500760069006300650020004400720069007600650072002000280049004100360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverIAUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_A475 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a47555d04b375f844073fdcc71e5ccaa1bbb201e24dcdebe2399e055e15c849f" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00300030002e00320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00300030002e00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_66F8 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e" + hash = "7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_55B5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "55b5bcbf8fb4e1ce99d201d3903d785888c928aa26e947ce2cdb99eefd0dae03" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003700780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" @@ -4614,7 +8673,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f" hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" hash = "ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -4630,13 +8689,102 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { } +rule PUA_VULN_Driver_Filseclabcorporation_Filwfp_Filseclabfirewall_490C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - filwfp.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "490cfbb540dcd70b7bff4fdd62e7ed7400bbfebaf5083523d49f7184670f7b9a" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00460069006c007300650063006c006100620020004600690072006500770061006c006c } /* FileDescription FilseclabFirewall */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* CompanyName FilseclabCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031003200310036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200031003200310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00660069006c007700660070 } /* InternalName filwfp */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00460069006c007300650063006c006100620020004600690072006500770061006c006c } /* ProductName FilseclabFirewall */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00660069006c007700660070002e007300790073 } /* OriginalFilename filwfpsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000460069006c007300650063006c0061006200200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCFilseclabCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_4AE4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv_1_0_32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ae42c1f11a98dee07a0d7199f611699511f1fb95120fabc4c3c349c485467fe" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_9E34 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + +rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_9D53 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a" + hash = "5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4659,7 +8807,7 @@ rule PUA_VULN_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b" hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ @@ -4681,7 +8829,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4703,7 +8851,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F15A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -4725,7 +8873,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4747,7 +8895,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4763,13 +8911,80 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6701 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6701433861742c08eb50f1e785962378143ad5b6c374ac29118168599f8a0f1c" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinchardwaremanagerdriver_00C3 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "00c3e86952eebb113d91d118629077b3370ebc41eeacb419762d2de30a43c09c" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061006400690061006e00740020004800610072006400770061007200650020004d0061006e006100670065007200200066006f007200200050003100350078007800200050006c006100740066006f0072006d } /* FileDescription RadiantHardwareManagerforPxxPlatform */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* CompanyName RadiantSystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e003200320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0030002e00320032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* InternalName RadHwMgrsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e00200020004800610072006400770061007200650020004d0061006e00610067006500720020006400720069007600650072 } /* ProductName RadiantSystemsIncHardwareManagerdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520061006400480077004d00670072002e007300790073 } /* OriginalFilename RadHwMgrsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d0032003000300034002000520061006400690061006e0074002000530079007300740065006d0073002c00200049006e0063002e0020 } /* LegalCopyright CopyrightcRadiantSystemsInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Cn_Computerzsys_DEE3 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "dee384604d2d0018473941acbefe553711ded7344a4932daeffb876fe2fa0233" + hash = "26ecd3cea139218120a9f168c8c0c3b856e0dd8fb2205c2a4bcb398f5f35d8dd" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c007500640061007300680069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription LudashiSystemDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]003300360030002e0063006e } /* CompanyName cn */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e00310032002e003300300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e00310032002e003300300032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]003300360030786c4ef659275e08 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]7248674362406709002000280043002900200032003000310030002d00320030003100320020003300360030002e0063006e } /* LegalCopyright Ccn */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -4791,7 +9006,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4807,13 +9022,57 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6E9E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6e9e9e0b9a23deec5f28dc45f0bbe7423565f037f74be2957e82e5f72c886094" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003800300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00380030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1228 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003400200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_RCIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -4836,7 +9095,7 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D reference = "https://github.com/magicsword-io/LOLDrivers" hash = "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20" hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription AMIGenericUtilityDriver */ @@ -4852,6 +9111,74 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D } +rule PUA_VULN_Driver_Inferre_Hwdetectngsys_Hwdetectngsys_D456 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hwdetectng.