srswdrv.sys

Description

srswdrv.sys is a vulnerable kernel driver from the KeServiceDescriptorTable/vulnerable-drivers repository. The driver exposes dangerous kernel primitives to usermode.

  • UUID: 5c4142a6-b287-4817-864f-152be08f7c48
  • Created: 2026-04-17
  • Author: Michael Haag
  • Acknowledgement: @rainbowdynamix, @DbgPrint

Download

This download link contains the vulnerable driver!

Commands

sc.exe create srswdrv binPath=C:\windows\temp\srswdrv.sys type=kernel && sc.exe start srswdrv

  • Use Case: Elevate privileges
  • Privileges: kernel
  • Operating System: Windows 10

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources


  • https://github.com/magicsword-io/LOLDrivers/issues/325
  • https://github.com/KeServiceDescriptorTable/vulnerable-drivers

  • Known Vulnerable Samples

    Filename: srswdrv.sys
    Creation Timestamp: 2022-03-01 22:42:37
    MD5: 4aa226d5b771edc1109c469a76bd38b2
    SHA1: 1b03900fe18aee01758379daef96cb5ad66d2690
    SHA256: 57414e532a7a10ae7af7fa6294d1d95ad4d9d506882258c5e59d53b4e4f2c91a
    Authentihash MD5: de13493d94dfb0940f0f7d52e87fe559
    Authentihash SHA1: 3f177d52830a62cdae02fc8bbe783cb8b4103d3c
    Authentihash SHA256: c6852ea86cb52934d04af2e042b32017191d5ba342e3cbcad89c719fa039e15b
    RichPEHeaderHash MD5: ba16e5c11619fb4ba339fa89ed59f955
    RichPEHeaderHash SHA1: 5ae1edd8e76b54d655cb4c6190ffcd6f3d030801
    RichPEHeaderHash SHA256: 54220b2f52ca03d8f49b10c1ba8008802c4725543dd535a3cd2ab6f54b78362b
    Company: Lenovo
    Description: SRSETUPWIN Driver
    Product: SRSETUPWIN
    OriginalFilename: srswdrv.sys

    Download

    Certificates

    Certificate 4f76f384daf2bfb94db49483e00e65d9
    ToBeSigned (TBS) MD5: ca366436a1a2cdecbb00e0480b7c4c46
    ToBeSigned (TBS) SHA1: 9ff3200ff7c8bdf9fb0bac5e3cf45823bc014609
    ToBeSigned (TBS) SHA256: ad4cfcf10b7c922aa06cd57a68055f898aa38ab3f176c143fbeb362f37d9f98b
    Subject: CN=WDKTestCert ddhankecha,132886868762491660
    ValidFrom: 2022-02-07 05:54:36
    ValidTo: 2032-02-07 00:00:00
    SignatureAlgorithmOID: 1.2.840.113549.1.1.5
    IsCertificateAuthority: True
    SerialNumber: 4f76f384daf2bfb94db49483e00e65d9
    Version: 3

    Imports

    • ntoskrnl.exe
    • WDFLDR.SYS

    Imported Functions

    • MmUnmapIoSpace
    • MmAllocateContiguousMemory
    • MmFreeContiguousMemory
    • IofCompleteRequest
    • IoCreateDevice
    • IoCreateSymbolicLink
    • MmMapIoSpace
    • IoDeleteSymbolicLink
    • IoInitializeRemoveLockEx
    • IoAcquireRemoveLockEx
    • IoReleaseRemoveLockEx
    • MmGetPhysicalAddress
    • ExGetFirmwareEnvironmentVariable
    • RtlCopyUnicodeString
    • DbgPrintEx
    • MmGetSystemRoutineAddress
    • IoDeleteDevice
    • RtlInitUnicodeString
    • WdfVersionUnbind
    • WdfVersionBind
    • WdfVersionUnbindClass
    • WdfVersionBindClass

    Exported Functions

    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .rsrc
    • .reloc

    Signature

    {
      "Certificates": [
        {
          "CertificateType": "Leaf (Code Signing)",
          "IsCA": false,
          "IsCertificateAuthority": true,
          "IsCodeSigning": true,
          "SerialNumber": "4f76f384daf2bfb94db49483e00e65d9",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "CN=WDKTestCert ddhankecha,132886868762491660",
          "TBS": {
            "MD5": "ca366436a1a2cdecbb00e0480b7c4c46",
            "SHA1": "9ff3200ff7c8bdf9fb0bac5e3cf45823bc014609",
            "SHA256": "ad4cfcf10b7c922aa06cd57a68055f898aa38ab3f176c143fbeb362f37d9f98b",
            "SHA384": "56f12b3649ec67369804117c0164dd78dbf6063ae573c440359488a99e1711d6626ee0f845256383558f542732caf703"
          },
          "ValidFrom": "2022-02-07 05:54:36",
          "ValidTo": "2032-02-07 00:00:00",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "CN=WDKTestCert ddhankecha,132886868762491660",
          "SerialNumber": "4f76f384daf2bfb94db49483e00e65d9",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    

    last_updated: 2026-04-20