YARA rules
5,941 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. Rules below come from multiple open repositories. Expand any rule to see its raw signature.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR.
Adapt. Tighten or loosen the string and condition matches for your false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment.
Scope. These are for hunting known malware families in files and memory and for triaging samples - not for network traffic or log-based detection, which the IDS and Sigma rules cover.
Rules
50 shown of 5,941
PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev_26F4
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys
// Version-resource fingerprint for the VBoxDrv.sys build listed in LOLDrivers. Every hex
// string is a UTF-16 field name (each character written as 00 XX), a [1-8] byte jump that
// presumably spans the terminator and alignment padding between name and value, then the
// expected UTF-16 value. The FileDescription is VirtualBox's, but CompanyName and ProductName
// belong to a third-party repackaging ("Vektor T13 Security Service"), so stock Oracle builds
// should not trip it. Only version strings are checked, and those can be copied into any
// file, so confirm a hit against the sample hash or the Authenticode signature before acting.
rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev_26F4 {
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
// 64 hex digits (SHA-256 length) of the reference sample; the rule-name suffix 26F4 is its first two bytes
hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712"
date = "2024-08-07"
// match weight for scanners that rank hits; its exact meaning is scanner-specific
score = 40
id = "1ee8489d-ef29-5d5b-80f5-8f0a206eda3f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription = "VirtualBox Support Driver" */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName = "Vektor T13 Security Service" */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e003100310039003200330030 } /* FileVersion = "1.2.0.119230" */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e003100310039003200330030 } /* ProductVersion = "1.2.0.119230" */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName = "VBoxDrv" */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100380020005000750062006c00690063002000620079002000560065006b0074006f0072002000540031003300200028007200650076002e003000350029 } /* ProductName = "Antidetect 2018 Public by VektorT13 (rev.05)" */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename = "VBoxDrv.sys" */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100380020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright = "Copyright (C) 2009-2018 Oracle Corporation" */
condition:
// Cheap pre-filters before the string search: "MZ" DOS magic at offset 0 (0x5a4d read
// little-endian) and a size cap; then all eight anonymous strings must be present.
uint16(0) == 0x5a4d and filesize < 400KB and all of them
}
PUA_VULN_Driver_Watchdogdevelopmentcomllc_Wsdkdsys_Wsdkd_6278
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wsdkd.sys
// Version-resource fingerprint for the wsdkd.sys build listed in LOLDrivers. Every hex string
// is a UTF-16 field name (each character written as 00 XX), a [1-8] byte jump that presumably
// spans the terminator and alignment padding between name and value, then the expected UTF-16
// value. Only version strings are checked, and those can be copied into any file, so confirm a
// hit against the sample hash or the Authenticode signature before acting on it.
rule PUA_VULN_Driver_Watchdogdevelopmentcomllc_Wsdkdsys_Wsdkd_6278 {
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wsdkd.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
// 64 hex digits (SHA-256 length) of the reference sample; the rule-name suffix 6278 is its first two bytes
hash = "6278bc785113831b2ec3368e2c9c9e89e8aca49085a59d8d38dac651471d6440"
date = "2024-08-07"
// match weight for scanners that rank hits; its exact meaning is scanner-specific
score = 40
id = "4beb5c5a-5bdf-513e-9d43-00c30289eddb"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005700610074006300680044006f006700200041006e00740069007600690072007500730020004400720069007600650072 } /* FileDescription = "WatchDog Antivirus Driver" */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005700610074006300680044006f00670044006500760065006c006f0070006d0065006e0074002e0063006f006d002c0020004c004c0043002e } /* CompanyName = "WatchDogDevelopment.com, LLC." */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0033002e0031002e0030 } /* FileVersion = "0.3.1.0" */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0033002e0031002e0030 } /* ProductVersion = "0.3.1.0" */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007700730064006b0064002e007300790073 } /* InternalName = "wsdkd.sys" */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]007700730064006b0064 } /* ProductName = "wsdkd" */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007700730064006b0064002e007300790073 } /* OriginalFilename = "wsdkd.sys" */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320032 } /* LegalCopyright = "Copyright (C) 2022" (prefix only; anything may follow) */
condition:
// Cheap pre-filters before the string search: "MZ" DOS magic at offset 0 (0x5a4d read
// little-endian) and a size cap; then all eight anonymous strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcodenamelonghornddkdriver_159E
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WCPU.sys
// Version-resource fingerprint for the ASUS WCPU.sys build listed in LOLDrivers. Every hex
// string is a UTF-16 field name (each character written as 00 XX), a [1-8] byte jump that
// presumably spans the terminator and alignment padding, then the expected UTF-16 value.
// CompanyName, ProductName and both version fields are the generic "Windows (R) Codename
// Longhorn DDK" placeholders that the cpuz and rtkio rules on this page share, so the
// discriminating strings are FileDescription, InternalName/OriginalFilename ("CPU Driver",
// not a file name) and the ASUSTek copyright. Version strings can be copied into any file;
// confirm a hit against the sample hash or the Authenticode signature before acting on it.
rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcodenamelonghornddkdriver_159E {
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WCPU.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
// 64 hex digits (SHA-256 length) of the reference sample; the rule-name suffix 159E is its first two bytes
hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980"
date = "2024-08-07"
// match weight for scanners that rank hits; its exact meaning is scanner-specific
score = 40
id = "4ca1b53c-7539-5e0e-8309-224a4a859480"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription = "ASUS TDE CPU Driver" */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName = "Windows (R) Codename Longhorn DDK provider" (WinDDK placeholder) */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion = "6.0.6000.16386 built by: WinDDK" */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion = "6.0.6000.16386" */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000550020004400720069007600650072 } /* InternalName = "CPU Driver" */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName = "Windows (R) Codename Longhorn DDK driver" (WinDDK placeholder) */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000550020004400720069007600650072 } /* OriginalFilename = "CPU Driver" */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020006200790020004100530055005300540065006b00200043004f004d0050005500540045005200200049004e0043002e00200032003000300036 } /* LegalCopyright = "Copyright by ASUSTek COMPUTER INC. 2006" */
condition:
// Cheap pre-filters before the string search: "MZ" DOS magic at offset 0 (0x5a4d read
// little-endian) and a size cap; then all eight anonymous strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_4932
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys
// Version-resource fingerprint for the "CPUID Driver" cpuz.sys builds listed in LOLDrivers.
// Every hex string is a UTF-16 field name (each character written as 00 XX), a [1-8] byte
// jump that presumably spans the terminator and alignment padding, then the expected UTF-16
// value. CompanyName, ProductName, both version fields and LegalCopyright are generic WinDDK
// / Microsoft placeholders shared with the _EAA5 and rtkio rules on this page, so the
// discriminating strings are FileDescription, InternalName and OriginalFilename (the sibling
// rule _EAA5 differs only in FileDescription = "CPU-Z Driver"). Version strings can be
// copied into any file; confirm a hit against the sample hash or signature before acting.
rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_4932 {
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
// Nine samples (64-hex-digit, SHA-256 length) share this exact version resource; the rule-name suffix 4932 is the first one's leading bytes
hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668"
hash = "84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51"
hash = "8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c"
hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e"
hash = "ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4"
hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98"
hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126"
hash = "79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd"
hash = "6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097"
date = "2024-08-07"
// match weight for scanners that rank hits; its exact meaning is scanner-specific
score = 40
id = "6fa00211-cb55-5870-92ec-18a6e2c7eb89"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription = "CPUID Driver" */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName = "Windows (R) Codename Longhorn DDK provider" (WinDDK placeholder) */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion = "6.0.6000.16386 built by: WinDDK" */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion = "6.0.6000.16386" */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName = "cpuz.sys" */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName = "Windows (R) Codename Longhorn DDK driver" (WinDDK placeholder) */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename = "cpuz.sys" */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright = "(c) Microsoft Corporation. All rights reserved." (00a9 is the copyright sign) */
condition:
// Cheap pre-filters before the string search: "MZ" DOS magic at offset 0 (0x5a4d read
// little-endian) and a size cap; then all eight anonymous strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_EAA5
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys
// Version-resource fingerprint for the "CPU-Z Driver" cpuz.sys build listed in LOLDrivers.
// Every hex string is a UTF-16 field name (each character written as 00 XX), a [1-8] byte
// jump that presumably spans the terminator and alignment padding, then the expected UTF-16
// value. Seven of the eight strings are identical to the sibling _4932 rule; only the
// FileDescription differs ("CPU-Z Driver" here, "CPUID Driver" there), so that one string
// carries the distinction. Version strings can be copied into any file; confirm a hit against
// the sample hash or the Authenticode signature before acting on it.
rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_EAA5 {
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
// 64 hex digits (SHA-256 length) of the reference sample; the rule-name suffix EAA5 is its first two bytes
hash = "eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd"
date = "2024-08-07"
// match weight for scanners that rank hits; its exact meaning is scanner-specific
score = 40
id = "d7e481c0-695e-5536-8b06-b66d0f711f86"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription = "CPU-Z Driver" */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName = "Windows (R) Codename Longhorn DDK provider" (WinDDK placeholder) */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion = "6.0.6000.16386 built by: WinDDK" */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion = "6.0.6000.16386" */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName = "cpuz.sys" */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName = "Windows (R) Codename Longhorn DDK driver" (WinDDK placeholder) */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename = "cpuz.sys" */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright = "(c) Microsoft Corporation. All rights reserved." (00a9 is the copyright sign) */
condition:
// Cheap pre-filters before the string search: "MZ" DOS magic at offset 0 (0x5a4d read
// little-endian) and a size cap; then all eight anonymous strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodenamelonghornddkdriver_916C
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys
// Version-resource fingerprint for the Realtek rtkio driver builds listed in LOLDrivers. Every
// hex string is a UTF-16 field name (each character written as 00 XX), a [1-8] byte jump that
// presumably spans the terminator and alignment padding, then the expected UTF-16 value.
// CompanyName, ProductName, both version fields and LegalCopyright are generic WinDDK /
// Microsoft placeholders shared with the cpuz rules on this page, so the discriminating
// strings are FileDescription, InternalName and OriginalFilename. The description lists
// rtkio64/rtkiow8x64/rtkiow10x64 file names, but the patterns only ever expect "rtkio.sys";
// presumably those builds keep that InternalName - confirm against the three listed samples.
