Manalyze report for be177c932e82479d8264922de1e5db5c

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_NATIVE`
Compilation Date	2019-Aug-06 08:26:52
Detected languages	Chinese - PRC
Debug artifacts	c:\jenkins\workspace\unifairy-branches\ring0\project\Bin\amd64\unifairy_x64.pdb
Comments	2019-08-06
CompanyName	TENCENT
FileDescription	UniFairy_x64 NT Driver
FileVersion	`1, 2, 6008, 34309`
InternalName	UniFairy_x64
LegalCopyright	Copyright (c) 2009 TENCENT. All Rights Reserved
OriginalFilename	UniFairy_x64.sys
ProductName	UniFairy_x64
ProductVersion	`1, 2, 6008, 34309`
SpecialBuild	ALL

Plugin Output

Info	Cryptographic algorithms detected in the binary:	`Uses constants related to MD5` `Uses constants related to AES`
Malicious	The file headers were tampered with.	`Section INIT is both writable and executable.` `Unusual section name found: .tvm0` `Section .tvm0 is both writable and executable.` `The RICH header checksum is invalid.`
Suspicious	The PE contains functions most legitimate programs don't use.	`Functions which can be used for anti-debugging purposes: ZwQuerySystemInformation` `Uses Windows's Native API: ZwClose ZwReadFile ZwQuerySystemInformation ZwCreateFile ZwQueryValueKey ZwOpenProcess ZwQueryInformationProcess ZwOpenFile ZwTerminateProcess ZwQueryInformationFile ZwEnumerateKey ZwQueryKey ZwOpenKey`
Info	The PE is digitally signed.	`Signer: Tencent Technology(Shenzhen) Company Limited` `Issuer: VeriSign Class 3 Code Signing 2010 CA`
Safe	VirusTotal score: 0/67 (Scanned on 2020-05-11 08:32:52)	`All the AVs think this file is safe.`

Hashes

MD5	`be177c932e82479d8264922de1e5db5c`
SHA1	`d429cef92b580594ea899b51b674df8b0ef23dfd`
SHA256	`5b2bebbf911c22c80752e049f4db6839058521df1fbfd7b7f71fc6748a127cf1`
SHA3	`b6cca108e940f2cef90b81602d4e335d6b0d2b11c92b2be508384ceeb003318b`
SSDeep	`12288:bz8kqZWRyHklJdZGw945qd3F6uqHSx/tQ4wFCFoNrv1aoFtyct9tqd8dgtJweUj:H5MHWdgY`
Imports Hash	`a01c0021447ecbb0072631a493a66cd6`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`9`
TimeDateStamp	2019-Aug-06 08:26:52
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`9.1`
SizeOfCode	`0x2e000`
SizeOfInitializedData	`0x3800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000035064 (Section: INIT)`
BaseOfCode	`0x1000`
ImageBase	`0x10000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.1`
ImageVersion	`6.1`
SubsystemVersion	`6.1`
Win32VersionValue	`0`
SizeOfImage	`0xd5000`
SizeOfHeaders	`0x400`
Checksum	`0xe7e1e`
Subsystem	`IMAGE_SUBSYSTEM_NATIVE`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY`
SizeofStackReserve	`0x40000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`4b0f1808dc24ff440af3320dfc3e15d3`
SHA1	`6fb22f73379daa390c02e66109cb40880f62e7f8`
SHA256	`a838077e0e9eaee27c3bd6c75ac3877d067e4a228d542c35f0fa20db54e885b2`
SHA3	`c47306c5cb6df7ec015c8658eea33f20208ce766cc49dc6f981698606d5fbe72`
VirtualSize	`0x2d2c2`
VirtualAddress	`0x1000`
SizeOfRawData	`0x2d400`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`1.4183`

.rdata

MD5	`b5ee16130edb7404164f52d2d2033fd3`
SHA1	`7996bc03d2fb6f803453a9b2ee4f96da3b85bd37`
SHA256	`c9accad1ead74321ef97ab809c4be44c51fd965f6ef4bd09640069ef248dfbf5`
SHA3	`906d223cf5df76c471c3a5aa7058bd45ea4eb95cbbe1cc4cd194cd5554f46006`
VirtualSize	`0x19bc`
VirtualAddress	`0x2f000`
SizeOfRawData	`0x1a00`
PointerToRawData	`0x2d800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`5.92515`

