549d3563-74ce-4d84-844c-8d985886373c
watabe.sys 
Description
watabe.sys is a vulnerable kernel driver from the KeServiceDescriptorTable/vulnerable-drivers repository. The driver exposes dangerous kernel primitives to usermode.
- UUID: 549d3563-74ce-4d84-844c-8d985886373c
- Created: 2026-04-17
- Author: Michael Haag
- Acknowledgement: | [@rainbowdynamix, @DbgPrint](https://twitter.com/@rainbowdynamix, @DbgPrint)
This download link contains the vulnerable driver!
Block watabe.sys across your endpoints
Add this driver to your block policy in minutes with MagicSword, threat-driven application control. Free for up to 100 endpoints.
Start Blocking for FreeCommands
sc.exe create watabe binPath=C:\windows\temp\watabe.sys type=kernel && sc.exe start watabe
| Use Case | Privileges | Operating System |
|---|---|---|
| Elevate privileges | kernel | Windows 10 |
Detections
YARA 🏹
Expand
with header and size limitation
without header and size limitation
for renamed driver files
Resources
Known Vulnerable Samples
| Property | Value |
|---|---|
| Filename | watabe.sys |
| Creation Timestamp | 2024-05-29 12:14:48 |
| MD5 | 3d47b72711f29447c0105e6617e849d9 |
| SHA1 | aa40f06968b60a9cca272ae604f469610b767a71 |
| SHA256 | 42bbad0caff790db44833fc67a202850576d73d278ea85fb8095e3f93b0b4370 |
| Authentihash MD5 | 1f694d5b026c4cdded1fe42bd63041ea |
| Authentihash SHA1 | a454e02cb3c10b441313bc2f896bbfd072a1610e |
| Authentihash SHA256 | 53e17fa767d63cbc20f34726865de99a511e70d10def3b68e606969d71ab4fe0 |
| RichPEHeaderHash MD5 | 59ae546cad2da955d25222088065c63f |
| RichPEHeaderHash SHA1 | 6d73b53f9da9292f0f69d37bdf22a296dc0e9a93 |
| RichPEHeaderHash SHA256 | 07f30ceac3eccbf2f9801abc926140c327bc2253745d34bb9f253d3c05aa97cc |
Certificates
Expand
Certificate 33000000686482c2f9111ac876000000000068
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | bf1b33d19fe586a212c6881ba8c909ad |
| ToBeSigned (TBS) SHA1 | 943d7a07f4bae5edab88b907e1ecb1a480586dea |
| ToBeSigned (TBS) SHA256 | 69afb778f16b01c6efc55d8683bdf14ab875d726232d0190588a7bda91feec28 |
| Subject | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher |
| ValidFrom | 2024-01-11 20:09:14 |
| ValidTo | 2025-01-10 20:09:14 |
| Signature | 62081015636520406a3a1b59597659d178319549cf1657af4a3143dbffdfa4b93e7ac0d55c150d0b4af499f3d8f9140736e9b6fa1787014236134a96bbe500ddf1e0950502a88b4c893b454272cc633bc195a5922f510945ade40b45a08daa99b7023af6d9a5417e640fad8f1482d330c4a9a0824efe4b7d57d510712d5e53af9d5775f9af2943c771879af8c1c448173e8d3b4d68714e43acdbf2cc23400f18be3ee892d0ebbac117f3c7a4f8d65614e631729303e551afbe850a3a228954917fad47eb378fddff3d12ae1f97a471f116a64fb4eccd173a7269291a007178126c2640411849fda9be545621b03be472414d23ff754bae092524b4792517ad1ecb3f944fd53e54bfc91a91ba444b009b6cf32218564d8f124d97e97d924789dcb9a416e85da0d9e77fa65df3e9d13a5f15247a5b1ad0d16ed10985ffaca8cb2a3f4c2ee77a6b2c6999301b1968809282f4efbaf38a76f04bdaabcb746c84545e66fc6de100506ef2179cd8ac50ca84efdc6d53d1aa5ed433826b8546ead2057b9b5142574ee03a728aed19a43b81a0dc3031ad9a80b8f4d3852ad820efbab20d59997f5dc33d8881c7c6b91f3a0621bddb0469012b2503ec605ce15b7b73958d84c79c08efc358f546a44cfe5ffee35dde1810c4253305204978a5a9223f4801f5002c3318456dbdc4b6003f70cc4a6244fbb3d16c374b34c25116e0a6ef8d74 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | False |
| SerialNumber | 33000000686482c2f9111ac876000000000068 |
| Version | 3 |
Certificate 330000000d690d5d7893d076df00000000000d
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | 83f69422963f11c3c340b81712eef319 |
| ToBeSigned (TBS) SHA1 | 0c5e5f24590b53bc291e28583acb78e5adc95601 |
