PDFWKRNL.sys

Description

AMD USB-C Power Delivery Firmware Update Kernel Library driver with arbitrary physical memory read/write capabilities. Identified in ESET EDR killers research (March 2026) as actively abused by threat actors to disable EDR products.

  • UUID: ed27c0b8-6177-4132-a7af-5c15bcb386f3
  • Created: 2026-03-20
  • Author: Michael Haag
  • Acknowledgement: ESET Research | @ESETresearch


Commands

sc.exe create PDFWKRNL.sys binPath=C:\windows\temp\PDFWKRNL.sys type=kernel && sc.exe start PDFWKRNL.sys
Use Case | Privileges | Operating System
Elevate privileges | kernel | Windows 10

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources


  • https://www.welivesecurity.com/en/eset-research/edr-killers-explained/

  • Known Vulnerable Samples

    Property | Value
    Filename | PDFWKRNL.sys
    Creation Timestamp | 2022-12-22 11:13:53
    MD5 | b96d75a000367c200958089728fc5cb8
    SHA1 | f329ae0fdf1e198bea6ba787e59cb73f90714002
    SHA256 | 6e8b49cf70bf854e8c59c7d27cefa89406caf8978461190dabb86dafcd8554e1
    Authentihash MD5 | d255a6146ab4e75a6ac362cf07641180
    Authentihash SHA1 | 661a1a28950cec3f2c3d0e72ab2a05d4a173cf9a
    Authentihash SHA256 | fc23abdcf93928e1db8401a7ff53c86c85230a8637c4168f7434208f9e8b5ded
    RichPEHeaderHash MD5 | eff2e20cff5d56c711ba91e03ead294d
    RichPEHeaderHash SHA1 | 94f9b8467857dfe5b38ddaf5b260de7da65563ef
    RichPEHeaderHash SHA256 | 8548170c0fc3ef601bbd115b2ad461be8dd8abcceb062617f2b02469de17f2c0
    Company | Advanced Micro Devices, Inc.
    Description | USB-C Power Delivery Firmware Update Utility Driver
    Product | USB-C Power Delivery Firmware Update Utility Driver
    OriginalFilename | PDFWKRNL.sys


    Certificates

    Certificate 535091e6cab13af393b51ead0825f627
    Field | Value
    ToBeSigned (TBS) MD5 | f2f60243e26dcdf4729d28b1beb55f01
    ToBeSigned (TBS) SHA1 | a23ac91136dd79d77b93b12c813e0c6669ed9f4d
    ToBeSigned (TBS) SHA256 | 192ee517f8ae928808632422a6461613d65ee324fa58d2f099a27a3d0da9ca6b
    Subject | C=US, ST=California, L=Santa Clara, O=Advanced Micro Devices Inc., CN=Advanced Micro Devices Inc.
    ValidFrom | 2021-05-11 00:00:00
    ValidTo | 2024-05-10 23:59:59
    SignatureAlgorithmOID | 1.2.840.113549.1.1.11
    IsCertificateAuthority | False
    SerialNumber | 535091e6cab13af393b51ead0825f627
    Version | 3
    Certificate 1da248306f9b2618d082e0967d33d36a
    Field | Value
    ToBeSigned (TBS) MD5 | c1eabfb5994258ad955adb7c2df165e6
    ToBeSigned (TBS) SHA1 | fa33b3c00cebc469b269220d9eab26926c9b8ad8
    ToBeSigned (TBS) SHA256 | 70dffac37eb787b2198816982c7d44f541d2e39a7dac069d37b367dc9f354b32
    Subject | C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Code Signing CA
    ValidFrom | 2018-11-02 00:00:00
    ValidTo | 2030-12-31 23:59:59
    SignatureAlgorithmOID | 1.2.840.113549.1.1.12
    IsCertificateAuthority | True
    SerialNumber | 1da248306f9b2618d082e0967d33d36a
    Version | 3
    Certificate 3300000044b73ffcef5acfa27a000000000044
    Field | Value
    ToBeSigned (TBS) MD5 | a2d2ae7554f77f6e9ffb0b1a9b700ac4
    ToBeSigned (TBS) SHA1 | 9f69ff166f5dc446578a45d7d69482373755e141
    ToBeSigned (TBS) SHA256 | ad394b7e5cb9ccf6429762405f9840b648e38e8faf2de376f1aa375c6729abb7
    Subject | C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
    ValidFrom | 2015-07-22 21:03:49
    ValidTo | 2025-07-22 21:03:49
    SignatureAlgorithmOID | 1.2.840.113549.1.1.5
    IsCertificateAuthority | True
    SerialNumber | 3300000044b73ffcef5acfa27a000000000044
    Version | 3

