| Field | Value |
|---|---|
| Architecture | IMAGE_FILE_MACHINE_AMD64 |
| Subsystem | IMAGE_SUBSYSTEM_NATIVE |
| Compilation Date | 2019-Aug-29 02:15:43 |
| Detected languages | English - United States |
| Debug artifacts | srv2.pdb |
| CompanyName | Microsoft Corporation |
| FileDescription | Smb 2.0 Server driver |
| FileVersion | 6.1.7601.24520 (win7sp1_ldr_escrow.190828-1732) |
| InternalName | SRV2.SYS |
| LegalCopyright | © Microsoft Corporation. All rights reserved. |
| OriginalFilename | SRV2.SYS |
| ProductName | Microsoft® Windows® Operating System |
| ProductVersion | 6.1.7601.24520 |

| Level | Finding | Details |
|---|---|---|
| Suspicious | Strings found in the binary may indicate undesirable behavior: | May have dropper capabilities: |
| Suspicious | The PE is possibly packed. | Unusual section name found: PAGE; Section INIT is both writable and executable. |
| Malicious | The PE contains functions mostly used by malware. | Functions which can be used for anti-debugging purposes: |
| Safe | VirusTotal score: 0/71 (Scanned on 2019-12-12 13:11:28) | All the AVs think this file is safe. |
| DOS header field | Value |
|---|---|
| e_magic | MZ |
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0xd8 |
| PE header field | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_AMD64 |
| NumberofSections | 8 |
| TimeDateStamp | 2019-Aug-29 02:15:43 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xf0 |
| Characteristics | IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE |
| Optional header field | Value |
|---|---|
| Magic | PE32+ |
| LinkerVersion | 9.1 |
| SizeOfCode | 0x42000 |
| SizeOfInitializedData | 0x21c00 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x000000000004D06C (Section: INIT) |
| BaseOfCode | 0x1000 |
| ImageBase | 0x10000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 6.1 |
| ImageVersion | 6.1 |
| SubsystemVersion | 6.1 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x68000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0x6d449 |
| Subsystem | IMAGE_SUBSYSTEM_NATIVE |
| SizeofStackReserve | 0x40000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
| Imported library | Imported functions |
|---|---|
| ntoskrnl.exe | MmBuildMdlForNonPagedPool, MmMapLockedPagesSpecifyCache, KeBugCheckEx, IoCancelIrp, EtwWrite, IoAllocateMdl, IoFreeMdl, KeGetCurrentProcessorNumberEx, RtlImageDirectoryEntryToData, ExAllocatePoolWithTag, _strnicmp, ExFreePoolWithTag, ExInitializeResourceLite, KeInitializeEvent, ExAcquireResourceExclusiveLite, ExReleaseResourceLite, KeWaitForSingleObject, ExDeleteResourceLite, KeSetEvent, ExQueueWorkItem, IoFreeWorkItem, IoAllocateWorkItem, IoQueueWorkItemEx, IofCompleteRequest, IoGetCurrentProcess, IoGetRequestorProcess, KeAttachProcess, KeDetachProcess, ExAcquireResourceSharedLite, RtlInitUnicodeString, IoWMIWriteEvent, MmGetSystemRoutineAddress, RtlCompareMemory, IoWMIRegistrationControl, MmSizeOfMdl, RtlGetVersion, ExInitializeNPagedLookasideList, ExInitializePagedLookasideList, ExDeleteNPagedLookasideList, ExDeletePagedLookasideList, KeQueryActiveProcessorCountEx, EtwRegister, IoCreateDevice, KeStackAttachProcess, KeUnstackDetachProcess, IoDeleteDevice, EtwUnregister, RtlInitString, KeAcquireSpinLockAtDpcLevel, KeReleaseSpinLockFromDpcLevel, RtlOemStringToUnicodeString, ObfReferenceObject, ObReferenceObjectByHandle, KeClearEvent, IoGetRelatedDeviceObject, IoQueueThreadIrp, ZwOpenEvent, ZwClose, ObfDereferenceObject, KeInitializeQueue, InitializeSListHead, KeRundownQueue, PsCreateSystemThread, KeInsertHeadQueue, KeInsertQueue, KeReadStateQueue, ExQueryDepthSList, ExpInterlockedPushEntrySList, __C_specific_handler, ExAcquireFastMutex, ExReleaseFastMutex, ExpInterlockedPopEntrySList, KeLeaveCriticalRegion, KeEnterCriticalRegion, RtlCaptureStackBackTrace, KeRemoveQueue, KeSetIdealProcessorThread, KeSetSystemGroupAffinityThread, KeQueryGroupAffinity, KeGetProcessorNumberFromIndex, KeDelayExecutionThread, PsTerminateSystemThread, NtSetInformationThread, WmiGetClock, IoBuildPartialMdl, MmUnmapLockedPages, KeReleaseSpinLock, KeAcquireSpinLockRaiseToDpc, IoFreeIrp, IofCallDriver, ZwCreateFile, strncmp, KeInitializeTimer, KeInitializeDpc, KeCancelTimer, KeSetTimer, IoCheckFunctionAccess, RtlCopyUnicodeString, RtlAppendUnicodeToString, RtlAppendUnicodeStringToString, RtlEqualUnicodeString, SeCaptureSubjectContext, IoCreateFileEx, FsRtlFindExtraCreateParameter, FsRtlRemoveExtraCreateParameter, FsRtlFreeExtraCreateParameter, IoSetFileOrigin, FsRtlFreeExtraCreateParameterList, IoCreateFile, NtQuerySecurityObject, FsRtlAllocateExtraCreateParameterList, FsRtlAllocateExtraCreateParameter, FsRtlInsertExtraCreateParameter, _vsnwprintf, NtOpenFile, NtFsControlFile, RtlLengthSecurityDescriptor, PsIsThreadImpersonating, RtlMapGenericMask, SeFreePrivileges, SeReleaseSubjectContext, IoBuildDeviceIoControlRequest, RtlTimeToTimeFields, RtlTimeFieldsToTime, PsDereferencePrimaryToken, PsDereferenceImpersonationToken, PsImpersonateClient, ExInterlockedAddUlong, PsAssignImpersonationToken, RtlCreateSecurityDescriptor, RtlLengthRequiredSid, RtlInitializeSid, RtlSubAuthoritySid, RtlLengthSid, RtlCreateAcl, RtlAddAccessAllowedAce, RtlSetDaclSecurityDescriptor, RtlSetOwnerSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlGetOwnerSecurityDescriptor, SeSinglePrivilegeCheck, SeExports, MmUnlockPages, ZwUnmapViewOfSection, ZwMapViewOfSection, MmProbeAndLockPages, ZwCreateSection, ObOpenObjectByPointer, ZwDuplicateObject, IoCreateFileSpecifyDeviceObjectHint, DbgPrint, ExUuidCreate, NtClose, ExConvertExclusiveToSharedLite, FsRtlDoesNameContainWildCards, NtQueryInformationFile, NtSetInformationFile, IoCheckEaBufferValidity, RtlValidRelativeSecurityDescriptor, FsRtlRemoveDotsFromPath, ZwQueryVolumeInformationFile, FsRtlInitializeExtraCreateParameterList, FsRtlInitializeExtraCreateParameter, ExLocalTimeToSystemTime, SeLockSubjectContext, SeQueryAuthenticationIdToken, SeUnlockSubjectContext, CcMdlWriteAbort, IoCheckQuerySetFileInformation, IoCheckQuerySetVolumeInformation, NtQueryEaFile, NtQueryVolumeInformationFile, NtQueryQuotaInformationFile, IoCheckQuotaBufferValidity, NtSetEaFile, NtSetVolumeInformationFile, NtSetSecurityObject, NtSetQuotaInformationFile, ZwReadFile, ZwQueryInformationFile, ZwOpenKey, ZwQueryValueKey, ZwQueryLicenseValue, NtAllocateVirtualMemory, NtFreeVirtualMemory, ZwOpenThreadTokenEx, ZwOpenProcessTokenEx, ZwQueryInformationToken, SeSetAuditParameter, RtlAbsoluteToSelfRelativeSD, SeReportSecurityEventWithSubCategory, SeAccessCheckEx, SeAuditingWithTokenForSubcategory, ZwQuerySystemInformation, PsGetVersion, ExAllocatePoolWithQuotaTag, IoAllocateIrp, __chkstk |
| TDI.SYS | TdiCopyMdlToBuffer |
