
LOLDrivers Database

Vulnerable and malicious Windows drivers database

Total Drivers: 2134
MVDB Passed: 328
Process Killer Drivers: 245

Showing 20 of 2134 drivers (Page 1 of 107)

PhantomKiller

x64

LENOVO · 2018-01-03

MVDB PASSED
FEATURED KILLER
PROCESS KILLER

Description: PhantomKiller is the newly released, featured process-killer variant based on Lenovo BootRepair.sys. It is tracked separately from the base BootRepair entry: the project ships it as PhantomKiller.sys, while the underlying vulnerable driver lineage is BootRepair.sys from Lenovo PC Manager. The driver exposes \\.\BootRepair without secure DACL restrictions and accepts IOCTL 0x222014 with a 4-byte PID, then calls PsLookupProcessByProcessId, ObOpenObjectByPointer, and ZwTerminateProcess to terminate protected EDR/AV processes.

Process Killer

Operating System

Windows x64

Privileges

Driver load requires administrative privileges; an already loaded driver can be abused by a low-privileged user according to the project README.

Use Case

BYOVD process termination against EDR/AV protected processes.

Command

Terminal
sc.exe create PhantomKiller binPath="C:\Path\to\PhantomKiller.sys" type=kernel
sc.exe start PhantomKiller
PhantomKiller.exe <pid>
github.com/redteamfortress/PhantomKiller
github.com/redteamfortress/PhantomKiller/releases/tag/v1.0.0
github.com/redteamfortress/PhantomKiller/releases/downloa...
github.com/redteamfortress/PhantomKiller/raw/refs/heads/m...
medium.com/@jehadbudagga/phantom-killer-reverse-engineeri...

biontdrv.sys

x64

Paragon Software GmbH · 2025-03-02

MVDB BLOCKED
EXPIRED CERTIFICATE

Description: Microsoft has identified five security flaws in the Paragon Partition Manager BioNTdrv.sys driver, one of which was exploited by ransomware gangs in zero-day attacks to gain SYSTEM privileges on Windows systems. These vulnerabilities, found in BioNTdrv.sys versions 1.3.0 and 1.5.1, enable attackers to escalate their privileges to SYSTEM, a higher access level than standard administrator permissions.

Memory Manipulator
File Manipulator

Operating System

Windows 10

Privileges

kernel

Use Case

Elevate privileges

Command

Terminal
sc.exe create BioNTdrv.sys binPath=C:\windows\temp\BioNTdrv.sys type=kernel && sc.exe start BioNTdrv.sys
www.sdxcentral.com/alerts/paragon-partition-manager-drive...
www.bleepingcomputer.com/news/security/ransomware-gangs-e...
paragon-software.zendesk.com/hc/en-us/articles/3299390273...

biontdrv.sys

x64

Paragon Software GmbH · 2025-03-02

MVDB PASSED
VALID CERTIFICATE

Description: Microsoft has identified five security flaws in the Paragon Partition Manager BioNTdrv.sys driver, one of which was exploited by ransomware gangs in zero-day attacks to gain SYSTEM privileges on Windows systems. These vulnerabilities, found in BioNTdrv.sys versions 1.3.0 and 1.5.1, enable attackers to escalate their privileges to SYSTEM, a higher access level than standard administrator permissions.

Memory Manipulator
File Manipulator

Operating System

Windows 10

Privileges

kernel

Use Case

Elevate privileges

Command

Terminal
sc.exe create BioNTdrv.sys binPath=C:\windows\temp\BioNTdrv.sys type=kernel && sc.exe start BioNTdrv.sys
www.sdxcentral.com/alerts/paragon-partition-manager-drive...
www.bleepingcomputer.com/news/security/ransomware-gangs-e...
paragon-software.zendesk.com/hc/en-us/articles/3299390273...

SBIOSIO64.sys

x32

Windows (R) Win 7 DDK provider · 2023-11-02

MVDB BLOCKED
EXPIRED CERTIFICATE

Description: The Carbon Black Threat Analysis Unit (TAU) discovered 34 unique vulnerable drivers (237 file hashes) accepting firmware access. Six allow kernel memory access. All give full control of the devices to non-admin users. By exploiting the vulnerable drivers, an attacker without system privileges may erase or alter firmware and/or elevate privileges. As of the time of writing in October 2023, the filenames of the vulnerable drivers have not been made public until now.

