63535f5c-9535-4bb0-ae8c-4366d40055f9
_xyzxbqvb.rdu_GFAC_Sys_x64.sys 
Description
_xyzxbqvb.rdu_GFAC_Sys_x64.sys is a vulnerable kernel driver from the KeServiceDescriptorTable/vulnerable-drivers repository. The driver exposes dangerous kernel primitives to usermode.
- UUID: 63535f5c-9535-4bb0-ae8c-4366d40055f9
- Created: 2026-04-17
- Author: Michael Haag
- Acknowledgement: | [@rainbowdynamix, @DbgPrint](https://twitter.com/@rainbowdynamix, @DbgPrint)
This download link contains the vulnerable driver!
Block _xyzxbqvb.rdu_GFAC_Sys_x64.sys across your endpoints
Add this driver to your block policy in minutes with MagicSword, threat-driven application control. Free for up to 100 endpoints.
Start Blocking for FreeCommands
sc.exe create _xyzxbqvb.rdu_GFAC_Sys_x64 binPath=C:\windows\temp\_xyzxbqvb.rdu_GFAC_Sys_x64.sys type=kernel && sc.exe start _xyzxbqvb.rdu_GFAC_Sys_x64
| Use Case | Privileges | Operating System |
|---|---|---|
| Elevate privileges | kernel | Windows 10 |
Detections
YARA 🏹
Expand
with header and size limitation
without header and size limitation
for renamed driver files
Resources
Known Vulnerable Samples
| Property | Value |
|---|---|
| Filename | _xyzxbqvb.rdu_GFAC_Sys_x64.sys |
| Creation Timestamp | 2025-07-06 23:41:32 |
| MD5 | c6016d13579a954adb70e656d2711838 |
| SHA1 | 127a34bc163a830e9bd4b9db6879bff81ca02699 |
| SHA256 | b6748d7da5759dee7d5f2f32b0326b4edb7b2135a0e4a6d5ff26aef1e139d8b2 |
| Authentihash MD5 | c7e4f8c22d24c9209d4782e1d5958a71 |
| Authentihash SHA1 | 310a06a4fdae0c5afb3b29b43477d3e6cff61458 |
| Authentihash SHA256 | 82e9fc464c46b441fb638ba8883d7b8054a83d4ee10285a753028df9f3ffdf18 |
| RichPEHeaderHash MD5 | f9b07fdd3dd7301bc4bdfb1682caeca2 |
| RichPEHeaderHash SHA1 | 7e8fc264bc308430f4ad07dc9553c46ccfa3595c |
| RichPEHeaderHash SHA256 | 6b4a9f3fb319daca364ec169a70fe0b4260416cb7973f7baca32e4202762d6d5 |
Certificates
Expand
Certificate 08ad40b260d29c4c9f5ecda9bd93aed9
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | 5d8003a64dfa5a4d88365da1566038cb |
| ToBeSigned (TBS) SHA1 | 79465b56bc7ad55a37bdf633943da8bfc84db228 |
| ToBeSigned (TBS) SHA256 | 84bdc82e2f2a7f7aaa782667dac556ffcb2b33240c1f9c0a00a3264526a98332 |
| Subject | C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 |
| ValidFrom | 2021-04-29 00:00:00 |
| ValidTo | 2036-04-28 23:59:59 |
| Signature | 3a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.12 |
| IsCertificateAuthority | True |
| SerialNumber | 08ad40b260d29c4c9f5ecda9bd93aed9 |
| Version | 3 |
Certificate 020c8dc013e399724b5702c903428e25
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | 3541d63fa33e95e1121a2dd592ecd61c |
| ToBeSigned (TBS) SHA1 | d78866135e3cb2d0b661730bf555dd43022fab02 |
| ToBeSigned (TBS) SHA256 | 9d196605b9acc92ef0fbbaed53e63ee28e544bcfd9e01ecf6fcbe731c61cc3cb |
| Subject | JURISDICTION_OF_INCORPORATION_C=US, JURISDICTION_OF_INCORPORATION_SP=Delaware, BUSINESS_CATEGORY=Private Organization, serialNumber=4184388, C=US, ST=California, L=Tustin, O=Little Orbit Inc, CN=Little Orbit Inc |
| ValidFrom | 2024-11-21 00:00:00 |
| ValidTo | 2025-11-20 23:59:59 |
