b3f7c8d2-4a19-4e5b-9d6c-2f8e1a3b7c04

DriversCloud_amd64.sys :inline :inline

Description

CYBELSOFT DriversCloud_amd64.sys exposes 7 IOCTLs with no access checks and a zero security descriptor on the device object, meaning any user (including low-integrity processes) can open a handle. Primitives include arbitrary physical memory read via MmMapIoSpace (up to 2MB per call), arbitrary MSR read/write (including IA32_LSTAR for instant kernel code execution), arbitrary I/O port read/write, and arbitrary PCI configuration space read/write. A full LSTAR hijack PoC with crash-safe ROP restore has been demonstrated. The developer acknowledged the issue and is working on a rewritten driver.

  • UUID: b3f7c8d2-4a19-4e5b-9d6c-2f8e1a3b7c04
  • Created: 2026-04-06
  • Author: Michael Haag
  • Acknowledgement: weezerOSINT | @weezerOSINT

Download

This download link contains the vulnerable driver!

Block DriversCloud_amd64.sys across your endpoints

Add this driver to your block policy in minutes with MagicSword, threat-driven application control. Free for up to 100 endpoints.

Start Blocking for Free

Commands

sc.exe create DriversCloud_amd64 binPath=C:\windows\temp\DriversCloud_amd64.sys type=kernel && sc.exe start DriversCloud_amd64
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://github.com/magicsword-io/LOLDrivers/issues/284
  • https://www.virustotal.com/gui/file/2bc72d11fa0beda25dc1dbc372967db49bd3c3a3903913f0877bff6792724dfe

    • Known Vulnerable Samples

    PropertyValue
    FilenameDriversCloud_amd64.sys
    Creation Timestamp
    MD549d1002443655bc63b8d49fef0b584fd
    SHA16397f7a838b541614a03379787033be9285053cb
    SHA2562bc72d11fa0beda25dc1dbc372967db49bd3c3a3903913f0877bff6792724dfe
    Authentihash MD575eb4c5b4810d7255c86e67134d63b22
    Authentihash SHA1b4f6bd67bbd4f89809959f40bd6066a101d080b6
    Authentihash SHA25652dd5cb7c2ed6c3b9416811fa9a26fe7a20e25c8ed8c950130c532b30c431dec
    RichPEHeaderHash MD56ada1f8444b65e75388b68056e76a6c4
    RichPEHeaderHash SHA127cc1e9f6a8de8990dc6c1aaa479b730c3d8baf6
    RichPEHeaderHash SHA256f62702f65b34e57b07de477fe7408d625599ede343fa964bb541366572ca2f44
    CompanyCybelSoft
    DescriptionDriver NT DriversCloud
    ProductDriversCloud.com
    OriginalFilenameDriversCloud_amd64.sys

    Download

    Certificates

    Expand
    Certificate 7e93ebfb7cc64e59ea4b9a77d406fc3b
    FieldValue
    ToBeSigned (TBS) MD5d0785ad36e427c92b19f6826ab1e8020
    ToBeSigned (TBS) SHA1365b7a9c21bd9373e49052c3e7b3e4646ddd4d43
    ToBeSigned (TBS) SHA256c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff
    SubjectC=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2
    ValidFrom2012-12-21 00:00:00
    ValidTo2020-12-30 23:59:59
    Signature
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber7e93ebfb7cc64e59ea4b9a77d406fc3b
    Version3
    Certificate 0ecff438c8febf356e04d86a981b1a50
    FieldValue
    ToBeSigned (TBS) MD5e9d38360b914c8863f6cba3ee58764d3
    ToBeSigned (TBS) SHA14cba8eae47b6bf76f20b3504b98b8f062694a89b
    ToBeSigned (TBS) SHA25688901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976
    SubjectC=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4
    ValidFrom2012-10-18 00:00:00
    ValidTo2020-12-29 23:59:59
    Signature
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber0ecff438c8febf356e04d86a981b1a50
    Version3
    Certificate 1ed4e373be2e790f645ce34dbea68e3e
    FieldValue
    ToBeSigned (TBS) MD543ea2602f24c0aa2266a73e0e487baec
    ToBeSigned (TBS) SHA193da6736ddfa27b99f54b751b1039cbf6a7fec8f
    ToBeSigned (TBS) SHA2560967480b9830e5525b56eab108fcb711d1245f9c1d9a7d0848354d39dae442bb
    SubjectC=FR, ST=Vienne, L=Saint Benoit, O=Cybelsoft, CN=Cybelsoft
    ValidFrom2016-09-04 00:00:00
    ValidTo2017-04-24 23:59:59
    Signature
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber1ed4e373be2e790f645ce34dbea68e3e
    Version3
    Certificate 611993e400000000001c
    FieldValue
    ToBeSigned (TBS) MD578a717e082dcc1cda3458d917e677d14
    ToBeSigned (TBS) SHA14a872e0e51f9b304469cd1dedb496ee9b8b983a4
    ToBeSigned (TBS) SHA256317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8
    SubjectC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5
    ValidFrom2011-02-22 19:25:17
    ValidTo2021-02-22 19:35:17
    Signature
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber611993e400000000001c
    Version3
    Certificate 5200e5aa2556fc1a86ed96c9d44b33c7
    FieldValue
    ToBeSigned (TBS) MD5b30c31a572b0409383ed3fbe17e56e81
    ToBeSigned (TBS) SHA14843a82ed3b1f2bfbee9671960e1940c942f688d
    ToBeSigned (TBS) SHA25603cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9
    SubjectC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
    ValidFrom2010-02-08 00:00:00
    ValidTo2020-02-07 23:59:59
    Signature
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber5200e5aa2556fc1a86ed96c9d44b33c7
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    Expand
    • IoDeleteSymbolicLink
    • RtlInitUnicodeString
    • IoDeleteDevice
    • IofCompleteRequest
    • MmMapIoSpace
    • IoCreateSymbolicLink
    • IoCreateDevice
    • KeBugCheckEx
    • MmUnmapIoSpace
    • __C_specific_handler
    • HalSetBusDataByOffset
    • HalGetBusDataByOffset

