pmxdrv64.sys

Description

Intel PMxDrv / pmxdrv64.sys is listed as a KDU provider for Intel Management Engine Tools driver abuse. Public vulnerable-driver research also documents physical-memory access through this driver family.

  • UUID: 95fc9bf0-ec86-44b3-abad-a4c922aa7742
  • Created: 2026-06-16
  • Author: Michael Haag
  • Acknowledgement: KDU Project / SharpKernel | @hfiref0x / @hsheric0210

Commands

sc.exe create pmxdrv64 binPath=C:\windows\temp\pmxdrv64.sys type=kernel && sc.exe start pmxdrv64

  • Use Case: Access privileged kernel or physical-memory primitives through a vulnerable Intel Management Engine Tools driver.
  • Privileges: kernel
  • Operating System: Windows 10, Windows 11

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources


  • https://github.com/hfiref0x/KDU/blob/master/Help/providers.md
  • https://github.com/GetRektBoy724/vuln-drivers/tree/main/pmxdrv.sys

  • Known Vulnerable Samples

    Filename: pmxdrv64.sys
    Creation Timestamp: 2019-07-16 05:45:38
    MD5: 3807073232994eca5dafe266b9674743
    SHA1: 9e5fcaea33c9a181c56f7d0e4d9c42f8edead252
    SHA256: b1a8ee1222eea5f199028d90b9b77c2acf46d6d84a9e125403b2888c6f681c72
    Authentihash MD5: e98caa099ab8e87140954476824ab409
    Authentihash SHA1: 7919108cb1278503ec4a78dd25694c6770eaa989
    Authentihash SHA256: b80303d69de7ca0cb35c5cc7da1e479f088595493b3fb69a1fe9e895c0915d27
    RichPEHeaderHash MD5: 84ea813dde4e12b1deb378d7a0e2292b
    RichPEHeaderHash SHA1: d8bb01b670ebf11c7018f6e012b55c12c8d6a847
    RichPEHeaderHash SHA256: b94ca28e7c79a2026357b63c58ab32d92d27f5a8d08c2eea32b1088cbe523f8e
    Company: Intel Corporation
    Description: Intel(R) Management Engine Tools Driver
    Product: Intel(R) Management Engine Tools Driver
    OriginalFilename: pmxdrv.sys

    Certificates

    Certificate 3300000035d8d5595b0671412b000000000035
      ToBeSigned (TBS) MD5: 3d488d41aaeb5661974952080abef2fd
      ToBeSigned (TBS) SHA1: df01e35e6befc7d65625319f17397b861e618d56
      ToBeSigned (TBS) SHA256: 3d6ef38b5d26773dc77392e415e88b3a744b30ea9f2081e2a992b5818db2f0c4
      Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
      ValidFrom: 2013-08-15 20:26:30
      ValidTo: 2023-08-15 20:36:30
      SignatureAlgorithmOID: 1.2.840.113549.1.1.5
      IsCertificateAuthority: True
      SerialNumber: 3300000035d8d5595b0671412b000000000035
      Version: 3
    Certificate 2766ee56eb49f38eabd770a2fc84de22
      ToBeSigned (TBS) MD5: be5bfbe77379139ac5cdcbcc8d4d3b34
      ToBeSigned (TBS) SHA1: 606b701bc9f448ddbfe6fa63ccb8061b838ee254
      ToBeSigned (TBS) SHA256: 0d73a614eef7596cf5a34733f74daf2ccfe4df7b4a40069bf43c43e428264177
      Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
      ValidFrom: 2000-05-30 10:48:38
      ValidTo: 2020-05-30 10:48:38
      SignatureAlgorithmOID: 1.2.840.113549.1.1.12
      IsCertificateAuthority: True
      SerialNumber: 2766ee56eb49f38eabd770a2fc84de22
      Version: 3
    Certificate 560000082b1e36c56b00276a8a00000000082b
      ToBeSigned (TBS) MD5: 331ec619ef072338d07d58d4a9bf18a0
      ToBeSigned (TBS) SHA1: c323a8b30fee4163661f91a5da28e9cc5ef6367c
      ToBeSigned (TBS) SHA256: 3828bf03931bcd9852da938bc5bfc92e9e645c98990e78526c5aead23f21c02d
      Subject: C=US, ST=CA, L=Santa Clara, O=Intel Corporation, OU=EIG, CN=Intel(R) Embedded Subsystems and IP Blocks Group
      ValidFrom: 2018-10-24 06:57:56
      ValidTo: 2020-10-23 06:57:56
      SignatureAlgorithmOID: 1.2.840.113549.1.1.11
      IsCertificateAuthority: False
      SerialNumber: 560000082b1e36c56b00276a8a00000000082b
      Version: 3
    Certificate 069b5e99277284c8767f1368a7deb0f3
      ToBeSigned (TBS) MD5: 5578c7331db18bb448db403ad32c94ee
      ToBeSigned (TBS) SHA1: dfcfe5d6087cf830513d705aa701ff957d960298
      ToBeSigned (TBS) SHA256: 5b619f82064ace7ecf48d26ce8ae6fa3b52671915fa81ee81cddbe740dd8698b
      Subject: C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Issuing CA 7B
      ValidFrom: 2015-10-28 00:00:00
      ValidTo: 2021-06-17 23:59:59
      SignatureAlgorithmOID: 1.2.840.113549.1.1.12
      IsCertificateAuthority: True
      SerialNumber: 069b5e99277284c8767f1368a7deb0f3
      Version: 3

