LOLDrivers Database

Vulnerable and malicious Windows drivers database


Total Drivers: 1967
MVDB Passed: 241
Process Killer Drivers: 197
Showing 20 of 1967 drivers (Page 1 of 99)

Chaos-Rootkit.sys (x64)

HVCI Compatible
File Hashes
MD5: 9532893c1d358188d66b0d7b0784bb6b
SHA1: d022f5e3c1bba43871af254a16ab0e378ea66184
SHA256: 0ae8d1dd56a8a000ced74a627052933d2e9bff31d251de185b3c0c5fc94a44db
Description
Chaos-Rootkit is an x64 ring0 rootkit with process hiding, privilege escalation, and capabilities for protecting and unprotecting processes; it works on the latest Windows versions.
Category
vulnerable driver
Author
Michael Haag
Created Date
2023-06-05
Capacities
File Manipulator
Commands & Usage
Imported Functions (21)
Resources (1)

filnk.sys (x64)

HVCI Compatible PROCESS KILLER
File Hashes
MD5: 4b22e494ad2ac90c42f02dcca0328b7c
SHA1: 116decf4442c23766953d68f05a20c74924ca22e
SHA256: ae55a0e93e5ef3948adecf20fa55b0f555dcf40589917a5bfbaa732075f0cc12
Company
Filseclab Corporation
Description
Twister Antivirus, fildds.sys, DoS2 CVE-2023-1444: via IoControlCode 0x8011206B, a normal user can cause a DoS because the driver writes to a null address.
Category
vulnerable driver
Author
VirarK
Created Date
2024-06-20
Capacities
Process Killer Memory Manipulator Debug Bypass Registry Manipulator File Manipulator
Commands & Usage
Imported Functions (144)
Resources (1)

BS_I2cIo.sys (x64)

HVCI BLOCKED
File Hashes
MD5: 83601bbe5563d92c1fdb4e960d84dc77
SHA1: dc55217b6043d819eadebd423ff07704ee103231
SHA256: 55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a
Company
BIOSTAR Group
Description
I/O Interface driver file
Category
vulnerable driver
Author
Michael Haag
Created Date
2023-01-09
Capacities
Memory Manipulator File Manipulator
Commands & Usage
Imported Functions (16)
Resources (1)

TmComm.sys (x64)

HVCI BLOCKED PROCESS KILLER
File Hashes
MD5: 2e1f8a2a80221deb93496a861693c565
SHA1: a00e444120449e35641d58e62ed64bb9c9f518d2
SHA256: cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64
Company
Trend Micro Inc.
Description
TrendMicro Common Module
Category
vulnerable driver
Author
Michael Haag
Created Date
2023-01-09
Capacities
Process Killer Memory Manipulator Debug Bypass Registry Manipulator File Manipulator
Commands & Usage
Imported Functions (206)
Resources (1)

Truesight (x64)

HVCI BLOCKED PROCESS KILLER
File Hashes
MD5: f53fa44c7b591a2be105344790543369
SHA1: 363068731e87bcee19ad5cb802e14f9248465d31
SHA256: bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c
Company
Adlice Software
Description
This is a C# AV/EDR Killer using Rogue Anti-Malware Driver 3.3. This driver is not present in the loldrivers or Windows blocklist at the time of this writing. The only reason I'm making this public is because the company has already published a fix in version 3.4, and Microsoft will likely block this driver soon. This driver can be used in Windows 23H2 with HVCI enabled, loldrivers blocklist, or WDAC enabled. HVCI is designed to ensure the integrity of code executed in the kernel, but it cannot protect against all possible vulnerabilities or actions that can be performed through drivers or system interfaces.
Category
vulnerable driver
Author
ph4nt0mbyt3, Michael Haag
Created Date
2023-11-10
Capacities
Process Killer Memory Manipulator Debug Bypass Registry Manipulator File Manipulator
Commands & Usage
Imported Functions (74)
Resources (1)

gftkyj64.sys (x64)