.data

MD5	`7085b47761de883be74afb80a8342465`
SHA1	`935a9b52dcdd94ffa71a437a41f0efc2a3413065`
SHA256	`5edbab236d9aa220765b1a0dc3b170d699f8c10db1683e158c729dd97a98e73d`
SHA3	`7f42ce99258c01c3b303479e5c7a23778a204f52780e66e320dc441d02a46e59`
VirtualSize	`0x15b4`
VirtualAddress	`0x31000`
SizeOfRawData	`0x800`
PointerToRawData	`0x2f200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.33775`

.pdata

MD5	`f9af191bd080b94baa26e87dff179f7c`
SHA1	`75c85e2e3ceeb0401c0d5bec54f2f92c4cea3d06`
SHA256	`71ced149598fc63aa3e9d1660c31c2fe2942370e68c3c7d211fb884faced7931`
SHA3	`c1d9c09517193d1c002c0aaf2c82d668c3c1581b7531488681141bce0081f8aa`
VirtualSize	`0xb1c`
VirtualAddress	`0x33000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x2fa00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`5.0068`

.edata

MD5	`c5db9e402cead49274fc2f3afa57ecca`
SHA1	`bb57d210460c8859e1c5b1ed8f9e72bfcf354faa`
SHA256	`d1b7f44b580e9dd7c13e3d8faa1a57937c2da646c651cecb93c4379a0781da5e`
SHA3	`dba9ab6e3f1e059c7358cc9d9d887970fe29424c5c1476497f4b082b270a5ca9`
VirtualSize	`0x36`
VirtualAddress	`0x34000`
SizeOfRawData	`0x200`
PointerToRawData	`0x30600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`0.415364`

INIT

MD5	`00d72c944fbccb8e2b9a534c9259b156`
SHA1	`11586797826bcc1d63e9d1eba438641dd2328420`
SHA256	`724e12659455dc4bcf0d898f25142788780f5cd12fb77123d0e1ed2a6c2b11b5`
SHA3	`0405826f6fa45f51ee174e341d8ae0bc42fa236553ebfa96ba091778c2907119`
VirtualSize	`0xbd0`
VirtualAddress	`0x35000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x30800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.22439`

.rsrc

MD5	`543029093daf066eb7064db909a8ccbc`
SHA1	`43c4e2d0ad42bfcfd286c8a79963ff665ba0c887`
SHA256	`3675a0b402927f84bff1df91cc35c2f3477b8e98ada3395128bab4f430573a21`
SHA3	`6112c8038e75763a9d1d4cc0342ea3af228a060f2b7f6309807e9900f135c747`
VirtualSize	`0x430`
VirtualAddress	`0x36000`
SizeOfRawData	`0x600`
PointerToRawData	`0x31400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.06801`

.reloc

MD5	`236ad5fb425de16e449a527a859fe393`
SHA1	`f8d90101a6c34af0db33dfe9de20c72aa2d9ff43`
SHA256	`318fb2969bda8564ca76571e9e53a9207a634b01c7440b2e871144535e9b2312`
SHA3	`87099b9e7ffff6bc75c897da0c24ad87170eef3fb25d784cfb4ddb8736e96d9b`
VirtualSize	`0x1f8`
VirtualAddress	`0x37000`
SizeOfRawData	`0x200`
PointerToRawData	`0x31a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`1.34893`

.tvm0

MD5	`5159cd86dcc4b9ac51204a26655e292d`
SHA1	`3e8e79fd02bb56549a3c0224bb98633ed896d37b`
SHA256	`4499753b3581bb6a4c3f4545e0c4c62077cf277bdcbdd7913084efb89233fda7`
SHA3	`61a7b7abdf19a5023f523279e547a11e1981f1229046c5cfdd4e9ef4d5913940`
VirtualSize	`0x9d000`
VirtualAddress	`0x38000`
SizeOfRawData	`0x9d000`
PointerToRawData	`0x31c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.37104`