// Version strings can be copied into any file; confirm a hit against hash or signature.
rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodenamelonghornddkdriver_916C {
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
// Three samples (64-hex-digit, SHA-256 length) share this exact version resource; the rule-name suffix 916C is the first one's leading bytes
hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677"
hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab"
hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82"
date = "2024-08-07"
// match weight for scanners that rank hits; its exact meaning is scanner-specific
score = 40
id = "346488b2-5390-528e-8d54-5ed3dbc6e322"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription = "Realtek IODriver" */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName = "Windows (R) Codename Longhorn DDK provider" (WinDDK placeholder) */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion = "6.0.6000.16386 built by: WinDDK" */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion = "6.0.6000.16386" */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* InternalName = "rtkio.sys" */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName = "Windows (R) Codename Longhorn DDK driver" (WinDDK placeholder) */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* OriginalFilename = "rtkio.sys" */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright = "(c) Microsoft Corporation. All rights reserved." (00a9 is the copyright sign) */
condition:
// Cheap pre-filters before the string search: "MZ" DOS magic at offset 0 (0x5a4d read
// little-endian) and a size cap; then all eight anonymous strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys
// Version-resource fingerprint for the Windows 2000 DDK gdrv.sys builds listed in LOLDrivers.
// Every hex string is a UTF-16 field name (each character written as 00 XX), a [1-8] byte
// jump that presumably spans the terminator and alignment padding, then the expected UTF-16
// value. CompanyName, ProductName and LegalCopyright are generic "Windows (R) 2000 DDK" /
// Microsoft placeholders shared with the rtport rules on this page, so FileDescription,
// InternalName, OriginalFilename and the 5.00.2195.1620 version carry the distinction.
// Version strings can be copied into any file; confirm a hit against hash or signature.
rule PUA_VULN_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF {
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
// Two samples (64-hex-digit, SHA-256 length) share this exact version resource; the rule-name suffix F4FF is the first one's leading bytes
hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b"
hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b"
date = "2024-08-07"
// match weight for scanners that rank hits; its exact meaning is scanner-specific
score = 40
id = "e7e01116-2971-59fd-bada-ac22cdc17670"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription = "GIGABYTE Tools" */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName = "Windows (R) 2000 DDK provider" (DDK placeholder) */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* FileVersion = "5.00.2195.1620" */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* ProductVersion = "5.00.2195.1620" */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName = "gdrv.sys" */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName = "Windows (R) 2000 DDK driver" (DDK placeholder) */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename = "gdrv.sys" */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright = "Copyright (C) Microsoft Corp. 1981-1999" */
condition:
// Cheap pre-filters before the string search: "MZ" DOS magic at offset 0 (0x5a4d read
// little-endian) and a size cap; then all eight anonymous strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_6F80
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys
// Version-resource fingerprint for the rtport.sys build (version 5.00.2195.1620) listed in
// LOLDrivers. Every hex string is a UTF-16 field name (each character written as 00 XX), a
// [1-8] byte jump that presumably spans the terminator and alignment padding, then the
// expected UTF-16 value. CompanyName, ProductName and LegalCopyright are generic "Windows (R)
// 2000 DDK" / Microsoft placeholders shared with the gdrv _F4FF rule, and the sibling rtport
// _C490 rule differs from this one only in the version strings, so FileDescription,
// InternalName/OriginalFilename and the exact version carry the distinction. Version strings
// can be copied into any file; confirm a hit against the sample hash or signature.
rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_6F80 {
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
// 64 hex digits (SHA-256 length) of the reference sample; the rule-name suffix 6F80 is its first two bytes
hash = "6f806a9de79ac2886613c20758546f7e9597db5a20744f7dd82d310b7d6457d0"
date = "2024-08-07"
// match weight for scanners that rank hits; its exact meaning is scanner-specific
score = 40
id = "8ed20998-ff6a-56d1-aa40-b6b35f308cbd"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f } /* FileDescription = "Generic Port I/O" */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName = "Windows (R) 2000 DDK provider" (DDK placeholder) */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* FileVersion = "5.00.2195.1620" */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* ProductVersion = "5.00.2195.1620" */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName = "rtport.sys" */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName = "Windows (R) 2000 DDK driver" (DDK placeholder) */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename = "rtport.sys" */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright = "Copyright (C) Microsoft Corp. 1981-1999" */
condition:
// Cheap pre-filters before the string search: "MZ" DOS magic at offset 0 (0x5a4d read
// little-endian) and a size cap; then all eight anonymous strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_C490
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys
// Version-resource fingerprint for the rtport.sys builds (version 5.00.2195.1) listed in
// LOLDrivers. Every hex string is a UTF-16 field name (each character written as 00 XX), a
// [1-8] byte jump that presumably spans the terminator and alignment padding, then the
// expected UTF-16 value. This rule is the sibling of _6F80 and differs only in the version
// strings; CompanyName, ProductName and LegalCopyright are generic "Windows (R) 2000 DDK" /
// Microsoft placeholders. Note the version patterns "5.00.2195.1" are a prefix and would
// also sit inside a longer string such as "5.00.2195.1620" - the sibling rule is expected to
// fire alongside this one on such files. Confirm a hit against hash or signature.
rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_C490 {
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
// Three samples (64-hex-digit, SHA-256 length) share this exact version resource; the rule-name suffix C490 is the first one's leading bytes
hash = "c490d6c0844f59fdb4aa850a06e283fbf5e5b6ac20ff42ead03d549d8ae1c01b"
hash = "a29093d4d708185ba8be35709113fb42e402bbfbf2960d3e00fd7c759ef0b94e"
hash = "e3dbafce5ad2bf17446d0f853aeedf58cc25aa1080ab97e22375a1022d6acb16"
date = "2024-08-07"
// match weight for scanners that rank hits; its exact meaning is scanner-specific
score = 40
id = "054d4045-5d8d-5bd9-aaba-3a0cbef517af"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f } /* FileDescription = "Generic Port I/O" */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName = "Windows (R) 2000 DDK provider" (DDK placeholder) */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031 } /* FileVersion = "5.00.2195.1" (prefix match; no terminator is required) */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031 } /* ProductVersion = "5.00.2195.1" (prefix match; no terminator is required) */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName = "rtport.sys" */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName = "Windows (R) 2000 DDK driver" (DDK placeholder) */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename = "rtport.sys" */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright = "Copyright (C) Microsoft Corp. 1981-1999" */
condition:
// Cheap pre-filters before the string search: "MZ" DOS magic at offset 0 (0x5a4d read
// little-endian) and a size cap; then all eight anonymous strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovider_3C0A
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys
// Version-resource fingerprint for the Win32 "Generic Port I/O" rtport.sys build listed in
// LOLDrivers. Every hex string is a UTF-16 field name (each character written as 00 XX), a
// [1-8] byte jump that presumably spans the terminator and alignment padding, then the
// expected UTF-16 value. CompanyName and ProductName are both the same "Windows (R) 2003 DDK
// 3790 provider" placeholder (hence the rule name), and the sibling _8FE4 rule differs only
// in FileDescription ("... for Win64"), so that string and the file name carry the
// distinction. Version strings can be copied into any file; confirm a hit against the
// sample hash or the Authenticode signature before acting on it.
rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovider_3C0A {
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
// 64 hex digits (SHA-256 length) of the reference sample; the rule-name suffix 3C0A is its first two bytes
hash = "3c0a36990f7eef89b2d5f454b6452b6df1304609903f31f475502e4050241dd8"
date = "2024-08-07"
// match weight for scanners that rank hits; its exact meaning is scanner-specific
score = 40
id = "41080479-633a-5f9b-88c9-fba696c3205a"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f00200066006f0072002000570069006e00330032 } /* FileDescription = "Generic Port I/O for Win32" */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* CompanyName = "Windows (R) 2003 DDK 3790 provider" (DDK placeholder) */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* FileVersion = "5.0.2195.1711" */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* ProductVersion = "5.0.2195.1711" */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName = "rtport.sys" */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* ProductName = "Windows (R) 2003 DDK 3790 provider" (same placeholder as CompanyName) */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename = "rtport.sys" */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200032003000300035 } /* LegalCopyright = "Copyright (C) Microsoft Corp. 2005" */
condition:
// Cheap pre-filters before the string search: "MZ" DOS magic at offset 0 (0x5a4d read
// little-endian) and a size cap; then all eight anonymous strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovider_8FE4
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys
// Version-resource fingerprint for the Win64 "Generic Port I/O" rtport.sys builds listed in
// LOLDrivers. Every hex string is a UTF-16 field name (each character written as 00 XX), a
// [1-8] byte jump that presumably spans the terminator and alignment padding, then the
// expected UTF-16 value. Seven of the eight strings are identical to the sibling _3C0A rule;
// only the FileDescription differs ("for Win64" here, "for Win32" there). CompanyName and
// ProductName are the same "Windows (R) 2003 DDK 3790 provider" placeholder. Version strings
// can be copied into any file; confirm a hit against the sample hash or signature.
rule PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovider_8FE4 {
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
// Two samples (64-hex-digit, SHA-256 length) share this exact version resource; the rule-name suffix 8FE4 is the first one's leading bytes
hash = "8fe429c46fedbab8f06e5396056adabbb84a31efef7f9523eb745fc60144db65"
hash = "71423a66165782efb4db7be6ce48ddb463d9f65fd0f266d333a6558791d158e5"
date = "2024-08-07"
// match weight for scanners that rank hits; its exact meaning is scanner-specific
score = 40
id = "85e60907-b5da-5c9a-811e-0ddb0c850087"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00470065006e006500720069006300200050006f0072007400200049002f004f00200066006f0072002000570069006e00360034 } /* FileDescription = "Generic Port I/O for Win64" */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* CompanyName = "Windows (R) 2003 DDK 3790 provider" (DDK placeholder) */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* FileVersion = "5.0.2195.1711" */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030002e0032003100390035002e0031003700310031 } /* ProductVersion = "5.0.2195.1711" */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* InternalName = "rtport.sys" */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300033002000440044004b00200033003700390030002000700072006f00760069006400650072 } /* ProductName = "Windows (R) 2003 DDK 3790 provider" (same placeholder as CompanyName) */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007200740070006f00720074002e007300790073 } /* OriginalFilename = "rtport.sys" */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200032003000300035 } /* LegalCopyright = "Copyright (C) Microsoft Corp. 2005" */
condition:
// Cheap pre-filters before the string search: "MZ" DOS magic at offset 0 (0x5a4d read
// little-endian) and a size cap; then all eight anonymous strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3871
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz_x64.sys
// Version-resource fingerprint for the Server 2003 DDK "CPUID Driver" build listed in
// LOLDrivers. Every hex string is a UTF-16 field name (each character written as 00 XX), a
// [1-8] byte jump that presumably spans the terminator and alignment padding, then the
// expected UTF-16 value. The description names cpuz_x64.sys, but the InternalName and
// OriginalFilename patterns expect "cpuz.sys" - presumably the x64 build keeps those
// fields; confirm against the listed sample. CompanyName, ProductName and LegalCopyright are
// generic DDK / Microsoft placeholders shared with the _BE68 and gdrv _8899 rules, so
// FileDescription, the file name and the 5.2.3790.0 version carry the distinction. Version
// strings can be copied into any file; confirm a hit against the sample hash or signature.
rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3871 {
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz_x64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
// 64 hex digits (SHA-256 length) of the reference sample; the rule-name suffix 3871 is its first two bytes
hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3"
date = "2024-08-07"
// match weight for scanners that rank hits; its exact meaning is scanner-specific
score = 40
id = "ddcb8217-640d-598d-9afd-a1c15d1bbb8c"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription = "CPUID Driver" */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName = "Windows (R) Server 2003 DDK provider" (DDK placeholder) */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion = "5.2.3790.0 built by: WinDDK" */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion = "5.2.3790.0" */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName = "cpuz.sys" */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName = "Windows (R) Server 2003 DDK driver" (DDK placeholder) */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename = "cpuz.sys" */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright = "(c) Microsoft Corporation. All rights reserved." (00a9 is the copyright sign) */
condition:
// Cheap pre-filters before the string search: "MZ" DOS magic at offset 0 (0x5a4d read
// little-endian) and a size cap; then all eight anonymous strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_BE68
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys
// Version-resource fingerprint for the Server 2003 DDK "CPU-Z Driver" cpuz.sys build listed
// in LOLDrivers. Every hex string is a UTF-16 field name (each character written as 00 XX),
// a [1-8] byte jump that presumably spans the terminator and alignment padding, then the
// expected UTF-16 value. Seven of the eight strings are identical to the sibling _3871 rule;
// only the FileDescription differs ("CPU-Z Driver" here, "CPUID Driver" there), so that one
// string carries the distinction. Version strings can be copied into any file; confirm a hit
// against the sample hash or the Authenticode signature before acting on it.
rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_BE68 {
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
// 64 hex digits (SHA-256 length) of the reference sample; the rule-name suffix BE68 is its first two bytes
hash = "be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7"
date = "2024-08-07"
// match weight for scanners that rank hits; its exact meaning is scanner-specific
score = 40
id = "5eede083-38a6-50f5-b31e-a4880d4b4304"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription = "CPU-Z Driver" */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName = "Windows (R) Server 2003 DDK provider" (DDK placeholder) */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion = "5.2.3790.0 built by: WinDDK" */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion = "5.2.3790.0" */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName = "cpuz.sys" */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName = "Windows (R) Server 2003 DDK driver" (DDK placeholder) */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename = "cpuz.sys" */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright = "(c) Microsoft Corporation. All rights reserved." (00a9 is the copyright sign) */
condition:
// Cheap pre-filters before the string search: "MZ" DOS magic at offset 0 (0x5a4d read
// little-endian) and a size cap; then all eight anonymous strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_8899
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys
// Version-resource fingerprint for the Server 2003 DDK gdrv.sys builds listed in LOLDrivers.
// Every hex string is a UTF-16 field name (each character written as 00 XX), a [1-8] byte
// jump that presumably spans the terminator and alignment padding, then the expected UTF-16
// value. CompanyName, ProductName and LegalCopyright are generic DDK / Microsoft placeholders
// shared with the cpuz _3871/_BE68 rules, so FileDescription ("GIGABYTE Tools"), the
// gdrv.sys file name and the 5.2.3790.1830 version carry the distinction; the older
// gdrv _F4FF rule covers the Windows 2000 DDK build with a different version. Version strings
// can be copied into any file; confirm a hit against the sample hash or signature.
rule PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_8899 {
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
// Four samples (64-hex-digit, SHA-256 length) share this exact version resource; the rule-name suffix 8899 is the first one's leading bytes
hash = "88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3"
hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427"
hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38"
hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229"
date = "2024-08-07"
// match weight for scanners that rank hits; its exact meaning is scanner-specific
score = 40
id = "e7728971-efb9-5c8b-8600-8f2b393d966e"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription = "GIGABYTE Tools" */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName = "Windows (R) Server 2003 DDK provider" (DDK placeholder) */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00310038003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion = "5.2.3790.1830 built by: WinDDK" */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0031003800330030 } /* ProductVersion = "5.2.3790.1830" */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName = "gdrv.sys" */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName = "Windows (R) Server 2003 DDK driver" (DDK placeholder) */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename = "gdrv.sys" */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright = "(c) Microsoft Corporation. All rights reserved." (00a9 is the copyright sign) */
condition:
// Cheap pre-filters before the string search: "MZ" DOS magic at offset 0 (0x5a4d read
// little-endian) and a size cap; then all eight anonymous strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriver_22BE
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - speedfan.sys
/*
 * LOLDrivers VersionInfo signature for speedfan.sys ("SpeedFan Device Driver").
 *
 * The rule pins all eight VS_VERSIONINFO fields of the known-vulnerable build
 * (UTF-16 hex, with a [1-8] jump for the key terminator and padding between
 * key and value), plus the MZ magic and a size cap of 100 KB.
 *
 * Review notes:
 *  - The hash meta is the SHA-256 of the reference sample only; matching is
 *    done on the VersionInfo strings, not on the hash.
 *  - A different SpeedFan build (other FileVersion/ProductVersion) does not
 *    match; a sample with its version resource stripped evades the rule.
 *  - score 40 / PUA: SpeedFan is a legitimate utility, so a hit on a user
 *    workstation may be benign. Check who installed the driver and whether
 *    it was loaded from an unexpected location before escalating.
 */
rule PUA_VULN_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriver_22BE {
    meta:
        description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - speedfan.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c"
        date = "2024-08-07"
        score = 40
        id = "c683be43-e577-5248-8a28-b13dbefd7f91"
    strings:
        // VS_VERSIONINFO key -> value pairs (UTF-16, decoded value in the trailing comment)
        $vi_filedesc  = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } // "SpeedFan Device Driver"
        $vi_company   = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } // "Windows (R) Server 2003 DDK provider"
        $vi_filever   = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } // "5.2.3790.0 built by: WinDDK"
        $vi_prodver   = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } // "5.2.3790.0"
        $vi_internal  = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0073007000650065006400660061006e002e007300790073 } // "speedfan.sys"
        $vi_product   = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } // "Windows (R) Server 2003 DDK driver"
        $vi_origname  = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0073007000650065006400660061006e002e007300790073 } // "speedfan.sys"
        $vi_copyright = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } // "© Microsoft Corporation. All rights reserved."
    condition:
        // "MZ" magic, small file, and every VersionInfo field present
        uint16(0) == 0x5a4d
        and filesize < 100KB
        and all of ($vi_*)
}
PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D8
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys, amifldrv.sys
/*
 * LOLDrivers VersionInfo signature for amifldrv.sys / amifldrv64.sys
 * ("AMI Generic Utility Driver", used by AMI firmware flash tools).
 *
 * Both the 32- and 64-bit files carry InternalName/OriginalFilename
 * "amifldrv.sys", which is why one rule with two reference hashes covers
 * both. Matching is on the eight UTF-16 VS_VERSIONINFO fields below (the
 * [1-8] jump skips the key terminator and padding), the MZ magic and a
 * 100 KB size cap.
 *
 * Review notes:
 *  - Hashes in meta are reference samples (SHA-256), not match criteria.
 *  - Any build whose VersionInfo differs in a single field is missed.
 *  - score 40 / PUA: this driver ships with legitimate vendor firmware
 *    update utilities; confirm the dropping process and load context before
 *    treating a hit as an incident.
 */
rule PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D8 {
    meta:
        description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys, amifldrv.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20"
        hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f"
        date = "2024-08-07"
        score = 40
        id = "9c05031d-2062-53fb-982c-f874bf902b48"
    strings:
        // VS_VERSIONINFO key -> value pairs (UTF-16, decoded value in the trailing comment)
        $vi_filedesc  = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } // "AMI Generic Utility Driver"
        $vi_company   = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } // "Windows (R) Win 7 DDK provider"
        $vi_filever   = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } // "10.0.10011.16384"
        $vi_prodver   = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } // "10.0.10011.16384"
        $vi_internal  = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } // "amifldrv.sys"
        $vi_product   = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } // "Windows (R) Win 7 DDK driver"
        $vi_origname  = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } // "amifldrv.sys"
        $vi_copyright = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } // "© Microsoft Corporation. All rights reserved."
    condition:
        // "MZ" magic, small file, and every VersionInfo field present
        uint16(0) == 0x5a4d
        and filesize < 100KB
        and all of ($vi_*)
}
PUA_VULN_Driver_Windowsrwinddkprovider_Atlaccesssys_Windowsrwinddkdriver_0B57
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atlAccess.sys
/*
 * LOLDrivers VersionInfo signature for atlAccess.sys ("Simple PCI access driver").
 *
 * Eight UTF-16 VS_VERSIONINFO fields are pinned (key, [1-8] jump for the
 * terminator/padding, then value); together with the MZ magic and the
 * 100 KB size cap they identify the vulnerable build.
 *
 * Review notes:
 *  - The CompanyName/ProductName/LegalCopyright values are the generic
 *    WinDDK template strings, so they carry little discriminating power on
 *    their own; the FileDescription and InternalName/OriginalFilename fields
 *    are what make this rule specific. Do not loosen `all of`.
 *  - The meta hash is the reference sample's SHA-256; it is not matched on.
