375e8de3-aae4-488d-8273-66744978b45f

szkg64.sys :inline

Description

The StopZilla driver is a forgotten but still exploitable vulnerable driver that allows arbitrary kernel memory writes via unvalidated IOCTLs (0x80002063 and 0x8000206F). Attackers can leverage it to escalate privileges, disable LSASS PPL protection, and even modify PreviousMode in _KTHREAD to execute user-mode code as kernel-mode, effectively bypassing security checks. Despite its risks, it remains unblocked by Microsoft’s Driver Block List and many AV/EDR solutions. This driver highlights the persistent threat of forgotten vulnerable drivers still exploitable in modern Windows environments.

  • UUID: 375e8de3-aae4-488d-8273-66744978b45f
  • Created: 2025-01-10
  • Author: decoder
  • Acknowledgement: |

DownloadBlock

This download link contains the vulnerable driver!

Commands

sc.exe create szkg64.sys binPath=C:\windows\temp\szkg64.sys type=kernel && sc.exe start szkg64.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 11

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://www.greyhathacker.net/?p=1025
  • https://decoder.cloud/2025/01/09/the-almost-forgotten-vulnerable-driver/

    • Known Vulnerable Samples

    PropertyValue
    Filename
    Creation Timestamp2011-09-26 09:16:17
    MD58598e4a12eaa945b35365dd2750b9777
    SHA1d7698828cdc3c96cc17fe2d4ff6d93bb0cd355d8
    SHA2566bc0e1c104fac4a8caa4237c7ae181ca11a043a3ee26426aeb7a90dc40281fad
    Authentihash MD5392ed92d6a91fa7cd318e2846ce07490
    Authentihash SHA1c516d0e96129086f6096e1e38ae90ed4da736ccb
    Authentihash SHA25695ca14e045618fb38834d17c5cc176162a29d846c1463b840c9129fb9af47c68
    RichPEHeaderHash MD547a1b6291b2b38ecad52872b32e76144
    RichPEHeaderHash SHA11ecb1c14211313369b4a0fffe21905815b091c3f
    RichPEHeaderHash SHA2566496d78731fbd793b73e87549d6bfc4935243fcb60e48729009e68cd5dd6927a
    CompanyiS3 Inc.
    Descriptionszkg Device Driver
    ProductStopzilla
    OriginalFilenameszkg64.sys

    Download

    Certificates

    Expand
    Certificate 3825d7faf861af9ef490e726b5d65ad5
    FieldValue
    ToBeSigned (TBS) MD5d6c7684e9aaa508cf268335f83afe040
    ToBeSigned (TBS) SHA118066d20ad92409c567cdfde745279ff71c75226
    ToBeSigned (TBS) SHA256a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff
    SubjectC=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2
    ValidFrom2007-06-15 00:00:00
    ValidTo2012-06-14 23:59:59
    Signature50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber3825d7faf861af9ef490e726b5d65ad5
    Version3
    Certificate 47bf1995df8d524643f7db6d480d31a4
    FieldValue
    ToBeSigned (TBS) MD5518d2ea8a21e879c942d504824ac211c
    ToBeSigned (TBS) SHA121ce87d827077e61abddf2beba69fde5432ea031
    ToBeSigned (TBS) SHA2561ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7
    SubjectC=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA
    ValidFrom2003-12-04 00:00:00
    ValidTo2013-12-03 23:59:59
    Signature4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber47bf1995df8d524643f7db6d480d31a4
    Version3
    Certificate 4191a15a3978dfcf496566381d4c75c2
    FieldValue
    ToBeSigned (TBS) MD541011f8d0e7c7a6408334ca387914c61
    ToBeSigned (TBS) SHA1c7fc1727f5b75a6421a1f95c73bbdb23580c48e5
    ToBeSigned (TBS) SHA25688dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0
    SubjectC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA
    ValidFrom2004-07-16 00:00:00
    ValidTo2014-07-15 23:59:59
    Signatureae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber4191a15a3978dfcf496566381d4c75c2
    Version3
    Certificate 62cbc29a336a0ac6486b699bddb44775
    FieldValue
    ToBeSigned (TBS) MD5444683938e8730c9f041139b55f53200
    ToBeSigned (TBS) SHA1967c2149fe1b6b5e943e379e3eebe6348854257f
    ToBeSigned (TBS) SHA256fa40c70ff827045085bc3735824d13649713c5ddcc5b0efe9fa898502ecf3c29
    SubjectC=US, ST=Florida, L=Boynton Beach, O=iS3, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Technology, CN=iS3, Inc.
    ValidFrom2009-04-23 00:00:00
    ValidTo2012-04-22 23:59:59
    Signature6ba64a9cead5d92fb6f5659b343281f596a8d79f550a5fc7d8f6bffc19132bce36dbbd685da570a5c7ce12a16c503c353e7be570f15e7133bae99cb5e64cfcf044f989345466feb5a0f06713b9aa982786013bcf1a88a9ef5b1dae8aad91838742876eb9014f83d5d037fb93bb2ae06eed0702110f25d00c66ca554fc2b7e73b07b426e1b3c1673c3671c96b421b991bef95f8412c6fa16a4ffe261822d38ec97e63b7890e7f6c7a7105a99664000ebed8ea390d74ef6eb6471fe51d23d5d794bfd111727fb62aa9252b509eadb6dfb300024c17c526fb6cc51682519891a1f785b8188858f77f9c97a0328a89ca049d2617fa6d6e8517a1ba29e888216e4383
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber62cbc29a336a0ac6486b699bddb44775
    Version3
    Certificate 610c120600000000001b
    FieldValue
    ToBeSigned (TBS) MD553c41bc1164e09e0cd1617a5bf913efd
    ToBeSigned (TBS) SHA193c03aac8951d494ecd5696b1c08658541b18727
    ToBeSigned (TBS) SHA25640bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b
    SubjectC=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
    ValidFrom2006-05-23 17:01:29
    ValidTo2016-05-23 17:11:29
    Signature01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber610c120600000000001b
    Version3

