From 16c1d67b0aebd253f9720529f07cdf4f56f9ee7f Mon Sep 17 00:00:00 2001
From: tbaker57
Date: Wed, 20 Nov 2024 06:21:03 +1000
Subject: [PATCH 1/2] Update drvstore.yml
The Microsoft-signed executable hvciscan_amd64.exe attempts to execute the function 'DriverStoreOpenW' in drvstore.dll in the current directory. Since this is a stand-alone tool (https://www.microsoft.com/en-us/download/details.aspx?id=105437) it doesn't have an expected location.
---
 yml/microsoft/built-in/drvstore.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/yml/microsoft/built-in/drvstore.yml b/yml/microsoft/built-in/drvstore.yml
index b361f570..c0c5cdfa 100644
--- a/yml/microsoft/built-in/drvstore.yml
+++ b/yml/microsoft/built-in/drvstore.yml
@@ -23,9 +23,16 @@ VulnerableExecutables:
 - Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
 Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
 Type: Catalog
+- Path: 'hvciscan_amd64.exe'
+ Type: Sideloading
+ ExpectedSignatureInformation:
+ - Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+ Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+ Type: Catalog
 Resources:
 - https://securityintelligence.com/posts/windows-features-dll-sideloading/
 - https://github.com/xforcered/WFH
+- https://www.microsoft.com/en-us/download/details.aspx?id=105437 (HVCIScan Download)
 Acknowledgements:
 - Name: Chris Spehn
 Twitter: '@ConsciousHacker'
From 801f09fb406b900a629f1985980361189540d31b Mon Sep 17 00:00:00 2001
From: tbaker57
Date: Wed, 20 Nov 2024 06:24:26 +1000
Subject: [PATCH 2/2] Update drvstore.yml
---
 yml/microsoft/built-in/drvstore.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yml/microsoft/built-in/drvstore.yml b/yml/microsoft/built-in/drvstore.yml
index c0c5cdfa..658f6b3f 100644
--- a/yml/microsoft/built-in/drvstore.yml
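Review bot: The ExpectedSignatureInformation block under the new `Path: 'hvciscan_amd64.exe'` entry is identical to the in-box entry's block that precedes it in the hunk (Subject CN=Microsoft Windows, Issuer Microsoft Windows Production PCA 2011, Type: Catalog), which looks copied rather than observed. The commit message describes a stand-alone download rather than an OS component, and such a binary would more plausibly carry an embedded Authenticode signature, possibly under a different Subject, than a catalog entry; please confirm all three values against the shipped executable, since any consumer that gates on the expected signer will otherwise misclassify it. The Path is also a bare filename with no directory component, and the reason for that lives only in the commit message, so keeping it with the data would help future editors: `# stand-alone download with no fixed install location, so no directory prefix` directly above the `- Path:` line. The enclosing VulnerableExecutables list starts before this hunk.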
+++ b/yml/microsoft/built-in/drvstore.yml
@@ -32,7 +32,7 @@ VulnerableExecutables:
 Resources:
 - https://securityintelligence.com/posts/windows-features-dll-sideloading/
 - https://github.com/xforcered/WFH
-- https://www.microsoft.com/en-us/download/details.aspx?id=105437 (HVCIScan Download)
+- https://www.microsoft.com/en-us/download/details.aspx?id=105437
 Acknowledgements:
 - Name: Chris Spehn
 Twitter: '@ConsciousHacker'