| ToBeSigned (TBS) SHA256 | d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae |
| Subject | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014 |
| ValidFrom | 2014-10-15 20:31:27 |
| ValidTo | 2029-10-15 20:41:27 |
| Signature | 96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | True |
| SerialNumber | 330000000d690d5d7893d076df00000000000d |
| Version | 3 |
Imports
Expand
- ntoskrnl.exe
Imported Functions
Expand
- RtlInitUnicodeString
- IoCreateDevice
- IoCreateSymbolicLink
- IoDeleteDevice
- IoDeleteSymbolicLink
- RtlFreeUnicodeString
- ExAllocatePool
- ExFreePoolWithTag
- MmMapLockedPagesSpecifyCache
- MmUnmapIoSpace
- MmMapIoSpaceEx
- IofCompleteRequest
- IoGetCurrentProcess
- ZwClose
- ZwOpenSection
- MmGetPhysicalAddress
- ZwOpenProcess
- RtlCreateUnicodeString
- KeStackAttachProcess
- KeUnstackDetachProcess
- ZwAllocateVirtualMemory
- ZwFreeVirtualMemory
- MmCopyVirtualMemory
- __C_specific_handler
- _stricmp
- RtlCompareUnicodeString
- RtlGetVersion
- MmCopyMemory
- ZwQuerySystemInformation
- PsInitialSystemProcess
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- .pdata
- INIT
Signature
Expand
{
"Certificates": [
{
"CertificateType": "Leaf (Code Signing)",
"IsCA": false,
"IsCertificateAuthority": false,
"IsCodeSigning": true,
"SerialNumber": "33000000686482c2f9111ac876000000000068",
"Signature": "62081015636520406a3a1b59597659d178319549cf1657af4a3143dbffdfa4b93e7ac0d55c150d0b4af499f3d8f9140736e9b6fa1787014236134a96bbe500ddf1e0950502a88b4c893b454272cc633bc195a5922f510945ade40b45a08daa99b7023af6d9a5417e640fad8f1482d330c4a9a0824efe4b7d57d510712d5e53af9d5775f9af2943c771879af8c1c448173e8d3b4d68714e43acdbf2cc23400f18be3ee892d0ebbac117f3c7a4f8d65614e631729303e551afbe850a3a228954917fad47eb378fddff3d12ae1f97a471f116a64fb4eccd173a7269291a007178126c2640411849fda9be545621b03be472414d23ff754bae092524b4792517ad1ecb3f944fd53e54bfc91a91ba444b009b6cf32218564d8f124d97e97d924789dcb9a416e85da0d9e77fa65df3e9d13a5f15247a5b1ad0d16ed10985ffaca8cb2a3f4c2ee77a6b2c6999301b1968809282f4efbaf38a76f04bdaabcb746c84545e66fc6de100506ef2179cd8ac50ca84efdc6d53d1aa5ed433826b8546ead2057b9b5142574ee03a728aed19a43b81a0dc3031ad9a80b8f4d3852ad820efbab20d59997f5dc33d8881c7c6b91f3a0621bddb0469012b2503ec605ce15b7b73958d84c79c08efc358f546a44cfe5ffee35dde1810c4253305204978a5a9223f4801f5002c3318456dbdc4b6003f70cc4a6244fbb3d16c374b34c25116e0a6ef8d74",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
"TBS": {
"MD5": "bf1b33d19fe586a212c6881ba8c909ad",
"SHA1": "943d7a07f4bae5edab88b907e1ecb1a480586dea",
"SHA256": "69afb778f16b01c6efc55d8683bdf14ab875d726232d0190588a7bda91feec28",
"SHA384": "72a1893b9b4f31de108abab7058424c9f38431b369a039c3299cf4079d54e4f4384535b56c7efa9eb44282f182dc6811"
},
"ValidFrom": "2024-01-11 20:09:14",
"ValidTo": "2025-01-10 20:09:14",
"Version": 3
},
{
"CertificateType": "CA",
"IsCA": true,
"IsCertificateAuthority": true,
"IsCodeSigning": false,
"SerialNumber": "330000000d690d5d7893d076df00000000000d",
"Signature": "96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
"TBS": {
"MD5": "83f69422963f11c3c340b81712eef319",
"SHA1": "0c5e5f24590b53bc291e28583acb78e5adc95601",
"SHA256": "d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae",
"SHA384": "260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63"
},
"ValidFrom": "2014-10-15 20:31:27",
"ValidTo": "2029-10-15 20:41:27",
"Version": 3
}
],
"CertificatesInfo": "",
"Signer": [
{
"Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
"SerialNumber": "33000000686482c2f9111ac876000000000068",
"Version": 1
}
],
"SignerInfo": ""
}
last_updated: 2026-04-20