
iOCdrv.sys

Description

iOCdrv.sys is a vulnerable kernel driver from the KeServiceDescriptorTable/vulnerable-drivers repository. The driver exposes dangerous kernel primitives to usermode.

  • UUID: 9bf541fb-a68e-41a5-aab2-b939acc22bb1
  • Created: 2026-04-17
  • Author: Michael Haag
  • Acknowledgement: @rainbowdynamix, @DbgPrint

Download

This download link contains the vulnerable driver!


Commands

sc.exe create iOCdrv binPath=C:\windows\temp\iOCdrv.sys type=kernel && sc.exe start iOCdrv

  • Use Case: Elevate privileges
  • Privileges: kernel
  • Operating System: Windows 10

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources


  • https://github.com/magicsword-io/LOLDrivers/issues/325
  • https://github.com/KeServiceDescriptorTable/vulnerable-drivers

Known Vulnerable Samples

    • Filename: iOCdrv.sys
    • Creation Timestamp: 2020-07-23 13:08:31
    • MD5: 4b1d81db39537320eb823f5b4f2489e2
    • SHA1: 8a76cad761b978934d45584d4af8eb5b67f6fed1
    • SHA256: b936c4ba80ccee3b0b3b67fc88c8caa103fcfc47888e976f6d5b6f113d22f41f
    • Authentihash MD5: e7d3089cafa734d8799aed54b501e386
    • Authentihash SHA1: ca8cded2bbfea3ba693be4beeb10635b143ed594
    • Authentihash SHA256: 5d108befdc9c3e226b12a22e306ccaa1e66ffd14a328b1ddb1f0ab0c32798bb7
    • RichPEHeaderHash MD5: e9d4aa9760fe3cc1586128d89cc46892
    • RichPEHeaderHash SHA1: 08dec5fbb888b9148fa70c8ea2829b7e7f73eaf9
    • RichPEHeaderHash SHA256: 535bd5ccc0bb4d88661fa7cc3dec1a0d48eb80b6230e3deeb793911ab7b9a976
    • Company: Intel Corporation
    • Description: Intel(R) Overclocking Device Driver
    • Product: Intel(R) Extreme Tuning Utility
    • OriginalFilename: iOCdrv.sys


    Certificates

    Certificate 00b15fddbbcd5912920ffab85c4f6064d5

    • ToBeSigned (TBS) MD5: 32a3732172f561fb923a5c8273bf6805
    • ToBeSigned (TBS) SHA1: 3366584c1135074a0941467978003eb63fe05c41
    • ToBeSigned (TBS) SHA256: 382da6fff95b4f4fa6b721edd0482e6b84bd08bfa96e73704f92681d631a164d
    • Subject: serialNumber=2189074, JURISDICTION_OF_INCORPORATION_C=US, JURISDICTION_OF_INCORPORATION_SP=Delaware, BUSINESS_CATEGORY=Private Organization, C=US, postalCode=95054, ST=California, L=Santa Clara, STREET_ADDRESS=2200 Mission College Blvd, O=Intel Corporation, OU=OWR EV, CN=Intel Corporation
    • ValidFrom: 2019-08-07 00:00:00
    • ValidTo: 2020-08-06 23:59:59
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.11
    • IsCertificateAuthority: False
    • SerialNumber: 00b15fddbbcd5912920ffab85c4f6064d5
    • Version: 3

    Certificate 6dd472eb02ae0406e3dd843f5fe145e1

    • ToBeSigned (TBS) MD5: e3898a5cae592360ce7bfdf5ff3fb13f
    • ToBeSigned (TBS) SHA1: 217c51b90dbb7f0528e8ba170d227f647fbc995b
    • ToBeSigned (TBS) SHA256: 3a9b4006a9e125b4458344389c86dfb4f6728848b9871654c615a138514d02ec
    • Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Code Signing CA
    • ValidFrom: 2014-12-03 00:00:00
    • ValidTo: 2029-12-02 23:59:59
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.12
    • IsCertificateAuthority: True
    • SerialNumber: 6dd472eb02ae0406e3dd843f5fe145e1
    • Version: 3

    Certificate 61185486000000000024

    • ToBeSigned (TBS) MD5: ad73330abdd8883ba17ac2572100221e
    • ToBeSigned (TBS) SHA1: 3770402ce3d71f9823386167aa35a7c862f409d3
    • ToBeSigned (TBS) SHA256: 04bc415adcb4ef7df32b9dfe199d92a4078cbd132fd5173961211e7f75385491
    • Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
    • ValidFrom: 2011-04-11 22:06:20
    • ValidTo: 2021-04-11 22:16:20
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.5
    • IsCertificateAuthority: True
    • SerialNumber: 61185486000000000024
    • Version: 3

    Imports

    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    • MmMapIoSpace
    • MmUnmapIoSpace
    • __C_specific_handler
    • RtlInitUnicodeString
    • RtlGetVersion
    • KeInitializeDpc
    • KeInsertQueueDpc
    • KeSetImportanceDpc
    • KeSetTargetProcessorDpc
    • KeInitializeEvent
    • KeClearEvent
    • KeSetEvent
    • KeWaitForSingleObject
    • KeQueryActiveProcessors
    • ExCreateCallback
    • ExRegisterCallback
    • ExUnregisterCallback
    • ExFreePoolWithTag
    • IofCompleteRequest
    • IoCreateDevice
    • IoIsWdmVersionAvailable
    • IoCreateNotificationEvent
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • IoAllocateWorkItem
    • IoFreeWorkItem
    • ObfDereferenceObject
    • ZwClose
    • SeSinglePrivilegeCheck
    • KeBugCheckEx
    • ExAllocatePoolWithTag
    • ExNotifyCallback
    • memcpy_s
    • HalGetBusDataByOffset
    • HalSetBusDataByOffset

    Exported Functions


    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .rsrc
    • .reloc



    last_updated: 2026-04-20