KDU Provider Compatibility Analysis
KDU (Kernel Driver Utility) by hfiref0x is the most widely used framework for BYOVD exploitation. It uses vulnerable signed drivers as "providers" to perform actions ranging from loading unsigned kernel code to manipulating kernel objects. Each action requires specific memory primitives: MapDriver needs both physical and virtual memory read/write, DKOM needs virtual memory write, and DSECorruption needs the ability to patch ci.dll!g_CiOptions.
This page maps every driver in the LOLDrivers catalog against KDU's provider requirements. The analysis goes beyond import checking: Tier 2 Ghidra analysis confirms which dangerous APIs are actually reachable from IOCTL dispatch handlers, distinguishing between drivers that import MmMapIoSpace for internal use and those that expose it to any process that can open the device handle.
Last updated: 2026-03-12
Drivers analyzed: 1775 (Tier 1) / 1775 (Tier 2 Ghidra)
Key Findings
| Metric | Count |
|---|---|
| Total drivers analyzed | 1,775 |
| KDU-compatible | 1404 (79%) |
| Tier 2 confirmed | 354 |
| Tier 1 likely | 1050 |
| MapDriver capable | 391 |
| MapDriver (physical brute-force) | 393 |
| DKOM / DSECorruption | 620 |
| DumpProcess | 0 |
What This Means
KDU uses vulnerable signed drivers to load unsigned kernel code. A driver is "KDU-compatible" if it exposes memory primitives through its IOCTL handlers that an attacker can chain into kernel code execution.
- Confirmed: Ghidra analysis verified the dangerous API is reachable from an IOCTL handler
- Likely: The driver imports the API, but we haven't confirmed IOCTL reachability yet
KDU supports these actions, from most to least powerful:
- MapDriver - Load arbitrary unsigned code into the kernel (needs physical + virtual memory R/W)
- MapDriver (physical brute-force) - Same, but uses only physical memory with PML4 brute-forcing
- DKOM - Direct Kernel Object Manipulation, e.g. hiding processes (needs virtual memory write)
- DSECorruption - Patch ci.dll!g_CiOptions to disable driver signature enforcement
- DumpProcess - Read arbitrary process memory (needs process handle + virtual memory read)
Confirmed MapDriver Candidates
These 122 drivers have Ghidra-confirmed physical + virtual memory primitives reachable from IOCTL handlers. They could load unsigned kernel code.
| # | Driver | Primitives (confirmed IOCTLs) | NEITHER I/O | Mitigations OFF |
|---|---|---|---|---|
| 1 | segwindrvx64.sys | PortIO, QueryPML4Value, ReadKVM, ReadPhysMem, VToPhys, WriteKVM, WritePhysMem | | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 2 | PDFWKRNL.sys | QueryPML4Value, ReadKVM, ReadPhysMem, VToPhys, WriteKVM, WritePhysMem | YES | GUARD_CF, GS_COOKIE |
| 3 | PDFWKRNL.sys | QueryPML4Value, ReadKVM, ReadPhysMem, VToPhys, WriteKVM, WritePhysMem | YES | GUARD_CF, GS_COOKIE |
| 4 | PDFWKRNL.sys | QueryPML4Value, ReadKVM, ReadPhysMem, VToPhys, WriteKVM, WritePhysMem | YES | GUARD_CF, GS_COOKIE |
| 5 | PDFWKRNL.sys | QueryPML4Value, ReadKVM, ReadPhysMem, VToPhys, WriteKVM, WritePhysMem | YES | GUARD_CF, GS_COOKIE |
| 6 | WinFlash64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 7 | kerneld.amd64 | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 8 | kerneld.amd64 | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 9 | atillk64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 10 | atillk64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 11 | atillk64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 12 | atillk64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 13 | kerneld.amd64 | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 14 | kerneld.amd64 | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 15 | kerneld.amd64 | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 16 | kerneld.amd64 | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 17 | atillk64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 18 | TdkLib64.sys | QueryPML4Value, ReadKVM, ReadPhysMem, VToPhys, WriteKVM, WritePhysMem | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 19 | CP2X72C.SYS | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 20 | CP2X72C.SYS | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 21 | hw.sys | PortIO | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 22 | dbk64.sys | OpenProcess, ReadKVM, WriteKVM | | GUARD_CF, GS_COOKIE |
| 23 | dbk64.sys | OpenProcess, ReadKVM, WriteKVM | | GUARD_CF, GS_COOKIE |
| 24 | TdkLib64.sys | QueryPML4Value, ReadKVM, ReadPhysMem, VToPhys, WriteKVM, WritePhysMem | YES | GUARD_CF, GS_COOKIE |
| 25 | TdkLib64.sys | ReadKVM, WriteKVM | YES | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 26 | TdkLib64.sys | QueryPML4Value, ReadKVM, ReadPhysMem, VToPhys, WriteKVM, WritePhysMem | YES | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 27 | TdkLib64.sys | QueryPML4Value, ReadKVM, ReadPhysMem, VToPhys, WriteKVM, WritePhysMem | YES | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 28 | TdkLib64.sys | ReadKVM, WriteKVM | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 29 | TdkLib64.sys | ReadKVM, WriteKVM | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 30 | NCHGBIOS2x64.SYS | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 31 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | GUARD_CF, GS_COOKIE |
| 32 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | GUARD_CF, GS_COOKIE |
| 33 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | GUARD_CF, GS_COOKIE |
| 34 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | GUARD_CF, GS_COOKIE |
| 35 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | GUARD_CF, GS_COOKIE |
| 36 | AODDriver.sys | PortIO, QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 37 | ATSZIO.sys | PortIO, QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 38 | NCHGBIOS2x64.SYS | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 39 | BioNTdrv.sys | OpenProcess, QueryPML4Value, ReadKVM, ReadPhysMem, VToPhys, WriteKVM, WritePhysMem | | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 40 | driver7-x86.sys | PortIO | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 41 | gdrv.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 42 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | GUARD_CF, GS_COOKIE |
