ac9f5c2e00d656784cffc434089485d9

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2023-Mar-09 10:56:59
Detected languages English - United States
Polish - Poland
Debug artifacts C:\svnDev\Drivers\NetFilterSDK\bin\Release_c_api\Win32\axnetdrv.pdb
CompanyName Axence Inc.
FileDescription Axence Network Driver API
FileVersion 1.5.2.2
InternalName axnetdrv.dll
LegalCopyright © Axence Inc. All rights reserved.
OriginalFilename axnetdrv.dll
ProductName Axence Network Driver API
ProductVersion 1.6.6.0

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Suspicious Strings found in the binary may indicate undesirable behavior: May have dropper capabilities:
  • CurrentControlSet\Services
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
Can access the registry:
  • RegSetValueExA
  • RegCloseKey
  • RegOpenKeyExA
  • RegQueryValueExA
Functions related to the privilege level:
  • AdjustTokenPrivileges
  • OpenProcessToken
Interacts with services:
  • DeleteService
  • QueryServiceStatus
  • OpenServiceA
  • CreateServiceW
  • OpenSCManagerA
Enumerates local disk drives:
  • GetLogicalDriveStringsW
  • GetDriveTypeW
Manipulates other processes:
  • OpenProcess
Info The PE is digitally signed. Signer: AXENCE INC.
Issuer: GlobalSign GCC R45 EV CodeSigning CA 2020
Safe VirusTotal score: 0/70 (Scanned on 2023-07-27 14:35:38) All the AVs think this file is safe.

Hashes

MD5 ac9f5c2e00d656784cffc434089485d9
SHA1 cbff3623cd83ab2115ba3182d1ee0e6b80d777cd
SHA256 7ccefbdee9b66117595c09fcd8dff4fbfc714e47e43ac03d0839d5e512e6e0a1
SHA3 59260af7dbf0bcd2a48b802f318c4f827eaeb1932ba348f52eff5c5230b913ee
SSDeep 3072:tzmwItkf8KNgsX4WIW+uihMQWlTAl4ptmSX6xHq:tGkplX4WIWxQWlEItmSX4q
Imports Hash d81515462052a8a0a212dc417193ef0f

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2023-Mar-09 10:56:59
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 12.0
SizeOfCode 0x19600
SizeOfInitializedData 0xda00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000C1E8 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x1b000
ImageBase 0x10000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 0.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x2a000
SizeOfHeaders 0x400
Checksum 0x32e3d
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 113123bd9f5c14f5a1fdf48eacdc952f
SHA1 629ca66308a76fb42358a74e7b721b4ce188566c
SHA256 7a92e6333998d5a0035ef7d116f47a8dbc011f3102ce13111f62e41b9966f373
SHA3 2afa913b40e2feeea98dc35e7f2c44a18298b5f1cbb3e4d1ec21647df5526a0a
VirtualSize 0x1943c
VirtualAddress 0x1000
SizeOfRawData 0x19600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.6384

.rdata

MD5 b5ad01e7a0e286eb0fad63414c3c86c5
SHA1 dcd58f1f2a54d52a39c307fa4b7edb2682413f43
SHA256 af53ff9289a199ff80a1485a619680911dc65b5f01be4e2adf19f0832895ce69
SHA3 1e6510dbc85225c5b643f177307e9ae716c02f18114a061bb933d1fbb60bf0bb
VirtualSize 0x7a1c
VirtualAddress 0x1b000
SizeOfRawData 0x7c00
PointerToRawData 0x19a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.91015

.data

MD5 c098102844bbad1b2e11819355ebda46
SHA1 8f1138292b76f95cc3ffa5f6f994736a356c1291
SHA256 9be8d26c8801ee658b5a6888b171b0a24da2025ed24c5cff35b6503bd10ef589
SHA3 2d9942b051574b3eb2629b1545b7a95bb6b869a2fae026361df99537382afd27
VirtualSize 0x367c
VirtualAddress 0x23000
SizeOfRawData 0x1600
PointerToRawData 0x21600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.88877