    Imports

    • ntoskrnl.exe

    Imported Functions

    • MmBuildMdlForNonPagedPool
    • IoAllocateMdl
    • RtlInitUnicodeString
    • MmMapIoSpace
    • MmFreeContiguousMemory
    • IoDeleteDevice
    • MmUnmapIoSpace
    • MmGetPhysicalAddress
    • IoDeleteSymbolicLink
    • IoFreeMdl
    • MmAllocateContiguousMemorySpecifyCache
    • IoCreateDevice
    • ExFreePoolWithTag
    • MmUnmapLockedPages
    • IofCompleteRequest
    • IoCreateSymbolicLink
    • MmMapLockedPages

    Exported Functions


    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .rsrc
    • .reloc

    Signature

    {
      "Certificates": [
        {
          "CertificateType": "Leaf (Code Signing)",
          "IsCA": false,
          "IsCertificateAuthority": false,
          "IsCodeSigning": true,
          "SerialNumber": "535091e6cab13af393b51ead0825f627",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "C=US, ST=California, L=Santa Clara, O=Advanced Micro Devices Inc., CN=Advanced Micro Devices Inc.",
          "TBS": {
            "MD5": "f2f60243e26dcdf4729d28b1beb55f01",
            "SHA1": "a23ac91136dd79d77b93b12c813e0c6669ed9f4d",
            "SHA256": "192ee517f8ae928808632422a6461613d65ee324fa58d2f099a27a3d0da9ca6b",
            "SHA384": "beb93a1ff1715564a418ecb07cee42465dbf9c76cc703e7088bdafb2099b003afa0c335bcd15d318dcb2bf8519c199da"
          },
          "ValidFrom": "2021-05-11 00:00:00",
          "ValidTo": "2024-05-10 23:59:59",
          "Version": 3
        },
        {
          "CertificateType": "CA",
          "IsCA": true,
          "IsCertificateAuthority": true,
          "IsCodeSigning": true,
          "SerialNumber": "1da248306f9b2618d082e0967d33d36a",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.12",
          "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Code Signing CA",
          "TBS": {
            "MD5": "c1eabfb5994258ad955adb7c2df165e6",
            "SHA1": "fa33b3c00cebc469b269220d9eab26926c9b8ad8",
            "SHA256": "70dffac37eb787b2198816982c7d44f541d2e39a7dac069d37b367dc9f354b32",
            "SHA384": "20adc5b59cb532e215f01ba09a9c745898c206555613512fea7c295ccfd17ced4fe2c5bc3274ca8a270fc68799b8343c"
          },
          "ValidFrom": "2018-11-02 00:00:00",
          "ValidTo": "2030-12-31 23:59:59",
          "Version": 3
        },
        {
          "CertificateType": "CA",
          "IsCA": true,
          "IsCertificateAuthority": true,
          "IsCodeSigning": true,
          "SerialNumber": "3300000044b73ffcef5acfa27a000000000044",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority",
          "TBS": {
            "MD5": "a2d2ae7554f77f6e9ffb0b1a9b700ac4",
            "SHA1": "9f69ff166f5dc446578a45d7d69482373755e141",
            "SHA256": "ad394b7e5cb9ccf6429762405f9840b648e38e8faf2de376f1aa375c6729abb7",
            "SHA384": "eda103bac2997f31d778637ce8d1fa1263485a9d6a77d6e381bad8312e6bbec020ce5036e16ca96087e50f6ab200944a"
          },
          "ValidFrom": "2015-07-22 21:03:49",
          "ValidTo": "2025-07-22 21:03:49",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Code Signing CA",
          "SerialNumber": "535091e6cab13af393b51ead0825f627",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    


    last_updated: 2026-04-06