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d45600f3015a54fa2c9baa7897edbd821aeea2532e6aadb8065415ed0a23d0c2" + hash = "43136de6b77ef85bc661d401723f38624e93c4408d758bc9f27987f2b4511fee" + hash = "2f8b68de1e541093f2d4525a0d02f36d361cd69ee8b1db18e6dd064af3856f4f" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480057004400650074006500630074004e0047 } /* FileDescription HWDetectNG */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069004e00460045005200520045 } /* CompanyName iNFERRE */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0038 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* InternalName hwdetectngsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* ProductName hwdetectngsys */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00680077006400650074006500630074006e0067002e007300790073 } /* OriginalFilename hwdetectngsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280063002900200032003000300038002d0030003900200069004e00460045005200520045 } /* LegalCopyright ciNFERRE */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Adlicesoftware_Truesight_Truesight_BFC2 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - truesight.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0052006f006700750065004b0069006c006c0065007200200041006e007400690072006f006f0074006b006900740020004400720069007600650072 } /* FileDescription RogueKillerAntirootkitDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410064006c00690063006500200053006f006600740077006100720065 } /* CompanyName AdliceSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005400720075006500730069006700680074 } /* InternalName Truesight */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720075006500730069006700680074 } /* ProductName Truesight */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005400720075006500730069006700680074 } /* OriginalFilename Truesight */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000410064006c00690063006500200053006f00660074007700610072006500280043002900200032003000320033 } /* LegalCopyright CopyrightAdliceSoftwareC */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_87B4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300035002e00340037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300035002e00340037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxdriverversion_X_F581 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpoutx64.sys" @@ -4860,7 +9187,7 @@ rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxd hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af" hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b" hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ @@ -4882,7 +9209,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4898,13 +9225,35 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_FF1C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ff1ccef7374a1a5054a6f4437e3e0504b14ed76e17090cc6b1a4ec0e2da427a5" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003600300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00360030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -4920,6 +9269,52 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 { } +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_CA34 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760032002e003000200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_46D1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28" + hash = "dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53" + hash = "4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61" + hash = "d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310038002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_A334 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" @@ -4927,7 +9322,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_A334 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d" hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -4949,7 +9344,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4971,7 +9366,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4989,11 +9384,11 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 { rule PUA_VULN_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IObitUnlocker.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription UnlockerDriver */ @@ -5009,45 +9404,22 @@ rule PUA_VULN_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C { } -rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_93D8 { +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_C190 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" - date = "2024-07-29" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - -rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_358A { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" - date = "2024-07-29" + hash = "c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0035002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e0031002e003500200028003200300030003600300038003200380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } @@ -5059,7 +9431,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_9 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -5081,7 +9453,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5097,13 +9469,36 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ } +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_7337 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "733789d0a253e8d80cc3240e365b8d4274e510e36007f6e4b5fd13b07b084c3e" + hash = "d1463b7fec911c10a8c96d84eb7c0f9e95fa488d826647a591a38c0593f812a4" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e003200300037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e003200300037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5119,13 +9514,36 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosiodriver_1E24 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1e24c45ce2672ee403db34077c88e8b7d7797d113c6fd161906dce3784da627d" + hash = "39336e2ce105901ab65021d6fdc3932d3d6aab665fe4bd55aa1aa66eb0de32f0" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300420049004f00530049004f0020004400720069007600650072 } /* FileDescription SBIOSIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030003000300030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030003000300030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* InternalName SBIOSIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530061006d00730075006e00670020002800520029002000420049004f005300200049004f0020006400720069007600650072 } /* ProductName SamsungRBIOSIOdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* OriginalFilename SBIOSIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000530061006d00730075006e006700200045006c0065006300740072006f006e006900630073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcSamsungElectronicsAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_9491 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -5147,7 +9565,7 @@ rule PUA_VULN_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsroperatingsystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460055004a00490054005300550020004c0049004d0049005400450044002e } /* CompanyName FUJITSULIMITED */ @@ -5168,7 +9586,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -5184,13 +9602,102 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster } +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_CFA2 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "cfa28e2f624f927d4cbd2952306570d86901d2f24e3d07cc6277e98289d09783" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e002000260020004f00740068006500720073 } /* LegalCopyright SunMicrosystemsIncOthers */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Generalelectriccompany_Gedevicedriver_Proficymachineedition_Build_A369 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GEDevDrv.