4c9a91ff-9284-49a7-899d-dfe85a112465

RootLaser.sys :inline

Description

Adlice RootLaser.sys version 3.4.1 is a signed kernel driver assessed in public KOSEC BYOVD research. The driver retains a process-termination IOCTL reachable from administrator context and additional kernel read/information-leak attack surface, even though newer access-control and PPL checks mitigate some earlier TrueSight abuse paths.

  • UUID: 4c9a91ff-9284-49a7-899d-dfe85a112465
  • Created: 2026-06-16
  • Author: Michael Haag
  • Acknowledgement: KOSEC LLC |

Download

This download link contains the vulnerable driver!

Block RootLaser.sys across your endpoints

Add this driver to your block policy in minutes with MagicSword, threat-driven application control. Free for up to 100 endpoints.

Start Blocking for Free

Commands

sc.exe create RootLaser binPath=C:\windows\temp\RootLaser.sys type=kernel && sc.exe start RootLaser
Use CasePrivilegesOperating System
Terminate non-protected processes from kernel mode and expose kernel read/information leak primitives.kernelWindows 10, Windows 11

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://github.com/KOSEC-LLC/BYOVD-Research/tree/main/Adlice

    • Known Vulnerable Samples

    PropertyValue
    FilenameRootLaser.sys
    Creation Timestamp2025-01-30 06:42:06
    MD558b75386e369e2d536271d36d50af17a
    SHA12e70e73b9a700336eea20e92b916817e00f053d1
    SHA25685b69f4e518c66b8ba7154ecb1ac1e8791dfe2fdf1e20b7c3a707f59639ac10d
    Authentihash MD5ba341db34b2ef62e933efcc576e11504
    Authentihash SHA16a90728afb865d1e791c00690e7c5b3b5ef92975
    Authentihash SHA2564ada025666ff8886e848052d530a40441fb11939529c92afd3bee1aa04cbc472
    RichPEHeaderHash MD51fd67ad9a33318c94f02be60a429897a
    RichPEHeaderHash SHA17a09ffeabe41378bbd494d01d8622c7563ec1285
    RichPEHeaderHash SHA2561e2b0f247061572271f7b1774bacbd2156f13625b0b247a8d65962dc22b4ec31
    CompanyAdlice Software
    DescriptionAdlice RootLaser
    ProductAdlice RootLaser
    OriginalFilenameAdlice RootLaser

    Download

    Certificates

    Expand
    Certificate 330000006e1229856f0ade6cfc00000000006e
    FieldValue
    ToBeSigned (TBS) MD53066a9830894e57ce6e47f7a6b58b84f
    ToBeSigned (TBS) SHA1ce441ecd2f11e400515a85d5a592da38f950f3dc
    ToBeSigned (TBS) SHA2563e30a731a3b620db0971ecd743ecd312bcdf14c82b9bdc9918102bacbf70520d
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher
    ValidFrom2024-10-10 19:04:53
    ValidTo2025-10-08 19:04:53
    Signature3870e583035a72db64856d80e17833cd3badd24f19abf9a3d7c7485743dd875f69102820df4992d74f8fba0529be4e16f4234910064a3a1863299a29b82d3fac869915a368ec0e5d0127282221bce84db444d2e9974dc2761a2080a7bc7508d7064f32b2d97b0263d0d937527a8af95f18bcb54ec21a453ba35e55869791416a2a8813fcf95e889e65158dbb5b4cba653c989179947d286051ef6b0d56f41da479db08c6b93c44fa5c8399e126594cc53dfa756180607a1dd29559061d828b0ce2c5a462245ed0995a196ad96223b6eb1a787b4d10b5a7d4e3a130750103bc9c713fc8f32015273bb238b15aae25e4765d7ab81c5d3df82ef6a7d3c2e7a61dab024ff02df6876a86ec7198aa6e28c8e69a015129a717b1036113911f0aeefa8d05081974d026196f24bc1e4ef942599fafbd1b2c316bda73237f1822296888df2344c92b08c363976beb7020242b3069e6691f19e715e1d1a19ddc03235263c9bb7b8390145af57603105ced358f394547e3be96718835917234eb7fd7134d9fb605656717ed6b15f0583068c84c6c01abf31cc1df1fe7c4d2935590e6017cf8cc5635e1cd7054240fd0059f168e90ec1a49f24e0f050034d99e4aa6599a64d280d00ea8af57d3125caddb342a0b2c160a2f95d97e6045e69dc1c1b3fa56dfd40380ce60536a59750edf0069dc7c27f8ccc8f073b46d169b8fed1fd40ac6f00c
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber330000006e1229856f0ade6cfc00000000006e
    Version3
    Certificate 330000000d690d5d7893d076df00000000000d
    FieldValue
    ToBeSigned (TBS) MD583f69422963f11c3c340b81712eef319
    ToBeSigned (TBS) SHA10c5e5f24590b53bc291e28583acb78e5adc95601
    ToBeSigned (TBS) SHA256d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae
    SubjectC=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014
    ValidFrom2014-10-15 20:31:27
    ValidTo2029-10-15 20:41:27
    Signature96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityTrue
    SerialNumber330000000d690d5d7893d076df00000000000d
    Version3

