Description
This is a vulnerable driver per Microsoft.
- UUID: f654ad84-c61d-477c-a0b2-d153b927dfcc
- Created: 2023-05-20
- Author: Michael Haag
Download
This download link contains the vulnerable driver!
Block EIO.sys across your endpoints
Add this driver to your block policy in minutes with MagicSword, threat-driven application control. Free for up to 100 endpoints.
Start Blocking for FreeCommands
sc.exe create EIO.sys binPath=C:\windows\temp\EIO.sys type=kernel && sc.exe start EIO.sys
| Use Case | Privileges | Operating System |
|---|
| Elevate privileges | kernel | Windows 10 |
Detections
Sigma 🛡️
Expand
Names
detects loading using name only
Hashes
detects loading using hashes only
Resources
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rulesKnown Vulnerable Samples
Download
Imports
Expand
Imported Functions
Expand
- IoCreateSymbolicLink
- IoCreateDevice
- ExAllocatePoolWithTag
- IofCallDriver
- IoDeleteSymbolicLink
- KeInitializeMutex
- IoAttachDeviceToDeviceStack
- IoDeleteDevice
- IoDetachDevice
- MmUnmapIoSpace
- KeReleaseMutex
- KeWaitForSingleObject
- KeBugCheckEx
- IofCompleteRequest
- RtlInitUnicodeString
- MmMapIoSpace
- KeStallExecutionProcessor
- HalTranslateBusAddress
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- .pdata
- INIT
- .rsrc
Signature
Expand
Download
Imports
Expand
Imported Functions
Expand
- KeInitializeMutex
- RtlInitUnicodeString
- IoDeleteDevice
- IoDetachDevice
- MmUnmapIoSpace
- MmMapIoSpace
- PoStartNextPowerIrp
- IofCompleteRequest
- ExFreePoolWithTag
- PoCallDriver
- IoCreateSymbolicLink
- IoCreateDevice
- IofCallDriver
- KeReleaseMutex
- KeWaitForSingleObject
- KeBugCheckEx
- IoDeleteSymbolicLink
- IoAttachDeviceToDeviceStack
- ExAllocatePoolWithTag
- KeStallExecutionProcessor
- HalTranslateBusAddress
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- .pdata
- INIT
- .rsrc
Signature
Expand
Download
Certificates
Expand
Certificate 0c5167c023b9adedf0f8918ee65712a1
| Field | Value |
|---|
| ToBeSigned (TBS) MD5 | b9dcc79e9817431a597f16b483f5bab2 |
| ToBeSigned (TBS) SHA1 | fae5bf9779eed37708a44ba44f440c60174daa14 |
| ToBeSigned (TBS) SHA256 | e6d299f754eaa1c55b8485adf0eeefdde50a924207ff0e36333c4fe1729e2376 |
| Subject | ??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTEK COMPUTER INC., CN=ASUSTEK COMPUTER INC. |
| ValidFrom | 2019-03-18 00:00:00 |
| ValidTo | 2022-03-23 12:00:00 |
| Signature | 05ab2d8216108391cd6f6a64cecefc78936899f2c3d6144e5b457ee70ab001e557a55c07a40a6b5395045e43bf1a320e79e2c12e11446a1e1426530b434e778abc836198ecce68769fa499016f2883e65104cb36a976c4986263485b774f36522f50432ee823651a17d03787ff672db6689a10cb58d84bb7bacf5da54ee5ebe4bae7c9a1ed2d95ecd7e42bb354d375fe94661df0acb3a64aa6866822140a716049924aab891e4955d7321a25875331f5f8b744ad39bbba4c564711273ae5675afd06175243e5e5940afe9fac413170ef21ac125e698edadefea6026eb7117c506fe422867b6479c34ae0300caf99c75dbf5f60465d5677831a55e9fdc10d621b |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | False |
| SerialNumber | 0c5167c023b9adedf0f8918ee65712a1 |
| Version | 3 |
Certificate 03f1b4e15f3a82f1149678b3d7d8475c
| Field | Value |
|---|
| ToBeSigned (TBS) MD5 | 83f5de89f641d0fbf60248e10a7b9534 |
| ToBeSigned (TBS) SHA1 | 382a73a059a08698d6eb98c87e1b36fc750933a4 |
| ToBeSigned (TBS) SHA256 | eec58131dc11cd7f512501b15fdbc6074c603b68ca91f7162d5a042054edb0cf |
| Subject | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2) |