    Imports

    Expand
    • ntoskrnl.exe

    Imported Functions

    Expand
    • ExFreePoolWithTag
    • ZwQuerySymbolicLinkObject
    • RtlInitUnicodeString
    • MmGetSystemRoutineAddress
    • ZwOpenSymbolicLinkObject
    • ObQueryNameString
    • ExAllocatePool
    • ZwClose
    • RtlAppendUnicodeStringToString
    • ObReferenceObjectByHandle
    • PsGetVersion
    • ObfDereferenceObject
    • ZwDeleteKey
    • RtlDeleteRegistryValue
    • MmUnmapLockedPages
    • ExReleaseFastMutex
    • ExAcquireFastMutex
    • MmMapLockedPages
    • PsSetLoadImageNotifyRoutine
    • ZwReadFile
    • KeSetEvent
    • ProbeForWrite
    • KeInitializeEvent
    • KeReleaseSpinLock
    • PsSetCreateProcessNotifyRoutine
    • IoFreeMdl
    • ZwQueryDirectoryFile
    • PsTerminateSystemThread
    • IoGetCurrentProcess
    • IofCompleteRequest
    • KeWaitForSingleObject
    • PsGetCurrentProcessId
    • ZwOpenFile
    • wcsncmp
    • IoReleaseCancelSpinLock
    • MmIsNonPagedSystemAddressValid
    • IoAcquireCancelSpinLock
    • DbgPrint
    • ZwOpenKey
    • KeAcquireSpinLockRaiseToDpc
    • ExAllocatePoolWithTag
    • ZwOpenProcess
    • RtlCopyUnicodeString
    • swprintf
    • RtlUpcaseUnicodeChar
    • tolower
    • ZwSetInformationFile
    • IoReuseIrp
    • IoGetBaseFileSystemDeviceObject
    • IoGetRelatedDeviceObject
    • MmBuildMdlForNonPagedPool
    • ZwCreateFile
    • IoFreeIrp
    • IoAllocateIrp
    • IoAllocateMdl
    • IofCallDriver
    • KeBugCheckEx
    • IoDeleteSymbolicLink
    • IoRegisterShutdownNotification
    • IoDeleteDevice
    • IoUnregisterShutdownNotification
    • IoCreateSymbolicLink
    • IoCreateDevice
    • ZwQueryInformationFile
    • ZwWriteFile
    • ZwSetValueKey
    • ZwEnumerateValueKey
    • ZwEnumerateKey
    • PsCreateSystemThread
    • __chkstk
    • __C_specific_handler

