f3e3afddbb995f025bfa43c4146c4308

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_NATIVE
Compilation Date 2020-Apr-10 11:22:02
Detected languages English - United States
Debug artifacts D:\Builds\tools\objects\nisomedriver\winxpK\i386\msvc-10.0\debug\nisomedriver.pdb
CompanyName National Instruments Corporation
LegalCopyright Copyright © 2000-2020 National Instruments Corporation. All Rights Reserved.
ProductName NISOMEDRIVER
OriginalFilename nisomedriver.sys
FileDescription Some Friendly Description of nisomedriver
ProductVersion 1.0.0a0 debug build
FileVersion 1.0.0a0 debug build
InternalName NISOMEDRIVER 1.0.0a0 debug build
Comments 2020/04/10 14:20:27, nisomedriver/winxpK/i386/msvc-10.0/debug
PrivateBuild alpha build

Plugin Output

Info Matching compiler(s): Microsoft Visual C++
Suspicious The PE is possibly packed. Unusual section name found: PAGE
Section INIT is both writable and executable.
Suspicious The PE contains functions most legitimate programs don't use. Functions which can be used for anti-debugging purposes:
  • DbgPrint
Uses Windows's Native API:
  • ZwClose
  • ZwMapViewOfSection
  • ZwOpenSection
  • ZwOpenProcess
  • ZwUnmapViewOfSection
  • ZwQueryValueKey
  • ZwSetValueKey
  • ZwDeleteKey
  • ZwDeleteValueKey
  • ZwOpenKey
  • ZwCreateKey
Info The PE is digitally signed. Signer: NITestingCert
Issuer: NITestingCert
Suspicious No VirusTotal score. This file has never been scanned on VirusTotal.

Hashes

MD5 f3e3afddbb995f025bfa43c4146c4308
SHA1 2181a37150880b860a165899ba6cdb7d42b36765
SHA256 dabf8c37fcdfb2bcc1bf11db73df92fb0c191034119dd8bbdd46580a0fda5a97
SHA3 4ab0cf717e02da796f4c978d977e1f3b06e82e20c481122abe3db63391039ee4
SSDeep 3072:D5KfOkshQM9TYGrCrn1bD82WRKDB5yHW2Bm4CNuUTOsq:DCOVY8eV86Dvy2JGUTO
Imports Hash 755c9409301825cfc2b184f13c3aee2b

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 8
TimeDateStamp 2020-Apr-10 11:22:02
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 10.0
SizeOfCode 0x20000
SizeOfInitializedData 0x1b600
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0003C000 (Section: INIT)
BaseOfCode 0x1000
BaseOfData 0x21000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 1.0
SubsystemVersion 5.1
Win32VersionValue 0
SizeOfImage 0x41000
SizeOfHeaders 0x400
Checksum 0x41657
Subsystem IMAGE_SUBSYSTEM_NATIVE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 49dc0dfb64d6435468dfa4a0b9423959
SHA1 0d035107666fcc214720a407d67de5fde2d517d7
SHA256 1df57b08c1678041fe23d5ccbdfa7ffec386a39be2144901beb2a75fafc5e494
SHA3 f4b4a19773418c1f042edf76b8a912aa4a5ee309d1e7305216ba57f159c1efce
VirtualSize 0x1f1af
VirtualAddress 0x1000
SizeOfRawData 0x1f200
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
Entropy 6.10287

.rdata

MD5 f0e8f2f5d952175277f761b901549875
SHA1 42808d8f22b5edb187a2b283b4f64a759d4aaf81
SHA256 645874fa4a4edf26df870d64e3866fd74826df26b1b94008d9a65a23a765d286
SHA3 bf52ba01ef046443a3a22f36d44f03fd018ed6db5c06628317177d68aabc7e72
VirtualSize 0x177cc
VirtualAddress 0x21000
SizeOfRawData 0x17800
PointerToRawData 0x1f600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
Entropy 5.36117

