Manalyze report for 9bc01afe065c25daf5a013cbb92120cf

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_NATIVE`
Compilation Date	2022-Mar-16 10:40:19
Detected languages	English - United States
Debug artifacts	D:\opt\fort\build-driver-loader-win10\x64\fortfw.pdb
CompanyName	Nodir Temirkhodjaev
FileDescription	Fort Firewall Driver Loader
FileVersion	`1.0.0`
InternalName	fortfw
LegalCopyright	Copyright (C) 2021 Nodir Temirkhodjaev. All Rights Reserved.
OriginalFilename	fortfw.sys
ProductName	Fort Firewall
ProductVersion	`1.0.0`

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains another PE executable: This program cannot be run in DOS mode.`
Suspicious	The PE is possibly packed.	`Unusual section name found: PAGE`
Suspicious	The PE contains functions most legitimate programs don't use.	`Functions which can be used for anti-debugging purposes: ZwQuerySystemInformation` `Uses Windows's Native API: ZwClose ZwReadFile ZwQueryInformationFile ZwOpenFile ZwQuerySystemInformation`
Safe	VirusTotal score: 0/72 (Scanned on 2025-11-15 05:31:08)	`All the AVs think this file is safe.`

Hashes

MD5	`9bc01afe065c25daf5a013cbb92120cf`
SHA1	`3113e357712b0e59c448061792defc11089f9560`
SHA256	`d2aa71bf3839cfc932fd218d76a9aeda977b768b09d05f1530aaa347b1b9ee9b`
SHA3	`288cbbadfa374afb5757bc55070dde326124ed189973cb98d5f7c690d4ca2ace`
SSDeep	`1536:EMGkKcXSkDbXooEziXu1K9h53R+i4KCvAArBbzrk/bMOfc0iPHHPQ1:EMGkKcX/D8oERoTB+iO4Edr4C5HI1`
Imports Hash	`c9288061ef03390593bbf22e14659b7f`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`8`
TimeDateStamp	2022-Mar-16 10:40:19
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x2a00`
SizeOfInitializedData	`0x1a00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000008000 (Section: INIT)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`A.0`
ImageVersion	`A.0`
SubsystemVersion	`A.0`
Win32VersionValue	`0`
SizeOfImage	`0xb000`
SizeOfHeaders	`0x400`
Checksum	`0x290c0`
Subsystem	`IMAGE_SUBSYSTEM_NATIVE`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`fb2ca776ecfae0617286ca9c2e763215`
SHA1	`a12951f9c7fbb6192d195c8a29c9edcfeae61799`
SHA256	`8c76d79b86b482efd644702a4b1ed3144a62a486d21164df44659da236537f12`
SHA3	`6653b7c4c4dd4745d496bec51d1bf2d409ae80292e7c9df7f3c01131364bb371`
VirtualSize	`0x211f`
VirtualAddress	`0x1000`
SizeOfRawData	`0x2200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`6.28695`

.rdata

MD5	`fd2da3487ebc02f2345b6b9144e976c0`
SHA1	`f495db1e2a887e1e3a3666e9748f241b77300aba`
SHA256	`e0bbf01496112844c57fdc5edade9f6555ee8373eebb4f58be8b1f71de2d0571`
SHA3	`ebf103be8936b44cd81e6dbbf5a584f5b4c97f8ca3b6abba86cff6477475126c`
VirtualSize	`0xa1c`
VirtualAddress	`0x4000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x2600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`4.65862`

.data

MD5	`323c6634376413d6f41f56d7172f4df7`
SHA1	`430d54e5e5e0ca80d21c2a0732631159933f6ebf`
SHA256	`4fecde78f0872c8e351c4157c211e51384f305916668e0ed093d42d836191b35`
SHA3	`35d93f432eb8d388a7c00e97ed472ebb037c6bd678f218ff4b567b56e6b1c437`
VirtualSize	`0x520`
VirtualAddress	`0x5000`
SizeOfRawData	`0x400`
PointerToRawData	`0x3200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.90231`

.pdata

MD5	`e03613e561970d175decd25f88985a79`
SHA1	`a3df1a4eb55fa1f8448cdce47794c270fce070ed`
SHA256	`4013be446acf691cbaab1f571c33da9600e394613aa139c617000976a17646d6`
SHA3	`7230fdbb117d6e27e3ddd7cb5675902ff19b19b2ec5ec8570175588ce1c66e18`
VirtualSize	`0x150`
VirtualAddress	`0x6000`
SizeOfRawData	`0x200`
PointerToRawData	`0x3600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`2.80188`

PAGE

MD5	`b5e8b5cf653911f58551f3311f5471c0`
SHA1	`ac65e72ef7e9b1a488114f1ca5fad2b3fb478aa8`
SHA256	`a86ff29ed73873a1db02b4cdfe1ed4567d131b5286868ddbf46c1b95a2face59`
SHA3	`e3b3a2cec0b8805b1c48ef0af9c6c60b7fbaddcb60a02a394d42b529b5a71cc7`
VirtualSize	`0x31b`
VirtualAddress	`0x7000`
SizeOfRawData	`0x400`
PointerToRawData	`0x3800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.14092`