 *  - score 40 / PUA: a raw PCI access driver is a classic BYOVD primitive,
 *    but it can also be part of a legitimately installed tool. Correlate the
 *    hit with how and by whom the driver was loaded.
 */
rule PUA_VULN_Driver_Windowsrwinddkprovider_Atlaccesssys_Windowsrwinddkdriver_0B57 {
    meta:
        description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atlAccess.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "0b57569aaa0f4789d9642dd2189b0a82466b80ad32ff35f88127210ed105fe57"
        date = "2024-08-07"
        score = 40
        id = "1c6be4ef-90f7-5b77-8490-0362233c02d9"
    strings:
        // VS_VERSIONINFO key -> value pairs (UTF-16, decoded value in the trailing comment)
        $vi_filedesc  = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006d0070006c0065002000500043004900200061006300630065007300730020006400720069007600650072 } // "Simple PCI access driver"
        $vi_company   = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } // "Windows (R) Win 7 DDK provider"
        $vi_filever   = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } // "6.1.7600.16385 built by: WinDDK"
        $vi_prodver   = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } // "6.1.7600.16385"
        $vi_internal  = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00610074006c004100630063006500730073002e007300790073 } // "atlAccess.sys"
        $vi_product   = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } // "Windows (R) Win 7 DDK driver"
        $vi_origname  = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00610074006c004100630063006500730073002e007300790073 } // "atlAccess.sys"
        $vi_copyright = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } // "© Microsoft Corporation. All rights reserved."
    condition:
        // "MZ" magic, small file, and every VersionInfo field present
        uint16(0) == 0x5a4d
        and filesize < 100KB
        and all of ($vi_*)
}
PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_1F4D
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys
/*
 * LOLDrivers VersionInfo signature for cpuz.sys ("CPUID Driver", WinDDK 6.1 build).
 *
 * Twelve reference hashes share the same eight VersionInfo values, which is
 * why a single string-based rule covers all of them: the match is on the
 * UTF-16 VS_VERSIONINFO fields ([1-8] jump for terminator/padding between
 * key and value), the MZ magic and a 100 KB size cap - never on the hashes.
 *
 * Review notes:
 *  - Only the 6.1.7600.16385 build is covered; other CPU-Z driver versions
 *    need their own rule (an older Server 2003 DDK variant appears elsewhere
 *    in this rule set).
 *  - CPU-Z is widely installed on workstations, so a hit is frequently a
 *    legitimate copy. The PUA prefix and score 40 reflect that: triage on
 *    load path, dropping process and service creation, not on the hit alone.
 */
rule PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_1F4D {
    meta:
        description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c"
        hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e"
        hash = "922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832"
        hash = "c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547"
        hash = "c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0"
        hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e"
        hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b"
        hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c"
        hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036"
        hash = "b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5"
        hash = "65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377"
        hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289"
        date = "2024-08-07"
        score = 40
        id = "145b846a-8721-5a56-aa76-6d7d5dd16562"
    strings:
        // VS_VERSIONINFO key -> value pairs (UTF-16, decoded value in the trailing comment)
        $vi_filedesc  = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } // "CPUID Driver"
        $vi_company   = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } // "Windows (R) Win 7 DDK provider"
        $vi_filever   = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } // "6.1.7600.16385 built by: WinDDK"
        $vi_prodver   = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } // "6.1.7600.16385"
        $vi_internal  = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } // "cpuz.sys"
        $vi_product   = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } // "Windows (R) Win 7 DDK driver"
        $vi_origname  = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } // "cpuz.sys"
        $vi_copyright = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } // "© Microsoft Corporation. All rights reserved."
    condition:
        // "MZ" magic, small file, and every VersionInfo field present
        uint16(0) == 0x5a4d
        and filesize < 100KB
        and all of ($vi_*)
}
PUA_VULN_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys
/*
 * LOLDrivers VersionInfo signature for CupFixerx64.sys ("Sincey Cup Fixer").
 *
 * Pins the eight UTF-16 VS_VERSIONINFO fields of the vulnerable build (key,
 * [1-8] jump over terminator/padding, value), plus MZ magic and a 100 KB cap.
 *
 * Review notes:
 *  - The meta hash is the reference sample's SHA-256 and is not matched on;
 *    any file with identical VersionInfo hits, any file with one field
 *    altered does not.
 *  - The generic "Windows (R) Win 7 DDK" CompanyName/ProductName strings are
 *    shared with many WinDDK-built drivers; specificity comes from the
 *    FileDescription, FileVersion and filename fields.
 *  - score 40 / PUA: treat as a vulnerable-driver inventory hit and confirm
 *    load context before escalating.
 */
rule PUA_VULN_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74 {
    meta:
        description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9"
        date = "2024-08-07"
        score = 40
        id = "32559d4c-eef4-5b67-a74c-f89589bc446b"
    strings:
        // VS_VERSIONINFO key -> value pairs (UTF-16, decoded value in the trailing comment)
        $vi_filedesc  = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } // "Sincey Cup Fixer"
        $vi_company   = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } // "Windows (R) Win 7 DDK provider"
        $vi_filever   = { 00460069006c006500560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } // "32.0.10011.13337"
        $vi_prodver   = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } // "32.0.10011.13337"
        $vi_internal  = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00430075007000460069007800650072007800360034002e007300790073 } // "CupFixerx64.sys"
        $vi_product   = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } // "Windows (R) Win 7 DDK driver"
        $vi_origname  = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00430075007000460069007800650072007800360034002e007300790073 } // "CupFixerx64.sys"
        $vi_copyright = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } // "© Microsoft Corporation. All rights reserved."
    condition:
        // "MZ" magic, small file, and every VersionInfo field present
        uint16(0) == 0x5a4d
        and filesize < 100KB
        and all of ($vi_*)
}
PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_1698
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys
/*
 * LOLDrivers VersionInfo signature for DcProtect.sys - the "Win7x64" build.
 *
 * This is one of eight near-identical DcProtect rules in this set; they
 * differ only in the OS/architecture tag inside ProductName ("DcProtect (R)
 * Win7x64 driver " here). All other fields - FileDescription, version
 * 1.2.0.0, filenames and the Jiangmen Eyun copyright - are shared. If rule
 * count matters for your scanner, the family could be folded into a single
 * rule with a jump over the OS tag; as written, each build needs its own hit.
 *
 * Matching is on the UTF-16 VS_VERSIONINFO fields ([1-8] jump for the key
 * terminator/padding), the MZ magic and a 100 KB size cap. The meta hash is a
 * reference sample, not a match criterion. score 40 / PUA: confirm load path
 * and dropping process before treating a hit as malicious.
 */
rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_1698 {
    meta:
        description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "1698ba7eeee6ff9272cc25b242af89190ff23fd9530f21aa8f0f3792412594f3"
        date = "2024-08-07"
        score = 40
        id = "4be3fa3a-dec2-5906-99b0-024c8ed059a5"
    strings:
        // VS_VERSIONINFO key -> value pairs (UTF-16, decoded value in the trailing comment)
        $vi_filedesc  = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } // "DcProtect Driver"
        $vi_company   = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } // "Windows (R) Win 7 DDK provider"
        $vi_filever   = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } // "1.2.0.0"
        $vi_prodver   = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } // "1.2.0.0"
        $vi_internal  = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } // "DcProtect.sys"
        $vi_product   = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003700780036003400200064007200690076006500720020 } // "DcProtect (R) Win7x64 driver " (trailing space) - the build-specific field
        $vi_origname  = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } // "DcProtect.sys"
        $vi_copyright = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } // "Copyright (C) 2012-2020 Jiangmen Eyun Network Co.,Ltd. 2019"
    condition:
        // "MZ" magic, small file, and every VersionInfo field present
        uint16(0) == 0x5a4d
        and filesize < 100KB
        and all of ($vi_*)
}
PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_3AF9
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys
/*
 * LOLDrivers VersionInfo signature for DcProtect.sys - the "Win10x86" build.
 *
 * One of eight sibling DcProtect rules that differ only in the OS/arch tag
 * carried in ProductName; every other VersionInfo field (version 1.2.0.0,
 * filenames, Jiangmen Eyun copyright) is identical across the family.
 *
 * Matching: UTF-16 VS_VERSIONINFO key/value pairs with a [1-8] jump over the
 * key terminator and padding, MZ magic at offset 0, file under 100 KB. The
 * meta hash is the reference sample's SHA-256 and is not part of the match.
 * score 40 / PUA: a vulnerable-driver inventory hit, not a malware verdict -
 * check load context before acting.
 */
rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_3AF9 {
    meta:
        description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "3af9c376d43321e813057ecd0403e71cafc3302139e2409ab41e254386c33ecb"
        date = "2024-08-07"
        score = 40
        id = "b44afa7f-6a0d-5cbd-ab2c-910d211f5cb0"
    strings:
        // VS_VERSIONINFO key -> value pairs (UTF-16, decoded value in the trailing comment)
        $vi_filedesc  = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } // "DcProtect Driver"
        $vi_company   = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } // "Windows (R) Win 7 DDK provider"
        $vi_filever   = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } // "1.2.0.0"
        $vi_prodver   = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } // "1.2.0.0"
        $vi_internal  = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } // "DcProtect.sys"
        $vi_product   = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0031003000780038003600200064007200690076006500720020 } // "DcProtect (R) Win10x86 driver " (trailing space) - the build-specific field
        $vi_origname  = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } // "DcProtect.sys"
        $vi_copyright = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } // "Copyright (C) 2012-2020 Jiangmen Eyun Network Co.,Ltd. 2019"
    condition:
        // "MZ" magic, small file, and every VersionInfo field present
        uint16(0) == 0x5a4d
        and filesize < 100KB
        and all of ($vi_*)
}
PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_55B5
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys
/*
 * LOLDrivers VersionInfo signature for DcProtect.sys - the "Win7x86" build.
 *
 * Sibling of the other DcProtect rules in this set; only the OS/arch tag in
 * ProductName distinguishes them, the remaining seven VersionInfo fields are
 * identical across the family.
 *
 * Matching: UTF-16 VS_VERSIONINFO key/value pairs ([1-8] jump over the key
 * terminator and padding), MZ magic, file under 100 KB. The meta hash is a
 * reference sample only. score 40 / PUA: confirm where the driver was loaded
 * from and which process dropped it before escalating a hit.
