MemCtl.sys

Description

MemCtl.sys is a vulnerable kernel driver from the KeServiceDescriptorTable/vulnerable-drivers repository. The driver exposes dangerous kernel primitives to usermode.

  • UUID: ae2a6048-3896-4dd8-9eb1-a4a66104b0cf
  • Created: 2026-04-17
  • Author: Michael Haag
  • Acknowledgement: @rainbowdynamix, @DbgPrint

Commands

sc.exe create MemCtl binPath=C:\windows\temp\MemCtl.sys type=kernel && sc.exe start MemCtl

  • Use Case: Elevate privileges
  • Privileges: kernel
  • Operating System: Windows 10

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources


  • https://github.com/magicsword-io/LOLDrivers/issues/325
  • https://github.com/KeServiceDescriptorTable/vulnerable-drivers

  • Known Vulnerable Samples

    • Filename: MemCtl.sys
    • Creation Timestamp: 2011-06-22 00:07:13
    • MD5: bc19a1a76e61bd56544c0e82c8a99979
    • SHA1: 50df08355fca51fd5d6a22f8220a2fc45f858f2b
    • SHA256: fe9323ede771de8ff389ba161ad8696cd6cd788dbf7dd382b6b79011544eed73
    • Authentihash MD5: 2abb632c0eb107bfe466c5a828257ce1
    • Authentihash SHA1: 6df86643d30590d45c0dbac9a40bb59c7859f60b
    • Authentihash SHA256: 414d56461869ed3f6a5a04b3c50aefe90275288d303cce14c5b06b6ec12fb376
    • RichPEHeaderHash MD5: 90449f83e72b66c088503e1d5f63068c
    • RichPEHeaderHash SHA1: 93036b902dfb7d808b43d1920d36e367ef49358c
    • RichPEHeaderHash SHA256: aabf616c9082c171f26154dec729da89115f0555479f82c170d3befda7b38700
    • Company: DFI
    • Description: Memory Access Driver
    • Product: Memory Access Driver
    • OriginalFilename: MemCtl

    Certificates

    Certificate 0400000000012f4ee1355c
    • ToBeSigned (TBS) MD5: f6a9e8eb8784f3f694b4e353c08a0ff5
    • ToBeSigned (TBS) SHA1: 589a7d4df869395601ba7538a65afae8c4616385
    • ToBeSigned (TBS) SHA256: cbdc9a0ad785d0c2013211746b42234e18bdc7d54a7a260647badc1c9e712ed4
    • Subject: C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2
    • ValidFrom: 2011-04-13 10:00:00
    • ValidTo: 2019-04-13 10:00:00
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.5
    • IsCertificateAuthority: True
    • SerialNumber: 0400000000012f4ee1355c
    • Version: 3

    Certificate 112100bbf0d6bb541d0c0a32f80bc10eeec9
    • ToBeSigned (TBS) MD5: 371a871a669e2ebc0ff009df9d5e4089
    • ToBeSigned (TBS) SHA1: caa2a7a9fe9214eec19ab70f1e95219caf5ac79b
    • ToBeSigned (TBS) SHA256: 95cb56f95c51a3172f5792399f1a8501e5a6478548374fb210ce36f87844fce6
    • Subject: C=TW, ST=TAIWAN, L=NEW TAIPEI, O=DFI INC., OU=DFI INC., CN=DFI INC.
    • ValidFrom: 2012-09-10 08:13:30
    • ValidTo: 2015-09-11 08:13:30
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.5
    • IsCertificateAuthority: False
    • SerialNumber: 112100bbf0d6bb541d0c0a32f80bc10eeec9
    • Version: 3

    Certificate 610b7f6b000000000019
    • ToBeSigned (TBS) MD5: 4798d55be7663a75649cda4dedc686ef
    • ToBeSigned (TBS) SHA1: 0f1ab2937b245d9466ea6f9bf056a5942e3989cf
    • ToBeSigned (TBS) SHA256: ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1
    • Subject: C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA
    • ValidFrom: 2006-05-23 17:00:51
    • ValidTo: 2016-05-23 17:10:51
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.5
    • IsCertificateAuthority: True
    • SerialNumber: 610b7f6b000000000019
    • Version: 3

    Imports

    • ntoskrnl.exe

    Imported Functions

    • IoDeleteSymbolicLink
    • RtlInitUnicodeString
    • IoDeleteDevice
    • MmUnmapIoSpace
    • MmMapIoSpace
    • IofCompleteRequest
    • IoCreateSymbolicLink
    • IoCreateDevice
    • KeBugCheckEx

    Exported Functions


    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .rsrc

    Signature

    {
      "Certificates": [
        {
          "CertificateType": "CA",
          "IsCA": true,
          "IsCertificateAuthority": true,
          "IsCodeSigning": true,
          "SerialNumber": "0400000000012f4ee1355c",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2",
          "TBS": {
            "MD5": "f6a9e8eb8784f3f694b4e353c08a0ff5",
            "SHA1": "589a7d4df869395601ba7538a65afae8c4616385",
            "SHA256": "cbdc9a0ad785d0c2013211746b42234e18bdc7d54a7a260647badc1c9e712ed4",
            "SHA384": "dcec542f242317863d0b3d23947e17d6982e381003831777b07ed75b46fb18bd0392a89c9beb6862981cd05f3f2fb77b"
          },
          "ValidFrom": "2011-04-13 10:00:00",
          "ValidTo": "2019-04-13 10:00:00",
          "Version": 3
        },
        {
          "CertificateType": "Leaf (Code Signing)",
          "IsCA": false,
          "IsCertificateAuthority": false,
          "IsCodeSigning": true,
          "SerialNumber": "112100bbf0d6bb541d0c0a32f80bc10eeec9",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=TW, ST=TAIWAN, L=NEW TAIPEI, O=DFI INC., OU=DFI INC., CN=DFI INC.",
          "TBS": {
            "MD5": "371a871a669e2ebc0ff009df9d5e4089",
            "SHA1": "caa2a7a9fe9214eec19ab70f1e95219caf5ac79b",
            "SHA256": "95cb56f95c51a3172f5792399f1a8501e5a6478548374fb210ce36f87844fce6",
            "SHA384": "a7ba7f45b67f2d62a027d068c0bb87c1fc9a0a55dcf90cb700130993d6dd18f986f56339416b29e417d40d868c5fe3bb"
          },
          "ValidFrom": "2012-09-10 08:13:30",
          "ValidTo": "2015-09-11 08:13:30",
          "Version": 3
        },
        {
          "CertificateType": "CA",
          "IsCA": true,
          "IsCertificateAuthority": true,
          "IsCodeSigning": false,
          "SerialNumber": "610b7f6b000000000019",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA",
          "TBS": {
            "MD5": "4798d55be7663a75649cda4dedc686ef",
            "SHA1": "0f1ab2937b245d9466ea6f9bf056a5942e3989cf",
            "SHA256": "ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1",
            "SHA384": "6e7450a139856aeda6fa6284ff89b3752a9b646e096b4d33dd7e8e727742a2111481531581c0aa2cda0338e22cfdbad3"
          },
          "ValidFrom": "2006-05-23 17:00:51",
          "ValidTo": "2016-05-23 17:10:51",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2",
          "SerialNumber": "112100bbf0d6bb541d0c0a32f80bc10eeec9",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    

    last_updated: 2026-04-20