← All drivers
vulnerable
Driver

elrawdsk.sys

EldoS RawDisk direct disk access driver

From EldoS (now /n software)
Status
On a known-vulnerable list
Known variants
2 distinct hashes
Field notes

elrawdsk.sys is the kernel driver for EldoS RawDisk, a legitimate toolkit that gives user-mode applications direct read/write access to raw disk sectors, bypassing the file system. EldoS (now part of /n software) sold it as a developer tool for backup, forensics, and disk-imaging applications.

The driver became widely known in the security community because it was used in the destructive Shamoon/Disttrack incidents in 2012 and again in 2016-2017, where criminal threat actors used the legitimate signed driver to overwrite disk sectors and destroy data on thousands of machines in targeted organizations. The driver's presence on a gaming PC would be unusual.

If you find it and did not install a disk-imaging or forensics tool, investigate what placed it there.

What the record shows

elrawdsk.sys is listed as a known-vulnerable driver on the public LOLDrivers project. 2 distinct binary hashes matching this filename are on record, meaning multiple versions of the file have been observed.

What this means, plainly
Presence is not proof of misuse. Driver files on the LOLDrivers list commonly ship with legitimate hardware tools, gaming software, or vendor utilities. Their presence is recorded as evidence on a record. It is never treated as a verdict about a person.
Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “elrawdsk.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/elrawdsk-sys