| ValidFrom | 2012-04-18 12:00:00 |
| ValidTo | 2027-04-18 12:00:00 |
| Signature | 19334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | True |
| SerialNumber | 03f1b4e15f3a82f1149678b3d7d8475c |
| Version | 3 |
Imports
Expand
Imported Functions
Expand
- IoDetachDevice
- IofCallDriver
- PoCallDriver
- PoStartNextPowerIrp
- MmUnmapIoSpace
- MmMapIoSpace
- READ_REGISTER_UCHAR
- READ_REGISTER_USHORT
- READ_REGISTER_ULONG
- WRITE_REGISTER_UCHAR
- WRITE_REGISTER_USHORT
- RtlInitUnicodeString
- ExFreePoolWithTag
- IoDeleteSymbolicLink
- IofCompleteRequest
- KeQuerySystemTime
- memmove
- ExAllocatePoolWithTag
- memset
- KeWaitForSingleObject
- KeReleaseMutex
- KeTickCount
- KeBugCheckEx
- IoCreateDevice
- IoCreateSymbolicLink
- IoDeleteDevice
- IoAttachDeviceToDeviceStack
- WRITE_REGISTER_ULONG
- KeInitializeMutex
- KeStallExecutionProcessor
- WRITE_PORT_UCHAR
- READ_PORT_ULONG
- WRITE_PORT_ULONG
- HalTranslateBusAddress
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- INIT
- .rsrc
- .reloc
Signature
Expand
Download
Certificates
Expand
Certificate 0c5167c023b9adedf0f8918ee65712a1
| Field | Value |
|---|
| ToBeSigned (TBS) MD5 | b9dcc79e9817431a597f16b483f5bab2 |
| ToBeSigned (TBS) SHA1 | fae5bf9779eed37708a44ba44f440c60174daa14 |
| ToBeSigned (TBS) SHA256 | e6d299f754eaa1c55b8485adf0eeefdde50a924207ff0e36333c4fe1729e2376 |
| Subject | ??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTEK COMPUTER INC., CN=ASUSTEK COMPUTER INC. |
| ValidFrom | 2019-03-18 00:00:00 |
| ValidTo | 2022-03-23 12:00:00 |
| Signature | 05ab2d8216108391cd6f6a64cecefc78936899f2c3d6144e5b457ee70ab001e557a55c07a40a6b5395045e43bf1a320e79e2c12e11446a1e1426530b434e778abc836198ecce68769fa499016f2883e65104cb36a976c4986263485b774f36522f50432ee823651a17d03787ff672db6689a10cb58d84bb7bacf5da54ee5ebe4bae7c9a1ed2d95ecd7e42bb354d375fe94661df0acb3a64aa6866822140a716049924aab891e4955d7321a25875331f5f8b744ad39bbba4c564711273ae5675afd06175243e5e5940afe9fac413170ef21ac125e698edadefea6026eb7117c506fe422867b6479c34ae0300caf99c75dbf5f60465d5677831a55e9fdc10d621b |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | False |
| SerialNumber | 0c5167c023b9adedf0f8918ee65712a1 |
| Version | 3 |
Certificate 03f1b4e15f3a82f1149678b3d7d8475c
| Field | Value |
|---|
| ToBeSigned (TBS) MD5 | 83f5de89f641d0fbf60248e10a7b9534 |
| ToBeSigned (TBS) SHA1 | 382a73a059a08698d6eb98c87e1b36fc750933a4 |
| ToBeSigned (TBS) SHA256 | eec58131dc11cd7f512501b15fdbc6074c603b68ca91f7162d5a042054edb0cf |
| Subject | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2) |
| ValidFrom | 2012-04-18 12:00:00 |
| ValidTo | 2027-04-18 12:00:00 |
| Signature | 19334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | True |
| SerialNumber | 03f1b4e15f3a82f1149678b3d7d8475c |
| Version | 3 |
Imports
Expand
Imported Functions
Expand
- KeInitializeMutex
- RtlInitUnicodeString
- IoDeleteDevice
- IoDetachDevice
- MmUnmapIoSpace
- MmMapIoSpace
- PoStartNextPowerIrp
- IofCompleteRequest
- ExFreePoolWithTag
- PoCallDriver
- IoCreateSymbolicLink
- IoCreateDevice
- IofCallDriver
- KeReleaseMutex
- KeWaitForSingleObject
- KeBugCheckEx
- IoDeleteSymbolicLink
- IoAttachDeviceToDeviceStack
- ExAllocatePoolWithTag
- KeStallExecutionProcessor
- HalTranslateBusAddress
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- .pdata
- INIT
- .rsrc
Signature
Expand
source
last_updated: 2026-05-04