| 43 | AODDriver.sys | PortIO, QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 44 | gpcidrv64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 45 | rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys | PortIO, QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 46 | rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys | PortIO, QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 47 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 48 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 49 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 50 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | GUARD_CF, GS_COOKIE |
| 51 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | GUARD_CF, GS_COOKIE |
| 52 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | GUARD_CF, GS_COOKIE |
| 53 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | GUARD_CF, GS_COOKIE |
| 54 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | GUARD_CF, GS_COOKIE |
| 55 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | GUARD_CF, GS_COOKIE |
| 56 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | GUARD_CF, GS_COOKIE |
| 57 | rtkiow8x64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | GUARD_CF, GS_COOKIE |
| 58 | AsUpIO.sys, AsUpIO64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | GUARD_CF, GS_COOKIE |
| 59 | AsUpIO.sys, AsUpIO64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | GUARD_CF, GS_COOKIE |
| 60 | DirectIo32.sys | PortIO | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 61 | DirectIo32.sys | PortIO | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 62 | rtif.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 63 | gdrv.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 64 | gdrv.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 65 | gdrv.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 66 | driver7-x86-withoutdbg.sys | PortIO | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 67 | directio32_legacy.sys, DirectIo32.sys | PortIO | | GUARD_CF, GS_COOKIE |
| 68 | rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 69 | rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 70 | rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 71 | rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 72 | rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 73 | rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 74 | WinFlash64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 75 | directio64.sys | OpenProcess | | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 76 | AODDriver.sys | PortIO | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 77 | AODDriver.sys | PortIO | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 78 | AODDriver.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 79 | AODDriver.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 80 | atlAccess.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 81 | TdkLib64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 82 | TdkLib64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 83 | TdkLib64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 84 | TdkLib64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 85 | TdkLib64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 86 | phymem_ext64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 87 | phymem_ext64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 88 | phymem_ext64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 89 | phymem_ext64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 90 | nvoclock.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 91 | nvoclock.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 92 | nvoclock.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 93 | nvoclock.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 94 | BS_Flash64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 95 | WinFlash64.sys | QueryPML4Value, ReadPhysMem, VToPhys, WritePhysMem | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 96 | directio64.sys | OpenProcess | | GUARD_CF, GS_COOKIE |
| 97 | directio64.sys | OpenProcess | | GUARD_CF, GS_COOKIE |
| 98 | aswArPot.sys | ReadKVM, WriteKVM | YES | GUARD_CF, GS_COOKIE |
| 99 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | GUARD_CF, GS_COOKIE |
| 100 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | GUARD_CF, GS_COOKIE |
| 101 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 102 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 103 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | GUARD_CF, GS_COOKIE |
| 104 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | GUARD_CF, GS_COOKIE |
| 105 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 106 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | GUARD_CF, GS_COOKIE |
| 107 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | GUARD_CF, GS_COOKIE |
| 108 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | GUARD_CF, GS_COOKIE |
| 109 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | GUARD_CF, GS_COOKIE |
| 110 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | GUARD_CF, GS_COOKIE |
| 111 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 112 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 113 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 114 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | GUARD_CF, GS_COOKIE |
| 115 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 116 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | GUARD_CF, GS_COOKIE |
| 117 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 118 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | GUARD_CF, GS_COOKIE |
| 119 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 120 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 121 | aswArPot.sys, avgArPot.sys | ReadKVM, WriteKVM | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 122 | directio64.sys, utiA2D4.sys | OpenProcess | | GUARD_CF, GS_COOKIE |
Confirmed Physical Brute-Force Candidates
These 157 drivers have confirmed physical memory R/W but lack virtual memory. KDU can brute-force PML4 via physical scanning to achieve MapDriver.