HVCI Compatible
File Hashes
MD5: 04a88f5974caa621cee18f34300fc08a
SHA1: a804ebec7e341b4d98d9e94f6e4860a55ea1638d
SHA256: 9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c
Description
SentinelOne has observed prominent threat actors abusing legitimately signed Microsoft drivers in active intrusions into telecommunication, BPO, MSSP, and financial services businesses. Investigations into these intrusions led to the discovery of POORTRY and STONESTOP malware, part of a small toolkit designed to terminate AV and EDR processes. We first reported our discovery to Microsoft’s Security Response Center (MSRC) in October 2022 and received an official case number (75361). Today, MSRC released an associated advisory under ADV220005. This research is being released alongside Mandiant, a SentinelOne technology and incident response partner.
Category
malicious
Author
Michael Haag
Created Date
2023-03-04
Capacities
Memory Manipulator File Manipulator
Commands & Usage
Imported Functions (26)
Resources (1)

WinIo64A.sys

HVCI BLOCKED
File Hashes
SHA1: 0c74d09da7baf7c05360346e4c3512d0cd433d59
Category
vulnerable driver
Author
Michael Haag
Created Date
2023-01-09
Commands & Usage
Imported Functions
No Imported Functions
Resources (1)

ADV64DRV.sys (x64)

HVCI BLOCKED
File Hashes
MD5: 778b7feea3c750d44745d3bf294bd4ce
SHA1: 2261198385d62d2117f50f631652eded0ecc71db
SHA256: 04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162
Company
FUJITSU LIMITED.
Category
vulnerable driver
Author
Michael Haag
Created Date
2023-01-09
Capacities
Memory Manipulator File Manipulator
Commands & Usage
Imported Functions (13)
Resources (1)

sysconp.sys (x64)

HVCI BLOCKED
File Hashes
MD5: bc1eeb4993a601e6f7776233028ac095
SHA1: 0e1df95042081fa2408782f14ce483f0db19d5ab
SHA256: dba8db472e51edd59f0bbaf4e09df71613d4dd26fd05f14a9bc7e3fc217a78aa
Description
The Carbon Black Threat Analysis Unit (TAU) discovered 34 unique vulnerable drivers (237 file hashes) accepting firmware access. Six allow kernel memory access. All give full control of the devices to non-admin users. By exploiting the vulnerable drivers, an attacker without the system privilege may erase/alter firmware, and/or elevate privileges. As of the time of writing in October 2023, the filenames of the vulnerable drivers have not been made public until now.
Category
vulnerable driver
Author
Takahiro Haruyama
Created Date
2023-11-02
Capacities
Memory Manipulator Registry Manipulator File Manipulator
Commands & Usage
Imported Functions (30)
Resources (1)

sysconp.sys (x64)

HVCI BLOCKED
File Hashes
MD5: a2be99e4904264baa5649c4d4cd13a17
SHA1: ec1eafb87340b18c7ef3bc349fed1ddd5d3678f6
SHA256: df4c02beb039d15ff0c691bbc3595c9edfc1d24e783c8538a859bc5ea537188d
Description
The Carbon Black Threat Analysis Unit (TAU) discovered 34 unique vulnerable drivers (237 file hashes) accepting firmware access. Six allow kernel memory access. All give full control of the devices to non-admin users. By exploiting the vulnerable drivers, an attacker without the system privilege may erase/alter firmware, and/or elevate privileges. As of the time of writing in October 2023, the filenames of the vulnerable drivers have not been made public until now.
Category
vulnerable driver
Author
Takahiro Haruyama
Created Date
2023-11-02
Capacities
Memory Manipulator Registry Manipulator File Manipulator
Commands & Usage
Imported Functions (30)
Resources (1)

AsrDrv.sys (x64)

HVCI Compatible
File Hashes
MD5: 4f27c09cc8680e06b04d6a9c34ca1e08
SHA1: 400f833dcc2ef0a122dd0e0b1ec4ec929340d90e
SHA256: 950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9
Company
ASRock Incorporation
Description
ASRock IO Driver
Category
vulnerable driver
Author
Michael Haag
Created Date
2023-01-09
Capacities
Memory Manipulator File Manipulator
Commands & Usage
Imported Functions (22)
Resources (1)

nt6.sys

HVCI BLOCKED
File Hashes
SHA256: 15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229
Category
vulnerable driver
Author
Michael Haag
Created Date
2023-01-09
Commands & Usage
Imported Functions
No Imported Functions
Resources (1)

driver_4fc254af.sys (x64)