Imports

ntoskrnl.exe	`ExFreePoolWithTag` `PsLookupProcessByProcessId` `PsIsSystemThread` `RtlInitUnicodeString` `IoDeleteDevice` `KeSetEvent` `KeInitializeEvent` `KeInitializeDpc` `KeInitializeTimer` `KeFlushQueuedDpcs` `PsTerminateSystemThread` `IoGetCurrentProcess` `ZwClose` `IofCompleteRequest` `KeWaitForSingleObject` `KeSetTimer` `IoCreateSymbolicLink` `PsGetCurrentThreadId` `PsGetCurrentProcessId` `MmIsAddressValid` `ObfDereferenceObject` `IoCreateDevice` `KeCancelTimer` `strncpy` `_vsnprintf` `IoBuildDeviceIoControlRequest` `isspace` `isprint` `IoGetDeviceObjectPointer` `wcschr` `ExUnregisterCallback` `RtlAnsiStringToUnicodeString` `RtlInitAnsiString` `FsRtlIsNameInExpression` `RtlFreeUnicodeString` `_wcsupr` `MmUnmapLockedPages` `_stricmp` `IoThreadToProcess` `KeClearEvent` `PsProcessType` `RtlConvertSidToUnicodeString` `ExReleaseFastMutex` `strncmp` `KeInitializeMutex` `ExAcquireFastMutex` `_snwprintf` `_strlwr` `PsGetProcessImageFileName` `ZwReadFile` `wcsncpy` `PsReferencePrimaryToken` `IoDeleteSymbolicLink` `ZwQuerySystemInformation` `wcsncat` `KeReleaseSpinLock` `RtlEqualUnicodeString` `IoFreeMdl` `KeReleaseMutex` `MmUserProbeAddress` `KeDelayExecutionThread` `IoFileObjectType` `ZwCreateFile` `MmMapLockedPagesSpecifyCache` `IoBuildAsynchronousFsdRequest` `ZwQueryValueKey` `RtlGUIDFromString` `KeQueryTimeIncrement` `KeBugCheck` `SeQueryInformationToken` `ObReferenceObjectByHandle` `KeBugCheckEx` `IoFreeIrp` `MmProbeAndLockPages` `PsGetVersion` `PsThreadType` `PsGetProcessJob` `ZwOpenProcess` `RtlCompareMemory` `MmUnlockPages` `ZwQueryInformationProcess` `RtlUnicodeStringToInteger` `ZwOpenFile` `ZwTerminateProcess` `ZwQueryInformationFile` `ZwEnumerateKey` `IoAllocateMdl` `PsDereferencePrimaryToken` `IofCallDriver` `ZwQueryKey` `ZwOpenKey` `KeAcquireSpinLockRaiseToDpc` `ObOpenObjectByName` `IoDriverObjectType` `ExEventObjectType` `MmGetSystemRoutineAddress` `ExAllocatePoolWithTag` `__C_specific_handler`
HAL.dll	`KeStallExecutionProcessor`

Delayed Imports

1

Type	`RT_VERSION`
Language	Chinese - PRC
Codepage	Latin 1 / Western European
Size	`0x3d8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.56078`
MD5	`7072156a79e5131b41084d906c917b85`
SHA1	`602053953baff9ddaed455899d3d7d0af463a3e7`
SHA256	`628ded8d1222f2961e0558cab59cc21dde8936157148c2997511f84e11b82a87`
SHA3	`111b9c0debc3118508004cd24c3f5fe4fca4830644c37aa191cb682b28ecff73`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	1.2.6008.34309
ProductVersion	1.2.6008.34309
FileFlags	`(EMPTY)`
FileOs	`VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE`
FileType	`VFT_DRV`
FileSubtype	VFT2_DRV_INSTALLABLE
Language	Chinese - PRC
Comments	2019-08-06
CompanyName	TENCENT
FileDescription	UniFairy_x64 NT Driver
FileVersion (#2)	1, 2, 6008, 34309
InternalName	UniFairy_x64
LegalCopyright	Copyright (c) 2009 TENCENT. All Rights Reserved
OriginalFilename	UniFairy_x64.sys
ProductName	UniFairy_x64
ProductVersion (#2)	1, 2, 6008, 34309
SpecialBuild	ALL

Resource LangID	Chinese - PRC

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2019-Aug-06 08:26:52
Version	`0.0`
SizeofData	`104`
AddressOfRawData	`0x2fb50`
PointerToRawData	`0x2e350`
Referenced File	c:\jenkins\workspace\unifairy-branches\ring0\project\Bin\amd64\unifairy_x64.pdb

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x1fcf47d9`
Unmarked objects	`0`
Total imports	`135`
Imports (VS2008 SP1 build 30729)	`5`
C objects (VS2008 SP1 build 30729)	`5`
Exports (VS2008 SP1 build 30729)	`1`
ASM objects (VS2008 SP1 build 30729)	`5`
137 (VS2008 SP1 build 30729)	`14`
Linker (VS2008 SP1 build 30729)	`1`
Resource objects (VS2008 SP1 build 30729)	`1`

be177c932e82479d8264922de1e5db5c

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.edata

INIT

.rsrc

.reloc

.tvm0

Imports

Delayed Imports

1

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

TLS Callbacks

Load Configuration

RICH Header

Errors