
WinIo64.sys

Description

WinIo64.sys is a hardware access driver based on the WinIo library that exposes direct physical memory access and I/O port operations to user mode. The driver maps the \Device\PhysicalMemory section object into user space via ZwOpenSection and ZwMapViewOfSection (IOCTL 0x80102040), with a corresponding unmap (IOCTL 0x80102044), and provides arbitrary I/O port read (IOCTL 0x80102050) and write (IOCTL 0x80102054) in byte, word, and dword widths. Physical address translation via HalTranslateBusAddress is also available. The driver is WHQL attestation signed via Microsoft Windows Third Party Component CA 2014. It is distributed by multiple OEM utilities and heavily abused in the wild: VirusTotal records 61 malicious execution parents, including malware droppers and BYOVD tools. KDU (Kernel Driver Utility) uses it as a provider.

  • UUID: 96501e5b-e4f2-41a9-a8ee-d09e36d31a39
  • Created: 2026-04-22
  • Author: Michael Haag
  • Acknowledgement: Will Dormann | @wdormann

Download

This download link contains the vulnerable driver!

Block WinIo64.sys across your endpoints

Add this driver to your block policy in minutes with MagicSword, threat-driven application control. Free for up to 100 endpoints.


Commands

sc.exe create WinIo64 binPath=C:\windows\temp\WinIo64.sys type=kernel && sc.exe start WinIo64

  • Use Case: Elevate privileges
  • Privileges: kernel
  • Operating System: Windows 10

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources

  • https://github.com/magicsword-io/LOLDrivers/issues/222
  • https://github.com/hfiref0x/KDU

Known Vulnerable Samples

    • Filename: WinIo64.sys
    • Creation Timestamp: 2018-07-18 00:58:37
    • MD5: 66ab7f46db42bf52db06840ec3b4deb3
    • SHA1: 9745d77e3c27437bbccf39e074f7d57a99fe83b1
    • SHA256: eaaed21c1788baca09ee16b06e1a231cb11c8417b3949d7d90596d50305dc604
    • Authentihash MD5: 1e57dea8b5fd6d017784014b01b6194b
    • Authentihash SHA1: 1419392fc1ec6ef497442fee3f7553a68b78a03d
    • Authentihash SHA256: b12c8f36a9498df244c0659efae6f5f942068a1e0e9e0f1ba02baa4a378056be
    • RichPEHeaderHash MD5: b91c3947afb68deeeef5f332dddad745
    • RichPEHeaderHash SHA1: 26f7d3371d483be1c1cff52181be4a1d055dfb7d
    • RichPEHeaderHash SHA256: ef0915f4bb6788ffe57afdbbc5ca7f2b8144101e7bc0db67eb38f40933e89a68

    Certificates

    Certificate 3929d40d67da14bc419f0a4e9a0e61b8

    • ToBeSigned (TBS) MD5: 2a7bd7d7793c032a40a30203a939dd55
    • ToBeSigned (TBS) SHA1: 558c7400e13d0d84223be2f21d56d85e84f960eb
    • ToBeSigned (TBS) SHA256: 400f3627f818bfe6bcd601f020e1c845cb2e89f6440ffccb4ba852027bab20bc
    • Subject: CN=WDKTestCert heavenluo,131620253795976757
    • ValidFrom: 2018-02-02 06:09:40
    • ValidTo: 2028-02-02 00:00:00
    • Signature: 16abb711854cdb85e055bfd2e70c684f102fd6a8bef366ac8a4f9366f345b9c904476c8e41fe7eb3c5bde66b10c5ca12640e69c9fd9166793a49760eca4338d45d36bd8fd7e6db8b87410d4caf916e191cec9091def57c6de19d588be69a5071b8f27bd775d84a09178cfd25008e1f473843b026182c813fcd69a4898c3e49631db649953dbbcfac97ed9ed8ea7f939f0e68b6f7630f5960094a8d8588be2b7c6b65ab146ee79afee5a77d698355da178d58a79fce619c0ef7ad6b93f05a48f4fd501d92b1cd0bd17c6e3abadd6cf02c624dd73baea780cecd9a76441ca6dc379aea846461375ecfdfd5c0a060a1cb0382117beae85b2b45beafceb734f8ec0f
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.5
    • IsCertificateAuthority: True
    • SerialNumber: 3929d40d67da14bc419f0a4e9a0e61b8
    • Version: 3

    Imports

    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    • IoCreateDevice
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • IofCompleteRequest
    • ObfDereferenceObject
    • ZwClose
    • ZwOpenSection
    • ZwMapViewOfSection
    • ZwUnmapViewOfSection
    • ObReferenceObjectByHandle
    • RtlInitUnicodeString
    • HalTranslateBusAddress

    Exported Functions


    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .reloc

    Signature

    {
      "Certificates": [
        {
          "CertificateType": "Leaf (Code Signing)",
          "IsCA": false,
          "IsCertificateAuthority": true,
          "IsCodeSigning": true,
          "SerialNumber": "3929d40d67da14bc419f0a4e9a0e61b8",
          "Signature": "16abb711854cdb85e055bfd2e70c684f102fd6a8bef366ac8a4f9366f345b9c904476c8e41fe7eb3c5bde66b10c5ca12640e69c9fd9166793a49760eca4338d45d36bd8fd7e6db8b87410d4caf916e191cec9091def57c6de19d588be69a5071b8f27bd775d84a09178cfd25008e1f473843b026182c813fcd69a4898c3e49631db649953dbbcfac97ed9ed8ea7f939f0e68b6f7630f5960094a8d8588be2b7c6b65ab146ee79afee5a77d698355da178d58a79fce619c0ef7ad6b93f05a48f4fd501d92b1cd0bd17c6e3abadd6cf02c624dd73baea780cecd9a76441ca6dc379aea846461375ecfdfd5c0a060a1cb0382117beae85b2b45beafceb734f8ec0f",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "CN=WDKTestCert heavenluo,131620253795976757",
          "TBS": {
            "MD5": "2a7bd7d7793c032a40a30203a939dd55",
            "SHA1": "558c7400e13d0d84223be2f21d56d85e84f960eb",
            "SHA256": "400f3627f818bfe6bcd601f020e1c845cb2e89f6440ffccb4ba852027bab20bc",
            "SHA384": "459f736aa86a9e671483266beadfc4690f09fefcab4e40aad4c7f2a5ab78e0daf598088568ecc1a915d144656eb56492"
          },
          "ValidFrom": "2018-02-02 06:09:40",
          "ValidTo": "2028-02-02 00:00:00",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "CN=WDKTestCert heavenluo,131620253795976757",
          "SerialNumber": "3929d40d67da14bc419f0a4e9a0e61b8",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }

    last_updated: 2026-05-04