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a369942ce8d4b70ebf664981e12c736ec980dbe5a74585dd826553c4723b1bce" + hash = "ae73dd357e5950face9c956570088f334d18464cd49f00c56420e3d6ff47e8dc" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* FileDescription GEDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00470065006e006500720061006c00200045006c00650063007400720069006300200043006f006d00700061006e0079 } /* CompanyName GeneralElectricCompany */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0035003000200028004200750069006c0064002000370036003700370029 } /* FileVersion Build */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0035003000200028004200750069006c0064002000370036003700370029 } /* ProductVersion Build */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* InternalName GEDeviceDriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00660069006300790020004d0061006300680069006e0065002000450064006900740069006f006e } /* ProductName ProficyMachineEdition */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00470045004400650076004400720076002e005300590053 } /* OriginalFilename GEDevDrvSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000310037002000470065006e006500720061006c00200045006c00650063007400720069006300200043006f006d00700061006e0079 } /* LegalCopyright GeneralElectricCompany */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_85FD { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "85fdd255c5d7add25fd7cd502221387a5e11f02144753890218dd31a8333a1a3" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00360039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00360039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7CF7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* FileDescription */ @@ -5208,11 +9715,11 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 { rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -5234,7 +9741,7 @@ rule PUA_VULN_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amduprof_0AF5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d004400200050006f007700650072002000500072006f00660069006c0069006e00670020004400720069007600650072 } /* FileDescription AMDPowerProfilingDriver */ @@ -5256,7 +9763,7 @@ rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_074A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -5277,18 +9784,39 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_98B7 { description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8" - date = "2024-07-29" + hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_7A2C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25" + date = "2024-08-07" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e003100200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } @@ -5300,7 +9828,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_9A95 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5319,7 +9847,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -5341,7 +9869,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_2BBC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5360,7 +9888,7 @@ rule PUA_VULN_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f00670069007400650063006800200056006900640065006f0020004400720069007600650072 } /* FileDescription LogitechVideoDriver */ @@ -5376,13 +9904,35 @@ rule PUA_VULN_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C { } +rule PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystemserviceprovider_E6D1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e6d1ee0455068b74cf537388c874acb335382876aa9d74586efb05d6cc362ae5" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription GetacSystemServiceProvider */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName GetacTechnologyCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002c00200032002c00200030002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002c00200032002c00200030002c00200033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600330032002e007300790073 } /* InternalName mtcBSvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470065007400610063002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName GetacSystemServiceProvider */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004700740063004b006d0064006600420073002e007300790073 } /* OriginalFilename GtcKmdfBssys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020003200300031003900200047006500740061006300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCGetacTechnologyCorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ @@ -5404,7 +9954,7 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -5426,7 +9976,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_2CE author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -5442,13 +9992,35 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_2CE } +rule PUA_VULN_Driver_Innotekgmbh_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_994F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "994f322def98c99aec7ea0036ef5f4b802120458782ae3867d116d55215c56e4" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048002000260020004f00740068006500720073 } /* LegalCopyright innotekGmbHOthers */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9254 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004400440052005f00430043 } /* FileDescription NTIOLibforMSIDDRCC */ @@ -5464,14 +10036,36 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9254 { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_3AF9 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3af9c376d43321e813057ecd0403e71cafc3302139e2409ab41e254386c33ecb" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0031003000780038003600200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NalDrv.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iqvw64e.sys, iQVW64.SYS, NalDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b" hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -5493,7 +10087,7 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -5515,7 +10109,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_43BA { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d004900430053005900530020006400720069007600650072 } /* FileDescription MICSYSdriver */ @@ -5537,7 +10131,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5559,7 +10153,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_26C2 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -5575,13 +10169,36 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_26C2 } +rule PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxcdiobmpcicpci_05C1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "05c15a75d183301382a082f6d76bf3ab4c520bf158abca4433d9881134461686" + hash = "4b4ea21da21a1167c00b903c05a4e3af6c514ea3dfe0b5f371f6a06305e1d27f" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004700500043002d0032005800370032004300200049002f004f0020004d006f00640075006c006500200044006500760069006300650020004400720069007600650072 } /* FileDescription GPCXCIOModuleDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e } /* CompanyName InterfaceCorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00330030002e00330033002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00330030002e00330033002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* InternalName CPXCSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004700500043002d00320058003700320043002000440049004f002d0042004d0028005000430049002f0043002d0050004300490029 } /* ProductName GPCXCDIOBMPCICPCI */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000320058003700320043002e005300590053 } /* OriginalFilename CPXCSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300031002c0020003200300032003000200049006e007400650072006600610063006500200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightInterfaceCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5597,13 +10214,35 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 { } +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_A209 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcodenamelonghornddkdriver_159E { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WCPU.