INIT

MD5	`6554e21881d7e47c7bbd1134f0a6045a`
SHA1	`ea17b9298277dc0d20c10dc6984e56394717b044`
SHA256	`fb60c538b2ee993bfe2404905f4a1fc7fd5a32f0e53ac97677c041dac64312e7`
SHA3	`f6ca72f955a76f127a3f5e3bb1eed5e100cd3ce57dedca1fd50a37b33ea3219f`
VirtualSize	`0x392`
VirtualAddress	`0x8000`
SizeOfRawData	`0x400`
PointerToRawData	`0x3c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`4.63051`

.rsrc

MD5	`3267e0f01c9a39fae008a03fdbc5f798`
SHA1	`3f7e853a1d03782c5461c4f731dd709f0435eb0c`
SHA256	`b683efc93cc1f0d372e11726a3d43a963fc72fb7f81d02eb798c2594114a1515`
SHA3	`dcab476cff2760adf08bd36bd64f20b92d4314c8ee7b1bf3d382d6b9ec52c6ef`
VirtualSize	`0x3e0`
VirtualAddress	`0x9000`
SizeOfRawData	`0x400`
PointerToRawData	`0x4000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`3.17559`

.reloc

MD5	`68c56d12ace3c0d0d55d95d122e07c92`
SHA1	`6a475a64238e51cd0c9c5e5cc0b89bdde40c40ff`
SHA256	`dc8ca68b35232e4395d94a214dd6dfdfdeb3d2cbf770774b058e37cd9f39535c`
SHA3	`6d17927c3e33ab069ea2ecaf85ce687b57df6ee375515b6eb8c171ce377952c2`
VirtualSize	`0xd4`
VirtualAddress	`0xa000`
SizeOfRawData	`0x200`
PointerToRawData	`0x4400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`2.62535`

Imports

ntoskrnl.exe	`IoQueryFullDriverPath` `ZwClose` `ZwReadFile` `_stricmp` `ZwQueryInformationFile` `ZwOpenFile` `ExFreePoolWithTag` `ExAllocatePool2` `RtlGetVersion` `DbgPrintEx` `MmGetSystemRoutineAddress` `PsGetVersion` `ExAllocatePoolWithQuotaTag` `ZwQuerySystemInformation` `__C_specific_handler`
ksecdd.sys	`BCryptImportKeyPair` `BCryptDestroyHash` `BCryptFinishHash` `BCryptHashData` `BCryptCreateHash` `BCryptVerifySignature` `BCryptDestroyKey` `BCryptCloseAlgorithmProvider` `BCryptGetProperty` `BCryptOpenAlgorithmProvider`

Delayed Imports

1

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x37c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.38865`
MD5	`18913e1056075ef82d3eb6eba400ab83`
SHA1	`688be1a939f42fd9b15ff2059087a80b51810ca4`
SHA256	`4bf86c25d472f44eff4150a28e1fea957ad37edcfd5b05eb5a540ca68a89b879`
SHA3	`e8204c96c7e94742ab51a042aab0b768e6b88a547103755ca9cd274df2d8b7f1`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.0.0.0
ProductVersion	1.0.0.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_DRV`
FileSubtype	VFT2_UNKNOWN
Language	English - United States
CompanyName	Nodir Temirkhodjaev
FileDescription	Fort Firewall Driver Loader
FileVersion (#2)	1.0.0
InternalName	fortfw
LegalCopyright	Copyright (C) 2021 Nodir Temirkhodjaev. All Rights Reserved.
OriginalFilename	fortfw.sys
ProductName	Fort Firewall
ProductVersion (#2)	1.0.0

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2022-Mar-16 10:40:19
Version	`0.0`
SizeofData	`77`
AddressOfRawData	`0x45a0`
PointerToRawData	`0x2ba0`
Referenced File	D:\opt\fort\build-driver-loader-win10\x64\fortfw.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2022-Mar-16 10:40:19
Version	`0.0`
SizeofData	`412`
AddressOfRawData	`0x45f0`
PointerToRawData	`0x2bf0`

TLS Callbacks

Load Configuration

Size	`0x118`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140005200`

RICH Header

XOR Key	`0x45095de9`
Unmarked objects	`0`
C objects (CVTCIL) (27412)	`1`
Imports (27412)	`5`
Total imports	`27`
ASM objects (27412)	`4`
C objects (27412)	`7`
ASM objects (VS2019 Update 11 (16.11.10) compiler 30140)	`1`
C objects (VS2019 Update 11 (16.11.10) compiler 30140)	`1`
Resource objects (VS2019 Update 11 (16.11.10) compiler 30140)	`1`
Linker (VS2019 Update 11 (16.11.10) compiler 30140)	`1`

Errors

[!] Error: Could not read a WIN_CERTIFICATE's data.