.data

MD5 36c23bf51c3a26d6ba4d490fddc41fc5
SHA1 25da516b11f333950793bbd57709d4aa6c7dbe0e
SHA256 09f9a7a02df39e4bac13c9951305ee3cbd4afea6de7d9106f5ee497f211f5205
SHA3 3b26b2c2b7ca86589280da1edfd517bf5c22913318c6191a1e3a0d2f9acfe7c7
VirtualSize 0xf04
VirtualAddress 0x39000
SizeOfRawData 0xe00
PointerToRawData 0x36e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.12168

.CRT

MD5 20bd0226e93f9d4795ba09e826a9dcc6
SHA1 0cb1323a8654dd2c9b1fa5a84cb38f1b152bc684
SHA256 7409c6a93757b5e72bb7ece36639c9167d858d30a8e1942d755d23f5e997a47d
SHA3 fde6d2926a58ab138e4eea6249b339a0c46d51c5c90bae032c3a4d222159d443
VirtualSize 0x14
VirtualAddress 0x3a000
SizeOfRawData 0x200
PointerToRawData 0x37c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
Entropy 0.164765

PAGE

MD5 d4fb943e9a985fddeff6698455630cce
SHA1 fa1ada99aff8ac14c03d8935a201ffd8effe150d
SHA256 8028173fa51c4591b1be60b5e554cdf033aa3a2b61d1a6ae271c7ba0f032a5a8
SHA3 5aa343a00f2974e35bd30d9db5fe3c7e2fc19096d1e728d068926e5295ad864a
VirtualSize 0x187
VirtualAddress 0x3b000
SizeOfRawData 0x200
PointerToRawData 0x37e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 4.87276

INIT

MD5 696afbaa6ee10064050c12617974a9f3
SHA1 2a77daec78527393897e7f9351862df8e2583058
SHA256 602b1e644e4f5f2056a34121a171e22e76231931ac3435e1af2eaee23b6d331b
SHA3 d7ca869cfc4baa339053a6d8f3154bcf4f1205e256dc41eacdd244208dfec7c5
VirtualSize 0xb64
VirtualAddress 0x3c000
SizeOfRawData 0xc00
PointerToRawData 0x38000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.6497

.rsrc

MD5 d8d83c913d8073fec28b7bb7d4bc3fb1
SHA1 778c8ba9b1b13581c41d2c40f679f12882ac79fe
SHA256 cca1351abd1962a35cec959bd8c5145c4bc3590219a395bfdd9a74b613a40639
SHA3 9f60376b107d50fdfb7f1c69ee11d92ff73c4eefd94e97f1034fd2f0dcd1bd4d
VirtualSize 0x528
VirtualAddress 0x3d000
SizeOfRawData 0x600
PointerToRawData 0x38c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 3.04911

.reloc

MD5 31cf143a5f5117fe8919a4fd0f982a6d
SHA1 fddbe98248303501bb15e0f38dc4dc58be62f25d
SHA256 83e6e35e0db0ae3e8a921a1485d8d4ad09ad1efe32c4935103c4922575bd325e
SHA3 90a89be200cb98fc0a1147ce5450d3352c9a9380a17be70e4bed5291d1ea8cbf
VirtualSize 0x24e6
VirtualAddress 0x3e000
SizeOfRawData 0x2600
PointerToRawData 0x39200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.58513