 */
rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_55B5 {
    meta:
        description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "55b5bcbf8fb4e1ce99d201d3903d785888c928aa26e947ce2cdb99eefd0dae03"
        date = "2024-08-07"
        score = 40
        id = "91f857f9-14eb-5b6d-8aed-41c2dae736e1"
    strings:
        // VS_VERSIONINFO key -> value pairs (UTF-16, decoded value in the trailing comment)
        $vi_filedesc  = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } // "DcProtect Driver"
        $vi_company   = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } // "Windows (R) Win 7 DDK provider"
        $vi_filever   = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } // "1.2.0.0"
        $vi_prodver   = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } // "1.2.0.0"
        $vi_internal  = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } // "DcProtect.sys"
        $vi_product   = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003700780038003600200064007200690076006500720020 } // "DcProtect (R) Win7x86 driver " (trailing space) - the build-specific field
        $vi_origname  = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } // "DcProtect.sys"
        $vi_copyright = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } // "Copyright (C) 2012-2020 Jiangmen Eyun Network Co.,Ltd. 2019"
    condition:
        // "MZ" magic, small file, and every VersionInfo field present
        uint16(0) == 0x5a4d
        and filesize < 100KB
        and all of ($vi_*)
}
PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_9DEE
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys
/*
 * LOLDrivers VersionInfo signature for DcProtect.sys - the "Win8.1x64" build.
 *
 * One of eight DcProtect siblings; they differ only in the OS/arch tag of the
 * ProductName value, all other VersionInfo fields are shared.
 *
 * Matching: UTF-16 VS_VERSIONINFO key/value pairs ([1-8] jump over the key
 * terminator and padding), MZ magic, file under 100 KB. The meta hash is the
 * reference sample's SHA-256 and is not matched on. score 40 / PUA: a hit
 * flags a known-vulnerable driver build, which still needs load-context
 * triage before it is treated as an incident.
 */
rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_9DEE {
    meta:
        description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "9dee9c925f7ea84f56d4a2ad4cf9a88c4dac27380887bf9ac73e7c8108066504"
        date = "2024-08-07"
        score = 40
        id = "38c59d28-a35d-57f5-ad0e-7822e3381b53"
    strings:
        // VS_VERSIONINFO key -> value pairs (UTF-16, decoded value in the trailing comment)
        $vi_filedesc  = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } // "DcProtect Driver"
        $vi_company   = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } // "Windows (R) Win 7 DDK provider"
        $vi_filever   = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } // "1.2.0.0"
        $vi_prodver   = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } // "1.2.0.0"
        $vi_internal  = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } // "DcProtect.sys"
        $vi_product   = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0038002e003100780036003400200064007200690076006500720020 } // "DcProtect (R) Win8.1x64 driver " (trailing space) - the build-specific field
        $vi_origname  = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } // "DcProtect.sys"
        $vi_copyright = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } // "Copyright (C) 2012-2020 Jiangmen Eyun Network Co.,Ltd. 2019"
    condition:
        // "MZ" magic, small file, and every VersionInfo field present
        uint16(0) == 0x5a4d
        and filesize < 100KB
        and all of ($vi_*)
}
PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_B224
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys
/*
 * LOLDrivers VersionInfo signature for DcProtect.sys - the "Win10x64" build.
 *
 * Sibling of the other DcProtect rules; the ProductName OS/arch tag is the
 * only field that varies across the family.
 *
 * Matching: UTF-16 VS_VERSIONINFO key/value pairs ([1-8] jump over the key
 * terminator and padding), MZ magic, file under 100 KB. The meta hash is a
 * reference sample only. score 40 / PUA: verify load path and dropping
 * process before escalating.
 */
rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_B224 {
    meta:
        description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "b2247e68386c1bdfd48687105c3728ebbad672daffa91b57845b4e49693ffd71"
        date = "2024-08-07"
        score = 40
        id = "d5d84ed9-f0c5-54a8-8a7d-0006c1c98f1d"
    strings:
        // VS_VERSIONINFO key -> value pairs (UTF-16, decoded value in the trailing comment)
        $vi_filedesc  = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } // "DcProtect Driver"
        $vi_company   = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } // "Windows (R) Win 7 DDK provider"
        $vi_filever   = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } // "1.2.0.0"
        $vi_prodver   = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } // "1.2.0.0"
        $vi_internal  = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } // "DcProtect.sys"
        $vi_product   = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0031003000780036003400200064007200690076006500720020 } // "DcProtect (R) Win10x64 driver " (trailing space) - the build-specific field
        $vi_origname  = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } // "DcProtect.sys"
        $vi_copyright = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } // "Copyright (C) 2012-2020 Jiangmen Eyun Network Co.,Ltd. 2019"
    condition:
        // "MZ" magic, small file, and every VersionInfo field present
        uint16(0) == 0x5a4d
        and filesize < 100KB
        and all of ($vi_*)
}
PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_C35C
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys
/*
 * LOLDrivers VersionInfo signature for DcProtect.sys - the "Win8x86" build.
 *
 * One of eight DcProtect siblings distinguished solely by the OS/arch tag in
 * ProductName; the other seven VersionInfo fields are identical.
 *
 * Matching: UTF-16 VS_VERSIONINFO key/value pairs ([1-8] jump over the key
 * terminator and padding), MZ magic, file under 100 KB. The meta hash is the
 * reference sample's SHA-256 and is not matched on. score 40 / PUA: triage
 * by load context rather than treating the hit as a malware verdict.
 */
rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_C35C {
    meta:
        description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "c35cab244bd88bf0b1e7fc89c587d82763f66cf1108084713f867f72cc6f3633"
        date = "2024-08-07"
        score = 40
        id = "52742e0b-0e2f-5a83-9993-b3cde1a5cb5e"
    strings:
        // VS_VERSIONINFO key -> value pairs (UTF-16, decoded value in the trailing comment)
        $vi_filedesc  = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } // "DcProtect Driver"
        $vi_company   = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } // "Windows (R) Win 7 DDK provider"
        $vi_filever   = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } // "1.2.0.0"
        $vi_prodver   = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } // "1.2.0.0"
        $vi_internal  = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } // "DcProtect.sys"
        $vi_product   = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003800780038003600200064007200690076006500720020 } // "DcProtect (R) Win8x86 driver " (trailing space) - the build-specific field
        $vi_origname  = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } // "DcProtect.sys"
        $vi_copyright = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } // "Copyright (C) 2012-2020 Jiangmen Eyun Network Co.,Ltd. 2019"
    condition:
        // "MZ" magic, small file, and every VersionInfo field present
        uint16(0) == 0x5a4d
        and filesize < 100KB
        and all of ($vi_*)
}
PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_F8D4
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys
/*
 * LOLDrivers VersionInfo signature for DcProtect.sys - the "Win8x64" build.
 *
 * Sibling of the other DcProtect rules in this set; only the OS/arch tag in
 * the ProductName value differs between them.
 *
 * Matching: UTF-16 VS_VERSIONINFO key/value pairs ([1-8] jump over the key
 * terminator and padding), MZ magic, file under 100 KB. The meta hash is a
 * reference sample only. score 40 / PUA: a vulnerable-driver inventory hit;
 * confirm how the driver got onto the host before escalating.
 */
rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_F8D4 {
    meta:
        description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "f8d45fa03f56e2ea14920b902856666b8d44f1f1b16644baf8c1ae9a61851fb6"
        date = "2024-08-07"
        score = 40
        id = "2de9949d-830d-5540-8b4f-1d1262b8b76c"
    strings:
        // VS_VERSIONINFO key -> value pairs (UTF-16, decoded value in the trailing comment)
        $vi_filedesc  = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } // "DcProtect Driver"
        $vi_company   = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } // "Windows (R) Win 7 DDK provider"
        $vi_filever   = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } // "1.2.0.0"
        $vi_prodver   = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } // "1.2.0.0"
        $vi_internal  = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } // "DcProtect.sys"
        $vi_product   = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e003800780036003400200064007200690076006500720020 } // "DcProtect (R) Win8x64 driver " (trailing space) - the build-specific field
        $vi_origname  = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } // "DcProtect.sys"
        $vi_copyright = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } // "Copyright (C) 2012-2020 Jiangmen Eyun Network Co.,Ltd. 2019"
    condition:
        // "MZ" magic, small file, and every VersionInfo field present
        uint16(0) == 0x5a4d
        and filesize < 100KB
        and all of ($vi_*)
}
PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_FF55
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys
/*
 * LOLDrivers VersionInfo signature for DcProtect.sys - the "Win8.1x86" build.
 *
 * Last of the eight DcProtect siblings; as with the others, the ProductName
 * OS/arch tag is the only field that differs, so a single rule with a jump
 * over that tag would cover the whole family if consolidation is preferred.
 *
 * Matching: UTF-16 VS_VERSIONINFO key/value pairs ([1-8] jump over the key
 * terminator and padding), MZ magic, file under 100 KB. The meta hash is the
 * reference sample's SHA-256 and is not matched on. score 40 / PUA: confirm
 * load path and dropping process before treating a hit as malicious.
 */
rule PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwinxdriver_FF55 {
    meta:
        description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "ff55c1f308a5694eb66a3e9ba326266c826c5341c44958831a7a59a23ed5ecc8"
        date = "2024-08-07"
        score = 40
        id = "4b402b27-36ca-5e2c-bb00-64ab93b8720f"
    strings:
        // VS_VERSIONINFO key -> value pairs (UTF-16, decoded value in the trailing comment)
        $vi_filedesc  = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044006300500072006f00740065006300740020004400720069007600650072 } // "DcProtect Driver"
        $vi_company   = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } // "Windows (R) Win 7 DDK provider"
        $vi_filever   = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } // "1.2.0.0"
        $vi_prodver   = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } // "1.2.0.0"
        $vi_internal  = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } // "DcProtect.sys"
        $vi_product   = { 00500072006f0064007500630074004e0061006d0065[1-8]0044006300500072006f00740065006300740020002800520029002000570069006e0038002e003100780038003600200064007200690076006500720020 } // "DcProtect (R) Win8.1x86 driver " (trailing space) - the build-specific field
        $vi_origname  = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044006300500072006f0074006500630074002e007300790073 } // "DcProtect.sys"
        $vi_copyright = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032002d00320030003200300020004a00690061006e0067006d0065006e0020004500790075006e0020004e006500740077006f0072006b00200043006f002e002c004c00740064002e00200032003000310039 } // "Copyright (C) 2012-2020 Jiangmen Eyun Network Co.,Ltd. 2019"
    condition:
        // "MZ" magic, small file, and every VersionInfo field present
        uint16(0) == 0x5a4d
        and filesize < 100KB
        and all of ($vi_*)
}
PUA_VULN_Driver_Windowsrwinddkprovider_Lgdatacatchersys_Gameacc_07FB
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDataCatcher.sys
rule PUA_VULN_Driver_Windowsrwinddkprovider_Lgdatacatchersys_Gameacc_07FB {
// VersionInfo-only signature: each hex string is the wide-char key name, a [1-8]
// byte jump, then the expected value (decoded in the trailing comment). The three
// hashes are reference samples that share this VersionInfo; the rule does not check
// hashes, so any build with identical VersionInfo matches and a build with edited
// VersionInfo does not. CompanyName is the generic "Windows (R) Win 7 DDK provider"
// string also used by other rules in this set; FileDescription, InternalName,
// OriginalFilename and ProductName are the driver-specific strings.
