894bd2db-1d93-4b3d-8e4d-7dac29382cb9

wdisvhost.sys :inline

Description

wdisvhost.sys is a vulnerable kernel driver from the KeServiceDescriptorTable/vulnerable-drivers repository. The driver exposes dangerous kernel primitives to usermode.

  • UUID: 894bd2db-1d93-4b3d-8e4d-7dac29382cb9
  • Created: 2026-04-17
  • Author: Michael Haag
  • Acknowledgement: | [@rainbowdynamix, @DbgPrint](https://twitter.com/@rainbowdynamix, @DbgPrint)

Download

This download link contains the vulnerable driver!

Block wdisvhost.sys across your endpoints

Add this driver to your block policy in minutes with MagicSword, threat-driven application control. Free for up to 100 endpoints.

Start Blocking for Free

Commands

sc.exe create wdisvhost binPath=C:\windows\temp\wdisvhost.sys type=kernel && sc.exe start wdisvhost
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://github.com/magicsword-io/LOLDrivers/issues/325
  • https://github.com/KeServiceDescriptorTable/vulnerable-drivers

    • Known Vulnerable Samples

    PropertyValue
    Filenamewdisvhost.sys
    Creation Timestamp2009-12-29 02:36:19
    MD59851c3d7aee98aa0d712c50e9ca20eb9
    SHA1513e8fc423ce2737843053852a0a672c43d2db9e
    SHA256988960e31a258ea71cf93a7791ae8c91c8cefb6ad8a50cdbd1b07f73b524aa61
    Authentihash MD5a7c7afe04a23793de0fe3b0d99cc20bd
    Authentihash SHA1ce465a42be6f19ca8e99c23b78c42b6073c8b673
    Authentihash SHA2565721c075bfec3ce946b8a96a58551a765be294212eaf27e5ffd6b738baef57d3
    RichPEHeaderHash MD51ca376dfca09b19f2421324c4fb8a536
    RichPEHeaderHash SHA127b8b4fa4e7b64527ab469cda082f8d62e8ddd3b
    RichPEHeaderHash SHA256e437729618db22b65d8932ba76cec6eb1f742c8462dd3f0df1c5b34c958a5555

    Download

    Certificates

    Expand
    Certificate 0f4e02f997b62a18c0983bddeda309ab
    FieldValue
    ToBeSigned (TBS) MD5a8524495a477651182b4bde5e7067ee3
    ToBeSigned (TBS) SHA1421ef2e5d418e5a362fbf80a163bd98a6ff655a4
    ToBeSigned (TBS) SHA25671d19c0f529996809f7cead25d8bf89b4433e5886dc824276c9bcc2cc1c3059c
    SubjectC=NL, ST=Noord Brabant, L='s,Hertogenbosch, O=Remko Weijnen, CN=Remko Weijnen
    ValidFrom2015-06-30 00:00:00
    ValidTo2018-07-06 12:00:00
    Signature7b492458bed209ba27f8cd4671fc3af69f9dee6c6c380454a9f83028a20602a759a0b4998bb91a8219bd9741b57ff30837473f495d77a1a111f12dd986f1eb0c7485c0a681553c1df12d2dbc1e18082991350515d30e838b2cd22911c5ab5582a2f9e58759fac9a3feb2d6724529e6fd9a68752a6b38a5e0d4311501eda6e82a3657f0fd031fbb58774933634d472e39513e207cfd1467852f47a56d3b4ee55f5c831cdeb4e7d50c71faff4a250c24ed4e9f0b7073ae6858110c6a297a159c3387eec686370f7e55cba1a8aaf721a26c44fc59a2ab85b98464e7829842f1c23e26fde1af8538b25d9e0eb05a01ba7eb53f92644a393e56fdaa8e24214caea373
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber0f4e02f997b62a18c0983bddeda309ab
    Version3
    Certificate 61204db4000000000027
    FieldValue
    ToBeSigned (TBS) MD58e3ffc222fbcebdbb8b23115ab259be7
    ToBeSigned (TBS) SHA1ee20bff28ffe13be731c294c90d6ded5aae0ec0e
    ToBeSigned (TBS) SHA25659826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821
    SubjectC=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
    ValidFrom2011-04-15 19:45:33
    ValidTo2021-04-15 19:55:33
    Signature208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber61204db4000000000027
    Version3
    Certificate 0b7e10903c38490ffa2f679a87a1a7b9
    FieldValue
    ToBeSigned (TBS) MD57b0fbcf5c5aa55932726e9222f56efe2
    ToBeSigned (TBS) SHA1f09486b2b82a88a8b82aa2a12440496c8e53c452
    ToBeSigned (TBS) SHA2560bf095b845b69928b5d7dfd1c42ae4f90feb8dc97f7830598c93e848877021fb
    SubjectC=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Code Signing CA
    ValidFrom2013-10-22 12:00:00
    ValidTo2028-10-22 12:00:00
    Signature6a0eff7e137c06a54bc02e8cf9536409e2ba58913050eccc9fe1d3a82f4846361829d078285f9856400f1ebabdb13b875cdc5bd8200ded1a164dd51124214bf127699013eb11a101dafdb54e795975bd382a6ac3f68e412b8aa28bd72c5151d99ca0c8e34eba6ca847d24ed1681f8c02573bb3296a8e6a202ab9f2006264bac8e900f9cca4d4ba9a35d8af2c656c167c5821de4a30d0faeb245d06c99d16b7ad4a45d325e20cf040aa5c4dac7ecd0682b976466908d832b682fee3a95834431b8e6767973f6831163638953e87f7c7c3af9d7a7719d9de93b5fd6e2bfc94f93db74c12352c30bee88d9e05709a4813f48cd6e71eac38e7a8f3ad0cb77aec67ed
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityTrue
    SerialNumber0b7e10903c38490ffa2f679a87a1a7b9
    Version3

    Imports

    Expand
    • ntoskrnl.exe

    Imported Functions

    Expand
    • KeWaitForSingleObject
    • IofCallDriver
    • IoBuildSynchronousFsdRequest
    • KeInitializeEvent
    • IoDeleteDevice
    • IoCreateSymbolicLink
    • IoCreateDevice
    • RtlInitUnicodeString
    • ExAllocatePool
    • IofCompleteRequest
    • ExFreePoolWithTag
    • IoFreeMdl
    • MmUnmapLockedPages
    • MmUnmapIoSpace
    • MmMapLockedPages
    • MmBuildMdlForNonPagedPool
    • IoAllocateMdl
    • MmMapIoSpace
    • IoDeleteSymbolicLink
    • MmMapLockedPagesSpecifyCache
    • IoGetDeviceObjectPointer

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • INIT

    Signature

    Expand
    {
  "Certificates": [
    {
      "CertificateType": "Leaf (Code Signing)",
      "IsCA": false,
      "IsCertificateAuthority": false,
      "IsCodeSigning": true,
      "SerialNumber": "0f4e02f997b62a18c0983bddeda309ab",
      "Signature": "7b492458bed209ba27f8cd4671fc3af69f9dee6c6c380454a9f83028a20602a759a0b4998bb91a8219bd9741b57ff30837473f495d77a1a111f12dd986f1eb0c7485c0a681553c1df12d2dbc1e18082991350515d30e838b2cd22911c5ab5582a2f9e58759fac9a3feb2d6724529e6fd9a68752a6b38a5e0d4311501eda6e82a3657f0fd031fbb58774933634d472e39513e207cfd1467852f47a56d3b4ee55f5c831cdeb4e7d50c71faff4a250c24ed4e9f0b7073ae6858110c6a297a159c3387eec686370f7e55cba1a8aaf721a26c44fc59a2ab85b98464e7829842f1c23e26fde1af8538b25d9e0eb05a01ba7eb53f92644a393e56fdaa8e24214caea373",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=NL, ST=Noord Brabant, L=\u0027s,Hertogenbosch, O=Remko Weijnen, CN=Remko Weijnen",
      "TBS": {
        "MD5": "a8524495a477651182b4bde5e7067ee3",
        "SHA1": "421ef2e5d418e5a362fbf80a163bd98a6ff655a4",
        "SHA256": "71d19c0f529996809f7cead25d8bf89b4433e5886dc824276c9bcc2cc1c3059c",
        "SHA384": "fb0da82f5b925a27bae035cc0d2787160a709e66a644accf576c8d2aab86ff901f95896c4fd8c1631cb2ef72e305f530"
      },
      "ValidFrom": "2015-06-30 00:00:00",
      "ValidTo": "2018-07-06 12:00:00",
      "Version": 3
    },
    {
      "CertificateType": "CA",
      "IsCA": true,
      "IsCertificateAuthority": true,
      "IsCodeSigning": false,
      "SerialNumber": "61204db4000000000027",
      "Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA",
      "TBS": {
        "MD5": "8e3ffc222fbcebdbb8b23115ab259be7",
        "SHA1": "ee20bff28ffe13be731c294c90d6ded5aae0ec0e",
        "SHA256": "59826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821",
        "SHA384": "f2dab7e56a33298654924501499487f6ba72c7d9477476a186e1ed7a9be031fade0e35ac09eff5e56bbbab95ae5374e7"
      },
      "ValidFrom": "2011-04-15 19:45:33",
      "ValidTo": "2021-04-15 19:55:33",
      "Version": 3
    },
    {
      "CertificateType": "CA",
      "IsCA": true,
      "IsCertificateAuthority": true,
      "IsCodeSigning": true,
      "SerialNumber": "0b7e10903c38490ffa2f679a87a1a7b9",
      "Signature": "6a0eff7e137c06a54bc02e8cf9536409e2ba58913050eccc9fe1d3a82f4846361829d078285f9856400f1ebabdb13b875cdc5bd8200ded1a164dd51124214bf127699013eb11a101dafdb54e795975bd382a6ac3f68e412b8aa28bd72c5151d99ca0c8e34eba6ca847d24ed1681f8c02573bb3296a8e6a202ab9f2006264bac8e900f9cca4d4ba9a35d8af2c656c167c5821de4a30d0faeb245d06c99d16b7ad4a45d325e20cf040aa5c4dac7ecd0682b976466908d832b682fee3a95834431b8e6767973f6831163638953e87f7c7c3af9d7a7719d9de93b5fd6e2bfc94f93db74c12352c30bee88d9e05709a4813f48cd6e71eac38e7a8f3ad0cb77aec67ed",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Code Signing CA",
      "TBS": {
        "MD5": "7b0fbcf5c5aa55932726e9222f56efe2",
        "SHA1": "f09486b2b82a88a8b82aa2a12440496c8e53c452",
        "SHA256": "0bf095b845b69928b5d7dfd1c42ae4f90feb8dc97f7830598c93e848877021fb",
        "SHA384": "f2a7644292efe9a7adc26cdeb0aa13980ea792d21845ba696684ac64d7f906839f3ec7625c3a88efefe3a451d961d317"
      },
      "ValidFrom": "2013-10-22 12:00:00",
      "ValidTo": "2028-10-22 12:00:00",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Code Signing CA",
      "SerialNumber": "0f4e02f997b62a18c0983bddeda309ab",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2026-04-20