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • .STL
    • .CRT
    • PAGE
    • INIT
    • .rsrc
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "3825d7faf861af9ef490e726b5d65ad5",
      "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2",
      "TBS": {
        "MD5": "d6c7684e9aaa508cf268335f83afe040",
        "SHA1": "18066d20ad92409c567cdfde745279ff71c75226",
        "SHA256": "a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff",
        "SHA384": "35c249d6ad0261a6229b2a727067ac6ba32a5d24b30b9249051f748c7735fbe2ec2ef26a702c50df1790fbe32a65aee7"
      },
      "ValidFrom": "2007-06-15 00:00:00",
      "ValidTo": "2012-06-14 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "47bf1995df8d524643f7db6d480d31a4",
      "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA",
      "TBS": {
        "MD5": "518d2ea8a21e879c942d504824ac211c",
        "SHA1": "21ce87d827077e61abddf2beba69fde5432ea031",
        "SHA256": "1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7",
        "SHA384": "53e346bbde23779a5d116cc9d86fdd71c97b1f1b343439f8a11aa1d3c87af63864bb8488a5aeb2d0c26a6a1e0b15f03f"
      },
      "ValidFrom": "2003-12-04 00:00:00",
      "ValidTo": "2013-12-03 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "4191a15a3978dfcf496566381d4c75c2",
      "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA",
      "TBS": {
        "MD5": "41011f8d0e7c7a6408334ca387914c61",
        "SHA1": "c7fc1727f5b75a6421a1f95c73bbdb23580c48e5",
        "SHA256": "88dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0",
        "SHA384": "a00aa5ed457c41e37967882644d63366bae014f03a986576d8514164d7027acf7d0b5e03d764db2558f60db148954459"
      },
      "ValidFrom": "2004-07-16 00:00:00",
      "ValidTo": "2014-07-15 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "62cbc29a336a0ac6486b699bddb44775",
      "Signature": "6ba64a9cead5d92fb6f5659b343281f596a8d79f550a5fc7d8f6bffc19132bce36dbbd685da570a5c7ce12a16c503c353e7be570f15e7133bae99cb5e64cfcf044f989345466feb5a0f06713b9aa982786013bcf1a88a9ef5b1dae8aad91838742876eb9014f83d5d037fb93bb2ae06eed0702110f25d00c66ca554fc2b7e73b07b426e1b3c1673c3671c96b421b991bef95f8412c6fa16a4ffe261822d38ec97e63b7890e7f6c7a7105a99664000ebed8ea390d74ef6eb6471fe51d23d5d794bfd111727fb62aa9252b509eadb6dfb300024c17c526fb6cc51682519891a1f785b8188858f77f9c97a0328a89ca049d2617fa6d6e8517a1ba29e888216e4383",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, ST=Florida, L=Boynton Beach, O=iS3, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Technology, CN=iS3, Inc.",
      "TBS": {
        "MD5": "444683938e8730c9f041139b55f53200",
        "SHA1": "967c2149fe1b6b5e943e379e3eebe6348854257f",
        "SHA256": "fa40c70ff827045085bc3735824d13649713c5ddcc5b0efe9fa898502ecf3c29",
        "SHA384": "688a757994b6a32948f7b8ef5350ffd188785ed7844846c9e22286a8ec80b32bb3f0a16cf20b7f0299140af3174ed584"
      },
      "ValidFrom": "2009-04-23 00:00:00",
      "ValidTo": "2012-04-22 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "610c120600000000001b",
      "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority",
      "TBS": {
        "MD5": "53c41bc1164e09e0cd1617a5bf913efd",
        "SHA1": "93c03aac8951d494ecd5696b1c08658541b18727",
        "SHA256": "40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b",
        "SHA384": "f51d4e75ba638f7314cd59b8d6d45f3b34d35ce6986e9d205cd6f333e8e8d8e9c91f636e6bc84731b6661673f40963d8"
      },
      "ValidFrom": "2006-05-23 17:01:29",
      "ValidTo": "2016-05-23 17:11:29",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA",
      "SerialNumber": "62cbc29a336a0ac6486b699bddb44775",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2025-01-29