    Imports

    Expand
    • ntoskrnl.exe

    Imported Functions

    Expand
    • ExFreePoolWithTag
    • RtlInitUnicodeString
    • RtlGetVersion
    • IofCompleteRequest
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • __C_specific_handler
    • MmGetSystemRoutineAddress
    • ZwClose
    • ZwSetSecurityObject
    • IoDeviceObjectType
    • IoCreateDevice
    • ObOpenObjectByPointer
    • RtlGetDaclSecurityDescriptor
    • RtlGetGroupSecurityDescriptor
    • RtlGetOwnerSecurityDescriptor
    • RtlGetSaclSecurityDescriptor
    • SeCaptureSecurityDescriptor
    • _snwprintf
    • RtlLengthSecurityDescriptor
    • SeExports
    • RtlCreateSecurityDescriptor
    • _wcsnicmp
    • ExAllocatePoolWithTag
    • wcschr
    • RtlAbsoluteToSelfRelativeSD
    • RtlAddAccessAllowedAce
    • RtlLengthSid
    • IoIsWdmVersionAvailable
    • RtlSetDaclSecurityDescriptor
    • ZwOpenKey
    • ZwSetValueKey
    • ZwQueryValueKey
    • ZwCreateKey
    • RtlFreeUnicodeString
    • KeInitializeEvent
    • KeResetEvent
    • KeSetEvent
    • KeWaitForSingleObject
    • ObfDereferenceObject
    • PsGetCurrentThreadId
    • RtlCaptureStackBackTrace
    • PsLookupThreadByThreadId
    • KeInitializeApc
    • KeInsertQueueApc
    • _wcsicmp
    • IoGetDeviceObjectPointer
    • ObReferenceObjectByHandle
    • MmIsAddressValid
    • ObQueryNameString
    • ZwOpenDirectoryObject
    • ZwQueryDirectoryObject
    • ObOpenObjectByName
    • IoDriverObjectType
    • ZwTerminateProcess
    • ZwOpenProcess
    • PsLookupProcessByProcessId
    • ZwQuerySystemInformation
    • ZwQueryInformationProcess
    • ZwDeleteKey
    • ZwEnumerateKey
    • ZwQueryKey
    • IoAllocateIrp
    • IofCallDriver
    • IoCreateFile
    • IoFreeIrp
    • IoGetRelatedDeviceObject
    • IoGetAttachedDevice
    • IoFileObjectType
    • MmProbeAndLockPages
    • MmUnlockPages
    • MmMapLockedPagesSpecifyCache
    • IoAllocateMdl
    • IoFreeMdl
    • KeBugCheckEx

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .rsrc
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "CertificateType": "Leaf (Code Signing)",
      "IsCA": false,
      "IsCertificateAuthority": false,
      "IsCodeSigning": true,
      "SerialNumber": "330000006e1229856f0ade6cfc00000000006e",
      "Signature": "3870e583035a72db64856d80e17833cd3badd24f19abf9a3d7c7485743dd875f69102820df4992d74f8fba0529be4e16f4234910064a3a1863299a29b82d3fac869915a368ec0e5d0127282221bce84db444d2e9974dc2761a2080a7bc7508d7064f32b2d97b0263d0d937527a8af95f18bcb54ec21a453ba35e55869791416a2a8813fcf95e889e65158dbb5b4cba653c989179947d286051ef6b0d56f41da479db08c6b93c44fa5c8399e126594cc53dfa756180607a1dd29559061d828b0ce2c5a462245ed0995a196ad96223b6eb1a787b4d10b5a7d4e3a130750103bc9c713fc8f32015273bb238b15aae25e4765d7ab81c5d3df82ef6a7d3c2e7a61dab024ff02df6876a86ec7198aa6e28c8e69a015129a717b1036113911f0aeefa8d05081974d026196f24bc1e4ef942599fafbd1b2c316bda73237f1822296888df2344c92b08c363976beb7020242b3069e6691f19e715e1d1a19ddc03235263c9bb7b8390145af57603105ced358f394547e3be96718835917234eb7fd7134d9fb605656717ed6b15f0583068c84c6c01abf31cc1df1fe7c4d2935590e6017cf8cc5635e1cd7054240fd0059f168e90ec1a49f24e0f050034d99e4aa6599a64d280d00ea8af57d3125caddb342a0b2c160a2f95d97e6045e69dc1c1b3fa56dfd40380ce60536a59750edf0069dc7c27f8ccc8f073b46d169b8fed1fd40ac6f00c",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
      "TBS": {
        "MD5": "3066a9830894e57ce6e47f7a6b58b84f",
        "SHA1": "ce441ecd2f11e400515a85d5a592da38f950f3dc",
        "SHA256": "3e30a731a3b620db0971ecd743ecd312bcdf14c82b9bdc9918102bacbf70520d",
        "SHA384": "68c6537d64e3a4f02a2c1d04257c13ab1def23c9c54bafc434176be50a411a75c118c9f8edc81f97b8a1db2dc1d009e3"
      },
      "ValidFrom": "2024-10-10 19:04:53",
      "ValidTo": "2025-10-08 19:04:53",
      "Version": 3
    },
    {
      "CertificateType": "CA",
      "IsCA": true,
      "IsCertificateAuthority": true,
      "IsCodeSigning": false,
      "SerialNumber": "330000000d690d5d7893d076df00000000000d",
      "Signature": "96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
      "TBS": {
        "MD5": "83f69422963f11c3c340b81712eef319",
        "SHA1": "0c5e5f24590b53bc291e28583acb78e5adc95601",
        "SHA256": "d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae",
        "SHA384": "260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63"
      },
      "ValidFrom": "2014-10-15 20:31:27",
      "ValidTo": "2029-10-15 20:41:27",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
      "SerialNumber": "330000006e1229856f0ade6cfc00000000006e",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2026-06-16