| srvnet.sys | SrvNetDisableStatisticsQueue, SrvNetInitializeStatisticsQueues, SrvNetQueryConnectionRTT, SrvNetQueryConnectionInformation, SrvNetCloseConnection, SrvNetDisconnectConnection, SrvLibApplySrvDeviceAcl, SrvNetStopClient, SrvNetDeregisterClient, SrvNetStartClient, SrvNetRegisterClient, SrvNetGetStatisticsAndLock, SrvNetFreePool, SrvNetAllocatePoolWithTag, SrvNetReceiveData, SrvNetAllocateBuffer, SrvNetSendData, SrvNetFreeBuffer, SrvAdminRefreshNoRemapPipeList, SrvAdminRefreshAllowedServerNameList, SrvNetSetConnectionInformation, SrvAdminRegisterProvider, SrvAdminDeregisterProvider, SrvAdminRegisterSession, SrvAdminRegisterFile, SrvAdminIsScopedName, SrvAdminRemapPipeName, SrvXsSchedulePrintJob, SrvAdminDeregisterFile, SrvAdminQueryResumeKeyTarget, SrvXsDisconnect, SrvXsClosePrinter, SrvAdminEvaluateServerAlias, SrvXsConnect, SrvXsOpenPrinter, SrvAdminUpdateFileSessionID, SrvNetIncrementConnectionActiveCount, SrvNetDecrementConnectionActiveCount, SrvAdminDeregisterSession, SrvAdminDeregisterTreeConnect, SrvAdminRegisterTreeConnect, SrvNetGetRemapPipeByName, SrvAdminDoesPipeAllowAnonymous, SrvXsAddPrintJob, SrvAdminValidateSpn, SrvAdminDoesShareAllowAnonymous, SrvNotifyGroveler, SrvAdminAllowIdlePowerDownForActivity, SrvAdminInhibitIdlePowerDownForActivity, SrvAdminInhibitIdlePowerDownForOpenFiles, SrvAdminAllowIdlePowerDownForOpenFiles, SrvNetGetLastProcessorNumber, SrvNetUpdateMemStatistics, SrvNetSetConnectionActiveCount |
| ksecdd.sys | BCryptGenRandom, DeleteSecurityContext, ImpersonateSecurityContext, BCryptDestroyHash, BCryptOpenAlgorithmProvider, BCryptGetProperty, BCryptCloseAlgorithmProvider, BCryptDuplicateHash, FreeContextBuffer, BCryptFinishHash, BCryptCreateHash, AcceptSecurityContext, RevertSecurityContext, AcquireCredentialsHandleW, AddCredentialsW, FreeCredentialsHandle, BCryptHashData, QueryContextAttributesW, MapSecurityError |
| Version information field | Value |
|---|---|
| Signature | 0xfeef04bd |
| StructVersion | 0x10000 |
| FileVersion | 6.1.7601.24520 |
| ProductVersion | 6.1.7601.24520 |
| FileFlags | (EMPTY) |
| FileOs | VOS_DOS_WINDOWS32, VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE, VOS__WINDOWS32 |
| FileType | VFT_DRV |
| FileSubtype | VFT2_DRV_NETWORK |
| Language | English - United States |
| CompanyName | Microsoft Corporation |
| FileDescription | Smb 2.0 Server driver |
| FileVersion (#2) | 6.1.7601.24520 (win7sp1_ldr_escrow.190828-1732) |
| InternalName | SRV2.SYS |
| LegalCopyright | © Microsoft Corporation. All rights reserved. |
| OriginalFilename | SRV2.SYS |
| ProductName | Microsoft® Windows® Operating System |
| ProductVersion (#2) | 6.1.7601.24520 |

| Resource field | Value |
|---|---|
| Resource LangID | English - United States |
| Debug directory entry 1 | Value |
|---|---|
| Characteristics | 0 |
| TimeDateStamp | 2019-Aug-29 02:15:43 |
| Version | 0.0 |
| SizeofData | 33 |
| AddressOfRawData | 0x1ac80 |
| PointerToRawData | 0x1a080 |
| Referenced File | srv2.pdb |

| Debug directory entry 2 | Value |
|---|---|
| Characteristics | 0 |
| TimeDateStamp | 2019-Aug-29 02:15:43 |
| Version | 565.6526 |
| SizeofData | 4 |
| AddressOfRawData | 0x1ac7c |
| PointerToRawData | 0x1a07c |
| Rich header field | Value |
|---|---|
| XOR Key | 0xeeefac36 |
| Unmarked objects | 0 |
| Total imports | 281 |
| Imports (VS2008 SP1 build 30729) | 9 |
| ASM objects (VS2008 SP1 build 30729) | 4 |
| C objects (VS2008 SP1 build 30729) | 5 |
| 142 (VS2008 SP1 build 30729) | 70 |
| Linker (VS2008 SP1 build 30729) | 1 |
| Resource objects (VS2008 SP1 build 30729) | 1 |