| # | Driver | Confirmed APIs | NEITHER I/O | Mitigations OFF |
|---|---|---|---|---|
| 1 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 2 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 3 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 4 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 5 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 6 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 7 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 8 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 9 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 10 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 11 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 12 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 13 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 14 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 15 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 16 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 17 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 18 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 19 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 20 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 21 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 22 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 23 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 24 | kerneld.amd64 | MmMapIoSpace | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 25 | CP2X72C.SYS | MmMapIoSpace, READ_PORT_UCHAR, READ_PORT_ULONG, WRITE_PORT_UCHAR | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 26 | kerneld.amd64 | MmMapIoSpace | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 27 | kerneld.amd64 | MmMapIoSpace | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 28 | kerneld.amd64 | MmMapIoSpace | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 29 | kerneld.amd64 | MmMapIoSpace | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 30 | CP2X72C.SYS | MmMapIoSpace, READ_PORT_UCHAR, READ_PORT_ULONG, WRITE_PORT_UCHAR | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| ... | 127 more | | | |
Confirmed DKOM / DSECorruption Candidates
These 75 drivers have confirmed virtual memory write primitives. They can manipulate kernel objects or patch ci.dll to disable signature enforcement.
| # | Driver | Confirmed APIs | NEITHER I/O | Mitigations OFF |
|---|---|---|---|---|
| 1 | procexp.Sys | ObOpenObjectByPointer, ObReferenceObjectByHandle, ZwOpenProcess | | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 2 | procexp.Sys | ObOpenObjectByPointer, ObReferenceObjectByHandle, ZwOpenProcess | | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 3 | procexp.Sys | ObOpenObjectByPointer, ObReferenceObjectByHandle, ZwOpenProcess | | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 4 | procexp.Sys | ObOpenObjectByPointer, ObReferenceObjectByHandle, ZwOpenProcess | | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 5 | procexp.Sys | ObOpenObjectByPointer, ObReferenceObjectByHandle, ZwOpenProcess | | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 6 | procexp.Sys | ObOpenObjectByPointer, ObReferenceObjectByHandle, ZwOpenProcess | | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 7 | procexp.Sys | ObOpenObjectByPointer, ObReferenceObjectByHandle, ZwOpenProcess | | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 8 | echo_driver.sys | KeStackAttachProcess, ObOpenObjectByPointer, ObReferenceObjectByHandle, PsLookupProcessByProcessId | | GUARD_CF, GS_COOKIE |
| 9 | kprocesshacker.sys | ObReferenceObjectByHandle | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 10 | inpout32.sys | READ_PORT_ULONG, WRITE_PORT_UCHAR, WRITE_PORT_ULONG | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 11 | inpout32.sys | READ_PORT_UCHAR, READ_PORT_ULONG, WRITE_PORT_UCHAR, WRITE_PORT_ULONG | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 12 | inpout32.sys | READ_PORT_UCHAR, READ_PORT_ULONG, WRITE_PORT_UCHAR, WRITE_PORT_ULONG | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 13 | inpout32.sys | READ_PORT_UCHAR, READ_PORT_ULONG, WRITE_PORT_UCHAR, WRITE_PORT_ULONG | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 14 | inpout32.sys | READ_PORT_UCHAR, READ_PORT_ULONG, WRITE_PORT_UCHAR, WRITE_PORT_ULONG | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 15 | procexp.Sys | KeStackAttachProcess, ObReferenceObjectByHandle, ZwOpenProcess | | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 16 | procexp.Sys | KeStackAttachProcess, ObReferenceObjectByHandle, ZwOpenProcess | | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 17 | procexp.Sys | KeStackAttachProcess, ObReferenceObjectByHandle, ZwOpenProcess | | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 18 | procexp.Sys | KeStackAttachProcess, ObReferenceObjectByHandle, ZwOpenProcess | | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 19 | procexp.Sys | ZwOpenProcess | | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 20 | procexp.Sys | ZwOpenProcess | | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 21 | procexp.Sys | ZwOpenProcess | | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 22 | echo_driver.sys | ObOpenObjectByPointer, ObReferenceObjectByHandle, PsLookupProcessByProcessId | | GUARD_CF, GS_COOKIE |
