devMemDrv.sys

Description

devMemDrv.sys is a vulnerable kernel driver from the KeServiceDescriptorTable/vulnerable-drivers repository. The driver exposes dangerous kernel primitives to usermode.

  • UUID: f375e53d-db7c-4149-beff-c8b9329f6f9b
  • Created: 2026-04-17
  • Author: Michael Haag
  • Acknowledgement: @rainbowdynamix, @DbgPrint


Commands

sc.exe create devMemDrv binPath=C:\windows\temp\devMemDrv.sys type=kernel && sc.exe start devMemDrv

  • Use Case: Elevate privileges
  • Privileges: kernel
  • Operating System: Windows 10

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources


  • https://github.com/magicsword-io/LOLDrivers/issues/325
  • https://github.com/KeServiceDescriptorTable/vulnerable-drivers

  • Known Vulnerable Samples

    • Filename: devMemDrv.sys
    • Creation Timestamp: 2012-10-22 02:28:28
    • MD5: 63cddb7e887833ecb0aa6c22fe052ed5
    • SHA1: 96476499a9ffb823af36e47b8f4bdfff78e3f658
    • SHA256: b93020428f6d9ca700ab70a14911c7efcbcb1f9b659054add0dd3e7657511eb3
    • Authentihash MD5: 1ab964f43e1dabe1ff988eb939dcf369
    • Authentihash SHA1: 844ccf62a1e9719f12d1b438fd02b1dfc52545b4
    • Authentihash SHA256: 9a0c3c967acdacd9f89a557cb226420365de4ea0236fd0250d9c00e721b86e0d
    • RichPEHeaderHash MD5: b9529b9d2ebdfd46b8de002922605822
    • RichPEHeaderHash SHA1: 916798ba08cb26209e1750d952f530bd34639656
    • RichPEHeaderHash SHA256: 13cbe41785f04563b2c2e14047996532ee6b2ef216106d7b251e06ffa13aa01f
    • Company: Acculogic Inc
    • Description: devMemDrv
    • Product: Integrator
    • OriginalFilename: devMemDrv.sys

    Certificates

    Certificate 047a55
    • ToBeSigned (TBS) MD5: bf6920398aa3daa5672341db9f6a0325
    • ToBeSigned (TBS) SHA1: d3a5167a88dc5a1c6b32ae1ef06a89322e3848ed
    • ToBeSigned (TBS) SHA256: f0af053cfa33afd3cf0bfb01ec5e6e4c033205fbae439c0c4bcd2a6c5a1acc53
    • Subject: C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Time,Stamping Authority
    • ValidFrom: 2009-03-03 12:58:15
    • ValidTo: 2024-03-03 12:58:15
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.5
    • IsCertificateAuthority: True
    • SerialNumber: 047a55
    • Version: 3

    Certificate 0400000000012f4ee1355c
    • ToBeSigned (TBS) MD5: f6a9e8eb8784f3f694b4e353c08a0ff5
    • ToBeSigned (TBS) SHA1: 589a7d4df869395601ba7538a65afae8c4616385
    • ToBeSigned (TBS) SHA256: cbdc9a0ad785d0c2013211746b42234e18bdc7d54a7a260647badc1c9e712ed4
    • Subject: C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2
    • ValidFrom: 2011-04-13 10:00:00
    • ValidTo: 2019-04-13 10:00:00
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.5
    • IsCertificateAuthority: True
    • SerialNumber: 0400000000012f4ee1355c
    • Version: 3

    Certificate 11216735400c011079d293379a114363a073
    • ToBeSigned (TBS) MD5: 7e2635a634c72f603fc9dd85d14582bd
    • ToBeSigned (TBS) SHA1: 1aadb933691d510f3e7e42718e2a1020c6e96b48
    • ToBeSigned (TBS) SHA256: d3ddbec018c90c9c12705a0cae9e2281b083441e5c3d417e75e096b96cfec79e
    • Subject: C=CA, ST=Ontario, L=Markham, O=ACCULOGIC, INC., CN=ACCULOGIC, INC.
    • ValidFrom: 2012-04-23 18:48:57
    • ValidTo: 2013-04-24 18:48:57
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.5
    • IsCertificateAuthority: False
    • SerialNumber: 11216735400c011079d293379a114363a073
    • Version: 3

    Certificate 6129152700000000002a
    • ToBeSigned (TBS) MD5: 0bb058d116f02817737920f112d9fd3b
    • ToBeSigned (TBS) SHA1: fd116235171a4feafedee586b7a59185fb5fd7e6
    • ToBeSigned (TBS) SHA256: f970426cc46d2ae0fc5f899fa19dbe76e05f07e525654c60c3c9399492c291f4
    • Subject: C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA
    • ValidFrom: 2011-04-15 19:55:08
    • ValidTo: 2021-04-15 20:05:08
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.5
    • IsCertificateAuthority: True
    • SerialNumber: 6129152700000000002a
    • Version: 3

    Imports

    • ntoskrnl.exe

    Imported Functions

    • MmUnmapLockedPages
    • ExAllocatePoolWithTag
    • IoDeleteSymbolicLink
    • ExFreePoolWithTag
    • RtlInitUnicodeString
    • IoDeleteDevice
    • MmUnmapIoSpace
    • MmBuildMdlForNonPagedPool
    • IoFreeMdl
    • MmMapLockedPagesSpecifyCache
    • MmMapIoSpace
    • IofCompleteRequest
    • IoCreateSymbolicLink
    • IoCreateDevice
    • IoAllocateMdl
    • KeBugCheckEx

    Exported Functions


    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .rsrc

    last_updated: 2026-04-20