Memory Manipulator
File Manipulator

Operating System

Windows 10

Privileges

kernel

Use Case

Elevate privileges

Command

Terminal
sc.exe create SBIOSIO64sys binPath= C:\windows\temp\SBIOSIO64sys.sys type=kernel && sc.exe start SBIOSIO64sys
blogs.vmware.com/security/2023/10/hunting-vulnerable-kern...

SBIOSIO64.sys

x64

Windows (R) Win 7 DDK provider · 2023-11-02

MVDB BLOCKED
EXPIRED CERTIFICATE

Description: The Carbon Black Threat Analysis Unit (TAU) discovered 34 unique vulnerable drivers (237 file hashes) accepting firmware access. Six allow kernel memory access. All give full control of the devices to non-admin users. By exploiting the vulnerable drivers, an attacker without system privileges may erase or alter firmware and/or elevate privileges. As of the time of writing in October 2023, the filenames of the vulnerable drivers have not been made public until now.

Memory Manipulator
File Manipulator

Operating System

Windows 10

Privileges

kernel

Use Case

Elevate privileges

Command

Terminal
sc.exe create SBIOSIO64sys binPath= C:\windows\temp\SBIOSIO64sys.sys type=kernel && sc.exe start SBIOSIO64sys
blogs.vmware.com/security/2023/10/hunting-vulnerable-kern...

SBIOSIO64.sys

x64

Windows (R) Win 7 DDK provider · 2023-11-02

MVDB BLOCKED
EXPIRED CERTIFICATE

Description: The Carbon Black Threat Analysis Unit (TAU) discovered 34 unique vulnerable drivers (237 file hashes) accepting firmware access. Six allow kernel memory access. All give full control of the devices to non-admin users. By exploiting the vulnerable drivers, an attacker without system privileges may erase or alter firmware and/or elevate privileges. As of the time of writing in October 2023, the filenames of the vulnerable drivers have not been made public until now.

Memory Manipulator
File Manipulator

Operating System

Windows 10

Privileges

kernel

Use Case

Elevate privileges

Command

Terminal
sc.exe create SBIOSIO64sys binPath= C:\windows\temp\SBIOSIO64sys.sys type=kernel && sc.exe start SBIOSIO64sys
blogs.vmware.com/security/2023/10/hunting-vulnerable-kern...

SBIOSIO64.sys

x32

Windows (R) Win 7 DDK provider · 2023-11-02

MVDB BLOCKED
EXPIRED CERTIFICATE

Description: The Carbon Black Threat Analysis Unit (TAU) discovered 34 unique vulnerable drivers (237 file hashes) accepting firmware access. Six allow kernel memory access. All give full control of the devices to non-admin users. By exploiting the vulnerable drivers, an attacker without system privileges may erase or alter firmware and/or elevate privileges. As of the time of writing in October 2023, the filenames of the vulnerable drivers have not been made public until now.

Memory Manipulator
File Manipulator

Operating System

Windows 10

Privileges

kernel

Use Case

Elevate privileges

Command

Terminal
sc.exe create SBIOSIO64sys binPath= C:\windows\temp\SBIOSIO64sys.sys type=kernel && sc.exe start SBIOSIO64sys
blogs.vmware.com/security/2023/10/hunting-vulnerable-kern...

LgCoreTemp.sys

x64

Logitech · 2023-04-15

MVDB PASSED
EXPIRED CERTIFICATE

Description: CPU Core Temperature Monitor

File Manipulator

Operating System

Windows 10

Privileges

kernel

Use Case

Denial of Service

Command

Terminal
sc.exe create LgCoreTemp.sys binPath=C:\windows\temp\LgCoreTemp.sys type=kernel && sc.exe start LgCoreTemp.sys
github.com/VoidSec/Exploit-Development/tree/b82b6d3ac1cce...

LgCoreTemp.sys

x32

Logitech · 2023-04-15

MVDB BLOCKED
EXPIRED CERTIFICATE

Description: CPU Core Temperature Monitor

File Manipulator

Operating System

Windows 10

Privileges

kernel

Use Case

Denial of Service

Command

Terminal
sc.exe create LgCoreTemp.sys binPath=C:\windows\temp\LgCoreTemp.sys type=kernel && sc.exe start LgCoreTemp.sys
github.com/VoidSec/Exploit-Development/tree/b82b6d3ac1cce...

nt3.sys

2023-01-09

Operating System

Windows 10

Privileges

kernel

Use Case

Elevate privileges

Command

Terminal
sc.exe create nt3.sys binPath=C:\windows\temp\nt3.sys type=kernel && sc.exe start nt3.sys
Imported Functions

No imported functions

learn.microsoft.com/en-us/windows/security/threat-protect...