| Signature | 86ce1fe6aa1cc10fb96374c4af603647fff1dd1daac2fc874cfc0181e69a038fc4e24722224a4b0bc59cd34dd32844ae25170b3d70bf8cb39e5f4c33dfe3c38ec106c0171e816dffe14d5722a5c31902a9974d5abeed0c513909cdf627d82c6f686536146fd2f886a6221d2bf5a55e960dbda1e01c1890b40786937486e9aeb0ae24241c5b168a274060f8b557c935d7f354fc745e1e4bd0bee449fe40bfc19d1a5d0622ffcaa06b4adca5e876690a158625298483d6fcfa4d8f939b68e6021331f5a9a657cbe58792a40bccee632b7223ddab75618255f311c5c073f168c27aeff1afeeb3f65b6d17c4553a1e3ae631dec3ceacaf1ac90d16628cfbc25c8869addd0b9b1479cecf1f672fd0c2a6f36199972853c661938cc951397aaa93eefe512fe4590433d9b401c80388306f33af69ba917246af1ac76d583a9c0802d284950c95c1c1bcf49fb1db40d7f8fa09228bbe44687e1ab21d9b55d7d9093e063494d7daf0a48ee115a58ff82fe79b90ee15b542406fbc1cf2458508df2e274a2c038622d0359dd34c3e2c135178933cb792be2e55922dd63f0682771c62657371187a467c2a6cf8e6081046a21c66d6998fb611b4e78d6e49237cbf9c56396d305a83790b3bb953326f7a09089dcd9c1611ee125dc05b60a777641a17350d655391cced31c8285501e5ba2e05f854fbdce4f38bc8e1173c497a7e01df5652dbc9 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | False |
| SerialNumber | 020c8dc013e399724b5702c903428e25 |
| Version | 3 |
Imports
Expand
- FLTMGR.SYS
- ntoskrnl.exe
Imported Functions
Expand
- FltCreateCommunicationPort
- FltCloseCommunicationPort
- FltCloseClientPort
- FltSendMessage
- FltBuildDefaultSecurityDescriptor
- FltFreeSecurityDescriptor
- FltGetFileNameInformation
- FltReleaseFileNameInformation
- FltParseFileNameInformation
- FltLockUserBuffer
- FltRegisterFilter
- FltUnregisterFilter
- FltStartFiltering
- RtlInitUnicodeString
- KeEnterCriticalRegion
- KeLeaveCriticalRegion
- KeInitializeSpinLock
- ExInitializeResourceLite
- ExAcquireResourceExclusiveLite
- ExReleaseResourceLite
- ExDeleteResourceLite
- ExAllocatePool2
- ExFreePoolWithTag
- ZwCreateFile
- ZwReadFile
- ZwWriteFile
- ZwClose
- ZwDeleteFile
- MmGetSystemRoutineAddress
- IoGetInitialStack
- KeSetSystemAffinityThread
- KeQueryActiveProcessors
- __C_specific_handler
- ExAllocatePoolWithTag
- ProbeForRead
- ProbeForWrite
- MmProbeAndLockProcessPages
- MmProbeAndLockPages
- MmUnlockPages
- MmProtectMdlSystemAddress
- MmMapLockedPagesSpecifyCache
- MmUnmapLockedPages
- MmMapIoSpace
- MmUnmapIoSpace
- MmAllocateContiguousMemory
- MmFreeContiguousMemory
- IoAllocateMdl
- IoFreeMdl
- IoGetCurrentProcess
- MmGetPhysicalAddress
- MmAllocateNonCachedMemory
- MmFreeNonCachedMemory
- MmIsAddressValid
- MmSecureVirtualMemory
- MmUnsecureVirtualMemory
- RtlCreateHeap
- RtlDestroyHeap
- RtlAllocateHeap
- RtlFreeHeap
- KeStackAttachProcess
- KeUnstackDetachProcess
- PsProcessType
- PsThreadType
- PsGetVersion
- PsCreateSystemThread
- PsWrapApcWow64Thread
- ObfDereferenceObject
- ZwSetInformationThread
- ZwTerminateProcess
- ZwOpenProcess
- PsIsThreadTerminating
- PsLookupProcessByProcessId
- PsLookupThreadByThreadId
- ObOpenObjectByPointer
- ZwAllocateVirtualMemory
- ZwFreeVirtualMemory
- PsSetCreateProcessNotifyRoutine
- PsSetCreateThreadNotifyRoutine
- PsRemoveCreateThreadNotifyRoutine
- PsSetLoadImageNotifyRoutine
- PsRemoveLoadImageNotifyRoutine
- KeGetCurrentIrql
- KeAreAllApcsDisabled
- ExAcquireResourceSharedLite
- PsGetCurrentProcessId