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription ASUSTDECPUDriver */ @@ -5619,13 +10258,35 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcoden } +rule PUA_VULN_Driver_Proxydrvsys_Nn_0B20 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0b205838a8271daea89656b1ec7c5bb7244c42a8b8000d7697e92095da6b9b94" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c00330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_1DDF { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -5647,7 +10308,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5670,7 +10331,7 @@ rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c" hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d00380020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ @@ -5692,7 +10353,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5714,7 +10375,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5730,13 +10391,79 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ } +rule PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdriveservicedriver_81D5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "81d54ebef1716e195955046ffded498a5a7e325bf83e7847893aa3b0b3776d05" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDOverDriveServiceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0032002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0032002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* InternalName AODDriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020004f00760065007200440072006900760065002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDOverDriveServiceDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004f0044004400720069007600650072002e007300790073 } /* OriginalFilename AODDriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003200300031003000200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_EC9B { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ec9bd7fb90c3a2aa4605bd73fe1f74399e2cda75fd4c5fff84660ad4f797c4fe" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_D7C7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvflash.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072002c002000560065007200730069006f006e00200031002e0038002e0030 } /* FileDescription NVIDIAFlashDriverVersion */ @@ -5754,11 +10481,11 @@ rule PUA_VULN_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -5780,7 +10507,7 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -5802,7 +10529,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5825,7 +10552,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_55A1 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9" hash = "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -5841,13 +10568,36 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_55A1 { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosiodriver_B3D1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b3d1bdd4ad819b99870b6e2ed3527dfc0e3ce27b929ad64382b9c3d4e332315c" + hash = "442d506c1ac1f48f6224f0cdd64590779aee9c88bdda2f2cc3169b862cba1243" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300420049004f00530049004f0020004400720069007600650072 } /* FileDescription SBIOSIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030003000300030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030003000300030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* InternalName SBIOSIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530061006d00730075006e00670020002800520029002000420049004f005300200049004f0020006400720069007600650072 } /* ProductName SamsungRBIOSIOdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* OriginalFilename SBIOSIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000530061006d00730075006e006700200045006c0065006300740072006f006e006900630073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcSamsungElectronicsAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -5863,13 +10613,35 @@ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_1698 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1698ba7eeee6ff9272cc25b242af89190ff23fd9530f21aa8f0f3792412594f3" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003700780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5891,7 +10663,7 @@ rule PUA_VULN_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonito author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e0053007900730020002d0020004500760065006e00740020004d006f006e00690074006f00720069006e00670020006400720069007600650072 } /* FileDescription VProEventMonitorSysEventMonitoringdriver */ @@ -5909,11 +10681,11 @@ rule PUA_VULN_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonito rule PUA_VULN_Driver_Wj_Kprocesshacker_C725 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - krpocesshacker.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ @@ -5934,7 +10706,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -5950,13 +10722,35 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_83A1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5978,7 +10772,7 @@ rule PUA_VULN_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodriverversi author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */ @@ -6000,7 +10794,7 @@ rule PUA_VULN_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530079007300440072007600330053 } /* FileDescription SysDrvS */ @@ -6022,7 +10816,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -6038,13 +10832,36 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD { } +rule PUA_VULN_Driver_Geintelligentplatformsinc_Gedevicedriver_Proficymachineedition_Build_CAC5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GEDevDrv.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "cac5dc7c3da69b682097144f12a816530091d4708ca432a7ce39f6abe6616461" + hash = "51145a3fa8258aac106f65f34159d23c54b48b6d54ec0421748b3939ab6778eb" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* FileDescription GEDeviceDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004500200049006e00740065006c006c006900670065006e007400200050006c006100740066006f0072006d0073002c00200049006e0063002e } /* CompanyName GEIntelligentPlatformsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030003000200028004200750069006c0064002000350035003100370029 } /* FileVersion Build */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030003000200028004200750069006c0064002000350035003100370029 } /* ProductVersion Build */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0047004500200044006500760069006300650020004400720069007600650072 } /* InternalName GEDeviceDriver */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00660069006300790020004d0061006300680069006e0065002000450064006900740069006f006e } /* ProductName ProficyMachineEdition */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00470045004400650076004400720076002e005300590053 } /* OriginalFilename GEDevDrvSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000310031002c00200047004500200049006e00740065006c006c006900670065006e007400200050006c006100740066006f0072006d0073002c00200049006e0063002e } /* LegalCopyright GEIntelligentPlatformsInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3871 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz_x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -6060,13 +10877,32 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3 } +rule PUA_VULN_Driver_Lowleveldriver_F941 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GPU-Z.