| 23 | DirectIo.sys | READ_PORT_UCHAR, WRITE_PORT_UCHAR, WRITE_PORT_ULONG | | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 24 | DirectIo.sys | READ_PORT_ULONG, WRITE_PORT_UCHAR | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 25 | DirectIo.sys | READ_PORT_ULONG, WRITE_PORT_UCHAR | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 26 | DirectIo32.sys | READ_PORT_ULONG, WRITE_PORT_UCHAR | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 27 | DirectIo32.sys | READ_PORT_ULONG, WRITE_PORT_UCHAR | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 28 | DirectIo32.sys | READ_PORT_ULONG, WRITE_PORT_UCHAR | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 29 | DirectIo32.sys | READ_PORT_ULONG, WRITE_PORT_UCHAR | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 30 | DirectIo32.sys | READ_PORT_ULONG, WRITE_PORT_UCHAR | YES | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| ... | 45 more | | | |
Likely MapDriver Candidates (Tier 1 only)
These 269 drivers import the right APIs but haven't been Ghidra-confirmed yet. The dangerous imports may be used internally rather than exposed through IOCTLs.
| # | Driver | Imported Primitives | Mitigations OFF |
|---|---|---|---|
| 1 | RtsPer.sys | OpenProcess, PortIO, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | GUARD_CF, GS_COOKIE |
| 2 | AODDriver.sys | OpenProcess, PortIO, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 3 | ATSZIO.sys | OpenProcess, PortIO, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 4 | ATSZIO.sys | OpenProcess, PortIO, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 5 | gdrv.sys | OpenProcess, PortIO, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 6 | iqvw64e.sys, iQVW64.SYS, IQVW32.sys, NalDrv.sys | OpenProcess, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 7 | rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys | OpenProcess, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 8 | cg6kwin2k.sys | OpenProcess, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 9 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | OpenProcess, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 10 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | OpenProcess, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 11 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | OpenProcess, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 12 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | OpenProcess, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 13 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | OpenProcess, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 14 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | OpenProcess, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 15 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | OpenProcess, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 16 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | OpenProcess, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 17 | asio.sys, AsIO32.sys, AsIO3.sys, AsIO3_64.sys, AsIO2.sys | OpenProcess, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 18 | nvaudio.sys | OpenProcess, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 19 | AMDPowerProfiler.sys | OpenProcess, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 20 | pchunter.sys | OpenProcess, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 21 | hw.sys | OpenProcess, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 22 | IoAccess.sys | PortIO, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | GUARD_CF, FORCE_INTEGRITY, GS_COOKIE |
| 23 | GEDevDrv.SYS | PortIO, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 24 | GEDevDrv.SYS | PortIO, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 25 | driver7-x64.sys | OpenProcess, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 26 | directio64.sys | OpenProcess, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 27 | directio64.sys | OpenProcess, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 28 | directio64.sys | OpenProcess, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 29 | directio64.sys | OpenProcess, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | DYNAMIC_BASE, NX_COMPAT, GUARD_CF |
| 30 | directio64.sys | OpenProcess, ReadKVM, ReadPhysMem, WriteKVM, WritePhysMem | GUARD_CF, GS_COOKIE |
| ... | 239 more | | |
Methodology
- Tier 1 (all drivers): PE parsing extracts imports, device names, IOCTLs, and mitigations
- Tier 2 (Ghidra): Headless decompilation traces which imports are called from which IOCTL handlers
- KDU scoring: Maps confirmed IOCTL-reachable APIs to KDU primitive types (ReadPhysicalMemory, WriteKernelVM, OpenProcess, etc.)
- Action assessment: Determines which KDU actions the primitives support (MapDriver > DKOM > DSECorruption > DumpProcess)
Confirmed = Ghidra verified the API call exists inside an IOCTL dispatch handler
Likely = The driver imports the API, but IOCTL reachability is unverified
Generated by DriverAtlas × KernelSight