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDataCatcher.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "07fb2bb6c852f6a6fe982b2232f047e167be39738bac26806ffe0927ba873756"
hash = "516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a13"
hash = "45b07a2f387e047a6bb0e59b7f22fb56182d57b50e84e386a38c2dbb7e773837"
date = "2024-08-07"
score = 40
id = "4d2f4d82-aa28-5be1-8e0a-9db164a4bb50"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006500690067006f00640020006e006500740020006400610074006100200063006100740063006800650072002e } /* FileDescription Leigodnetdatacatcher */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion 1.0.0.0 */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion 1.0.0.0 */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* InternalName LgDataCatchersys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470061006d0065004100630063 } /* ProductName GameAcc */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* OriginalFilename LgDataCatchersys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002000320030003200300020006e006e002e0063006f006d } /* LegalCopyright Copyrightnncom */
condition:
// PE "MZ" magic, size cap (200KB here, larger than most rules in this set), and all strings present.
uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_9DBC
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys
rule PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_9DBC {
// VersionInfo-only signature for netfilter2.sys: each hex string is the wide-char key
// name, a [1-8] byte jump, then the expected value (decoded in the trailing comment).
// The seven hashes are reference samples sharing this VersionInfo; the rule does not
// check them. A sibling rule (_DB1D) covers the same driver with a different
// FileVersion/ProductVersion pair and a 100KB cap; this one requires
// FileVersion 1.5.9.7 and ProductVersion 6.2.9200.20557 and allows up to 200KB.
// CompanyName and ProductName are the generic "Windows (R) Win 7 DDK" strings
// shared with other rules in this set; FileDescription, InternalName,
// OriginalFilename and LegalCopyright are the driver-specific strings.
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "9dbc2a37f53507296cc912e7d354dab4e55541ba821561aa84f74d1bd8346be2"
hash = "65a3e69854c729659281d2c5f8a4c8274ad3606befdcd9e1b79d3262f260bfa1"
hash = "71701c5c569ef67391c995a12b21ca06935b7799ed211d978f7877115c58dce0"
hash = "81bcd8a3f8c17ac6dc4bad750ad3417914db10aa15485094eef0951a3f72bdbd"
hash = "1a0f57a4d7c8137baf24c65d542729547b876979273df7a245aaeea87280c090"
hash = "62b14bb308c99132d90646e85bc7d6eb593f38e225c8232f69f24b74a019c176"
hash = "0f3e7bf7b103613844a38afb574817ddaecd00e4d206d891660dbb0e5dfee04e"
date = "2024-08-07"
score = 40
id = "8fb3920a-b0bf-57b3-bf15-24f323efde31"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e0037 } /* FileVersion 1.5.9.7 */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion 6.2.9200.20557 */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */
condition:
// PE "MZ" magic, size cap, and all eight VersionInfo strings must be present.
uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_DB1D
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys
rule PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_DB1D {
// VersionInfo-only signature for netfilter2.sys: each hex string is the wide-char key
// name, a [1-8] byte jump, then the expected value (decoded in the trailing comment).
// The eight hashes are reference samples sharing this VersionInfo; the rule does not
// check them. Differs from the sibling _9DBC rule only in FileVersion
// ("1.5.9.7 built by: WinDDK"), ProductVersion (6.1.7600.16385) and the 100KB cap.
// CompanyName and ProductName are the generic "Windows (R) Win 7 DDK" strings
// shared with other rules in this set; FileDescription, InternalName,
// OriginalFilename and LegalCopyright are the driver-specific strings.
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "db1dbb09d437d3e8bed08c88ca43769b4fe8728f68b78ff6f9c8d2557e28d2b1"
hash = "5c54a5cd3386ac14725a07962562e9fdcefbb7be0d19803f9d71de24573de1e3"
hash = "6703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c0"
hash = "47e35f474f259314c588af35e88561a015801b52db523eb75fc7eccff8b3be4d"
hash = "0eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec"
hash = "639ff79f13e40d47b90ecd709699edd10e740cb41451acb95590a68b6352de2b"
hash = "f488500be4eaafba74b644be95d4c0523297770fb9bb78c449f643ab8d4a05d9"
hash = "8017e618b5a7aa608cc4bce16e4defd6b4e99138c4ba1bdd6ad78e39f035cf59"
date = "2024-08-07"
score = 40
id = "cca75a99-2482-54a2-8891-2cd23c8836e9"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion 1.5.9.7 built by: WinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion 6.1.7600.16385 */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */
condition:
// PE "MZ" magic, size cap, and all eight VersionInfo strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosiodriver_1E24
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys
rule PUA_VULN_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosiodriver_1E24 {
// VersionInfo-only signature for SBIOSIO64.sys, version 1.0.0000.0 (the sibling _B3D1
// rule is the same set of strings with version 1.1.0000.0). Each hex string is the
// wide-char key name, a [1-8] byte jump, then the expected value (decoded in the
// trailing comment). The two hashes are reference samples; the rule does not check
// them. CompanyName is the generic "Windows (R) Win 7 DDK provider" string shared
// with other rules in this set; the remaining strings are Samsung/SBIOSIO specific.
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "1e24c45ce2672ee403db34077c88e8b7d7797d113c6fd161906dce3784da627d"
hash = "39336e2ce105901ab65021d6fdc3932d3d6aab665fe4bd55aa1aa66eb0de32f0"
date = "2024-08-07"
score = 40
id = "e8515bb1-cf81-510a-9d48-7fd353c6c37a"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300420049004f00530049004f0020004400720069007600650072 } /* FileDescription SBIOSIODriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030003000300030002e0030 } /* FileVersion 1.0.0000.0 */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030003000300030002e0030 } /* ProductVersion 1.0.0000.0 */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* InternalName SBIOSIOsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530061006d00730075006e00670020002800520029002000420049004f005300200049004f0020006400720069007600650072 } /* ProductName SamsungRBIOSIOdriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* OriginalFilename SBIOSIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000530061006d00730075006e006700200045006c0065006300740072006f006e006900630073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcSamsungElectronicsAllrightsreserved */
condition:
// PE "MZ" magic, size cap, and all eight VersionInfo strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosiodriver_B3D1
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys
rule PUA_VULN_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosiodriver_B3D1 {
// VersionInfo-only signature for SBIOSIO64.sys, version 1.1.0000.0 (the sibling _1E24
// rule is the same set of strings with version 1.0.0000.0). Each hex string is the
// wide-char key name, a [1-8] byte jump, then the expected value (decoded in the
// trailing comment). The two hashes are reference samples; the rule does not check
// them. CompanyName is the generic "Windows (R) Win 7 DDK provider" string shared
// with other rules in this set; the remaining strings are Samsung/SBIOSIO specific.
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "b3d1bdd4ad819b99870b6e2ed3527dfc0e3ce27b929ad64382b9c3d4e332315c"
hash = "442d506c1ac1f48f6224f0cdd64590779aee9c88bdda2f2cc3169b862cba1243"
date = "2024-08-07"
score = 40
id = "d2eed5da-ca7c-5ae3-ab44-2a49f43ec409"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300420049004f00530049004f0020004400720069007600650072 } /* FileDescription SBIOSIODriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030003000300030002e0030 } /* FileVersion 1.1.0000.0 */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030003000300030002e0030 } /* ProductVersion 1.1.0000.0 */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* InternalName SBIOSIOsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530061006d00730075006e00670020002800520029002000420049004f005300200049004f0020006400720069007600650072 } /* ProductName SamsungRBIOSIOdriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005300420049004f00530049004f00360034002e007300790073 } /* OriginalFilename SBIOSIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000530061006d00730075006e006700200045006c0065006300740072006f006e006900630073002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightcSamsungElectronicsAllrightsreserved */
condition:
// PE "MZ" magic, size cap, and all eight VersionInfo strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdriver_5C0B
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vmdrv.sys
rule PUA_VULN_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdriver_5C0B {
// VersionInfo-only signature for vmdrv.sys (Voicemod virtual audio driver). Each hex
// string is the wide-char key name, a [1-8] byte jump, then the expected value
// (decoded in the trailing comment). The three hashes are reference samples; the
// rule does not check them, so other builds with identical VersionInfo also match.
// CompanyName and ProductName are the generic "Windows (R) Win 7 DDK" strings shared
// with other rules in this set; FileDescription, InternalName, OriginalFilename,
// FileVersion and LegalCopyright are the driver-specific strings.
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vmdrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921"
hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351"
hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3"
date = "2024-08-07"
score = 40
id = "20989ad0-08b4-5fe0-b4cc-9846bdf4bb89"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription VoicemodVirtualAudioDeviceWDM */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* FileVersion 10.0.10011.16384 */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* ProductVersion 10.0.10011.16384 */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0076006d006400720076002e007300790073 } /* InternalName vmdrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0076006d006400720076002e007300790073 } /* OriginalFilename vmdrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200056006f006900630065006d006f006400200053002e004c002e0032003000310030002d0032003000320030 } /* LegalCopyright CopyrightCVoicemodSL */
condition:
// PE "MZ" magic, size cap, and all eight VersionInfo strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Windowsrwinddkprovider_Wnbiossys_Windowsrwinddkdriver_530D
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wnbios.sys
rule PUA_VULN_Driver_Windowsrwinddkprovider_Wnbiossys_Windowsrwinddkdriver_530D {
// VersionInfo-only signature for wnbios.sys. Each hex string is the wide-char key
// name, a [1-8] byte jump, then the expected value (decoded in the trailing comment).