- PsGetCurrentThreadId
- PsGetProcessId
- IoVolumeDeviceToDosName
- IoThreadToProcess
- PsGetProcessImageFileName
- PsGetProcessInheritedFromUniqueProcessId
- strcmp
- RtlGetVersion
- IofCompleteRequest
- IoCreateDevice
- IoCreateSymbolicLink
- IoDeleteDevice
- IoDeleteSymbolicLink
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- .pdata
- PAGE
- INIT
- .reloc
Signature
Expand
{
"Certificates": [
{
"CertificateType": "CA",
"IsCA": true,
"IsCertificateAuthority": true,
"IsCodeSigning": true,
"SerialNumber": "08ad40b260d29c4c9f5ecda9bd93aed9",
"Signature": "3a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.12",
"Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
"TBS": {
"MD5": "5d8003a64dfa5a4d88365da1566038cb",
"SHA1": "79465b56bc7ad55a37bdf633943da8bfc84db228",
"SHA256": "84bdc82e2f2a7f7aaa782667dac556ffcb2b33240c1f9c0a00a3264526a98332",
"SHA384": "65b1d4076a89ae273f57e6eeedecb3eae129b4168f76fa7671914cdf461d542255c59d9b85b916ae0ca6fc0fcf7a8e64"
},
"ValidFrom": "2021-04-29 00:00:00",
"ValidTo": "2036-04-28 23:59:59",
"Version": 3
},
{
"CertificateType": "Leaf (Code Signing)",
"IsCA": false,
"IsCertificateAuthority": false,
"IsCodeSigning": true,
"SerialNumber": "020c8dc013e399724b5702c903428e25",
"Signature": "86ce1fe6aa1cc10fb96374c4af603647fff1dd1daac2fc874cfc0181e69a038fc4e24722224a4b0bc59cd34dd32844ae25170b3d70bf8cb39e5f4c33dfe3c38ec106c0171e816dffe14d5722a5c31902a9974d5abeed0c513909cdf627d82c6f686536146fd2f886a6221d2bf5a55e960dbda1e01c1890b40786937486e9aeb0ae24241c5b168a274060f8b557c935d7f354fc745e1e4bd0bee449fe40bfc19d1a5d0622ffcaa06b4adca5e876690a158625298483d6fcfa4d8f939b68e6021331f5a9a657cbe58792a40bccee632b7223ddab75618255f311c5c073f168c27aeff1afeeb3f65b6d17c4553a1e3ae631dec3ceacaf1ac90d16628cfbc25c8869addd0b9b1479cecf1f672fd0c2a6f36199972853c661938cc951397aaa93eefe512fe4590433d9b401c80388306f33af69ba917246af1ac76d583a9c0802d284950c95c1c1bcf49fb1db40d7f8fa09228bbe44687e1ab21d9b55d7d9093e063494d7daf0a48ee115a58ff82fe79b90ee15b542406fbc1cf2458508df2e274a2c038622d0359dd34c3e2c135178933cb792be2e55922dd63f0682771c62657371187a467c2a6cf8e6081046a21c66d6998fb611b4e78d6e49237cbf9c56396d305a83790b3bb953326f7a09089dcd9c1611ee125dc05b60a777641a17350d655391cced31c8285501e5ba2e05f854fbdce4f38bc8e1173c497a7e01df5652dbc9",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "JURISDICTION_OF_INCORPORATION_C=US, JURISDICTION_OF_INCORPORATION_SP=Delaware, BUSINESS_CATEGORY=Private Organization, serialNumber=4184388, C=US, ST=California, L=Tustin, O=Little Orbit Inc, CN=Little Orbit Inc",
"TBS": {
"MD5": "3541d63fa33e95e1121a2dd592ecd61c",
"SHA1": "d78866135e3cb2d0b661730bf555dd43022fab02",
"SHA256": "9d196605b9acc92ef0fbbaed53e63ee28e544bcfd9e01ecf6fcbe731c61cc3cb",
"SHA384": "b4d837fca80a466c790497375485596ed79d591bc20c4ac15ab9b4387304238653c760ea5360670f6f85d46f6ad20614"
},
"ValidFrom": "2024-11-21 00:00:00",
"ValidTo": "2025-11-20 23:59:59",
"Version": 3
}
],
"CertificatesInfo": "",
"Signer": [
{
"Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
"SerialNumber": "020c8dc013e399724b5702c903428e25",
"Version": 1
}
],
"SignerInfo": ""
}
last_updated: 2026-04-20