b4f3a1c2-e8d7-4f92-a301-5c6d9e0b1a2f

TVicPort64.sys :inline

Description

Load TVicPort64.sys kernel driver. Once loaded, device \.\TVicPortDevice0 is accessible from any integrity level (no DACL). Send IOCTL 0x80002008 to map arbitrary physical memory into user-mode VA space via ZwMapViewOfSection and perform token stealing for LPE to SYSTEM.

  • UUID: b4f3a1c2-e8d7-4f92-a301-5c6d9e0b1a2f
  • Created: 2026-02-13
  • Author: Joao Leko Monteiro
  • Acknowledgement: Joao Leko Monteiro | @lleekkoo-0xdeadbeeftimestwo

Download

This download link contains the vulnerable driver!

Block TVicPort64.sys across your endpoints

Add this driver to your block policy in minutes with MagicSword, threat-driven application control. Free for up to 100 endpoints.

Start Blocking for Free

Commands

sc.exe create TVicPort64 binPath=C:\windows\temp\TVicPort64.sys type=kernel && sc.exe start TVicPort64
Use CasePrivilegesOperating System
Arbitrary physical memory read/write from user mode. Exploitable from Low Integrity Level, Guest, or any AppContainer. Used for local privilege escalation to NT AUTHORITY\SYSTEM via token stealing, KASLR bypass, and kernel code execution.User (Low Integrity sufficient — no DACL on device object)Windows 10, Windows 11

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://www.entechtaiwan.com/dev/port/index.shtm

    • CVE

  • CVE-PENDING

    • Known Vulnerable Samples

    PropertyValue
    FilenameTVicPort64.sys
    Creation Timestamp
    MD5A65643ED30A30E46317C0B25818BC9B7
    SHA13740F2BC7E81D75604E47A3119FAA887D4A92A44
    SHA2569C9AB56C8BCF5EC958E7C2346F23A3027F69ABDF8AF923B591518EEE64AD98AD
    Authentihash MD5A65643ED30A30E46317C0B25818BC9B7
    Authentihash SHA13740F2BC7E81D75604E47A3119FAA887D4A92A44
    Authentihash SHA2569C9AB56C8BCF5EC958E7C2346F23A3027F69ABDF8AF923B591518EEE64AD98AD
    PublisherEnTech Taiwan
    Date10:20 AM 10/13/2006
    CompanyEnTech Taiwan
    DescriptionTVicPort Generic Device Driver for direct hardware I/O
    ProductTVicPort
    OriginalFilenameTVicPort64.sys

    Download

    Imports

    Expand
    • ntoskrnl.exe
    • hal.dll

    Imported Functions

    Expand

    Exported Functions

    Expand
    • D
    • r
    • i
    • v
    • e
    • r
    • E
    • n
    • t
    • r
    • y

    Sections

    Expand

    Signature

    Expand

    source

    last_updated: 2026-04-06