// The hash is a reference sample; the rule does not check it. Note that CompanyName,
// ProductName and LegalCopyright are all generic DDK/Microsoft boilerplate strings
// (the same CompanyName/ProductName appear in several other rules in this set), so
// only FileDescription, InternalName, OriginalFilename and the FileVersion string
// "1.2.0.0 built by: WinDDK" tie this rule to wnbios.sys.
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wnbios.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "530d9223ec7e4123532a403abef96dfd1af5291eb49497392ff5d14d18fccfbb"
date = "2024-08-07"
score = 40
id = "98c36c7b-603b-5fe4-8774-7ea9ecf84ef9"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0057006e00420069006f00730020004400720069007600650072 } /* FileDescription WnBiosDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion 1.2.0.0 built by: WinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion 1.2.0.0 */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0077006e00620069006f0073002e007300790073 } /* InternalName wnbiossys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0077006e00620069006f0073002e007300790073 } /* OriginalFilename wnbiossys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright (c) MicrosoftCorporationAllrightsreserved - 00a9 is the copyright sign */
condition:
// PE "MZ" magic, size cap, and all eight VersionInfo strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwritedriver_21CC
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwRwDrv.sys
rule PUA_VULN_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwritedriver_21CC {
// VersionInfo-only signature for HwRwDrv.sys. Each hex string is the wide-char key
// name, a [1-8] byte jump, then the expected value (decoded in the trailing comment).
// The hash is a reference sample; the rule does not check it. CompanyName here is a
// misspelled DDK-style template string ("winows", with 00ae = registered sign) and
// LegalCopyright is Microsoft boilerplate; the driver-specific strings are
// FileDescription/ProductName "Hardware read & write driver", InternalName,
// OriginalFilename and FileVersion 1.0.5.0.
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwRwDrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21"
date = "2024-08-07"
score = 40
id = "fa8e9fd9-7d07-5e05-a8d0-3769b9dd9157"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* FileDescription Hardwarereadwritedriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f0077007300ae002000770069006e006f007700730020003700200064007200690076006500720020006b006900740073002000700072006f00760069006400650072 } /* CompanyName Windows(R)winowsdriverkitsprovider - spelling is as found in the sample */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0035002e0030 } /* FileVersion 1.0.5.0 */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0030 } /* ProductVersion 1.0.5.0 */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0048007700520077004400720076002e007300790073 } /* InternalName HwRwDrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* ProductName Hardwarereadwritedriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0048007700520077004400720076002e007300790073 } /* OriginalFilename HwRwDrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightMicrosoftCorporationAllrightsreserved */
condition:
// PE "MZ" magic, size cap, and all eight VersionInfo strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_786F
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys
rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_786F {
// VersionInfo-only signature for WiseUnlo.sys, version 1.0.2.13 (the sibling _9D53
// rule is the same set of strings with version 1.0.1.12). Each hex string is the
// wide-char key name, a [1-8] byte jump, then the expected value (decoded in the
// trailing comment). The five hashes are reference samples sharing this VersionInfo;
// the rule does not check them. All strings here are vendor-specific (WiseCleaner),
// so this rule is tighter than the DDK-template rules elsewhere in this set.
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc"
hash = "87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b"
hash = "daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5"
hash = "48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548"
hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69"
date = "2024-08-07"
score = 40
id = "78b84e8a-1f92-5954-a1da-19d7208279db"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion 1.0.2.13 */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion 1.0.2.13 */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright (c) 2015 */
condition:
// PE "MZ" magic, size cap, and all eight VersionInfo strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_9D53
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys
rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_9D53 {
// VersionInfo-only signature for WiseUnlo.sys, version 1.0.1.12 (the sibling _786F
// rule is the same set of strings with version 1.0.2.13). Each hex string is the
// wide-char key name, a [1-8] byte jump, then the expected value (decoded in the
// trailing comment). The two hashes are reference samples sharing this VersionInfo;
// the rule does not check them. All strings here are vendor-specific (WiseCleaner),
// so this rule is tighter than the DDK-template rules elsewhere in this set.
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a"
hash = "5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4"
date = "2024-08-07"
score = 40
id = "4b731a73-af46-5607-96c3-6aeeb7df9976"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* FileVersion 1.0.1.12 */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* ProductVersion 1.0.1.12 */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright (c) 2015 */
condition:
// PE "MZ" magic, size cap, and all eight VersionInfo strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Wistroncorporation_Wirwadrvsys_Wistronrwadriver_D8FC
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiRwaDrv.sys
rule PUA_VULN_Driver_Wistroncorporation_Wirwadrvsys_Wistronrwadriver_D8FC {
// VersionInfo-only signature for WiRwaDrv.sys (Wistron RWA driver, version 1.0.0.1016).
// Each hex string is the wide-char key name, a [1-8] byte jump, then the expected
// value (decoded in the trailing comment). The hash is a reference sample; the rule
// does not check it, so other builds with identical VersionInfo also match and a
// build with edited VersionInfo does not. All eight strings are vendor-specific.
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiRwaDrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "d8fc8e3a1348393c5d7c3a84bcbae383d85a4721a751ad7afac5428e5e579b4e"
date = "2024-08-07"
score = 40
id = "67b74d38-f26d-56b9-8a92-c923ad1f797e"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300740072006f006e00200052005700410020004400720069007600650072 } /* FileDescription WistronRWADriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300740072006f006e00200043006f00720070006f0072006100740069006f006e } /* CompanyName WistronCorporation */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031003000310036 } /* FileVersion 1.0.0.1016 */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031003000310036 } /* ProductVersion 1.0.0.1016 */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069005200770061004400720076002e007300790073 } /* InternalName WiRwaDrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300740072006f006e00200052005700410020004400720069007600650072 } /* ProductName WistronRWADriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069005200770061004400720076002e007300790073 } /* OriginalFilename WiRwaDrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000570069007300740072006f006e00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightC2019WistronCorporation */
condition:
// PE "MZ" magic, size cap, and all eight VersionInfo strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Wj_Kprocesshacker_7021
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys
rule PUA_VULN_Driver_Wj_Kprocesshacker_7021 {
// VersionInfo-only signature for kprocesshacker.sys version 3.0 (the sibling _C725
// rule covers version 2.8 with otherwise identical strings). Each hex string is the
// wide-char key name, a [1-8] byte jump, then the expected value (decoded in the
// trailing comment). There is no InternalName string, so seven strings are required.
// The hash is a reference sample; the rule does not check it. Process Hacker is a
// widely installed tool, so treat hits as "vulnerable driver present" (score 40)
// rather than as malware.
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4"
date = "2024-08-07"
score = 40
id = "dd2a2bfd-12be-5cdb-8293-c51220015bd9"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0077006a00330032 } /* CompanyName wj32 */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030 } /* FileVersion 3.0 */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030 } /* ProductVersion 3.0 */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* ProductName KProcessHacker */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright Licensed under the GNU GPL, v3. */
condition:
// PE "MZ" magic, size cap, and all seven VersionInfo strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Wj_Kprocesshacker_C725
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys
rule PUA_VULN_Driver_Wj_Kprocesshacker_C725 {
// VersionInfo-only signature for kprocesshacker.sys version 2.8 (the sibling _7021
// rule covers version 3.0 with otherwise identical strings). Each hex string is the
// wide-char key name, a [1-8] byte jump, then the expected value (decoded in the
// trailing comment). There is no InternalName string, so seven strings are required.
// The hash is a reference sample; the rule does not check it. Process Hacker is a
// widely installed tool, so treat hits as "vulnerable driver present" (score 40)
// rather than as malware.
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c"
date = "2024-08-07"
score = 40
id = "53a8740a-65a5-5eb5-afc5-b86058982071"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0077006a00330032 } /* CompanyName wj32 */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0038 } /* FileVersion 2.8 */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0038 } /* ProductVersion 2.8 */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* ProductName KProcessHacker */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright Licensed under the GNU GPL, v3. */
condition:
// PE "MZ" magic, size cap, and all seven VersionInfo strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Yyinc_Dianhu_80CB
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Dh_Kernel_10.sys
rule PUA_VULN_Driver_Yyinc_Dianhu_80CB {
// VersionInfo-only signature for Dh_Kernel_10.sys (YY Inc. "dianhu" driver). Each hex
// string is the wide-char key name, a [1-8] byte jump, then the expected value
// (decoded in the trailing comment). No InternalName or OriginalFilename string is
// used, so only six strings are required and the on-disk filename is not checked at
// all. The two hashes are reference samples; the rule does not check them.
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Dh_Kernel_10.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3"
hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955"
date = "2024-08-07"
score = 40
id = "166a402d-9679-54b8-9703-3e3b2b001236"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0059005900200049006e0063002e } /* CompanyName YY Inc. */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00390039 } /* FileVersion 1.0.99 */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00390039 } /* ProductVersion 1.0.99 */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]006400690061006e00680075 } /* ProductName dianhu */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300037002d003200300031003700200059005900200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright Copyright (c) 2007-2017 YY Inc. All rights reserved. */
condition:
// PE "MZ" magic, size cap, and all six VersionInfo strings must be present.
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Z_Computerzsys_Zwuqisystemdriver_61E7
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys
rule PUA_VULN_Driver_Z_Computerzsys_Zwuqisystemdriver_61E7 {
// VersionInfo-only signature for ComputerZ.Sys. Each hex string is the wide-char key
// name, a [1-8] byte jump, then the expected value (decoded in the trailing comment).
// The hash is a reference sample; the rule does not check it.
