90df671c-a903-49bd-ac62-c124d4f6901d

GlobalVistaVentures_v3.sys :inline

Description

GlobalVistaVentures_v3.sys is a vulnerable kernel driver from the KeServiceDescriptorTable/vulnerable-drivers repository. The driver exposes dangerous kernel primitives to usermode.

  • UUID: 90df671c-a903-49bd-ac62-c124d4f6901d
  • Created: 2026-04-17
  • Author: Michael Haag
  • Acknowledgement: | [@rainbowdynamix, @DbgPrint](https://twitter.com/@rainbowdynamix, @DbgPrint)

Download

This download link contains the vulnerable driver!

Block GlobalVistaVentures_v3.sys across your endpoints

Add this driver to your block policy in minutes with MagicSword, threat-driven application control. Free for up to 100 endpoints.

Start Blocking for Free

Commands

sc.exe create GlobalVistaVentures_v3 binPath=C:\windows\temp\GlobalVistaVentures_v3.sys type=kernel && sc.exe start GlobalVistaVentures_v3
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://github.com/magicsword-io/LOLDrivers/issues/325
  • https://github.com/KeServiceDescriptorTable/vulnerable-drivers

    • Known Vulnerable Samples

    PropertyValue
    FilenameGlobalVistaVentures_v3.sys
    Creation Timestamp2025-05-01 03:59:20
    MD5a3e41b5caaabf71f04d110b158fbf2e2
    SHA136175fd1dc300b86af6b6e9f890d07e8a603067e
    SHA2567ccb02b9dc8bb46e5ea32fb8f4c93bac195bcbb0c2fc02d3af28f4208afe7c41
    Authentihash MD5005fefb26c2f32153bda34215f9ef37d
    Authentihash SHA1bf8197d2246cf01f455bb842f3c82dcfb3a9eba5
    Authentihash SHA25681b5ec019957fd1b214e4f73ddfc73d6dfd93d4ec7a5f29580b629ef63283b43
    RichPEHeaderHash MD52eb98651d3fc2f67b20a798bd8bd1d88
    RichPEHeaderHash SHA19d566d1386dc27db55e29a5709f5453dc8c09f30
    RichPEHeaderHash SHA25668c71cc3f2bb0fa93ebe5c8e5bc5f70e54e881d9efabd1bfb01d013a5b5842c7

    Download

    Certificates

    Expand
    Certificate 4c489abdb650d38741eef80e98f910e1
    FieldValue
    ToBeSigned (TBS) MD5fd74b887e48405a254d311662c0432f7
    ToBeSigned (TBS) SHA1094b9bf2e5b782f0af1f7e168c1a2cea67f7f723
    ToBeSigned (TBS) SHA256009b1c19660abc872a00cbb8b498e03ff65dc34d788c4344bd0ece66162f6bde
    SubjectCN=WDKTestCert youss,133730752550224793
    ValidFrom2024-10-10 23:07:35
    ValidTo2034-10-11 00:00:00
    Signature70023230b056964e058614ed2d83f7c540b2344815347295c2c8e9e619689dd6acef6036d0261a9fbfb838e454ba3a9723e2f56630c9d5095780a84294f6e408dc45ff3c7fcd2fc008f9db87d41cca0caf456c981a80399573b8cba2abbd04fa5b12cf2c35d230314c343f60bf5529665b504cb1ce05ddd2a5a63389ff86fd2a64ac85d51aace3ba58840be4ac7cdaceaa9d65bb6416c720759ea09bea027e8845c90ce00229e7eebb92dc6736335ed1f8ad9c17374b50735f38a3cdb1d725bbc659754b82891a746541cc6c23fe2a5b896ab621f4cc6f6d3acb57c286d3e7667bd01185b8e7beb622d2934b5300f670ea9b100ef8e6793cfda414047ef96cc2
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber4c489abdb650d38741eef80e98f910e1
    Version3

    Imports

    Expand
    • ntoskrnl.exe

    Imported Functions

    Expand
    • RtlInitAnsiString
    • RtlInitUnicodeString
    • RtlAnsiStringToUnicodeString
    • RtlCompareUnicodeString
    • RtlFreeUnicodeString
    • DbgPrintEx
    • RtlGetVersion
    • ExAllocatePool
    • ExFreePoolWithTag
    • IofCompleteRequest
    • IoGetCurrentProcess
    • ObfDereferenceObject
    • KeAttachProcess
    • KeDetachProcess
    • KeStackAttachProcess
    • KeUnstackDetachProcess
    • PsLookupProcessByProcessId
    • ZwAllocateVirtualMemory
    • ZwFreeVirtualMemory
    • ZwQueryVirtualMemory
    • PsGetProcessPeb
    • MmCopyVirtualMemory
    • ZwQuerySystemInformation
    • PsInitialSystemProcess
    • IoCreateDevice
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • MmProtectMdlSystemAddress
    • MmMapLockedPagesSpecifyCache
    • MmUnmapLockedPages
    • MmAllocatePagesForMdl
    • MmFreePagesFromMdl
    • MmUnmapIoSpace
    • MmMapIoSpaceEx
    • IoFreeMdl
    • MmCopyMemory
    • MmGetVirtualForPhysical
    • MmIsAddressValid

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • INIT

    Signature

    Expand
    {
  "Certificates": [
    {
      "CertificateType": "Leaf (Code Signing)",
      "IsCA": false,
      "IsCertificateAuthority": true,
      "IsCodeSigning": true,
      "SerialNumber": "4c489abdb650d38741eef80e98f910e1",
      "Signature": "70023230b056964e058614ed2d83f7c540b2344815347295c2c8e9e619689dd6acef6036d0261a9fbfb838e454ba3a9723e2f56630c9d5095780a84294f6e408dc45ff3c7fcd2fc008f9db87d41cca0caf456c981a80399573b8cba2abbd04fa5b12cf2c35d230314c343f60bf5529665b504cb1ce05ddd2a5a63389ff86fd2a64ac85d51aace3ba58840be4ac7cdaceaa9d65bb6416c720759ea09bea027e8845c90ce00229e7eebb92dc6736335ed1f8ad9c17374b50735f38a3cdb1d725bbc659754b82891a746541cc6c23fe2a5b896ab621f4cc6f6d3acb57c286d3e7667bd01185b8e7beb622d2934b5300f670ea9b100ef8e6793cfda414047ef96cc2",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "CN=WDKTestCert youss,133730752550224793",
      "TBS": {
        "MD5": "fd74b887e48405a254d311662c0432f7",
        "SHA1": "094b9bf2e5b782f0af1f7e168c1a2cea67f7f723",
        "SHA256": "009b1c19660abc872a00cbb8b498e03ff65dc34d788c4344bd0ece66162f6bde",
        "SHA384": "33c2319981104cfab7efbd6fb4be7ecc66a7d8aa9ddddba70ee5775cd0e292a038595acb4329a1c6146d11e862ca0ab8"
      },
      "ValidFrom": "2024-10-10 23:07:35",
      "ValidTo": "2034-10-11 00:00:00",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "CN=WDKTestCert youss,133730752550224793",
      "SerialNumber": "4c489abdb650d38741eef80e98f910e1",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2026-04-20