5b9a202c-0695-532e-9d92-662cedefee07

NGStar.sys

Description

NGStar.sys is the kernel-mode USB fingerprint sensor driver for NITGEN Fingkey Hamster II/III devices. The driver creates \Device\gstar-0 exposed as \\.\gstar-0 via IoCreateDevice with FILE_DEVICE_UNKNOWN and no IoCreateDeviceSecure call, making all 28 IOCTL codes (0x00222004-0x00222070) reachable by any unprivileged user-mode process (FILE_ANY_ACCESS on all codes). IOCTLs 0x0022206C and 0x00222070 allocate a fixed 10-byte NonPagedPool block via the deprecated ExAllocatePool API then pass it directly as the receive buffer for an uncapped USB bulk transfer with no post-transfer bounds check — kernel pool overflow leading to local privilege escalation to SYSTEM. ExAllocatePool (non-tagged, removed from Windows 11 and Server 2022 kernel exports) causes a kernel bugcheck (BSOD) on any IOCTL reaching the allocation path — confirmed local DoS. IOCTL 0x00222050 decrements a session reference counter at [rbp+0x40] via lock add without an underflow guard; counter wraps to 0xFFFFFFFF from zero, corrupting the device extension refcount and triggering premature cleanup leading to use-after-free. Driver carries no embedded PE signature; trusted via catalog fdu11.cat (VeriSign-signed, expired 2014, valid via timestamp countersignature). VT detection: 0/77.
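
Added example, not part of the original entry or the driver's code: decoding the IOCTL range quoted above with the standard CTL_CODE bit layout shows why every code is FILE_ANY_ACCESS and that the range holds exactly 28 codes. It assumes the codes are consecutive function numbers (4 apart), which the entry does not state; `with_access` is a hypothetical helper showing the same code with read and write access required.

```c
#include <stdint.h>
#include <stdio.h>

/* CTL_CODE bit layout (WDK): 31-16 device type, 15-14 required access,
 * 13-2 function number, 1-0 transfer method. 0x22 is FILE_DEVICE_UNKNOWN. */
typedef struct { uint32_t device_type, access, function, method; } ioctl_fields;

static ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f = { code >> 16, (code >> 14) & 0x3, (code >> 2) & 0xFFF, code & 0x3 };
    return f;
}

/* Hypothetical helper: same code with different required-access bits
 * (0 = FILE_ANY_ACCESS, 1 = READ, 2 = WRITE, 3 = READ|WRITE). */
static uint32_t with_access(uint32_t code, uint32_t access) {
    return (code & ~(0x3u << 14)) | ((access & 0x3u) << 14);
}

/* Walk [first, last] and count codes whose access field is FILE_ANY_ACCESS.
 * Assumption: consecutive function numbers, so codes are 4 apart. */
static unsigned count_any_access(uint32_t first, uint32_t last, unsigned *total) {
    unsigned any = 0;
    *total = 0;
    for (uint32_t c = first; c <= last; c += 4) {
        (*total)++;
        if (decode_ioctl(c).access == 0) any++;
    }
    return any;
}

int main(void) {
    static const char *acc[] = { "FILE_ANY_ACCESS", "FILE_READ_ACCESS",
                                 "FILE_WRITE_ACCESS", "FILE_READ|WRITE_ACCESS" };
    /* Codes named in the entry: range endpoints plus the three called out. */
    const uint32_t named[] = { 0x00222004, 0x00222050, 0x0022206C, 0x00222070 };
    unsigned total, any = count_any_access(0x00222004, 0x00222070, &total);
    for (size_t i = 0; i < sizeof named / sizeof named[0]; i++) {
        ioctl_fields f = decode_ioctl(named[i]);
        printf("0x%08X dev=0x%X func=0x%03X method=%u %s\n", (unsigned)named[i],
               (unsigned)f.device_type, (unsigned)f.function, (unsigned)f.method, acc[f.access]);
    }
    printf("%u of %u codes in range are FILE_ANY_ACCESS\n", any, total);
    printf("0x0022206C with read+write required: 0x%08X\n",
           (unsigned)with_access(0x0022206C, 3));
    return 0;
}
```

Requiring access bits in the control code only helps if the device object also carries a restrictive ACL, which the entry notes is absent (no IoCreateDeviceSecure call).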

  • UUID: 5b9a202c-0695-532e-9d92-662cedefee07
  • Created: 2026-06-01
  • Author: @BohraDJayesh
  • Acknowledgement: JayeshDuttBohra | @BohraDJayesh


Commands

pnputil /add-driver fdu11.cat && sc.exe create ngstar binPath=C:\windows\temp\NGStar.sys type=kernel && sc.exe start ngstar
Use Case: Local privilege escalation to SYSTEM via kernel pool overflow (IOCTLs 0x0022206C and 0x00222070 — fixed 10-byte NonPagedPool alloc passed as uncapped USB bulk receive buffer); confirmed kernel DoS / BSOD via deprecated ExAllocatePool on Windows 11 and Server 2022; device context use-after-free via session counter underflow (IOCTL 0x00222050). All primitives accessible from unprivileged user-mode after driver load. BYOVD: catalog-signed (0/77 VT), FILE_ANY_ACCESS surface reachable from any local process.
Privileges: kernel
Operating System: Windows 7, Windows 8, Windows 10, Windows 11

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources


  • Internal Research

  • Known Vulnerable Samples

    Property                  Value
    Filename                  NGStar.sys
    Creation Timestamp        2011-01-20 01:16:57
    MD5                       297a9b187c6897749bc7bb92d02e95c0
    SHA1                      3f102ab63f53869309443b5de9c9416a5e001284
    SHA256                    4542b20be7adceb61fa5f538fed8c395951e775dbd7c4a2f7c6aee477c4d924e
    Authentihash MD5          b0f2bf18148addfad4ca53d4e00088b7
    Authentihash SHA1         6ec95a0e99215e43742aec5fc55f2fe0345b3dc1
    Authentihash SHA256       e2bc6987462f4cfe4de4b53add75822cb2a197a6958b10cb9d85e16788703d18
    RichPEHeaderHash MD5      eb2cd0517f8714f7dbc4b0514950d3cd
    RichPEHeaderHash SHA1     313be86d1b51712b39b608d936897d5e74304ec5
    RichPEHeaderHash SHA256   b08b03325f19080d245bd0d190404c9c92d693afded600766f828d96eb8d371b
    Publisher                 NITGEN&COMPANY Co., Ltd.
    Date                      2012-07-04
    Company                   NITGEN&COMPANY Co., Ltd.
    Description               NGStar Driver for Windows 2000/XP/Vista/7 (x64)
    Product                   NGStar.sys
    OriginalFilename          NGStar.sys

    Imports

    • ntoskrnl.exe
    • USBD.SYS

    Imported Functions

    • IoReleaseRemoveLockEx
    • IoDetachDevice
    • DbgPrint
    • IoAllocateMdl
    • IoFreeMdl
    • IofCallDriver
    • PoRequestPowerIrp
    • IoCancelIrp
    • PoSetPowerState
    • ExAllocatePool
    • MmUnmapLockedPages
    • sprintf
    • ExFreePool
    • PoStartNextPowerIrp
    • IoAcquireRemoveLockEx
    • IofCompleteRequest
    • IoCreateDevice
    • IoDeleteSymbolicLink
    • IoReleaseRemoveLockAndWaitEx
    • KeWaitForSingleObject
    • IoBuildPartialMdl
    • IoFreeIrp
    • RtlFreeAnsiString
    • IoAttachDeviceToDeviceStack
    • PoCallDriver
    • IoAllocateIrp
    • RtlInitUnicodeString
    • IoIsWdmVersionAvailable
    • IoDeleteDevice
    • KeSetEvent
    • MmMapLockedPages
    • KeBugCheckEx
    • IoInitializeRemoveLockEx
    • RtlUnicodeStringToAnsiString
    • KeInitializeEvent
    • IoBuildDeviceIoControlRequest
    • IoCreateSymbolicLink
    • USBD_CreateConfigurationRequestEx
    • USBD_ParseConfigurationDescriptor

    Exported Functions


    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .rsrc

    Signature


    last_updated: 2026-06-16