From 8d1801a7753e0681f95bcc43d0463872652fe471 Mon Sep 17 00:00:00 2001
From: junk
Date: Wed, 8 Jan 2025 22:39:52 -0500
Subject: [PATCH] Add yara/vulnerable_driver.yar

---
 yara/vulnerable_driver.yar | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 yara/vulnerable_driver.yar

diff --git a/yara/vulnerable_driver.yar b/yara/vulnerable_driver.yar
new file mode 100644
index 0000000..e038699
--- /dev/null
+++ b/yara/vulnerable_driver.yar
@@ -0,0 +1,20 @@
+import "pe"
+
+rule hardware_io_wdf {
+ meta:
+ description = "Designed to catch x64 kernel drivers importing a memory-mapped I/O API (MmMapIoSpace)"
+
+ strings:
+ $wdf_api_name = "WdfVersionBind"
+
+ condition:
+ filesize < 1MB and
+ uint16(0) == 0x5a4d and pe.machine == pe.MACHINE_AMD64 and
+ (pe.imports("ntoskrnl.exe", "MmMapIoSpace") or pe.imports("ntoskrnl.exe", "MmMapIoSpaceEx")) and
+ $wdf_api_name and // WDF
+ //not $wdf_api_name and // WDM
+ for all signature in pe.signatures:
+ (
+ not signature.subject contains "WDKTestCert"
+ )
+}
\ No newline at end of file
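Review bot: The `meta` description says the rule catches x64 kernel drivers importing MmMapIoSpace, but the condition also requires the `WdfVersionBind` string and excludes any file whose signer subject contains `WDKTestCert`, so the description undersells how narrow the match is; suggest `description = "x64 kernel drivers (WDF, per WdfVersionBind string) importing MmMapIoSpace/MmMapIoSpaceEx from ntoskrnl, excluding WDK test-signed binaries"`. The `for all signature in pe.signatures` clause is vacuously true for a file with no signatures, so unsigned drivers still match while test-signed ones do not — plausibly intended for a hunting rule, but a one-line comment above the `for all` stating that would save the next reader from wondering. The commented-out `//not $wdf_api_name and // WDM` line reads like a manual toggle; if a WDM variant is wanted, a second rule (e.g. `hardware_io_wdm`) is clearer than leaving dead logic in the condition. Finally, `$wdf_api_name` is a bare ASCII string search, whereas checking the actual import (`pe.imports("WDFLDR.SYS", "WdfVersionBind")`) would be consistent with the ntoskrnl import checks already used and less prone to matching incidental strings; confirm the module-name casing the pe module expects before switching.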