CmUpx.sys

Description

CmUpx.sys is a vulnerable kernel driver from the KeServiceDescriptorTable/vulnerable-drivers repository. The driver exposes dangerous kernel primitives to usermode.

  • UUID: 64601d77-61ea-43b7-8178-9d45dfba6022
  • Created: 2026-04-17
  • Author: Michael Haag
  • Acknowledgement: @rainbowdynamix, @DbgPrint

Commands

sc.exe create CmUpx binPath=C:\windows\temp\CmUpx.sys type=kernel && sc.exe start CmUpx
Use Case: Elevate privileges
Privileges: kernel
Operating System: Windows 10

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources


  • https://github.com/magicsword-io/LOLDrivers/issues/325
  • https://github.com/KeServiceDescriptorTable/vulnerable-drivers

  • Known Vulnerable Samples

    Filename: CmUpx.sys
    Creation Timestamp: 2021-03-02 01:47:49
    MD5: 0463f185ac41aa492bd35dceb5de2ffc
    SHA1: 0e03d54a6fb230f54127363013770468dd156ba4
    SHA256: cdf38928a13dfe0e6de054f0229945b9f7db9f88eb7269ecefdceb4b5fab4bfa
    Authentihash MD5: d30f54980f19a18359999c0cb4195ad8
    Authentihash SHA1: d27a90e89b920c9553770d6d218e1d36a0381271
    Authentihash SHA256: 0dbd363c5cf7878d2b375554fb23b4986cc1e40baed15255ce5336618c70a8e7
    RichPEHeaderHash MD5: ae86a7dd76598959a84fde249fa9078c
    RichPEHeaderHash SHA1: 3259e91046b6730a9ae978bd578f3b481ee5de3e
    RichPEHeaderHash SHA256: 79dbcf255d4ba197d0deedd5df34d59f5b3d8cdde78f3627386fec18d56bc399
    Company: Realtek Semiconductor Corp.
    Description: CmUpx driver for Realtek USB device
    Product: CmUpx driver for Realtek USB device
    OriginalFilename: CmUpx

    Certificates

    Certificate 61204db4000000000027
    ToBeSigned (TBS) MD5: 8e3ffc222fbcebdbb8b23115ab259be7
    ToBeSigned (TBS) SHA1: ee20bff28ffe13be731c294c90d6ded5aae0ec0e
    ToBeSigned (TBS) SHA256: 59826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821
    Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
    ValidFrom: 2011-04-15 19:45:33
    ValidTo: 2021-04-15 19:55:33
    SignatureAlgorithmOID: 1.2.840.113549.1.1.5
    IsCertificateAuthority: True
    SerialNumber: 61204db4000000000027
    Version: 3

    Certificate 055958f8a90b14fa25436b89fb307660
    ToBeSigned (TBS) MD5: 7cf520ea386381ad62a761efd3b052ba
    ToBeSigned (TBS) SHA1: 28b349f35bda08a60b10e762aa1a195082bd7698
    ToBeSigned (TBS) SHA256: 0801c6e6de661fc7fe455628578b89780d786cdf81e471ef00f70c3d9959fed8
    Subject: JURISDICTION_OF_INCORPORATION_C=TW, BUSINESS_CATEGORY=Private Organization, serialNumber=22671299, C=TW, L=HSINCHU, O=Realtek Semiconductor Corp., CN=Realtek Semiconductor Corp.
    ValidFrom: 2019-01-03 00:00:00
    ValidTo: 2022-01-06 12:00:00
    SignatureAlgorithmOID: 1.2.840.113549.1.1.11
    IsCertificateAuthority: False
    SerialNumber: 055958f8a90b14fa25436b89fb307660
    Version: 3

    Certificate 03f1b4e15f3a82f1149678b3d7d8475c
    ToBeSigned (TBS) MD5: 83f5de89f641d0fbf60248e10a7b9534
    ToBeSigned (TBS) SHA1: 382a73a059a08698d6eb98c87e1b36fc750933a4
    ToBeSigned (TBS) SHA256: eec58131dc11cd7f512501b15fdbc6074c603b68ca91f7162d5a042054edb0cf
    Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)
    ValidFrom: 2012-04-18 12:00:00
    ValidTo: 2027-04-18 12:00:00
    SignatureAlgorithmOID: 1.2.840.113549.1.1.11
    IsCertificateAuthority: True
    SerialNumber: 03f1b4e15f3a82f1149678b3d7d8475c
    Version: 3

