Kinkajou.sys

Description

Kinkajou.sys is a vulnerable kernel driver from the KeServiceDescriptorTable/vulnerable-drivers repository. The driver exposes dangerous kernel primitives to usermode.

  • UUID: 56610446-9914-41f6-a028-33640a683c9d
  • Created: 2026-04-17
  • Author: Michael Haag
  • Acknowledgement: @rainbowdynamix, @DbgPrint

Commands

sc.exe create Kinkajou binPath=C:\windows\temp\Kinkajou.sys type=kernel && sc.exe start Kinkajou
  • Use Case: Elevate privileges
  • Privileges: kernel
  • Operating System: Windows 10

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources


  • https://github.com/magicsword-io/LOLDrivers/issues/325
  • https://github.com/KeServiceDescriptorTable/vulnerable-drivers

Known Vulnerable Samples

    Filename: Kinkajou.sys
    Creation Timestamp: 2025-07-22 15:47:09
    MD5: eb59b40453b7d61b14559155c176e527
    SHA1: 261e06eca5649465b6f18641841ee58f966693c3
    SHA256: f5dd6db447868c2964c1d109e7d2cc31ebdace198b3d0a02cfba5b7ef7ae6964
    Authentihash MD5: 7e2640d868eb4565598c90e4c2f0062d
    Authentihash SHA1: 851e088bb12ea2e77324329999694972673e21a7
    Authentihash SHA256: c48e5dbc0726c55d22c8682f54321cdeb79e383f78e75e246d1fc54d5c45da9f
    RichPEHeaderHash MD5: 9c6d1a0c2143e467c327678c07d8fed9
    RichPEHeaderHash SHA1: 4f5e5f8c45dbb9fe04f47443531c02c93f3e3b2f
    RichPEHeaderHash SHA256: d2a5f38cb5831e84b2e3a7f999a239c30cacb3777eff05cfe4ba9889a5f4c786

    Certificates

    Certificate 406a99baa9a804a045ee6c1eafccb7ea

    ToBeSigned (TBS) MD5: 474a38691ebb40a6f341094226e077d8
    ToBeSigned (TBS) SHA1: b07eeddcd585caf30a87b24dfbecbb6591b13a10
    ToBeSigned (TBS) SHA256: 9587bcedca7adaf508d6d87c0dd8c9561a3b6dbf0a6e94af1d25c80dc4a3c3f1
    Subject: CN=WDKTestCert yo,133912822835426319
    ValidFrom: 2025-05-09 16:38:03
    ValidTo: 2035-05-09 00:00:00
    SignatureAlgorithmOID: 1.2.840.113549.1.1.5
    IsCertificateAuthority: True
    SerialNumber: 406a99baa9a804a045ee6c1eafccb7ea
    Version: 3

    Imports

    • ntoskrnl.exe

    Imported Functions

    • RtlInitUnicodeString
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • IofCompleteRequest
    • KeInvalidateAllCaches
    • MmIsAddressValid
    • KeAttachProcess
    • KeDetachProcess
    • ZwAllocateVirtualMemory
    • ZwFreeVirtualMemory
    • PsGetProcessPeb
    • ZwLockVirtualMemory
    • strlen
    • DbgPrintEx
    • IoCreateDevice
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • RtlCompareUnicodeString
    • RtlGetVersion
    • ExAllocatePool
    • MmUnmapIoSpace
    • MmMapIoSpaceEx
    • MmCopyMemory
    • MmGetVirtualForPhysical
    • KeStackAttachProcess
    • KeUnstackDetachProcess
    • ZwQueryVirtualMemory
    • ZwQuerySystemInformation
    • KeFlushEntireTb
    • wcslen
    • PsInitialSystemProcess

    Exported Functions


    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • INIT

    Signature

    {
      "Certificates": [
        {
          "CertificateType": "Leaf (Code Signing)",
          "IsCA": false,
          "IsCertificateAuthority": true,
          "IsCodeSigning": true,
          "SerialNumber": "406a99baa9a804a045ee6c1eafccb7ea",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "CN=WDKTestCert yo,133912822835426319",
          "TBS": {
            "MD5": "474a38691ebb40a6f341094226e077d8",
            "SHA1": "b07eeddcd585caf30a87b24dfbecbb6591b13a10",
            "SHA256": "9587bcedca7adaf508d6d87c0dd8c9561a3b6dbf0a6e94af1d25c80dc4a3c3f1",
            "SHA384": "c2d0141830e472ce80a4dacc67f3f948ba38492eb0119b946cda985d0734777ee31d45b56e573052be058b6392abd795"
          },
          "ValidFrom": "2025-05-09 16:38:03",
          "ValidTo": "2035-05-09 00:00:00",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "CN=WDKTestCert yo,133912822835426319",
          "SerialNumber": "406a99baa9a804a045ee6c1eafccb7ea",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    

    last_updated: 2026-04-20