be177c932e82479d8264922de1e5db5c

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_NATIVE
Compilation Date 2019-Aug-06 08:26:52
Detected languages Chinese - PRC
Debug artifacts c:\jenkins\workspace\unifairy-branches\ring0\project\Bin\amd64\unifairy_x64.pdb
Comments 2019-08-06
CompanyName TENCENT
FileDescription UniFairy_x64 NT Driver
FileVersion 1, 2, 6008, 34309
InternalName UniFairy_x64
LegalCopyright Copyright (c) 2009 TENCENT. All Rights Reserved
OriginalFilename UniFairy_x64.sys
ProductName UniFairy_x64
ProductVersion 1, 2, 6008, 34309
SpecialBuild ALL

Plugin Output

Info Cryptographic algorithms detected in the binary:
  • Uses constants related to MD5
  • Uses constants related to AES
Malicious The file headers were tampered with:
  • Section INIT is both writable and executable.
  • Unusual section name found: .tvm0
  • Section .tvm0 is both writable and executable.
  • The RICH header checksum is invalid.
Suspicious The PE contains functions most legitimate programs don't use. Functions which can be used for anti-debugging purposes:
  • ZwQuerySystemInformation
Uses the Windows Native API:
  • ZwClose
  • ZwReadFile
  • ZwQuerySystemInformation
  • ZwCreateFile
  • ZwQueryValueKey
  • ZwOpenProcess
  • ZwQueryInformationProcess
  • ZwOpenFile
  • ZwTerminateProcess
  • ZwQueryInformationFile
  • ZwEnumerateKey
  • ZwQueryKey
  • ZwOpenKey
Info The PE is digitally signed.
  • Signer: Tencent Technology(Shenzhen) Company Limited
  • Issuer: VeriSign Class 3 Code Signing 2010 CA
Safe VirusTotal score: 0/67 (Scanned on 2020-05-11 08:32:52). All the AVs think this file is safe.

Hashes

MD5 be177c932e82479d8264922de1e5db5c
SHA1 d429cef92b580594ea899b51b674df8b0ef23dfd
SHA256 5b2bebbf911c22c80752e049f4db6839058521df1fbfd7b7f71fc6748a127cf1
SHA3 b6cca108e940f2cef90b81602d4e335d6b0d2b11c92b2be508384ceeb003318b
SSDeep 12288:bz8kqZWRyHklJdZGw945qd3F6uqHSx/tQ4wFCFoNrv1aoFtyct9tqd8dgtJweUj:H5MHWdgY
Imports Hash a01c0021447ecbb0072631a493a66cd6

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 9
TimeDateStamp 2019-Aug-06 08:26:52
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 9.1
SizeOfCode 0x2e000
SizeOfInitializedData 0x3800
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000035064 (Section: INIT)
BaseOfCode 0x1000
ImageBase 0x10000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.1
ImageVersion 6.1
SubsystemVersion 6.1
Win32VersionValue 0
SizeOfImage 0xd5000
SizeOfHeaders 0x400
Checksum 0xe7e1e
Subsystem IMAGE_SUBSYSTEM_NATIVE
DllCharacteristics IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
SizeofStackReserve 0x40000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 4b0f1808dc24ff440af3320dfc3e15d3
SHA1 6fb22f73379daa390c02e66109cb40880f62e7f8
SHA256 a838077e0e9eaee27c3bd6c75ac3877d067e4a228d542c35f0fa20db54e885b2
SHA3 c47306c5cb6df7ec015c8658eea33f20208ce766cc49dc6f981698606d5fbe72
VirtualSize 0x2d2c2
VirtualAddress 0x1000
SizeOfRawData 0x2d400
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
Entropy 1.4183

.rdata

MD5 b5ee16130edb7404164f52d2d2033fd3
SHA1 7996bc03d2fb6f803453a9b2ee4f96da3b85bd37
SHA256 c9accad1ead74321ef97ab809c4be44c51fd965f6ef4bd09640069ef248dfbf5
SHA3 906d223cf5df76c471c3a5aa7058bd45ea4eb95cbbe1cc4cd194cd5554f46006
VirtualSize 0x19bc
VirtualAddress 0x2f000
SizeOfRawData 0x1a00
PointerToRawData 0x2d800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
Entropy 5.92515

