← All drivers
vulnerable
Driver

poisonx.sys

PoisonX EDR-bypass driver

From Microsoft (legitimately signed)
Part of the PoisonX family
Status
On a known-vulnerable list
Known variants
1 distinct hashes
Field notes

poisonx.sys is a Microsoft-signed kernel driver that exposes an undocumented process-termination IOCTL. Any local user can invoke it to kill a process by PID, bypassing Protected Process Light (PPL) safeguards that normally prevent user-mode code from terminating security software.

The driver became the centerpiece of the GentleKiller framework, an EDR-killing toolkit documented by security researchers in 2026. GentleKiller, used by the Gentlemen data-extortion service and the DragonForce group, loads PoisonX alongside other vulnerable drivers to disable over 400 endpoint protection processes before deploying its payload. Xcitium's Threat Labs published a detailed reverse-engineering analysis showing how the IOCTL (0x22E010) bypasses CrowdStrike Falcon and other EDR agents.

The LOLDrivers project catalogs 19 variants (poisonx.sys through poisonx18.sysDriverpoisonx18.sysPoisonX variantOpen plate →), each with a unique hash. Like truesight.sys, the proliferation of variants is a technique for evading hash-based blocklists while reusing the same signed binary.

Not a typical gaming-PC driver. Its presence on a system is a strong indicator of active or recent compromise. If found, escalate to incident response.

What the record shows

poisonx.sys is listed as a known-vulnerable driver on the public LOLDrivers project. One distinct binary hash matching this filename is on record.

What this means, plainly
Presence is not proof of misuse. Driver files on the LOLDrivers list commonly ship with legitimate hardware tools, gaming software, or vendor utilities. Their presence is recorded as evidence on a record. It is never treated as a verdict about a person.
Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “poisonx.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/poisonx-sys