1e69f91e-4ec5-4c6a-b4a4-2279808b6545
gibepext.sys 
Description
gibepext.sys is a vulnerable kernel driver from the KeServiceDescriptorTable/vulnerable-drivers repository. The driver exposes dangerous kernel primitives to usermode.
- UUID: 1e69f91e-4ec5-4c6a-b4a4-2279808b6545
- Created: 2026-04-17
- Author: Michael Haag
- Acknowledgement: | [@rainbowdynamix, @DbgPrint](https://twitter.com/@rainbowdynamix, @DbgPrint)
This download link contains the vulnerable driver!
Block gibepext.sys across your endpoints
Add this driver to your block policy in minutes with MagicSword, threat-driven application control. Free for up to 100 endpoints.
Start Blocking for FreeCommands
sc.exe create gibepext binPath=C:\windows\temp\gibepext.sys type=kernel && sc.exe start gibepext
| Use Case | Privileges | Operating System |
|---|---|---|
| Elevate privileges | kernel | Windows 10 |
Detections
YARA 🏹
Expand
with header and size limitation
without header and size limitation
for renamed driver files
Resources
Known Vulnerable Samples
| Property | Value |
|---|---|
| Filename | gibepext.sys |
| Creation Timestamp | 2022-10-28 03:44:40 |
| MD5 | 98b2adeb673ec8dfd390af389c32513f |
| SHA1 | 0e6f6c0ff3b3146e7c82615869327d0a8d29fab4 |
| SHA256 | 912ee11b2ea9d30519f56735e8a4720101bcacd077c6634cf32eb228b2d96e13 |
| Authentihash MD5 | 827ddc66b64293dc87140d228f892258 |
| Authentihash SHA1 | 06207fcb4c90d84877410e334b2fe77fa151d5ea |
| Authentihash SHA256 | 59dca87987273c41d84a4da4c67dc05ba1d560c683bd4d9405e003fb81db6a9b |
| RichPEHeaderHash MD5 | 8b470376b1d70f44fae33e7ab02ce66a |
| RichPEHeaderHash SHA1 | efa11dcdde7cadec804491f1bec2a1f552895fbc |
| RichPEHeaderHash SHA256 | befc2a8d9e6e21065f5024d4ea18d71cdafb155612cceddcbc74206252901c76 |
| Company | Group-IB LTD. |
| Description | Group-IB THF Huntpoint |
| Product | Group-IB THF Huntpoint |
| OriginalFilename | gibepext.sys |
Certificates
Expand
Certificate 33000000dc341a520fbbcf3d8c0000000000dc
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | a3320406647f4541c4f8e731342ced04 |
| ToBeSigned (TBS) SHA1 | 73f33ada4ceacbc289cffac339cdb36a01773a23 |
| ToBeSigned (TBS) SHA256 | 4e21391a41bf00d507b1ec6ea2a71fe57c28b022ec0c504b19f9e608c6b2acb5 |
| Subject | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher |
| ValidFrom | 2022-03-10 19:58:05 |
| ValidTo | 2023-03-08 19:58:05 |
| Signature | 61b21fe5891421228f4bf81ef5a09005d450860e55d2013253f0c9240631c08e1643156b71e60bf9c78b9b116227cece4cf769c69e06b306614cecfb421e11b46f3074bff1e8a57925aa145c7b18b812899908db232437f0f44d4861544a96ee3e40b02935659e281c2ffc5cb04e92eb6db56bd35a919227430ee72019c2d2f0deb3f8d0b66b213367d42311bbd559b20ece3a2f8966c6b76ebfc8452fb4ab79d5c4734cb35d639838a73d65626d0a9bb512eeba084ece0f8deb229cfb98d43bcdec5575792f7af71698c4618db5b2723d39ffee829b00a96b14f74edd560449b040a7611f7e1b16d9d3763501bec9c483a73e63f191d26b2902d879c0612040 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | False |
| SerialNumber | 33000000dc341a520fbbcf3d8c0000000000dc |
| Version | 3 |
Certificate 610baac1000000000009
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | a569061297e8e824767dbc3184a69bea |
| ToBeSigned (TBS) SHA1 | adbb26a587a8f44b4fccaecb306f980d1c55a150 |
| ToBeSigned (TBS) SHA256 | cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46 |
| Subject | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012 |
| ValidFrom | 2012-04-18 23:48:38 |
| ValidTo | 2027-04-18 23:58:38 |
