Manalyze report for 0c0195c48b6b8582fa6f6373032118da

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_NATIVE`
Compilation Date	2008-Jul-26 13:29:37
Detected languages	English - United States Japanese - Japan
Debug artifacts	d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb
Comments	The modified BSD license
CompanyName	OpenLibSys.org
FileDescription	WinRing0
FileVersion	`1.2.0.5`
InternalName	WinRing0.sys
LegalCopyright	Copyright (C) 2007-2008 OpenLibSys.org. All rights reserved.
OriginalFilename	WinRing0.sys
ProductName	WinRing0
ProductVersion	`1.2.0.5`

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: OpenLibSys.org`
Suspicious	The PE is possibly packed.	`Section INIT is both writable and executable.`
Info	The PE is digitally signed.	`Signer: Noriyuki MIYAZAKI` `Issuer: GlobalSign ObjectSign CA`
Suspicious	VirusTotal score: 1/68 (Scanned on 2022-02-08 21:00:54)	`Rising: HackTool.VulnDriver/x64!1.D7DB (CLASSIC)`

Hashes

MD5	`0c0195c48b6b8582fa6f6373032118da`
SHA1	`d25340ae8e92a6d29f599fef426a2bc1b5217299`
SHA256	`11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5`
SHA3	`8f7ff39c7d8e247b80b6b52fc3fcd2dcbb888429a17bc8a80d159200b1a573e0`
SSDeep	`192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ`
Imports Hash	`339148af70954ba6902998810340c271`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2008-Jul-26 13:29:37
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`8.0`
SizeOfCode	`0xc00`
SizeOfInitializedData	`0xa00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000005008 (Section: INIT)`
BaseOfCode	`0x1000`
ImageBase	`0x10000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`6.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x7000`
SizeOfHeaders	`0x400`
Checksum	`0x11908`
Subsystem	`IMAGE_SUBSYSTEM_NATIVE`
SizeofStackReserve	`0x40000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`1c3d5bb2285dafcf3b7746bf717c1a51`
SHA1	`fb3662c00e041cc3fd4632fc3af1a6ee1e9adf65`
SHA256	`bb6ff767614c7b790f14fa23afd68cda015814f1313d87495946dc89016db1fb`
SHA3	`d4a7fb837db6a7b4c3a30f6b0429c28717d1bc460becfe8a907589e01c9c9015`
VirtualSize	`0x6c6`
VirtualAddress	`0x1000`
SizeOfRawData	`0x800`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`5.39102`

.rdata

MD5	`08362d1269d5a5ef4e7560cab993590d`
SHA1	`316fe35ff30c114253ea682a9c9929679bbb3459`
SHA256	`9bee45685c1797fe5f69f58bb4324a3dcf6295a7c345a56a0b17fe8fb595b372`
SHA3	`59c4521a8a7dccd38a4c260542d0b2bb07d64cab7d34aa9da1d8f59572406511`
VirtualSize	`0x17c`
VirtualAddress	`0x2000`
SizeOfRawData	`0x200`
PointerToRawData	`0xc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`3.28451`

.data

MD5	`043c46095689123e1f5be96c109c2f46`
SHA1	`1dac2e85e0b0e26cd7b1735882681682853b6b46`
SHA256	`6d9f1ceff88895d9855aa37608ab958f1256662a77d8674f39a6d8211be48723`
SHA3	`0c48c9b1522d5fcbd51ab6025a46af93288db01ed49953ea5a08df4bd80dcf29`
VirtualSize	`0x114`
VirtualAddress	`0x3000`
SizeOfRawData	`0x200`
PointerToRawData	`0xe00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.301407`

.pdata

MD5	`077af14197899077aa36d2c72ba1773f`
SHA1	`e9f80ee0b78502b0f98024cec454ae4a3dc8df5c`
SHA256	`ff37629f469897a4da6c48357444d207cfb51b0b4ce130c1217ead61733344b6`
SHA3	`d34ad8228dca9271baa73f01dac94acca8559b838f9ddeaba4208100d5e22505`
VirtualSize	`0x60`
VirtualAddress	`0x4000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`0.857623`

INIT

MD5	`ba375d2de342e7d7a93487a35ea5d36d`
SHA1	`96cb3b95dfcbb378d5be5de10391c8bed46a73dc`
SHA256	`67525a9cc78d3877c58463243e1cae3f15f1cc5496d6c8ff9aff19d8109aa514`
SHA3	`46fadd93b564a5bf07c7d164f0d979b361d37acb943c039d918307a47355e530`
VirtualSize	`0x222`
VirtualAddress	`0x5000`
SizeOfRawData	`0x400`
PointerToRawData	`0x1200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.05721`

.rsrc

MD5	`5459c1fdb222b651d36692c4ca5df895`
SHA1	`deb7053dba3b8adc2b338a1db77e74c58ad565cb`
SHA256	`d9bcaa83948d34fd24e9139bd57f49e2c16e8a316633b0f2b7c68005c16c31a9`
SHA3	`c871e1631f8c2ab4e80522e236a3d73690aa97f754220ee7b9ca8a42579a6ce5`
VirtualSize	`0x3c0`
VirtualAddress	`0x6000`
SizeOfRawData	`0x400`
PointerToRawData	`0x1600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`3.12673`

Imports

ntoskrnl.exe	`IoDeleteSymbolicLink` `RtlInitUnicodeString` `IoDeleteDevice` `IoCreateDevice` `MmMapIoSpace` `KeBugCheckEx` `IoCreateSymbolicLink` `MmUnmapIoSpace` `IofCompleteRequest` `__C_specific_handler`
HAL.dll	`HalSetBusDataByOffset` `HalGetBusDataByOffset`

Delayed Imports

1

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x35c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.42844`
MD5	`bab086f4770435a7367ff68c5206ed86`
SHA1	`809f3c2cfc7e8375045f660f01167638974e8796`
SHA256	`495974216acc865259dc7d3d6f8a310d2fcc3466284c3c2128adb9019dd85ec2`
SHA3	`f55721b480725b7ee12402630ae89a8df82b49e40ea98053d706e5f525e4d877`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.2.0.5
ProductVersion	1.2.0.5
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_DLL`
Language	Japanese - Japan
Comments	The modified BSD license
CompanyName	OpenLibSys.org
FileDescription	WinRing0
FileVersion (#2)	1.2.0.5
InternalName	WinRing0.sys
LegalCopyright	Copyright (C) 2007-2008 OpenLibSys.org. All rights reserved.
OriginalFilename	WinRing0.sys
ProductName	WinRing0
ProductVersion (#2)	1.2.0.5

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2008-Jul-26 13:29:37
Version	`0.0`
SizeofData	`85`
AddressOfRawData	`0x208c`
PointerToRawData	`0xc8c`
Referenced File	d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xaf005b71`
Unmarked objects	`0`
Total imports	`12`
Imports (VS2012 build 50727 / VS2005 build 50727)	`5`
ASM objects (VS2012 build 50727 / VS2005 build 50727)	`1`
C objects (VS2012 build 50727 / VS2005 build 50727)	`3`
113 (VS2012 build 50727 / VS2005 build 50727)	`1`
Resource objects (VS2012 build 50727 / VS2005 build 50727)	`1`
Linker (VS2012 build 50727 / VS2005 build 50727)	`1`

0c0195c48b6b8582fa6f6373032118da

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

INIT

.rsrc

Imports

Delayed Imports

1

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

TLS Callbacks

Load Configuration

RICH Header

Errors