.rsrc

MD5 9147545c7099f8dbf17dd1bebe86c832
SHA1 df17c2468a7e7fb54f8a26e895605b8549c0bd1c
SHA256 d4e742c51e78396409e74cea06093ca277c08df763d5964712d24745ed02a586
SHA3 5aea08e0923becf9fe6d4e6c0ab01b7a2eb7c4988c92b278fc2f6a4aef53acd9
VirtualSize 0x538
VirtualAddress 0x27000
SizeOfRawData 0x600
PointerToRawData 0x22c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.77708

.reloc

MD5 e8bc256caa02e6e9c261373498124d4d
SHA1 e8a0a310039818283f00c3a27922de665db324a5
SHA256 1bfb4320ef85e9ae3f7d6326d07eefedc5247712b23a5e5b8a6a0b9a1cd48b30
SHA3 1dda7043beb2ca994be6604f68b0af9ca1ae8f1d684634628c9c49b8e5ca7b15
VirtualSize 0x1f50
VirtualAddress 0x28000
SizeOfRawData 0x2000
PointerToRawData 0x23200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.63288

Imports

KERNEL32.dll GetOverlappedResult
ReadFile
DeviceIoControl
GetProcAddress
GetModuleHandleA
OpenProcess
CancelIo
GetLogicalDriveStringsW
QueryDosDeviceW
GetDriveTypeW
SetLastError
CreateFileA
GetVersionExA
GetLastError
WriteFile
GetTickCount
WaitForMultipleObjects
WaitForSingleObject
SetEvent
GetSystemInfo
ResetEvent
CreateEventA
CloseHandle
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
GetCurrentProcessId
EnterCriticalSection
FlushFileBuffers
WriteConsoleW
SetStdHandle
HeapFree
HeapAlloc
EncodePointer
DecodePointer
CreateThread
GetCurrentThreadId
ExitThread
LoadLibraryExW
GetCommandLineA
RaiseException
RtlUnwind
IsDebuggerPresent
IsProcessorFeaturePresent
GetProcessHeap
ExitProcess
GetModuleHandleExW
MultiByteToWideChar
WideCharToMultiByte
GetStdHandle
GetModuleFileNameW
HeapSize
UnhandledExceptionFilter
SetUnhandledExceptionFilter
Sleep
GetCurrentProcess
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetModuleHandleW
GetFileType
GetModuleFileNameA
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
OutputDebugStringW
HeapReAlloc
LCMapStringW
GetConsoleCP
GetConsoleMode
SetFilePointerEx
GetStringTypeW
CreateFileW
ADVAPI32.dll DeleteService
RegSetValueExA
QueryServiceStatus
OpenServiceA
StartServiceA
CloseServiceHandle
CreateServiceW
OpenSCManagerA
RegCloseKey
RegOpenKeyExA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegQueryValueExA
PSAPI.DLL GetModuleFileNameExA
GetModuleFileNameExW