CmUpx

x64

Realtek Semiconductor Corp. · 2026-04-17

MVDB PASSED
VALID CERTIFICATE

Description: CmUpx.sys is a vulnerable kernel driver from the KeServiceDescriptorTable/vulnerable-drivers repository. The driver exposes dangerous kernel primitives to usermode.

Memory Manipulator
File Manipulator

Operating System

Windows 10

Privileges

kernel

Use Case

Elevate privileges

Command

Terminal
sc.exe create CmUpx binPath=C:\windows\temp\CmUpx.sys type=kernel && sc.exe start CmUpx
github.com/magicsword-io/LOLDrivers/issues/325
github.com/KeServiceDescriptorTable/vulnerable-drivers

My.sys

2023-01-09

Operating System

Windows 10

Privileges

kernel

Use Case

Elevate privileges

Command

Terminal
sc.exe create My.sys binPath=C:\windows\temp\My.sys type=kernel && sc.exe start My.sys
Imported Functions

No imported functions

learn.microsoft.com/en-us/windows/security/threat-protect...

WinFlash64.sys

x64

2023-01-09

MVDB BLOCKED
EXPIRED CERTIFICATE
Memory Manipulator
File Manipulator

Operating System

Windows 10

Privileges

kernel

Use Case

Elevate privileges

Command

Terminal
sc.exe create WinFlash64.sys binPath=C:\windows\temp\WinFlash64.sys type=kernel && sc.exe start WinFlash64.sys
github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

TRIXX.sys

x64

2026-04-07

MVDB PASSED
VALID CERTIFICATE

Description: TRIXX.sys is a shared utility kernel driver distributed by TechPowerUp LLC with Sapphire TRIXX and GPU-Z. The driver provides completely unrestricted hardware access from usermode through 16+ IOCTLs with zero validation on hardware parameters, including arbitrary port I/O read/write, arbitrary PCI configuration space read/write via HalGetBusDataByOffset/HalSetBusDataByOffset, MMIO BAR mapping via MmMapIoSpace, and MMIO read/write through mapped BARs. Physical memory read/write is achievable by remapping a PCI device BAR to a target physical address then mapping it via MmMapIoSpace. The driver creates its device dynamically based on the Windows service name and has no hardware dependency, loading on any x64 Windows system. TechPowerUp has a history of vulnerable kernel drivers including GPU-Z.sys (CVE-2019-7245, CVE-2025-5324) and ThrottleStop.sys (CVE-2025-7771) which expose the same MmMapIoSpace primitive. Fresh EV code signing certificate valid until April 2028 with zero AV detections.

Memory Manipulator
Registry Manipulator
File Manipulator

Operating System

Windows 10

Privileges

kernel

Use Case

Elevate privileges

Command

Terminal
sc.exe create TRIXX binPath=C:\windows\temp\TRIXX.sys type=kernel && sc.exe start TRIXX
github.com/magicsword-io/LOLDrivers/issues/291
github.com/magicsword-io/LOLDrivers/issues/320

TRIXX.sys

x32

2026-04-07

MVDB PASSED
VALID CERTIFICATE

Description: TRIXX.sys is a shared utility kernel driver distributed by TechPowerUp LLC with Sapphire TRIXX and GPU-Z. The driver provides completely unrestricted hardware access from usermode through 16+ IOCTLs with zero validation on hardware parameters, including arbitrary port I/O read/write, arbitrary PCI configuration space read/write via HalGetBusDataByOffset/HalSetBusDataByOffset, MMIO BAR mapping via MmMapIoSpace, and MMIO read/write through mapped BARs. Physical memory read/write is achievable by remapping a PCI device BAR to a target physical address then mapping it via MmMapIoSpace. The driver creates its device dynamically based on the Windows service name and has no hardware dependency, loading on any x64 Windows system. TechPowerUp has a history of vulnerable kernel drivers including GPU-Z.sys (CVE-2019-7245, CVE-2025-5324) and ThrottleStop.sys (CVE-2025-7771) which expose the same MmMapIoSpace primitive. Fresh EV code signing certificate valid until April 2028 with zero AV detections.

