ArgusMonitor.sys

Description

ArgusMonitor.sys is the kernel driver for Argus Monitor, a hardware temperature monitoring and fan control application by Argotronic UG (Germany). The driver exposes 47 IOCTLs that hand any local user the following primitives:

  • Arbitrary physical memory read/write via MmMapIoSpace (32 mapping slots, up to 128 KB), plus a single-shot read primitive (busNum=0xFF) that bypasses the address restriction applied to the mapped path.
  • Unrestricted port I/O on any port 0x0000-0xFFFF.
  • PCI configuration space read/write via HalGetBusDataByOffset and HalSetBusDataByOffset.
  • MSR read/write gated by a whitelist that blocks IA32_LSTAR but still permits writes to IA32_MISC_ENABLE, whose XD Bit Disable flag (bit 34) turns off NX/XD system-wide.
  • I2C/SMBus access via MMIO bit-banging.

The device object is created with IoCreateDevice rather than IoCreateDeviceSecure, so no DACL restricts who may open it, and the IRP_MJ_CREATE handler returns STATUS_SUCCESS immediately with no caller validation. A handshake IOCTL accepts a user-chosen 0x200-byte XOR keypad that is applied to subsequent request payloads; sending all zeros effectively disables the XOR layer. The driver is WHQL-attestation signed with a Microsoft Windows Hardware Compatibility Publisher certificate that was valid at the driver's build time, and it loads on any x64 Windows system without the Argus Monitor software installed. A KASLR bypass has been confirmed by scanning physical memory for PE headers through the read primitive.
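Two pieces of user-mode logic a practitioner wants to see against the primitives listed above are the handshake XOR layer (and why a zero keypad neutralises it) and the physical-memory PE header scan used for the KASLR bypass. The C below is an added example written for this page, not code from Argotronic or from any published exploit: it does not reproduce the driver's device name, IOCTL codes or request buffer layouts (none of which this page gives), and the "physical memory" it scans is a constructed buffer standing in for bytes returned by the driver's read primitive. The PE validity checks (MZ, e_lfanew bounds, PE\0\0 signature, Machine 0x8664) and the page-granular scan are this example's own design.

```c
/* Added example for this page. Not Argotronic's driver code and not a
 * published exploit: the ArgusMonitor.sys IOCTL codes, device name and
 * buffer layouts are deliberately NOT reproduced. "Memory" below is a
 * constructed buffer that stands in for bytes the driver's physical-memory
 * read primitive would return. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KEYPAD_LEN 0x200   /* handshake keypad size stated in the description */
#define PAGE_SIZE  0x1000

/* Apply the handshake XOR layer: byte i of the payload is XORed with
 * keypad[i % 0x200]. An all-zero keypad maps every byte to itself, which
 * is why sending zeros in the handshake disables the layer entirely. */
void apply_keypad(uint8_t *buf, size_t len, const uint8_t keypad[KEYPAD_LEN]) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= keypad[i % KEYPAD_LEN];
}

/* Does a plausible x64 PE image start at p? Checks "MZ", that e_lfanew
 * stays inside the bytes we actually have (a header near the end of the
 * read window must not make us read past it), "PE\0\0", and Machine ==
 * IMAGE_FILE_MACHINE_AMD64 (0x8664). Little-endian host assumed. */
static int looks_like_x64_pe(const uint8_t *p, size_t avail) {
    if (avail < 0x40 || p[0] != 'M' || p[1] != 'Z') return 0;
    uint32_t e_lfanew;
    memcpy(&e_lfanew, p + 0x3c, 4);
    if (e_lfanew < 0x40 || e_lfanew > avail - 6) return 0;  /* need sig + Machine */
    if (memcmp(p + e_lfanew, "PE\0\0", 4) != 0) return 0;
    uint16_t machine;
    memcpy(&machine, p + e_lfanew + 4, 2);
    return machine == 0x8664;
}

/* Scan a window of physical memory page by page for a PE header and
 * return its physical address, or 0 if none is found. This is the
 * KASLR-bypass step the description refers to: locate ntoskrnl (or any
 * loaded image) by its header in physical memory instead of guessing a
 * virtual base. PE images are page-aligned, so only page starts are tested. */
uint64_t find_pe_in_window(uint64_t phys_base, const uint8_t *mem, size_t len) {
    for (size_t off = 0; off + 0x40 <= len; off += PAGE_SIZE) {
        if (looks_like_x64_pe(mem + off, len - off))
            return phys_base + off;
    }
    return 0;
}

/* Constructed test data (not a real dump): a window with a minimal x64 PE
 * header placed at page 2. Returns the offset of the planted header. */
size_t build_fake_window(uint8_t *mem, size_t len) {
    memset(mem, 0, len);
    uint8_t *img = mem + 2 * PAGE_SIZE;
    img[0] = 'M'; img[1] = 'Z';
    uint32_t e_lfanew = 0x80;
    memcpy(img + 0x3c, &e_lfanew, 4);
    memcpy(img + e_lfanew, "PE\0\0", 4);
    uint16_t machine = 0x8664;
    memcpy(img + e_lfanew + 4, &machine, 2);
    return 2 * PAGE_SIZE;
}

int main(void) {
    static uint8_t mem[4 * PAGE_SIZE];
    build_fake_window(mem, sizeof mem);
    /* Pretend the window was read from physical address 0x100000. */
    uint64_t hit = find_pe_in_window(0x100000ULL, mem, sizeof mem);
    printf("PE header found at physical 0x%llx\n", (unsigned long long)hit);

    uint8_t payload[4] = {0x41, 0x42, 0x43, 0x44};
    uint8_t zero_pad[KEYPAD_LEN] = {0};
    apply_keypad(payload, sizeof payload, zero_pad);
    printf("after zero keypad, payload[0] is still 0x%02x\n", payload[0]);
    return 0;
}
```

In a real chain the window handed to find_pe_in_window would come from the driver's read primitive one chunk at a time, and the hit would then be confirmed by walking the export table for known ntoskrnl exports before using it as a base; that confirmation is left out here because it needs the driver-specific read path.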

  • UUID: 08fbd284-7ad2-466d-b55f-6d5a7d07aca5
  • Created: 2026-04-10
  • Author: Michael Haag
  • Acknowledgement: Patrick Saif | @weezerOSINT

Download

This download link contains the vulnerable driver!


Commands

sc.exe create ArgusMonitor binPath= C:\windows\temp\ArgusMonitor.sys type= kernel && sc.exe start ArgusMonitor

Use Case: Elevate privileges
Privileges: kernel
Operating System: Windows 10

Detections

YARA 🏹
  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️
  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎
  • Block: on hashes
  • Alert: on hashes

Resources

  • https://github.com/magicsword-io/LOLDrivers/issues/297
  • https://www.argusmonitor.com/

Known Vulnerable Samples

    Filename: ArgusMonitor.sys
    Creation Timestamp: 2025-03-27 07:09:37
    MD5: 2b4c57b09ffd3bedfe33416eb78fddee
    SHA1: f1bf09e1932863e0e29cbdef2db5c5fe48b4015c
    SHA256: df9b2892498c68805fdc0fabb369f8bcf011e784898cb32fdc5d85f6123f1126
    Authentihash MD5: a944c88ef70fa8fe19f81881f5aae9e6
    Authentihash SHA1: 87688ce7d806c8dfd74e553b2e834de6cfecc985
    Authentihash SHA256: 8aa91af14c3af2a7491d07a24886d5750e28886d96b442cd60ac8ee1d144f961
    RichPEHeaderHash MD5: 85000c08f1f9102a4c1b95614f1751ef
    RichPEHeaderHash SHA1: f898d898512b1df21be94d442075d6333cd8a998
    RichPEHeaderHash SHA256: 9085a001626b4a177dce351502d8d067b09bb01897f05a4f8df74d029d015d65
    Company: Argotronic eGbR
    Description: Argus Monitor Hardware Access Driver
    Product: Argus Monitor Driver
    OriginalFilename: ArgusMonitor.sys

    Download

    Certificates

    Certificate 330000006e1229856f0ade6cfc00000000006e
      ToBeSigned (TBS) MD5: 3066a9830894e57ce6e47f7a6b58b84f
      ToBeSigned (TBS) SHA1: ce441ecd2f11e400515a85d5a592da38f950f3dc
      ToBeSigned (TBS) SHA256: 3e30a731a3b620db0971ecd743ecd312bcdf14c82b9bdc9918102bacbf70520d
      Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher
      ValidFrom: 2024-10-10 19:04:53
      ValidTo: 2025-10-08 19:04:53
      Signature: 3870e583035a72db64856d80e17833cd3badd24f19abf9a3d7c7485743dd875f69102820df4992d74f8fba0529be4e16f4234910064a3a1863299a29b82d3fac869915a368ec0e5d0127282221bce84db444d2e9974dc2761a2080a7bc7508d7064f32b2d97b0263d0d937527a8af95f18bcb54ec21a453ba35e55869791416a2a8813fcf95e889e65158dbb5b4cba653c989179947d286051ef6b0d56f41da479db08c6b93c44fa5c8399e126594cc53dfa756180607a1dd29559061d828b0ce2c5a462245ed0995a196ad96223b6eb1a787b4d10b5a7d4e3a130750103bc9c713fc8f32015273bb238b15aae25e4765d7ab81c5d3df82ef6a7d3c2e7a61dab024ff02df6876a86ec7198aa6e28c8e69a015129a717b1036113911f0aeefa8d05081974d026196f24bc1e4ef942599fafbd1b2c316bda73237f1822296888df2344c92b08c363976beb7020242b3069e6691f19e715e1d1a19ddc03235263c9bb7b8390145af57603105ced358f394547e3be96718835917234eb7fd7134d9fb605656717ed6b15f0583068c84c6c01abf31cc1df1fe7c4d2935590e6017cf8cc5635e1cd7054240fd0059f168e90ec1a49f24e0f050034d99e4aa6599a64d280d00ea8af57d3125caddb342a0b2c160a2f95d97e6045e69dc1c1b3fa56dfd40380ce60536a59750edf0069dc7c27f8ccc8f073b46d169b8fed1fd40ac6f00c
      SignatureAlgorithmOID: 1.2.840.113549.1.1.11
      IsCertificateAuthority: False
      SerialNumber: 330000006e1229856f0ade6cfc00000000006e
      Version: 3

    Certificate 330000000d690d5d7893d076df00000000000d
      ToBeSigned (TBS) MD5: 83f69422963f11c3c340b81712eef319
      ToBeSigned (TBS) SHA1: 0c5e5f24590b53bc291e28583acb78e5adc95601
      ToBeSigned (TBS) SHA256: d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae
      Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014
      ValidFrom: 2014-10-15 20:31:27
      ValidTo: 2029-10-15 20:41:27
      Signature: 96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f
      SignatureAlgorithmOID: 1.2.840.113549.1.1.11
      IsCertificateAuthority: True
      SerialNumber: 330000000d690d5d7893d076df00000000000d
      Version: 3

    Imports

    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    • KeWaitForSingleObject
    • IofCompleteRequest
    • IoCreateDevice
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • IoGetDeviceObjectPointer
    • ObfDereferenceObject
    • _vsnwprintf
    • KeGetCurrentIrql
    • KeLowerIrql
    • KfRaiseIrql
    • RtlCompareMemory
    • MmUnmapIoSpace
    • MmMapLockedPagesSpecifyCache
    • RtlCopyUnicodeString
    • ZwCreateFile
    • ZwQueryInformationFile
    • ZwReadFile
    • ZwClose
    • KeSetEvent
    • ZwSetInformationFile
    • ZwWriteFile
    • MmIsAddressValid
    • KeDelayExecutionThread
    • MmBuildMdlForNonPagedPool
    • MmUnmapLockedPages
    • IoAllocateMdl
    • IoFreeMdl
    • __C_specific_handler
    • RtlWriteRegistryValue
    • ZwOpenKey
    • ZwQueryValueKey
    • KeQueryTimeIncrement
    • ExAllocatePool2
    • ExFreePoolWithTag
    • ExSystemTimeToLocalTime
    • MmMapIoSpace
    • IoBuildDeviceIoControlRequest
    • IofCallDriver
    • RtlTimeToSecondsSince1970
    • KeInitializeEvent
    • RtlIsNtDdiVersionAvailable
    • RtlGetVersion
    • MmGetSystemRoutineAddress
    • RtlRandomEx
    • RtlInitUnicodeString
    • HalTranslateBusAddress
    • KeQueryPerformanceCounter
    • KeStallExecutionProcessor
    • HalGetBusDataByOffset
    • HalSetBusDataByOffset

    Exported Functions


    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .rsrc
    • .reloc

    Signature

    {
      "Certificates": [
        {
          "CertificateType": "Leaf (Code Signing)",
          "IsCA": false,
          "IsCertificateAuthority": false,
          "IsCodeSigning": true,
          "SerialNumber": "330000006e1229856f0ade6cfc00000000006e",
          "Signature": "3870e583035a72db64856d80e17833cd3badd24f19abf9a3d7c7485743dd875f69102820df4992d74f8fba0529be4e16f4234910064a3a1863299a29b82d3fac869915a368ec0e5d0127282221bce84db444d2e9974dc2761a2080a7bc7508d7064f32b2d97b0263d0d937527a8af95f18bcb54ec21a453ba35e55869791416a2a8813fcf95e889e65158dbb5b4cba653c989179947d286051ef6b0d56f41da479db08c6b93c44fa5c8399e126594cc53dfa756180607a1dd29559061d828b0ce2c5a462245ed0995a196ad96223b6eb1a787b4d10b5a7d4e3a130750103bc9c713fc8f32015273bb238b15aae25e4765d7ab81c5d3df82ef6a7d3c2e7a61dab024ff02df6876a86ec7198aa6e28c8e69a015129a717b1036113911f0aeefa8d05081974d026196f24bc1e4ef942599fafbd1b2c316bda73237f1822296888df2344c92b08c363976beb7020242b3069e6691f19e715e1d1a19ddc03235263c9bb7b8390145af57603105ced358f394547e3be96718835917234eb7fd7134d9fb605656717ed6b15f0583068c84c6c01abf31cc1df1fe7c4d2935590e6017cf8cc5635e1cd7054240fd0059f168e90ec1a49f24e0f050034d99e4aa6599a64d280d00ea8af57d3125caddb342a0b2c160a2f95d97e6045e69dc1c1b3fa56dfd40380ce60536a59750edf0069dc7c27f8ccc8f073b46d169b8fed1fd40ac6f00c",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
          "TBS": {
            "MD5": "3066a9830894e57ce6e47f7a6b58b84f",
            "SHA1": "ce441ecd2f11e400515a85d5a592da38f950f3dc",
            "SHA256": "3e30a731a3b620db0971ecd743ecd312bcdf14c82b9bdc9918102bacbf70520d",
            "SHA384": "68c6537d64e3a4f02a2c1d04257c13ab1def23c9c54bafc434176be50a411a75c118c9f8edc81f97b8a1db2dc1d009e3"
          },
          "ValidFrom": "2024-10-10 19:04:53",
          "ValidTo": "2025-10-08 19:04:53",
          "Version": 3
        },
        {
          "CertificateType": "CA",
          "IsCA": true,
          "IsCertificateAuthority": true,
          "IsCodeSigning": false,
          "SerialNumber": "330000000d690d5d7893d076df00000000000d",
          "Signature": "96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
          "TBS": {
            "MD5": "83f69422963f11c3c340b81712eef319",
            "SHA1": "0c5e5f24590b53bc291e28583acb78e5adc95601",
            "SHA256": "d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae",
            "SHA384": "260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63"
          },
          "ValidFrom": "2014-10-15 20:31:27",
          "ValidTo": "2029-10-15 20:41:27",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
          "SerialNumber": "330000006e1229856f0ade6cfc00000000006e",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    


    last_updated: 2026-04-14