HVCI Compatible
File Hashes
MD5: 7cd54df7962a91032a643f152a79cd19
SHA1: 261f76e625b0bc71a2cbf1e4b451555c2feeb959
SHA256: 4fc254af8ebfa6fc1050f65c17015b39b36693b58f029c2fa1873976cbca52df
Description
Sophos, from time to time, has observed a threat actor deploy variants of Poortry on different machines within a single estate during an attack. These variants contain the same payload, but signed with a different certificate than the driver first seen used during the attack.
Category
malicious
Author
Michael Haag
Created Date
2024-09-10
Capacities
File Manipulator
Commands & Usage
Imported Functions (31)
Resources (1)

WinRing0.sys (x64)

HVCI BLOCKED
File Hashes
MD5: 828bb9cb1dd449cd65a29b18ec46055f
SHA1: 558aad879b6a47d94a968f39d0a4e3a3aaef1ef1
SHA256: 3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8
Company
OpenLibSys.org
Description
WinRing0
Category
vulnerable driver
Author
Michael Haag
Created Date
2023-01-09
Capacities
Memory Manipulator File Manipulator
Commands & Usage
Imported Functions (12)
Resources (2)

WinRing0.sys (x64)

HVCI BLOCKED
File Hashes
MD5: 12cecc3c14160f32b21279c1a36b8338
SHA1: 7fb52290883a6b69a96d480f2867643396727e83
SHA256: 47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84
Company
OpenLibSys.org
Description
WinRing0
Category
vulnerable driver
Author
Michael Haag
Created Date
2023-01-09
Capacities
Memory Manipulator File Manipulator
Commands & Usage
Imported Functions (12)
Resources (2)

WinRing0.sys (x64)

HVCI Compatible
File Hashes
MD5: 27bcbeec8a466178a6057b64bef66512
SHA1: 012db3a80faf1f7f727b538cbe5d94064e7159de
SHA256: a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062
Company
OpenLibSys.org
Description
WinRing0
Category
vulnerable driver
Author
Michael Haag
Created Date
2023-01-09
Capacities
Memory Manipulator File Manipulator
Commands & Usage
Imported Functions (12)
Resources (2)

WinRing0.sys (x64)

HVCI BLOCKED
File Hashes
MD5: 0c0195c48b6b8582fa6f6373032118da
SHA1: d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA256: 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
Company
OpenLibSys.org
Description
WinRing0
Category
vulnerable driver
Author
Michael Haag
Created Date
2023-01-09
Capacities
Memory Manipulator File Manipulator
Commands & Usage
Imported Functions (12)
Resources (2)

idmtdi.sys (x64)

HVCI Compatible PROCESS KILLER
File Hashes
MD5: 41d7ebdb73b4bf2a063ae430e33bc164
SHA1: 4ebbaa7e0820e453ca82dab25bf8acde4ba87df2
SHA256: 77225a99b2e0e2b4007fb2f5a96d356e13deab45b9ef54c175d5452de8a211a7
Company
Tonec Inc.
Description
Sophos, from time to time, has observed a threat actor deploy variants of Poortry on different machines within a single estate during an attack. These variants contain the same payload, but signed with a different certificate than the driver first seen used during the attack.
Category
malicious
Author
Michael Haag
Created Date
2024-09-10
Capacities
Process Killer Memory Manipulator File Manipulator
Commands & Usage
Imported Functions (54)
Resources (1)

cpuz.sys (x32)

HVCI BLOCKED
File Hashes
MD5: a89ca92145fc330adced0dd005421183
SHA1: e33eac9d3b9b5c0db3db096332f059bf315a2343
SHA256: 0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f
Company
CPUID
Description
CPUID Driver
Category
vulnerable driver
Author
Nasreddine Bencherchali
Created Date
2023-05-06
Capacities
Memory Manipulator File Manipulator
Commands & Usage
Imported Functions (35)

cpuz.sys (x32)

HVCI BLOCKED
File Hashes
MD5: 26ce59f9fc8639fd7fed53ce3b785015
SHA1: 2bf6b88b84d27cdf0699d6d18b08a1b36310cdd1
SHA256: 11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b
Company
CPUID
Description
CPUID Driver
Category
vulnerable driver
Author
Nasreddine Bencherchali
Created Date
2023-05-06
Capacities
Memory Manipulator File Manipulator
Commands & Usage
Imported Functions (34)

Special Thanks

This database is based on the amazing work from the LOLDrivers.io project and its contributors.

Source & Contributors

Original project: magicsword-io/LOLDrivers

This project: didntchooseaname/loldrivers-database

This is an independent interface for educational and research purposes.