// NOTE(review): the CompanyName value is "Z" followed by two non-Latin code units
// written as 6b66 5668 (U+6B66 U+5668). Every other string in this set encodes only
// characters whose high byte is 00, which matches the little-endian wide strings of a
// PE resource by virtue of the leading 00. For these two code units the byte order
// in a little-endian resource would be 66 6b 68 56, not 6b 66 56 68, so with
// "all of them" this rule may never fire on the real file. Verify against the
// referenced sample before relying on it; if confirmed, the CompanyName bytes (or
// that string's participation in the condition) need adjusting.
meta:
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "61e7f9a91ef25529d85b22c39e830078b96f40b94d00756595dded9d1a8f6629"
date = "2024-08-07"
score = 40
id = "c691fecf-9556-5b70-9a84-b645b053cfc0"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0077007500710069002000530079007300740065006d0020004400720069007600650072 } /* FileDescription ZwuqiSystemDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a6b665668 } /* CompanyName "Z" + U+6B66 U+5668 - byte order of the two non-Latin code units is suspect, see note above */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0039002e003400310036 } /* FileVersion 1.1.9.416 */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0039002e003400310036 } /* ProductVersion 1.1.9.416 */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* InternalName ComputerZSys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0077007500710069002000530079007300740065006d0020004400720069007600650072 } /* ProductName ZwuqiSystemDriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f006d00700075007400650072005a002e005300790073 } /* OriginalFilename ComputerZSys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020007700770077002e007a0077007500710069002e0063006f006d } /* LegalCopyright CopyrightC2008-2009wwwzwuqicom */
condition:
// PE "MZ" magic, size cap, and all eight VersionInfo strings must be present
// (including the CompanyName string flagged above).
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
PUA_VULN_Driver_Zemanaltd_Zam_2BBC
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys
rule PUA_VULN_Driver_Zemanaltd_Zam_2BBC {
    meta:
        description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1"
        date = "2024-08-07"
        score = 40
        id = "171ebc5a-3e8a-5771-8960-b623f6581759"
    strings:
        // UTF-16 VersionInfo key, [1-8] byte jump, UTF-16 value. The sibling Zemana ZAM
        // rules differ from this one only in the ProductVersion value, so a match pins a
        // specific driver build; it says nothing about how the file got there, and the
        // legitimately installed product carries the same metadata.
        $file_description = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } // FileDescription = "ZAM"
        $company_name = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } // CompanyName = "Zemana Ltd."
        $product_version = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310038002e003300370031 } // ProductVersion = "2.18.371"
        $product_name = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } // ProductName = "ZAM"
        $legal_copyright = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } // LegalCopyright = "Zemana Ltd. All rights reserved."
    condition:
        // "MZ" magic read big-endian (0x4d5a), 200KB size cap in bytes, all patterns required.
        uint16be(0) == 0x4d5a and filesize < 204800 and all of ($*)
}
PUA_VULN_Driver_Zemanaltd_Zam_3C18
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys
rule PUA_VULN_Driver_Zemanaltd_Zam_3C18 {
    meta:
        description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b"
        date = "2024-08-07"
        score = 40
        id = "94b7a58c-0092-5d81-985f-330599efe25a"
    strings:
        // UTF-16 VersionInfo key, [1-8] byte jump, UTF-16 value. Only the ProductVersion
        // value separates this rule from the other Zemana ZAM rules; the match identifies
        // a driver build, and the legitimately installed product carries the same metadata.
        $file_description = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } // FileDescription = "ZAM"
        $company_name = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } // CompanyName = "Zemana Ltd."
        $product_version = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310036002e003900320038 } // ProductVersion = "2.16.928"
        $product_name = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } // ProductName = "ZAM"
        $legal_copyright = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } // LegalCopyright = "Zemana Ltd. All rights reserved."
    condition:
        // "MZ" magic read big-endian (0x4d5a), 200KB size cap in bytes, all patterns required.
        uint16be(0) == 0x4d5a and filesize < 204800 and all of ($*)
}
PUA_VULN_Driver_Zemanaltd_Zam_45F4
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys
rule PUA_VULN_Driver_Zemanaltd_Zam_45F4 {
    meta:
        description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef"
        date = "2024-08-07"
        score = 40
        id = "56dc2fa5-c19c-5a77-9590-e7a957ccb27f"
    strings:
        // UTF-16 VersionInfo key, [1-8] byte jump, UTF-16 value. Only the ProductVersion
        // value separates this rule from the other Zemana ZAM rules; the match identifies
        // a driver build, and the legitimately installed product carries the same metadata.
        $file_description = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } // FileDescription = "ZAM"
        $company_name = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } // CompanyName = "Zemana Ltd."
        $product_version = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e003800360035 } // ProductVersion = "2.20.865"
        $product_name = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } // ProductName = "ZAM"
        $legal_copyright = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } // LegalCopyright = "Zemana Ltd. All rights reserved."
    condition:
        // "MZ" magic read big-endian (0x4d5a), 200KB size cap in bytes, all patterns required.
        uint16be(0) == 0x4d5a and filesize < 204800 and all of ($*)
}
PUA_VULN_Driver_Zemanaltd_Zam_5439
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys
rule PUA_VULN_Driver_Zemanaltd_Zam_5439 {
    meta:
        description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91"
        hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd"
        date = "2024-08-07"
        score = 40
        id = "f35db7b6-8a4b-5c26-9e00-da5c1c7780e8"
    strings:
        // UTF-16 VersionInfo key, [1-8] byte jump, UTF-16 value. Two reference hashes
        // share this ProductVersion, which is also the only value that separates this
        // rule from the other Zemana ZAM rules; the legitimately installed product
        // carries the same metadata, so confirm provenance before treating a hit as hostile.
        $file_description = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } // FileDescription = "ZAM"
        $company_name = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } // CompanyName = "Zemana Ltd."
        $product_version = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320031002e00360033 } // ProductVersion = "2.21.63"
        $product_name = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } // ProductName = "ZAM"
        $legal_copyright = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } // LegalCopyright = "Zemana Ltd. All rights reserved."
    condition:
        // "MZ" magic read big-endian (0x4d5a), 200KB size cap in bytes, all patterns required.
        uint16be(0) == 0x4d5a and filesize < 204800 and all of ($*)
}
PUA_VULN_Driver_Zemanaltd_Zam_7661
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys
rule PUA_VULN_Driver_Zemanaltd_Zam_7661 {
    meta:
        description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a"
        date = "2024-08-07"
        score = 40
        id = "cf60dd6e-f13e-5498-b3e1-b28c4b469f10"
    strings:
        // UTF-16 VersionInfo key, [1-8] byte jump, UTF-16 value. Only the ProductVersion
        // value separates this rule from the other Zemana ZAM rules; the match identifies
        // a driver build, and the legitimately installed product carries the same metadata.
        $file_description = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } // FileDescription = "ZAM"
        $company_name = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } // CompanyName = "Zemana Ltd."
        $product_version = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310038002e003200320039 } // ProductVersion = "2.18.229"
        $product_name = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } // ProductName = "ZAM"
        $legal_copyright = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } // LegalCopyright = "Zemana Ltd. All rights reserved."
    condition:
        // "MZ" magic read big-endian (0x4d5a), 200KB size cap in bytes, all patterns required.
        uint16be(0) == 0x4d5a and filesize < 204800 and all of ($*)
}
PUA_VULN_Driver_Zemanaltd_Zam_7CB5
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys
rule PUA_VULN_Driver_Zemanaltd_Zam_7CB5 {
    meta:
        description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21"
        date = "2024-08-07"
        score = 40
        id = "4af76d57-3f28-5d80-b72a-796f65942488"
    strings:
        // UTF-16 VersionInfo key, [1-8] byte jump, UTF-16 value. Unlike the other Zemana
        // ZAM rules this one also requires a FileVersion pattern and allows a larger file
        // (300KB); the match identifies a driver build, and the legitimately installed
        // product carries the same metadata.
        $file_description = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } // FileDescription = "ZAM"
        $company_name = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } // CompanyName = "Zemana Ltd."
        $file_version = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } // FileVersion = "3.0.0.000"
        $product_version = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } // ProductVersion = "3.0.0.000"
        $product_name = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } // ProductName = "ZAM"
        $legal_copyright = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } // LegalCopyright = "Zemana Ltd. All rights reserved."
    condition:
        // "MZ" magic read big-endian (0x4d5a), 300KB size cap in bytes, all patterns required.
        uint16be(0) == 0x4d5a and filesize < 307200 and all of ($*)
}
PUA_VULN_Driver_Zemanaltd_Zam_8FE9
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys
rule PUA_VULN_Driver_Zemanaltd_Zam_8FE9 {
    meta:
        description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a"
        date = "2024-08-07"
        score = 40
        id = "45ac5fe9-25e2-5ee9-a410-95d19ec75e33"
    strings:
        // UTF-16 VersionInfo key, [1-8] byte jump, UTF-16 value. Only the ProductVersion
        // value separates this rule from the other Zemana ZAM rules; the match identifies
        // a driver build, and the legitimately installed product carries the same metadata.
        $file_description = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } // FileDescription = "ZAM"
        $company_name = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } // CompanyName = "Zemana Ltd."
        $product_version = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310037002e003100310035 } // ProductVersion = "2.17.115"
        $product_name = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } // ProductName = "ZAM"
        $legal_copyright = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } // LegalCopyright = "Zemana Ltd. All rights reserved."
    condition:
        // "MZ" magic read big-endian (0x4d5a), 200KB size cap in bytes, all patterns required.
        uint16be(0) == 0x4d5a and filesize < 204800 and all of ($*)
}
PUA_VULN_Driver_Zemanaltd_Zam_9A95
Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys
rule PUA_VULN_Driver_Zemanaltd_Zam_9A95 {
    meta:
        description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys"
        author = "Florian Roth"
        reference = "https://github.com/magicsword-io/LOLDrivers"
        hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c"
        date = "2024-08-07"
        score = 40
        id = "de7c3f85-1101-58c2-882b-e7e59d95fdd8"
    strings:
        // UTF-16 VersionInfo key, [1-8] byte jump, UTF-16 value. Only the ProductVersion
        // value separates this rule from the other Zemana ZAM rules; the match identifies
        // a driver build, and the legitimately installed product carries the same metadata.
        $file_description = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } // FileDescription = "ZAM"
        $company_name = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } // CompanyName = "Zemana Ltd."
        $product_version = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310036002e003200380037 } // ProductVersion = "2.16.287"
        $product_name = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } // ProductName = "ZAM"
        $legal_copyright = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } // LegalCopyright = "Zemana Ltd. All rights reserved."
    condition:
        // "MZ" magic read big-endian (0x4d5a), 200KB size cap in bytes, all patterns required.
        uint16be(0) == 0x4d5a and filesize < 204800 and all of ($*)
}