.data

MD5 7085b47761de883be74afb80a8342465
SHA1 935a9b52dcdd94ffa71a437a41f0efc2a3413065
SHA256 5edbab236d9aa220765b1a0dc3b170d699f8c10db1683e158c729dd97a98e73d
SHA3 7f42ce99258c01c3b303479e5c7a23778a204f52780e66e320dc441d02a46e59
VirtualSize 0x15b4
VirtualAddress 0x31000
SizeOfRawData 0x800
PointerToRawData 0x2f200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.33775

.pdata

MD5 f9af191bd080b94baa26e87dff179f7c
SHA1 75c85e2e3ceeb0401c0d5bec54f2f92c4cea3d06
SHA256 71ced149598fc63aa3e9d1660c31c2fe2942370e68c3c7d211fb884faced7931
SHA3 c1d9c09517193d1c002c0aaf2c82d668c3c1581b7531488681141bce0081f8aa
VirtualSize 0xb1c
VirtualAddress 0x33000
SizeOfRawData 0xc00
PointerToRawData 0x2fa00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
Entropy 5.0068

.edata

MD5 c5db9e402cead49274fc2f3afa57ecca
SHA1 bb57d210460c8859e1c5b1ed8f9e72bfcf354faa
SHA256 d1b7f44b580e9dd7c13e3d8faa1a57937c2da646c651cecb93c4379a0781da5e
SHA3 dba9ab6e3f1e059c7358cc9d9d887970fe29424c5c1476497f4b082b270a5ca9
VirtualSize 0x36
VirtualAddress 0x34000
SizeOfRawData 0x200
PointerToRawData 0x30600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 0.415364

INIT

MD5 00d72c944fbccb8e2b9a534c9259b156
SHA1 11586797826bcc1d63e9d1eba438641dd2328420
SHA256 724e12659455dc4bcf0d898f25142788780f5cd12fb77123d0e1ed2a6c2b11b5
SHA3 0405826f6fa45f51ee174e341d8ae0bc42fa236553ebfa96ba091778c2907119
VirtualSize 0xbd0
VirtualAddress 0x35000
SizeOfRawData 0xc00
PointerToRawData 0x30800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.22439

.rsrc

MD5 543029093daf066eb7064db909a8ccbc
SHA1 43c4e2d0ad42bfcfd286c8a79963ff665ba0c887
SHA256 3675a0b402927f84bff1df91cc35c2f3477b8e98ada3395128bab4f430573a21
SHA3 6112c8038e75763a9d1d4cc0342ea3af228a060f2b7f6309807e9900f135c747
VirtualSize 0x430
VirtualAddress 0x36000
SizeOfRawData 0x600
PointerToRawData 0x31400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 4.06801

.reloc

MD5 236ad5fb425de16e449a527a859fe393
SHA1 f8d90101a6c34af0db33dfe9de20c72aa2d9ff43
SHA256 318fb2969bda8564ca76571e9e53a9207a634b01c7440b2e871144535e9b2312
SHA3 87099b9e7ffff6bc75c897da0c24ad87170eef3fb25d784cfb4ddb8736e96d9b
VirtualSize 0x1f8
VirtualAddress 0x37000
SizeOfRawData 0x200
PointerToRawData 0x31a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 1.34893

.tvm0

MD5 5159cd86dcc4b9ac51204a26655e292d
SHA1 3e8e79fd02bb56549a3c0224bb98633ed896d37b
SHA256 4499753b3581bb6a4c3f4545e0c4c62077cf277bdcbdd7913084efb89233fda7
SHA3 61a7b7abdf19a5023f523279e547a11e1981f1229046c5cfdd4e9ef4d5913940
VirtualSize 0x9d000
VirtualAddress 0x38000
SizeOfRawData 0x9d000
PointerToRawData 0x31c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 6.37104