| Signature | 5a8a67daccd5fd0d264177bf0a4678b4b3de12692b7723c2652f015fd203f461ba509d2e8c3972f36c3e6ab11e766decb7f382dcccbbc56970287366173f54ebee011648c446d91b80ae813a8d0f796d68b09eea2d3f39d3ca387ebd5e7c086e19dcc6c2f438336861e2524783e1000156d2bacb878205310a418b4ee77f5f5fed5fd3392d45eba213bffd1ec298417161165fc80a70257c59693124e471e70abb0417f79f721ec9d2bb1abe3d02fe090cb243b4591a99539396215fe0d6b72601429536ac27fdbef48577683d18bdf4be98882211865216f345ec0397107087a37043713cdbc98603170cf5735bc67de15c64edd7c548d7ed32e2d1aad3cfa7f6574e61f977eb67f288b3de00da038fd08a34373e1dd862b8d2b1f3e12f8b723b81967c6ffcec667672601b24f2a0896d5b6d002eef28dd868705c2b4b9e5be64c22af24a155c98e2c42785ff52e3627e0fb2020bd766c70ab2d33d200414503259830a7d9bed5a38120152ba2f5e20728e4af1fde771028c3be107bec973f4dd47d8b4efb4a4b330b9893e76cab90098567eabea8ab8a5d038ab6977130b142fe9aa411ff7babd3a2b348aee0aab63e663f788248e200d2b3b9de3c24952ac9f1f0e393b5dd46e506ae67d523aaa7c3315290d265e0158a74ea93d7a846f743f609fe4324f3600af6d71d33ea646655f8174f1fec171da4ca0415a82ddf11f |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | True |
| SerialNumber | 610baac1000000000009 |
| Version | 3 |
Imports
Expand
- ntoskrnl.exe
- FLTMGR.SYS
- ksecdd.sys
Imported Functions
Expand
- ExDeleteResourceLite
- wcsnlen
- RtlCompareUnicodeString
- KeInitializeCrashDumpHeader
- KeWaitForSingleObject
- ExFreePoolWithTag
- PsCreateSystemThread
- IoCreateFile
- ObReferenceObjectByHandle
- ObfDereferenceObject
- ZwCreateFile
- ZwQueryInformationFile
- ZwReadFile
- ZwWriteFile
- ZwClose
- ZwOpenSection
- ZwMapViewOfSection
- ZwUnmapViewOfSection
- RtlPrefixUnicodeString
- MmGetPhysicalMemoryRanges
- MmIsAddressValid
- ZwOpenProcess
- IoQueryFileDosDeviceName
- ObOpenObjectByPointer
- ZwFsControlFile
- ZwDuplicateObject
- sprintf_s
- ObGetObjectType
- ZwQuerySystemInformation
- KeCapturePersistentThreadState
- DbgPrintEx
- IoDeleteDevice
- KeBugCheckEx
- MmGetSystemRoutineAddress
- ExAcquireResourceExclusiveLite
- IoCreateDevice
- ZwSetSecurityObject
- IoDeviceObjectType
- _snwprintf
- RtlLengthSecurityDescriptor
- SeCaptureSecurityDescriptor
- RtlCreateSecurityDescriptor
- RtlSetDaclSecurityDescriptor
- RtlAbsoluteToSelfRelativeSD
- IoIsWdmVersionAvailable
- SeExports
- wcschr
- _wcsnicmp
- ExAllocatePoolWithTag
- RtlLengthSid
- RtlAddAccessAllowedAce
- RtlGetSaclSecurityDescriptor
- RtlGetDaclSecurityDescriptor
- RtlGetGroupSecurityDescriptor
- RtlGetOwnerSecurityDescriptor
- ZwOpenKey
- ZwCreateKey
- ZwQueryValueKey
- ZwSetValueKey
- RtlFreeUnicodeString
- ExQueryDepthSList
- ExpInterlockedPopEntrySList
- ExpInterlockedPushEntrySList
- RtlEqualUnicodeString
- RtlCopyUnicodeString
- RtlAppendUnicodeStringToString
- RtlUnicodeToUTF8N
- ExInitializeResourceLite
- RtlGetVersion
- KeInitializeEvent
- KeReadStateEvent
- KeSetEvent
- KeDelayExecutionThread
- ObfReferenceObject
- ZwOpenKeyEx
- ObQueryNameString
- FsRtlGetFileSize
- ZwQueryDirectoryFile
- _vsnprintf
- _vsnwprintf
- KeLeaveCriticalRegion
- KeEnterCriticalRegion
- __C_specific_handler
- PsDereferencePrimaryToken
- PsReferencePrimaryToken
- SeTokenIsAdmin
- MmGetPhysicalAddress
- IoGetCurrentProcess
- IoDeleteSymbolicLink
- IoCreateSymbolicLink
- IofCompleteRequest
- MmUnmapIoSpace
- MmMapIoSpace
- ZwQueryInformationThread
- IoFileObjectType
- PsThreadType
- KeInitializeDpc
- KeFlushQueuedDpcs
- KeInitializeTimerEx
- KeCancelTimer
- KeSetTimerEx
- ExInitializeNPagedLookasideList
- ExDeleteNPagedLookasideList
- ExInitializePagedLookasideList
- ExDeletePagedLookasideList
- ExAcquireSpinLockExclusive
- ExReleaseSpinLockExclusive
- InitializeSListHead
- ExpInterlockedFlushSList
- MmMapLockedPagesSpecifyCache
- PsGetProcessId
- PsGetThreadProcess
- ZwWaitForSingleObject
- KeQueryActiveProcessorCountEx
- KeInitializeApc
- KeInsertQueueApc