Memory Manipulator
Registry Manipulator
File Manipulator

Operating System

Windows 10

Privileges

kernel

Use Case

Elevate privileges

Command

Terminal
sc.exe create TRIXX binPath=C:\windows\temp\TRIXX.sys type=kernel && sc.exe start TRIXX
github.com/magicsword-io/LOLDrivers/issues/291
github.com/magicsword-io/LOLDrivers/issues/320

TRIXX.sys

x32

2026-04-07

MVDB BLOCKED
EXPIRED CERTIFICATE

Description: TRIXX.sys is a shared utility kernel driver distributed by TechPowerUp LLC with Sapphire TRIXX and GPU-Z. The driver provides completely unrestricted hardware access from usermode through 16+ IOCTLs with zero validation on hardware parameters, including arbitrary port I/O read/write, arbitrary PCI configuration space read/write via HalGetBusDataByOffset/HalSetBusDataByOffset, MMIO BAR mapping via MmMapIoSpace, and MMIO read/write through mapped BARs. Physical memory read/write is achievable by remapping a PCI device BAR to a target physical address then mapping it via MmMapIoSpace. The driver creates its device dynamically based on the Windows service name and has no hardware dependency, loading on any x64 Windows system. TechPowerUp has a history of vulnerable kernel drivers including GPU-Z.sys (CVE-2019-7245, CVE-2025-5324) and ThrottleStop.sys (CVE-2025-7771) which expose the same MmMapIoSpace primitive. Fresh EV code signing certificate valid until April 2028 with zero AV detections.

Memory Manipulator
File Manipulator

Operating System

Windows 10

Privileges

kernel

Use Case

Elevate privileges

Command

Terminal
sc.exe create TRIXX binPath=C:\windows\temp\TRIXX.sys type=kernel && sc.exe start TRIXX
github.com/magicsword-io/LOLDrivers/issues/291
github.com/magicsword-io/LOLDrivers/issues/320

TPwSav.sys

x64

Compal Electronic, Inc. · 2025-01-31

MVDB BLOCKED
EXPIRED CERTIFICATE

Description: A driver associated with Toshiba laptop power-saving functionality allows arbitrary one-byte reads and writes of mapped physical addresses. Blackpoint Cyber's SOC observed this driver being used as part of a custom EDRSandblast malware to blind EDR prior to Qilin ransomware deployment.

Memory Manipulator
File Manipulator

Operating System

Windows

Privileges

kernel

Use Case

Elevate privileges, Blind EDR

Command

Terminal
sc.exe create TPwSav.sys binPath=C:\windows\temp\TPwSav.sys type=kernel && sc.exe start TPwSav.sys
blackpointcyber.com/resources/blog/qilin-ransomware-and-t...

bwrsh.sys

2023-01-09

Operating System

Windows 10

Privileges

kernel

Use Case

Elevate privileges

Command

Terminal
sc.exe create bwrsh.sys binPath=C:\windows\temp\bwrsh.sys type=kernel && sc.exe start bwrsh.sys
Imported Functions

No imported functions

learn.microsoft.com/en-us/windows/security/threat-protect...

rtcoremini64.sys

x64

2023-07-22

MVDB BLOCKED
VALID CERTIFICATE

Description: Confirmed vulnerable driver from Microsoft Block List

Memory Manipulator
Registry Manipulator
File Manipulator

Operating System

Windows

Privileges

kernel

Use Case

Elevate privileges

gist.github.com/mgraeber-rc/1bde6a2a83237f17b463d051d32e802c

vmdrv.sys

x64

Windows (R) Win 7 DDK provider · 2023-05-06

MVDB BLOCKED
VALID CERTIFICATE

Description: Voicemod Virtual Audio Device (WDM)

Memory Manipulator
File Manipulator

Operating System

Windows 10

Privileges

kernel

Use Case

Elevate privileges

Command

Terminal
sc.exe create vmdrv.sys binPath=C:\windows\temp\vmdrv.sys type=kernel && sc.exe start vmdrv.sys

Special Thanks

This database is based on the amazing work from the LOLDrivers.io project and its contributors.

Source & Contributors

Original project: magicsword-io/LOLDrivers

This project: didntchooseaname/loldrivers-database

Independent interface for educational and research purposes.