6eca187c-8fb2-4eae-9c80-fd9ef9d8c91e

QIOMem.sys :inline

Description

QIOMem.sys is the Generic IO & Memory Access driver included with Toshiba and Dynabook password utilities. It binds to ACPI\QCI0701; on systems without that firmware device, the public proof of concept creates a matching software PnP device to trigger loading of an already-installed driver package. Six IOCTLs (0x08012000 through 0x08012014) pass an unvalidated 32-bit physical address to MmMapIoSpace, allowing a low-privileged process to read or write one, two, or four bytes of physical memory below 4 GiB.

  • UUID: 6eca187c-8fb2-4eae-9c80-fd9ef9d8c91e
  • Created: 2026-07-10
  • Author: valium
  • Acknowledgement: Akshit Yadav | @valium007

Download

This download link contains the vulnerable driver!

Block QIOMem.sys across your endpoints

Add this driver to your block policy in minutes with MagicSword, threat-driven application control. Free for up to 100 endpoints.

Start Blocking for Free

Commands

acpi.exe
Use CasePrivilegesOperating System
Read or write physical memory from a low-privileged process.UserWindows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://github.com/valium007/qiomem
  • https://valium007.github.io/posts/toshiba-vuln/
  • https://jvn.jp/vu/JVNVU91051826/
  • https://www.cve.org/CVERecord?id=CVE-2026-56129
  • https://dynabook.com/assistpc/info/2026/20260619_security.htm

  • CVE

  • CVE-2026-56129
  • Known Vulnerable Samples

    PropertyValue
    FilenameQIOMem.sys
    Creation Timestamp2015-05-05 05:40:35
    MD543252ab49c9a43d22aa583c15e96f7b7
    SHA1ee37a040b6ec7882b4e240e70da67bc0900fd799
    SHA2566abd8d0d541bcf9e257c65122216b1d2ae92cbf8a3a3cb7ce340846e66c449ca
    Authentihash MD5e7d3aa85b456b305803472f276dd29f0
    Authentihash SHA1927108063af531702e54c89d3beb395f715f9706
    Authentihash SHA256de7b59f676aadcc0173e5a8d6b22f74f6a7f9c0ed906e5cc5f3e0fd821adb813
    RichPEHeaderHash MD5b06ee72c38688c22e116ef8109e4c6c8
    RichPEHeaderHash SHA16fb19cea0bf673048937137ae021785a3c50f51b
    RichPEHeaderHash SHA256acace1751c5a54f5b9a1906ac66d24a79e8c8fa9148b50b2b8ebd4861ca91f10
    PublisherMicrosoft Windows Hardware Compatibility Publisher
    CompanyTOSHIBA
    DescriptionGeneric IO & Memory Access
    OriginalFilenameQIOMem.sys

    Download

    Certificates

    Expand
    Certificate 1fa194ec05480faf4587210ed5dadd0e
    FieldValue
    ToBeSigned (TBS) MD5320eaa8b2d51fe81279df22ddf8ad432
    ToBeSigned (TBS) SHA1c4cd618c351fb3ebeb4a311be5309c63c3b9a4c1
    ToBeSigned (TBS) SHA256f6b8e27adc02bc59edb9eba387c5e063ff0c3260567c5ab714e397ad8d916551
    SubjectCN=WDKTestCert 1,130752733198717037
    ValidFrom2015-05-05 04:22:00
    ValidTo2025-05-05 00:00:00
    Signature37263cc0f54f52c4e64f0c6352d5ace94b517ef3603ec03fe1d1f319d6e21e92f09dec78062be4bb8bd8bbd186b0244ac737c36a71c1369711ed41d33d3df12ea4e101cf87513257cce90d77b5b2c11124481b2c7af558bfe326909638bcd33dd2b5740db59e314b43e22ccb7bc6b12e66ab8a72a50d818e5beb1e897ae3b43e5f4437a4dccb05ab96ec5a3ea2315325c0399ce0854f14f2e2dbd0a64dc0abcd8b25be28d18eb93b96ee2f661ed467c51b5ae696e55ca46b123ae8c900bdee2124f210ad640a040eac4a6222ba1f880a2e8c214a81c4251ed1b3c33ca7d5f6ce77400f5f20a84fb39e0d27d9e57626fa3acc17e6f387852c461eeac29cd7e738
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber1fa194ec05480faf4587210ed5dadd0e
    Version3

    Imports

    Expand
    • ntoskrnl.exe

    Imported Functions

    Expand
    • RtlFreeUnicodeString
    • KeInitializeSpinLock
    • IoAttachDeviceToDeviceStack
    • IofCallDriver
    • IofCompleteRequest
    • IoCreateDevice
    • IoDeleteDevice
    • IoRegisterDeviceInterface
    • KeInitializeEvent
    • KeSetEvent
    • KeWaitForSingleObject
    • IoDetachDevice
    • IoSetDeviceInterfaceState
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • MmMapIoSpace
    • MmUnmapIoSpace
    • IoWMIOpenBlock
    • IoWMIQuerySingleInstance
    • IoWMISetSingleInstance
    • IoReportTargetDeviceChangeAsynchronous
    • PoRequestPowerIrp
    • PoSetPowerState
    • PoCallDriver
    • PoStartNextPowerIrp
    • IoAllocateIrp
    • IoBuildDeviceIoControlRequest
    • IoFreeIrp
    • IoGetAttachedDeviceReference
    • ObfDereferenceObject

    Exported Functions

    Expand

    Sections

    Expand
    • LOCKED
    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .rsrc
    • .reloc

    Signature

    Expand
    {
      "Certificates": [
        {
          "CertificateType": "Leaf (Code Signing)",
          "IsCA": false,
          "IsCertificateAuthority": true,
          "IsCodeSigning": true,
          "SerialNumber": "1fa194ec05480faf4587210ed5dadd0e",
          "Signature": "37263cc0f54f52c4e64f0c6352d5ace94b517ef3603ec03fe1d1f319d6e21e92f09dec78062be4bb8bd8bbd186b0244ac737c36a71c1369711ed41d33d3df12ea4e101cf87513257cce90d77b5b2c11124481b2c7af558bfe326909638bcd33dd2b5740db59e314b43e22ccb7bc6b12e66ab8a72a50d818e5beb1e897ae3b43e5f4437a4dccb05ab96ec5a3ea2315325c0399ce0854f14f2e2dbd0a64dc0abcd8b25be28d18eb93b96ee2f661ed467c51b5ae696e55ca46b123ae8c900bdee2124f210ad640a040eac4a6222ba1f880a2e8c214a81c4251ed1b3c33ca7d5f6ce77400f5f20a84fb39e0d27d9e57626fa3acc17e6f387852c461eeac29cd7e738",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "CN=WDKTestCert 1,130752733198717037",
          "TBS": {
            "MD5": "320eaa8b2d51fe81279df22ddf8ad432",
            "SHA1": "c4cd618c351fb3ebeb4a311be5309c63c3b9a4c1",
            "SHA256": "f6b8e27adc02bc59edb9eba387c5e063ff0c3260567c5ab714e397ad8d916551",
            "SHA384": "e30ec578d02909be1d8cd6a5b7b3d405ccd4422531d8dcd9e738ecdd8155cd4c1216e66ed5e4b96e09f61aed4021bf37"
          },
          "ValidFrom": "2015-05-05 04:22:00",
          "ValidTo": "2025-05-05 00:00:00",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "CN=WDKTestCert 1,130752733198717037",
          "SerialNumber": "1fa194ec05480faf4587210ed5dadd0e",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    

    source

    last_updated: 2026-07-10