- ExGetPreviousMode
- KeWaitForMultipleObjects
- KeAcquireSpinLockRaiseToDpc
- KeReleaseSpinLock
- ExReleaseResourceLite
- strrchr
- strstr
- PsGetCurrentProcessId
- PsGetCurrentThreadId
- KeSetSystemGroupAffinityThread
- strncmp
- KeQueryActiveProcessorCount
- KeQueryActiveProcessors
- KeSetSystemAffinityThread
- DbgPrint
- RtlTimeToTimeFields
- RtlInitUnicodeString
- FltDeletePushLock
- FltReleasePushLock
- FltAcquirePushLockShared
- FltAcquirePushLockExclusive
- FltParseFileName
- FltInitializePushLock
- BCryptGenRandom
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- .pdata
- PAGE
- INIT
- .rsrc
- .reloc
Signature
Expand
{
"Certificates": [
{
"CertificateType": "Leaf (Code Signing)",
"IsCA": false,
"IsCertificateAuthority": false,
"IsCodeSigning": true,
"SerialNumber": "33000000dc341a520fbbcf3d8c0000000000dc",
"Signature": "61b21fe5891421228f4bf81ef5a09005d450860e55d2013253f0c9240631c08e1643156b71e60bf9c78b9b116227cece4cf769c69e06b306614cecfb421e11b46f3074bff1e8a57925aa145c7b18b812899908db232437f0f44d4861544a96ee3e40b02935659e281c2ffc5cb04e92eb6db56bd35a919227430ee72019c2d2f0deb3f8d0b66b213367d42311bbd559b20ece3a2f8966c6b76ebfc8452fb4ab79d5c4734cb35d639838a73d65626d0a9bb512eeba084ece0f8deb229cfb98d43bcdec5575792f7af71698c4618db5b2723d39ffee829b00a96b14f74edd560449b040a7611f7e1b16d9d3763501bec9c483a73e63f191d26b2902d879c0612040",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
"TBS": {
"MD5": "a3320406647f4541c4f8e731342ced04",
"SHA1": "73f33ada4ceacbc289cffac339cdb36a01773a23",
"SHA256": "4e21391a41bf00d507b1ec6ea2a71fe57c28b022ec0c504b19f9e608c6b2acb5",
"SHA384": "e7f40fafff666298c5154ba64cdd1060454547233fb1d8a7982d4927d46e6e4038a40e581f33963401d6553f3ab97499"
},
"ValidFrom": "2022-03-10 19:58:05",
"ValidTo": "2023-03-08 19:58:05",
"Version": 3
},
{
"CertificateType": "CA",
"IsCA": true,
"IsCertificateAuthority": true,
"IsCodeSigning": false,
"SerialNumber": "610baac1000000000009",
"Signature": "5a8a67daccd5fd0d264177bf0a4678b4b3de12692b7723c2652f015fd203f461ba509d2e8c3972f36c3e6ab11e766decb7f382dcccbbc56970287366173f54ebee011648c446d91b80ae813a8d0f796d68b09eea2d3f39d3ca387ebd5e7c086e19dcc6c2f438336861e2524783e1000156d2bacb878205310a418b4ee77f5f5fed5fd3392d45eba213bffd1ec298417161165fc80a70257c59693124e471e70abb0417f79f721ec9d2bb1abe3d02fe090cb243b4591a99539396215fe0d6b72601429536ac27fdbef48577683d18bdf4be98882211865216f345ec0397107087a37043713cdbc98603170cf5735bc67de15c64edd7c548d7ed32e2d1aad3cfa7f6574e61f977eb67f288b3de00da038fd08a34373e1dd862b8d2b1f3e12f8b723b81967c6ffcec667672601b24f2a0896d5b6d002eef28dd868705c2b4b9e5be64c22af24a155c98e2c42785ff52e3627e0fb2020bd766c70ab2d33d200414503259830a7d9bed5a38120152ba2f5e20728e4af1fde771028c3be107bec973f4dd47d8b4efb4a4b330b9893e76cab90098567eabea8ab8a5d038ab6977130b142fe9aa411ff7babd3a2b348aee0aab63e663f788248e200d2b3b9de3c24952ac9f1f0e393b5dd46e506ae67d523aaa7c3315290d265e0158a74ea93d7a846f743f609fe4324f3600af6d71d33ea646655f8174f1fec171da4ca0415a82ddf11f",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012",
"TBS": {
"MD5": "a569061297e8e824767dbc3184a69bea",
"SHA1": "adbb26a587a8f44b4fccaecb306f980d1c55a150",
"SHA256": "cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46",
"SHA384": "e947cac936803f5683196e4ff1b259096073395d0b908522ddce90d57597c9f7b57f7ddcdbe021ba863d843c340da8ba"
},
"ValidFrom": "2012-04-18 23:48:38",
"ValidTo": "2027-04-18 23:58:38",
"Version": 3
}
],
"CertificatesInfo": "",
"Signer": [
{
"Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012",
"SerialNumber": "33000000dc341a520fbbcf3d8c0000000000dc",
"Version": 1
}
],
"SignerInfo": ""
}
last_updated: 2026-04-20