Imports

ntoskrnl.exe IoGetDeviceProperty
IoDeleteDevice
IoDetachDevice
IoAttachDeviceToDeviceStack
IoInitializeRemoveLockEx
IoCreateDevice
KeSetEvent
KeInitializeEvent
ExAllocatePoolWithTag
KeInitializeMutex
ExFreePoolWithTag
RtlFreeUnicodeString
memcpy
_aulldiv
_aullrem
_allmul
_purecall
IoAllocateWorkItem
IoFreeWorkItem
IoReleaseRemoveLockAndWaitEx
ObfDereferenceObject
ProbeForWrite
ObReferenceObjectByHandle
ExEventObjectType
_except_handler3
KeWaitForSingleObject
IoQueueWorkItem
RtlInitUnicodeString
IoOpenDeviceRegistryKey
PoSetPowerState
PoRequestPowerIrp
IoOpenDeviceInterfaceRegistryKey
IoRegisterDeviceInterface
RtlAnsiStringToUnicodeString
RtlInitAnsiString
IoSetDeviceInterfaceState
RtlEqualUnicodeString
KeInsertQueueDpc
IoBuildSynchronousFsdRequest
KeReleaseMutex
memset
PsReferencePrimaryToken
IoGetRequestorProcess
PsDereferenceImpersonationToken
SeTokenIsAdmin
PsReferenceImpersonationToken
MmFreePagesFromMdl
MmAllocatePagesForMdl
MmFreeContiguousMemory
MmAllocateContiguousMemory
MmBuildMdlForNonPagedPool
MmSizeOfMdl
MmUnlockPages
PsGetProcessId
ProbeForRead
PsGetCurrentProcessId
MmMapLockedPagesSpecifyCache
IoBuildPartialMdl
ZwClose
ZwMapViewOfSection
ZwOpenSection
ZwOpenProcess
MmUnmapLockedPages
ZwUnmapViewOfSection
MmMapIoSpace
MmUnmapIoSpace
KeInitializeSemaphore
KeReleaseSemaphore
KeQueryTimeIncrement
_alldiv
KeTickCount
KeGetCurrentThread
memmove
ZwQueryValueKey
ZwSetValueKey
ZwDeleteKey
ZwDeleteValueKey
ZwOpenKey
ZwCreateKey
DbgPrint
_vsnprintf
_wcsupr
wcstombs
IofCallDriver
IoReleaseRemoveLockEx
IoAcquireRemoveLockEx
PsDereferencePrimaryToken
IofCompleteRequest
IoGetDeviceNumaNode
RtlAnsiCharToUnicodeChar
KeBugCheckEx
MmGetSystemRoutineAddress
IoConnectInterrupt
IoDisconnectInterrupt
KeQueryActiveProcessors
HAL.DLL ExAcquireFastMutex
KeQueryPerformanceCounter
KfReleaseSpinLock
KeGetCurrentIrql
KfAcquireSpinLock
ExReleaseFastMutex

Delayed Imports

1

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x4c8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.51386
MD5 04940acf43ce744c9958ab2e38a8c3fe
SHA1 171b835cf67bec48a8e513820bc45875e48a725d
SHA256 413ad5b2a24b2f4db17c141a586b8430cca8952178c0077fd40e3eb2bc8f6928
SHA3 deba1488a9d699912eb2929ca575fe25f59752f832d5e9a93437ad5d26e2e805

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 1.0.0.16384
ProductVersion 1.0.0.16384
FileFlags VS_FF_DEBUG
VS_FF_PRERELEASE
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_DLL
Language English - United States
CompanyName National Instruments Corporation
LegalCopyright Copyright © 2000-2020 National Instruments Corporation. All Rights Reserved.
ProductName NISOMEDRIVER
OriginalFilename nisomedriver.sys
FileDescription Some Friendly Description of nisomedriver
ProductVersion (#2) 1.0.0a0 debug build
FileVersion (#2) 1.0.0a0 debug build
InternalName NISOMEDRIVER 1.0.0a0 debug build
Comments 2020/04/10 14:20:27, nisomedriver/winxpK/i386/msvc-10.0/debug
PrivateBuild alpha build
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2020-Apr-10 11:22:02
Version 0.0
SizeofData 106
AddressOfRawData 0x38724
PointerToRawData 0x36d24
Referenced File D:\Builds\tools\objects\nisomedriver\winxpK\i386\msvc-10.0\debug\nisomedriver.pdb

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xc87ecd0e
Unmarked objects 0
C objects (VS2008 SP1 build 30729) 13
C++ objects (VS2008 SP1 build 30729) 4
Total imports 101
Imports (VS2003 (.NET) build 4035) 5
C++ objects (VS2010 SP1 build 40219) 28
C objects (VS2010 SP1 build 40219) 4
Resource objects (VS2010 SP1 build 40219) 1
Linker (VS2010 SP1 build 40219) 1

Errors