SIVX64.sys

Description

SIVX64.sys v5.85, the driver of Ray Hinchliffe's SIV (System Information Viewer), resolves MmMapIoSpace and MmMapIoSpaceEx at runtime via MmGetSystemRoutineAddress. Neither routine appears in the IAT, so static import-based scanning does not see them. The driver exposes multiple privileged IOCTL primitives via \\.\SIVDRIVER: arbitrary physical memory mapped read/write (Cmd 0x14, critical), physical memory read via scatter-gather (Cmd 0x10) and bulk MDL (Cmd 0x13), MSR read/write on a whitelisted subset (Cmd 0x08/0x0C), unrestricted I/O port read/scan (Cmd 0x44/0x50), and unrestricted PCI configuration space read (Cmd 0x48). The driver is WHQL signed by Microsoft Windows Hardware Compatibility Publisher and loads despite HVCI.
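The import-table gap described above, as an added example that is not part of the original entry or of any LOLDrivers tooling: a triage check that reports memory-mapping routines named inside a driver image but missing from its import list. It assumes the names are stored as plain strings (the page does not say how the driver stores them); the watchlist, the sample bytes and the function names are constructed for illustration.

```python
"""Added example: find kernel routines a driver names in its image but does not import."""

# Memory-mapping routines exported by ntoskrnl; the selection is this example's own.
WATCHLIST = ("MmMapIoSpace", "MmMapIoSpaceEx",
             "MmMapLockedPagesSpecifyCache", "ZwMapViewOfSection")
RESOLVER = "MmGetSystemRoutineAddress"  # takes the routine name as a PUNICODE_STRING


def name_present(blob: bytes, name: str) -> bool:
    """True if `name` is stored as a whole NUL-terminated string, UTF-16LE or ASCII.

    Requiring the terminator keeps MmMapIoSpaceEx from also counting as MmMapIoSpace.
    """
    wide = name.encode("utf-16-le") + b"\x00\x00"
    narrow = name.encode("ascii") + b"\x00"
    return wide in blob or narrow in blob


def runtime_resolved(blob: bytes, imports, watchlist=WATCHLIST):
    """Watchlisted routines named in the image but absent from the import table."""
    if RESOLVER not in imports:
        # This check only covers resolution through the imported resolver.
        return []
    return [n for n in watchlist if n not in imports and name_present(blob, n)]


# Constructed sample: a few imports taken from the list on this page, and a
# hand-built byte string standing in for the driver's data section.
SAMPLE_IMPORTS = frozenset({"MmGetSystemRoutineAddress", "MmUnmapIoSpace",
                            "IoCreateDevice", "IoCreateSymbolicLink"})
SAMPLE_BLOB = (b"\x00" * 16
               + "MmMapIoSpace".encode("utf-16-le") + b"\x00\x00"
               + "MmMapIoSpaceEx".encode("utf-16-le") + b"\x00\x00"
               + b"MmUnmapIoSpace\x00")

if __name__ == "__main__":
    for routine in runtime_resolved(SAMPLE_BLOB, SAMPLE_IMPORTS):
        print("resolved at runtime, not imported:", routine)
```

Names that are built on the stack or otherwise obfuscated will not be found by a string search like this one.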

  • UUID: 31439f28-4616-4ee1-a6b7-1cf742127909
  • Created: 2026-04-06
  • Author: Michael Haag
  • Acknowledgement: weezerOSINT | @weezerOSINT

Commands

sc.exe create SIVDRIVER binPath=C:\windows\temp\SIVX64.sys type=kernel && sc.exe start SIVDRIVER

  • Use Case: Elevate privileges
  • Privileges: kernel
  • Operating System: Windows 10

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources


  • https://github.com/magicsword-io/LOLDrivers/issues/287
  • https://www.virustotal.com/gui/file/33903e8fa9f0a2acaa4784d645e309b0bd780693824b6c2c5fef257238c77478

Known Vulnerable Samples

    • Filename: SIVX64.sys
    • Creation Timestamp: 2026-01-14 01:16:50
    • MD5: 81d040540015fe998a4cc4bf9a4e8598
    • SHA1: 5702d2ff261f0460a347e2a98752563633825842
    • SHA256: 33903e8fa9f0a2acaa4784d645e309b0bd780693824b6c2c5fef257238c77478
    • Authentihash MD5: c2cb8aaa72a8c0a44e5f78e470f4640b
    • Authentihash SHA1: 189a176afc0d7f52eb3c5e131e51adeaba107c53
    • Authentihash SHA256: fee16e6386b2626f401714257afd6a2cd92bf0b00e6458240908fa5937fb2554
    • RichPEHeaderHash MD5: c86a198d64703793934534902549b4ea
    • RichPEHeaderHash SHA1: 59e235aea862c4171ec9870f07ff374c226d8e55
    • RichPEHeaderHash SHA256: b82173c8afd0a4ef912f882f9be3e39b8c6d47dcc7405875687fde8a1ea20320
    • Publisher: Microsoft Windows Hardware Compatibility Publisher
    • Date: 2025-07-16 20:48:20
    • Company: Ray Hinchliffe
    • Description: System Information Viewer X64 Driver
    • Product: SIVDRIVER
    • OriginalFilename: SIVX64.sys

    Certificates

    Certificate 3300000074ff3d4a9e7c401e86000000000074
    • ToBeSigned (TBS) MD5: 846e2b51dbe3b3cdd48503e99cbce6a6
    • ToBeSigned (TBS) SHA1: 77940716d023ecae58709321c2b6a30df8e3d86d
    • ToBeSigned (TBS) SHA256: 1dc33c8d9456aa23f43eb0c09beeb7b3565770f7e05d12d7b88575a4c61fa31f
    • Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher
    • ValidFrom: 2025-07-16 20:48:20
    • ValidTo: 2026-07-14 20:48:20
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.11
    • IsCertificateAuthority: False
    • SerialNumber: 3300000074ff3d4a9e7c401e86000000000074
    • Version: 3

    Certificate 330000000d690d5d7893d076df00000000000d
    • ToBeSigned (TBS) MD5: 83f69422963f11c3c340b81712eef319
    • ToBeSigned (TBS) SHA1: 0c5e5f24590b53bc291e28583acb78e5adc95601
    • ToBeSigned (TBS) SHA256: d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae
    • Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014
    • ValidFrom: 2014-10-15 20:31:27
    • ValidTo: 2029-10-15 20:41:27
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.11
    • IsCertificateAuthority: True
    • SerialNumber: 330000000d690d5d7893d076df00000000000d
    • Version: 3

    Imports

    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    • ExFreePoolWithTag
    • KeInitializeMutex
    • RtlAnsiStringToUnicodeString
    • ZwYieldExecution
    • IoWMIQueryAllData
    • IoBuildSynchronousFsdRequest
    • ZwQuerySymbolicLinkObject
    • strstr
    • RtlInitUnicodeString
    • IoDeleteDevice
    • ProbeForWrite
    • strchr
    • MmGetSystemRoutineAddress
    • KeInitializeEvent
    • RtlQueryRegistryValues
    • RtlInitAnsiString
    • IoIs32bitProcess
    • KeInitializeDpc
    • KeIpiGenericCall
    • PsGetThreadId
    • MmUnmapIoSpace
    • ZwOpenSymbolicLinkObject
    • IoWMIOpenBlock
    • KeInitializeTimer
    • KeSetTimerEx
    • IoCreateSynchronizationEvent
    • KeReleaseMutex
    • IoCancelIrp
    • KeDelayExecutionThread
    • IoGetDeviceObjectPointer
    • IoDeleteSymbolicLink
    • ExAllocatePool
    • KeQueryTimeIncrement
    • ZwClose
    • IofCompleteRequest
    • IoGetDeviceAttachmentBaseRef
    • ObReferenceObjectByHandle
    • KeWaitForSingleObject
    • IoGetAttachedDeviceReference
    • PsGetVersion
    • IoGetDiskDeviceObject
    • RtlCompareMemory
    • ObfReferenceObject
    • IoCreateSymbolicLink
    • ObfDereferenceObject
    • IoOpenDeviceRegistryKey
    • ObReferenceObjectByName
    • IoCreateDevice
    • IoDeviceObjectType
    • IoEnumerateDeviceObjectList
    • KeCancelTimer
    • KeNumberProcessors
    • PsGetThreadProcessId
    • IoGetDeviceProperty
    • DbgPrintEx
    • DbgPrint
    • IofCallDriver
    • ZwQueryKey
    • KeBugCheckEx
    • IoBuildDeviceIoControlRequest
    • IoGetLowerDeviceObject
    • SeSinglePrivilegeCheck
    • ProbeForRead
    • DbgBreakPoint
    • _wcsicmp
    • RtlUnwindEx
    • RtlAnsiCharToUnicodeChar
    • HalTranslateBusAddress
    • HalGetBusDataByOffset
    • HalSetBusDataByOffset
    • KeStallExecutionProcessor
    • KeQueryPerformanceCounter

    Exported Functions


    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .rsrc
    • .reloc

    Signature

    {
      "Certificates": [
        {
          "CertificateType": "Leaf (Code Signing)",
          "IsCA": false,
          "IsCertificateAuthority": false,
          "IsCodeSigning": true,
          "SerialNumber": "3300000074ff3d4a9e7c401e86000000000074",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
          "TBS": {
            "MD5": "846e2b51dbe3b3cdd48503e99cbce6a6",
            "SHA1": "77940716d023ecae58709321c2b6a30df8e3d86d",
            "SHA256": "1dc33c8d9456aa23f43eb0c09beeb7b3565770f7e05d12d7b88575a4c61fa31f",
            "SHA384": "4aaab3a5d5e7ce0b6103d30108636aaf1ec645331e3d42f57002c2380b2ea34662245f7f84fe07e7837bf6115bbc0eb5"
          },
          "ValidFrom": "2025-07-16 20:48:20",
          "ValidTo": "2026-07-14 20:48:20",
          "Version": 3
        },
        {
          "CertificateType": "CA",
          "IsCA": true,
          "IsCertificateAuthority": true,
          "IsCodeSigning": false,
          "SerialNumber": "330000000d690d5d7893d076df00000000000d",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
          "TBS": {
            "MD5": "83f69422963f11c3c340b81712eef319",
            "SHA1": "0c5e5f24590b53bc291e28583acb78e5adc95601",
            "SHA256": "d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae",
            "SHA384": "260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63"
          },
          "ValidFrom": "2014-10-15 20:31:27",
          "ValidTo": "2029-10-15 20:41:27",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
          "SerialNumber": "3300000074ff3d4a9e7c401e86000000000074",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    

    last_updated: 2026-04-14