| Field | Value |
|---|---|
| Architecture | IMAGE_FILE_MACHINE_AMD64 |
| Subsystem | IMAGE_SUBSYSTEM_NATIVE |
| Compilation Date | 2019-Aug-06 08:26:52 |
| Detected languages | Chinese - PRC |
| Debug artifacts | `c:\jenkins\workspace\unifairy-branches\ring0\project\Bin\amd64\unifairy_x64.pdb` |
| Comments | 2019-08-06 |
| CompanyName | TENCENT |
| FileDescription | UniFairy_x64 NT Driver |
| FileVersion | 1, 2, 6008, 34309 |
| InternalName | UniFairy_x64 |
| LegalCopyright | Copyright (c) 2009 TENCENT. All Rights Reserved |
| OriginalFilename | UniFairy_x64.sys |
| ProductName | UniFairy_x64 |
| ProductVersion | 1, 2, 6008, 34309 |
| SpecialBuild | ALL |

| Level | Finding | Details |
|---|---|---|
| Info | Cryptographic algorithms detected in the binary: | Uses constants related to MD5; uses constants related to AES |
| Malicious | The file headers were tampered with. | Section INIT is both writable and executable. Unusual section name found: .tvm0. Section .tvm0 is both writable and executable. The RICH header checksum is invalid. |
| Suspicious | The PE contains functions most legitimate programs don't use. | Functions which can be used for anti-debugging purposes: |
| Info | The PE is digitally signed. | Signer: Tencent Technology(Shenzhen) Company Limited; Issuer: VeriSign Class 3 Code Signing 2010 CA |
| Safe | VirusTotal score: 0/67 (Scanned on 2020-05-11 08:32:52) | All the AVs think this file is safe. |

| Field | Value |
|---|---|
| e_magic | MZ |
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0xe0 |

| Field | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_AMD64 |
| NumberofSections | 9 |
| TimeDateStamp | 2019-Aug-06 08:26:52 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xf0 |
| Characteristics | IMAGE_FILE_DLL, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE |

| Field | Value |
|---|---|
| Magic | PE32+ |
| LinkerVersion | 9.1 |
| SizeOfCode | 0x2e000 |
| SizeOfInitializedData | 0x3800 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x0000000000035064 (Section: INIT) |
| BaseOfCode | 0x1000 |
| ImageBase | 0x10000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 6.1 |
| ImageVersion | 6.1 |
| SubsystemVersion | 6.1 |
| Win32VersionValue | 0 |
| SizeOfImage | 0xd5000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0xe7e1e |
| Subsystem | IMAGE_SUBSYSTEM_NATIVE |
| DllCharacteristics | IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY |
| SizeofStackReserve | 0x40000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |

| Library | Imported functions |
|---|---|
| ntoskrnl.exe | `ExFreePoolWithTag, PsLookupProcessByProcessId, PsIsSystemThread, RtlInitUnicodeString, IoDeleteDevice, KeSetEvent, KeInitializeEvent, KeInitializeDpc, KeInitializeTimer, KeFlushQueuedDpcs, PsTerminateSystemThread, IoGetCurrentProcess, ZwClose, IofCompleteRequest, KeWaitForSingleObject, KeSetTimer, IoCreateSymbolicLink, PsGetCurrentThreadId, PsGetCurrentProcessId, MmIsAddressValid, ObfDereferenceObject, IoCreateDevice, KeCancelTimer, strncpy, _vsnprintf, IoBuildDeviceIoControlRequest, isspace, isprint, IoGetDeviceObjectPointer, wcschr, ExUnregisterCallback, RtlAnsiStringToUnicodeString, RtlInitAnsiString, FsRtlIsNameInExpression, RtlFreeUnicodeString, _wcsupr, MmUnmapLockedPages, _stricmp, IoThreadToProcess, KeClearEvent, PsProcessType, RtlConvertSidToUnicodeString, ExReleaseFastMutex, strncmp, KeInitializeMutex, ExAcquireFastMutex, _snwprintf, _strlwr, PsGetProcessImageFileName, ZwReadFile, wcsncpy, PsReferencePrimaryToken, IoDeleteSymbolicLink, ZwQuerySystemInformation, wcsncat, KeReleaseSpinLock, RtlEqualUnicodeString, IoFreeMdl, KeReleaseMutex, MmUserProbeAddress, KeDelayExecutionThread, IoFileObjectType, ZwCreateFile, MmMapLockedPagesSpecifyCache, IoBuildAsynchronousFsdRequest, ZwQueryValueKey, RtlGUIDFromString, KeQueryTimeIncrement, KeBugCheck, SeQueryInformationToken, ObReferenceObjectByHandle, KeBugCheckEx, IoFreeIrp, MmProbeAndLockPages, PsGetVersion, PsThreadType, PsGetProcessJob, ZwOpenProcess, RtlCompareMemory, MmUnlockPages, ZwQueryInformationProcess, RtlUnicodeStringToInteger, ZwOpenFile, ZwTerminateProcess, ZwQueryInformationFile, ZwEnumerateKey, IoAllocateMdl, PsDereferencePrimaryToken, IofCallDriver, ZwQueryKey, ZwOpenKey, KeAcquireSpinLockRaiseToDpc, ObOpenObjectByName, IoDriverObjectType, ExEventObjectType, MmGetSystemRoutineAddress, ExAllocatePoolWithTag, __C_specific_handler` |
| HAL.dll | `KeStallExecutionProcessor` |

| Field | Value |
|---|---|
| Signature | 0xfeef04bd |
| StructVersion | 0x10000 |
| FileVersion | 1.2.6008.34309 |
| ProductVersion | 1.2.6008.34309 |
| FileFlags | (EMPTY) |
| FileOs | VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE |
| FileType | VFT_DRV |
| FileSubtype | VFT2_DRV_INSTALLABLE |
| Language | Chinese - PRC |
| Comments | 2019-08-06 |
| CompanyName | TENCENT |
| FileDescription | UniFairy_x64 NT Driver |
| FileVersion (#2) | 1, 2, 6008, 34309 |
| InternalName | UniFairy_x64 |
| LegalCopyright | Copyright (c) 2009 TENCENT. All Rights Reserved |
| OriginalFilename | UniFairy_x64.sys |
| ProductName | UniFairy_x64 |
| ProductVersion (#2) | 1, 2, 6008, 34309 |
| SpecialBuild | ALL |
| Resource LangID | Chinese - PRC |

| Field | Value |
|---|---|
| Characteristics | 0 |
| TimeDateStamp | 2019-Aug-06 08:26:52 |
| Version | 0.0 |
| SizeofData | 104 |
| AddressOfRawData | 0x2fb50 |
| PointerToRawData | 0x2e350 |
| Referenced File | `c:\jenkins\workspace\unifairy-branches\ring0\project\Bin\amd64\unifairy_x64.pdb` |
---|---|
Unmarked objects | 0 |
Total imports | 135 |
Imports (VS2008 SP1 build 30729) | 5 |
C objects (VS2008 SP1 build 30729) | 5 |
Exports (VS2008 SP1 build 30729) | 1 |
ASM objects (VS2008 SP1 build 30729) | 5 |
137 (VS2008 SP1 build 30729) | 14 |
Linker (VS2008 SP1 build 30729) | 1 |
Resource objects (VS2008 SP1 build 30729) | 1 |