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f9418b5e90a235339a4a1a889490faca39cd117a51ba4446daa1011da06c7ecd" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0077002d004c006500760065006c0020004400720069007600650072 } /* FileDescription LowLevelDriver */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00360030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00360030002e0030002e0030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f0077002d004c006500760065006c0020004400720069007600650072 } /* ProductName LowLevelDriver */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000300034002d00320030003100300020002800630029002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -6088,7 +10924,7 @@ rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ @@ -6111,7 +10947,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_5439 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91" hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -6130,7 +10966,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -6152,7 +10988,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_DE8F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -6165,13 +11001,35 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_DE8F { } +rule PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver_0FC0 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0fc0644085f956706ea892563309ba72f0986b7a3d4aa9ae81c1fa1c35e3e2d3" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription NVidiaSystemUtilityDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056006900640069006100200043006f00720070002e } /* CompanyName NVidiaCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00300030002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00300030002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* InternalName nvoclocksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00560069006400690061002000530079007300740065006d0020005500740069006c0069007400790020004400720069007600650072 } /* ProductName NVidiaSystemUtilityDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0076006f0063006c006f0063006b002e007300790073 } /* OriginalFilename nvoclocksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9004e0056004900440049004100200043006f00720070002e00200032003000300033002d0032003000300034 } /* LegalCopyright CopyrightNVIDIACorp */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - phymem64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007000680079006d0065006d0020004100700070006c00690063006100740069006f006e } /* FileDescription phymemApplication */ @@ -6194,7 +11052,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1" hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -6216,7 +11074,7 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_CFB7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -6238,7 +11096,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -6260,7 +11118,7 @@ rule PUA_VULN_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -6282,7 +11140,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -6304,7 +11162,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -6326,7 +11184,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -6348,7 +11206,7 @@ rule PUA_VULN_Driver_Wj_Kprocesshacker_7021 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ @@ -6369,7 +11227,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -6385,13 +11243,35 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5148 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003300200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_HWMIO64_W10.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -6413,7 +11293,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -6429,13 +11309,35 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_B224 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b2247e68386c1bdfd48687105c3728ebbad672daffa91b57845b4e49693ffd71" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0031003000780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -6451,13 +11353,57 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 { } +rule PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_5E3B { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5e3bc2d7bc56971457d642458563435c7e5c9c3c7c079ef5abeb6a61fb4d52ea" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0061007600610073007400210020004e0047002000730065007400750070002000680065006c0070006500720020006400720069007600650072 } /* FileDescription avastNGsetuphelperdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0030002e00330033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* InternalName ngiodriversys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100760061007300740020004e0047 } /* ProductName AvastNG */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00670069006f006400720069007600650072002e007300790073 } /* OriginalFilename ngiodriversys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_9DEE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9dee9c925f7ea84f56d4a2ad4cf9a88c4dac27380887bf9ac73e7c8108066504" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } /* FileDescription DcProtectDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* InternalName DcProtectsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0038002e003100780036003400200064007200690076006500720020 } /* ProductName DcProtectRWinxdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } /* OriginalFilename DcProtectsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } /* LegalCopyright CopyrightCJiangmenEyunNetworkCoLtd */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ @@ -6475,11 +11421,11 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -6495,13 +11441,35 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { } +rule PUA_VULN_Driver_Asmediatechnologyinc_Asmiosys_Asmediapcidriver_E465 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsmIo64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e4658d93544f69f5cb9aa6d9fec420fecc8750cb57e1e9798da38c139d44f2eb" + date = "2024-08-07" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410073006d006500640069006100200050004300490020004400720069007600650072 } /* FileDescription AsmediaPCIDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410073006d006500640069006100200054006500630068006e006f006c006f00670079002000200049006e0063002e } /* CompanyName AsmediaTechnologyInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410073006d0049006f002e007300790073 } /* InternalName AsmIosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410073006d006500640069006100200050004300490020004400720069007600650072 } /* ProductName AsmediaPCIDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410073006d0049006f002e007300790073 } /* OriginalFilename AsmIosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000410073006d006500640069006100200054006500630068006e006f006c006f00670079002e } /* LegalCopyright AsmediaTechnology */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba" - date = "2024-07-29" + date = "2024-08-07" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */