bsitf.sys

Description

bsitf.sys is a vulnerable kernel driver from the KeServiceDescriptorTable/vulnerable-drivers repository. The driver exposes dangerous kernel primitives to usermode.

  • UUID: 9905c737-83ad-4801-a573-8267f3aea924
  • Created: 2026-04-17
  • Author: Michael Haag
  • Acknowledgement: @rainbowdynamix, @DbgPrint

Commands

sc.exe create bsitf binPath=C:\windows\temp\bsitf.sys type=kernel && sc.exe start bsitf
  • Use Case: Elevate privileges
  • Privileges: kernel
  • Operating System: Windows 10

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources


  • https://github.com/magicsword-io/LOLDrivers/issues/325
  • https://github.com/KeServiceDescriptorTable/vulnerable-drivers

Known Vulnerable Samples

    Filename: bsitf.sys
    Creation Timestamp: 2023-05-15 03:26:29
    MD5: 4d59cc4dd2c94cdb78e561f3a422e899
    SHA1: e77af2651fb4a4ff0fe80bf838ebe0b76aa8edd4
    SHA256: 602bef923ddbf2ea7967cedf56866b9db10fb43f0e90a9681cd021f1cddc05c9
    Authentihash MD5: 090861039dcbcfc0feecdbaf1aa577cc
    Authentihash SHA1: 65d2ac2cabd251c0eab84cf4c0ab57ed15504f4f
    Authentihash SHA256: 678d7d011499c5793ca87b29c7179d0d959f8d6d5b3b966ee619c3d0cfcb6bc1
    RichPEHeaderHash MD5: a17da6e24f9d7f5d4335a7c4f22cd502
    RichPEHeaderHash SHA1: 5b43331ee12aad91ad19fcafe4106b122494c7cd
    RichPEHeaderHash SHA256: 64b94de97b482bdd0ff9f96d307093e6c2f631bcd1b1089ca53f5ae789628711
    Company: ASUSTek Computer Inc.
    Description: ASUS BIOS Flash Driver
    Product: ASUS BIOS Flash Driver
    OriginalFilename: bsitf.sys

    Certificates

    Certificate 3300000061c88b129c2a7f1d87000000000061
    ToBeSigned (TBS) MD5: 686c5dd3e6c0c4d6888c652ee9a76e0b
    ToBeSigned (TBS) SHA1: 48c84f19d968d167bb3dad0bfeffcc659269aa03
    ToBeSigned (TBS) SHA256: 1fe207964146bdf934dc0c17aefaa75e78aea3d6a3935cc96e64511d7d469b29
    Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher
    ValidFrom: 2023-04-06 19:16:28
    ValidTo: 2024-04-03 19:16:28
    SignatureAlgorithmOID: 1.2.840.113549.1.1.11
    IsCertificateAuthority: False
    SerialNumber: 3300000061c88b129c2a7f1d87000000000061
    Version: 3

    Certificate 330000000d690d5d7893d076df00000000000d
    ToBeSigned (TBS) MD5: 83f69422963f11c3c340b81712eef319
    ToBeSigned (TBS) SHA1: 0c5e5f24590b53bc291e28583acb78e5adc95601
    ToBeSigned (TBS) SHA256: d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae
    Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014
    ValidFrom: 2014-10-15 20:31:27
    ValidTo: 2029-10-15 20:41:27
    SignatureAlgorithmOID: 1.2.840.113549.1.1.11
    IsCertificateAuthority: True
    SerialNumber: 330000000d690d5d7893d076df00000000000d
    Version: 3

    Imports

    • ntoskrnl.exe

    Imported Functions

    • RtlInitUnicodeString
    • MmGetSystemRoutineAddress
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • MmBuildMdlForNonPagedPool
    • MmMapLockedPages
    • MmUnmapLockedPages
    • MmMapIoSpace
    • MmUnmapIoSpace
    • MmAllocateContiguousMemory
    • MmFreeContiguousMemory
    • IoAllocateMdl
    • IofCompleteRequest
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • IoFreeMdl
    • IoWMIRegistrationControl
    • IoWMIOpenBlock
    • IoWMIQueryAllData
    • ObfDereferenceObject
    • MmGetPhysicalAddress
    • ZwCreateKey
    • ZwClose
    • ZwSetSecurityObject
    • IoDeviceObjectType
    • IoCreateDevice
    • ObOpenObjectByPointer
    • RtlGetDaclSecurityDescriptor
    • RtlGetGroupSecurityDescriptor
    • RtlGetOwnerSecurityDescriptor
    • RtlGetSaclSecurityDescriptor
    • SeCaptureSecurityDescriptor
    • _snwprintf
    • RtlLengthSecurityDescriptor
    • SeExports
    • RtlCreateSecurityDescriptor
    • _wcsnicmp
    • wcschr
    • RtlAbsoluteToSelfRelativeSD
    • RtlAddAccessAllowedAce
    • RtlLengthSid
    • IoIsWdmVersionAvailable
    • RtlSetDaclSecurityDescriptor
    • ZwOpenKey
    • ZwSetValueKey
    • ZwQueryValueKey
    • RtlFreeUnicodeString

    Exported Functions

    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .rsrc
    • .reloc

    Signature

    {
      "Certificates": [
        {
          "CertificateType": "Leaf (Code Signing)",
          "IsCA": false,
          "IsCertificateAuthority": false,
          "IsCodeSigning": true,
          "SerialNumber": "3300000061c88b129c2a7f1d87000000000061",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
          "TBS": {
            "MD5": "686c5dd3e6c0c4d6888c652ee9a76e0b",
            "SHA1": "48c84f19d968d167bb3dad0bfeffcc659269aa03",
            "SHA256": "1fe207964146bdf934dc0c17aefaa75e78aea3d6a3935cc96e64511d7d469b29",
            "SHA384": "6a4750403abdcdb9a23184d3d5ccdb537c32933818740e3531afbc162d90bdee62592e16e7b920dba759938d469cbe49"
          },
          "ValidFrom": "2023-04-06 19:16:28",
          "ValidTo": "2024-04-03 19:16:28",
          "Version": 3
        },
        {
          "CertificateType": "CA",
          "IsCA": true,
          "IsCertificateAuthority": true,
          "IsCodeSigning": false,
          "SerialNumber": "330000000d690d5d7893d076df00000000000d",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
          "TBS": {
            "MD5": "83f69422963f11c3c340b81712eef319",
            "SHA1": "0c5e5f24590b53bc291e28583acb78e5adc95601",
            "SHA256": "d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae",
            "SHA384": "260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63"
          },
          "ValidFrom": "2014-10-15 20:31:27",
          "ValidTo": "2029-10-15 20:41:27",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
          "SerialNumber": "3300000061c88b129c2a7f1d87000000000061",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    


    last_updated: 2026-04-20