Imports

ntoskrnl.exe ExFreePoolWithTag
PsLookupProcessByProcessId
PsIsSystemThread
RtlInitUnicodeString
IoDeleteDevice
KeSetEvent
KeInitializeEvent
KeInitializeDpc
KeInitializeTimer
KeFlushQueuedDpcs
PsTerminateSystemThread
IoGetCurrentProcess
ZwClose
IofCompleteRequest
KeWaitForSingleObject
KeSetTimer
IoCreateSymbolicLink
PsGetCurrentThreadId
PsGetCurrentProcessId
MmIsAddressValid
ObfDereferenceObject
IoCreateDevice
KeCancelTimer
strncpy
_vsnprintf
IoBuildDeviceIoControlRequest
isspace
isprint
IoGetDeviceObjectPointer
wcschr
ExUnregisterCallback
RtlAnsiStringToUnicodeString
RtlInitAnsiString
FsRtlIsNameInExpression
RtlFreeUnicodeString
_wcsupr
MmUnmapLockedPages
_stricmp
IoThreadToProcess
KeClearEvent
PsProcessType
RtlConvertSidToUnicodeString
ExReleaseFastMutex
strncmp
KeInitializeMutex
ExAcquireFastMutex
_snwprintf
_strlwr
PsGetProcessImageFileName
ZwReadFile
wcsncpy
PsReferencePrimaryToken
IoDeleteSymbolicLink
ZwQuerySystemInformation
wcsncat
KeReleaseSpinLock
RtlEqualUnicodeString
IoFreeMdl
KeReleaseMutex
MmUserProbeAddress
KeDelayExecutionThread
IoFileObjectType
ZwCreateFile
MmMapLockedPagesSpecifyCache
IoBuildAsynchronousFsdRequest
ZwQueryValueKey
RtlGUIDFromString
KeQueryTimeIncrement
KeBugCheck
SeQueryInformationToken
ObReferenceObjectByHandle
KeBugCheckEx
IoFreeIrp
MmProbeAndLockPages
PsGetVersion
PsThreadType
PsGetProcessJob
ZwOpenProcess
RtlCompareMemory
MmUnlockPages
ZwQueryInformationProcess
RtlUnicodeStringToInteger
ZwOpenFile
ZwTerminateProcess
ZwQueryInformationFile
ZwEnumerateKey
IoAllocateMdl
PsDereferencePrimaryToken
IofCallDriver
ZwQueryKey
ZwOpenKey
KeAcquireSpinLockRaiseToDpc
ObOpenObjectByName
IoDriverObjectType
ExEventObjectType
MmGetSystemRoutineAddress
ExAllocatePoolWithTag
__C_specific_handler
HAL.dll KeStallExecutionProcessor

Delayed Imports

1

Type RT_VERSION
Language Chinese - PRC
Codepage Latin 1 / Western European
Size 0x3d8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.56078
MD5 7072156a79e5131b41084d906c917b85
SHA1 602053953baff9ddaed455899d3d7d0af463a3e7
SHA256 628ded8d1222f2961e0558cab59cc21dde8936157148c2997511f84e11b82a87
SHA3 111b9c0debc3118508004cd24c3f5fe4fca4830644c37aa191cb682b28ecff73

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.2.6008.34309
ProductVersion 1.2.6008.34309
FileFlags (EMPTY)
FileOs VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
FileType VFT_DRV
FileSubtype VFT2_DRV_INSTALLABLE
Language Chinese - PRC
Comments 2019-08-06
CompanyName TENCENT
FileDescription UniFairy_x64 NT Driver
FileVersion (#2) 1, 2, 6008, 34309
InternalName UniFairy_x64
LegalCopyright Copyright (c) 2009 TENCENT. All Rights Reserved
OriginalFilename UniFairy_x64.sys
ProductName UniFairy_x64
ProductVersion (#2) 1, 2, 6008, 34309
SpecialBuild ALL
Resource LangID Chinese - PRC

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2019-Aug-06 08:26:52
Version 0.0
SizeofData 104
AddressOfRawData 0x2fb50
PointerToRawData 0x2e350
Referenced File c:\jenkins\workspace\unifairy-branches\ring0\project\Bin\amd64\unifairy_x64.pdb

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x1fcf47d9
Unmarked objects 0
Total imports 135
Imports (VS2008 SP1 build 30729) 5
C objects (VS2008 SP1 build 30729) 5
Exports (VS2008 SP1 build 30729) 1
ASM objects (VS2008 SP1 build 30729) 5
137 (VS2008 SP1 build 30729) 14
Linker (VS2008 SP1 build 30729) 1
Resource objects (VS2008 SP1 build 30729) 1

Errors