    Imports

    • ntoskrnl.exe

    Imported Functions

    • RtlInitUnicodeString
    • KeInitializeEvent
    • KeWaitForSingleObject
    • KeAcquireSpinLockRaiseToDpc
    • KeReleaseSpinLock
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • MmProbeAndLockPages
    • MmUnlockPages
    • MmBuildMdlForNonPagedPool
    • MmMapLockedPagesSpecifyCache
    • MmUnmapLockedPages
    • MmMapIoSpace
    • MmUnmapIoSpace
    • IoAllocateMdl
    • IoBuildDeviceIoControlRequest
    • IoBuildSynchronousFsdRequest
    • IofCallDriver
    • IoCancelIrp
    • IofCompleteRequest
    • IoCreateDevice
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • IoFreeMdl
    • IoGetDeviceObjectPointer
    • IoGetRelatedDeviceObject
    • ObReferenceObjectByHandle
    • ObfDereferenceObject
    • ObQueryNameString
    • FsRtlIsNameInExpression
    • __C_specific_handler
    • IoFileObjectType

    Exported Functions

    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .rsrc
    • .reloc

    Signature

    {
      "Certificates": [
        {
          "CertificateType": "CA",
          "IsCA": true,
          "IsCertificateAuthority": true,
          "IsCodeSigning": false,
          "SerialNumber": "61204db4000000000027",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA",
          "TBS": {
            "MD5": "8e3ffc222fbcebdbb8b23115ab259be7",
            "SHA1": "ee20bff28ffe13be731c294c90d6ded5aae0ec0e",
            "SHA256": "59826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821",
            "SHA384": "f2dab7e56a33298654924501499487f6ba72c7d9477476a186e1ed7a9be031fade0e35ac09eff5e56bbbab95ae5374e7"
          },
          "ValidFrom": "2011-04-15 19:45:33",
          "ValidTo": "2021-04-15 19:55:33",
          "Version": 3
        },
        {
          "CertificateType": "Leaf (Code Signing)",
          "IsCA": false,
          "IsCertificateAuthority": false,
          "IsCodeSigning": true,
          "SerialNumber": "055958f8a90b14fa25436b89fb307660",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "JURISDICTION_OF_INCORPORATION_C=TW, BUSINESS_CATEGORY=Private Organization, serialNumber=22671299, C=TW, L=HSINCHU, O=Realtek Semiconductor Corp., CN=Realtek Semiconductor Corp.",
          "TBS": {
            "MD5": "7cf520ea386381ad62a761efd3b052ba",
            "SHA1": "28b349f35bda08a60b10e762aa1a195082bd7698",
            "SHA256": "0801c6e6de661fc7fe455628578b89780d786cdf81e471ef00f70c3d9959fed8",
            "SHA384": "647ca0e5d33bf5235bb46f482bda43dfc4993718608a83881d03ca9ee6e81c27f2f834fbb69fedd558d4891f26b51510"
          },
          "ValidFrom": "2019-01-03 00:00:00",
          "ValidTo": "2022-01-06 12:00:00",
          "Version": 3
        },
        {
          "CertificateType": "CA",
          "IsCA": true,
          "IsCertificateAuthority": true,
          "IsCodeSigning": true,
          "SerialNumber": "03f1b4e15f3a82f1149678b3d7d8475c",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)",
          "TBS": {
            "MD5": "83f5de89f641d0fbf60248e10a7b9534",
            "SHA1": "382a73a059a08698d6eb98c87e1b36fc750933a4",
            "SHA256": "eec58131dc11cd7f512501b15fdbc6074c603b68ca91f7162d5a042054edb0cf",
            "SHA384": "4a25018683cabfb8ec2cad136334f37f33c89aa8540326322991d997c8adfb7faf06ab602ebd46630fe75fe3d2edc6b1"
          },
          "ValidFrom": "2012-04-18 12:00:00",
          "ValidTo": "2027-04-18 12:00:00",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)",
          "SerialNumber": "055958f8a90b14fa25436b89fb307660",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    

    last_updated: 2026-04-20