Delayed Imports

Exports

nf_addBindingRule

Ordinal 1
Address 0x6c30

nf_addFlowCtl

Ordinal 2
Address 0x6760

nf_addRule

Ordinal 3
Address 0x4b20

nf_addRuleEx

Ordinal 4
Address 0x6dc0

nf_adjustProcessPriviledges

Ordinal 5
Address 0x5a80

nf_completeTCPConnectRequest

Ordinal 6
Address 0x5b60

nf_completeUDPConnectRequest

Ordinal 7
Address 0x5cb0

nf_deleteBindingRules

Ordinal 8
Address 0x6d30

nf_deleteFlowCtl

Ordinal 9
Address 0x6800

nf_deleteRules

Ordinal 10
Address 0x4bd0

nf_free

Ordinal 11
Address 0x5320

nf_getConnCount

Ordinal 12
Address 0x54c0

nf_getDriverType

Ordinal 13
Address 0x6ec0

nf_getFlowCtlStat

Ordinal 14
Address 0x6a50

nf_getProcessNameA

Ordinal 15
Address 0x59a0

nf_getProcessNameFromKernel

Ordinal 16
Address 0x65c0

nf_getProcessNameW

Ordinal 17
Address 0x5a10

nf_getTCPConnInfo

Ordinal 18
Address 0x5d90

nf_getTCPStat

Ordinal 19
Address 0x6af0

nf_getUDPConnInfo

Ordinal 20
Address 0x5e70

nf_getUDPStat

Ordinal 21
Address 0x6b90

nf_init

Ordinal 22
Address 0x50e0

nf_ipPostReceive

Ordinal 23
Address 0x4b00

nf_ipPostSend

Ordinal 24
Address 0x4ae0

nf_modifyFlowCtl

Ordinal 25
Address 0x69b0

nf_registerDriver

Ordinal 26
Address 0xa8e0

nf_registerDriverEx

Ordinal 27
Address 0xa940

nf_setIPEventHandler

Ordinal 28
Address 0x6750

nf_setOptions

Ordinal 29
Address 0x5b40

nf_setRules

Ordinal 30
Address 0x4c70

nf_setRulesEx

Ordinal 31
Address 0x4d60

nf_setTCPFlowCtl

Ordinal 32
Address 0x6890

nf_setTCPTimeout

Ordinal 33
Address 0x5520

nf_setUDPFlowCtl

Ordinal 34
Address 0x6920

nf_tcpClose

Ordinal 35
Address 0x4480

nf_tcpDisableFiltering

Ordinal 36
Address 0x5550

nf_tcpIsProxy

Ordinal 37
Address 0x5850

nf_tcpPostReceive

Ordinal 38
Address 0x4450

nf_tcpPostSend

Ordinal 39
Address 0x4420

nf_tcpSetConnectionState

Ordinal 40
Address 0x4110

nf_tcpSetSockOpt

Ordinal 41
Address 0x5730

nf_udpDisableFiltering

Ordinal 42
Address 0x5610

nf_udpPostReceive

Ordinal 43
Address 0x48e0

nf_udpPostSend

Ordinal 44
Address 0x48b0

nf_udpSetConnectionState

Ordinal 45
Address 0x45a0

nf_unRegisterDriver

Ordinal 46
Address 0xa9a0

Resources

1

Type RT_VERSION
Language Polish - Poland
Codepage UNKNOWN
Size 0x314
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.42888
MD5 0538d988b1e7a853a7b50547ac0a04bc
SHA1 92d49c3c857853b2d68fe46549ae310a87906506
SHA256 4dd347782031d1489aa94ef73d0ead94f0674afdf09a15f27ee2f1d7de19ed97
SHA3 e73c8fd9de94c8062270a98f7ea1a9f266cbd541d47108ae5b463a7e12270f76

2

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.5.2.2
ProductVersion 1.6.6.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_STATIC_LIB
Language English - United States
CompanyName Axence Inc.
FileDescription Axence Network Driver API
FileVersion (#2) 1.5.2.2
InternalName axnetdrv.dll
LegalCopyright © Axence Inc. All rights reserved.
OriginalFilename axnetdrv.dll
ProductName Axence Network Driver API
ProductVersion (#2) 1.6.6.0
Resource LangID Polish - Poland

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2023-Mar-09 10:56:59
Version 0.0
SizeofData 92
AddressOfRawData 0x20930
PointerToRawData 0x1f330
Referenced File C:\svnDev\Drivers\NetFilterSDK\bin\Release_c_api\Win32\axnetdrv.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2023-Mar-09 10:56:59
Version 0.0
SizeofData 20
AddressOfRawData 0x2098c
PointerToRawData 0x1f38c

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x10023008
SEHandlerTable 0x10020f10
SEHandlerCount 25

RICH Header

XOR Key 0xdb6f0078
Unmarked objects 0
199 (41118) 1
ASM objects (VS2013 build 21005) 23
C objects (VS2013 build 21005) 122
C++ objects (VS2013 build 21005) 45
Imports (VS2008 SP1 build 30729) 7
Total imports 111
229 (VS2013 UPD5 build 40629) 5
Exports (VS2013 UPD5 build 40629) 1
Resource objects (VS2013 build 21005) 1
151 1
Linker (VS2013 UPD5 build 40629) 1

Errors