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .rsrc

    Signature

    Expand
    {
  "Certificates": [
    {
      "CertificateType": "CA",
      "IsCA": true,
      "IsCertificateAuthority": true,
      "IsCodeSigning": false,
      "SerialNumber": "7e93ebfb7cc64e59ea4b9a77d406fc3b",
      "Signature": "",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2",
      "TBS": {
        "MD5": "d0785ad36e427c92b19f6826ab1e8020",
        "SHA1": "365b7a9c21bd9373e49052c3e7b3e4646ddd4d43",
        "SHA256": "c2abb7484da91a658548de089d52436175fdb760a1387d225611dc0613a1e2ff",
        "SHA384": "eab4fe5ef90e0de4a6aa3a27769a5e879f588df5e4785aa4104debd1f81e19ea56d33e3a16e5facf99f68b5d8e3d287b"
      },
      "ValidFrom": "2012-12-21 00:00:00",
      "ValidTo": "2020-12-30 23:59:59",
      "Version": 3
    },
    {
      "CertificateType": "Intermediate",
      "IsCA": false,
      "IsCertificateAuthority": false,
      "IsCodeSigning": false,
      "SerialNumber": "0ecff438c8febf356e04d86a981b1a50",
      "Signature": "",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4",
      "TBS": {
        "MD5": "e9d38360b914c8863f6cba3ee58764d3",
        "SHA1": "4cba8eae47b6bf76f20b3504b98b8f062694a89b",
        "SHA256": "88901d86a4cc1f1bb193d08e1fb63d27452e63f83e228c657ab1a92e4ade3976",
        "SHA384": "e9f2a75334a9e336c5a4712eadee88d0374b0fdc273262f4e65c9040ad2793067cc076696db5279a478773485e285652"
      },
      "ValidFrom": "2012-10-18 00:00:00",
      "ValidTo": "2020-12-29 23:59:59",
      "Version": 3
    },
    {
      "CertificateType": "Leaf (Code Signing)",
      "IsCA": false,
      "IsCertificateAuthority": false,
      "IsCodeSigning": true,
      "SerialNumber": "1ed4e373be2e790f645ce34dbea68e3e",
      "Signature": "",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=FR, ST=Vienne, L=Saint Benoit, O=Cybelsoft, CN=Cybelsoft",
      "TBS": {
        "MD5": "43ea2602f24c0aa2266a73e0e487baec",
        "SHA1": "93da6736ddfa27b99f54b751b1039cbf6a7fec8f",
        "SHA256": "0967480b9830e5525b56eab108fcb711d1245f9c1d9a7d0848354d39dae442bb",
        "SHA384": "d2810ae3da9dc3f3d7165ade6d365380cd8590467ea08a0995d206810128b39b724ef8ea7ff612cffcf2d1670037c3e5"
      },
      "ValidFrom": "2016-09-04 00:00:00",
      "ValidTo": "2017-04-24 23:59:59",
      "Version": 3
    },
    {
      "CertificateType": "CA",
      "IsCA": true,
      "IsCertificateAuthority": true,
      "IsCodeSigning": false,
      "SerialNumber": "611993e400000000001c",
      "Signature": "",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5",
      "TBS": {
        "MD5": "78a717e082dcc1cda3458d917e677d14",
        "SHA1": "4a872e0e51f9b304469cd1dedb496ee9b8b983a4",
        "SHA256": "317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8",
        "SHA384": "b71052da4eb9157c8c1a5d7f55df19d69b9128598b72fcca608e5b7cc7d64c43c5504b9c86355a6dc22ee40c88cc385c"
      },
      "ValidFrom": "2011-02-22 19:25:17",
      "ValidTo": "2021-02-22 19:35:17",
      "Version": 3
    },
    {
      "CertificateType": "CA",
      "IsCA": true,
      "IsCertificateAuthority": true,
      "IsCodeSigning": false,
      "SerialNumber": "5200e5aa2556fc1a86ed96c9d44b33c7",
      "Signature": "",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA",
      "TBS": {
        "MD5": "b30c31a572b0409383ed3fbe17e56e81",
        "SHA1": "4843a82ed3b1f2bfbee9671960e1940c942f688d",
        "SHA256": "03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9",
        "SHA384": "bbda8407c4f9fc4e54d772f1c7fb9d30bc97e1f97ecd51c443063d1fa0644e266328781776cd5c44896c457c75f4d7da"
      },
      "ValidFrom": "2010-02-08 00:00:00",
      "ValidTo": "2020-02-07 23:59:59",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA",
      "SerialNumber": "1ed4e373be2e790f645ce34dbea68e3e",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2026-04-06