    Imports

    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • IoIs32bitProcess
    • __C_specific_handler
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • MmUnlockPages
    • IoFreeMdl
    • ObReferenceObjectByHandle
    • ZwClose
    • ZwOpenSection
    • ZwMapViewOfSection
    • ZwUnmapViewOfSection
    • strncpy
    • MmGetSystemRoutineAddress
    • IofCompleteRequest
    • DbgPrint
    • IoDeviceObjectType
    • IoCreateDevice
    • ObOpenObjectByPointer
    • RtlGetDaclSecurityDescriptor
    • RtlGetGroupSecurityDescriptor
    • RtlGetOwnerSecurityDescriptor
    • RtlGetSaclSecurityDescriptor
    • SeCaptureSecurityDescriptor
    • _snwprintf
    • RtlLengthSecurityDescriptor
    • SeExports
    • RtlCreateSecurityDescriptor
    • _wcsnicmp
    • wcschr
    • RtlAbsoluteToSelfRelativeSD
    • RtlAddAccessAllowedAce
    • RtlLengthSid
    • IoIsWdmVersionAvailable
    • RtlSetDaclSecurityDescriptor
    • ZwOpenKey
    • ZwSetValueKey
    • ZwQueryValueKey
    • ZwCreateKey
    • RtlFreeUnicodeString
    • KeBugCheckEx
    • ZwSetSecurityObject
    • RtlInitUnicodeString
    • HalGetBusDataByOffset
    • HalSetBusDataByOffset

    Exported Functions

    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • text
    • PAGE
    • INIT
    • .rsrc
    • .reloc

    Signature

    {
      "Certificates": [
        {
          "CertificateType": "CA",
          "IsCA": true,
          "IsCertificateAuthority": true,
          "IsCodeSigning": true,
          "SerialNumber": "3300000035d8d5595b0671412b000000000035",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root",
          "TBS": {
            "MD5": "3d488d41aaeb5661974952080abef2fd",
            "SHA1": "df01e35e6befc7d65625319f17397b861e618d56",
            "SHA256": "3d6ef38b5d26773dc77392e415e88b3a744b30ea9f2081e2a992b5818db2f0c4",
            "SHA384": "ac7c06916fe4a00307834b2499f12799d3fe463c2e63d1881df669a2786745beeee2b3a7d87cd6bc9e4fe293c22e5a59"
          },
          "ValidFrom": "2013-08-15 20:26:30",
          "ValidTo": "2023-08-15 20:36:30",
          "Version": 3
        },
        {
          "CertificateType": "CA",
          "IsCA": true,
          "IsCertificateAuthority": true,
          "IsCodeSigning": false,
          "SerialNumber": "2766ee56eb49f38eabd770a2fc84de22",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.12",
          "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority",
          "TBS": {
            "MD5": "be5bfbe77379139ac5cdcbcc8d4d3b34",
            "SHA1": "606b701bc9f448ddbfe6fa63ccb8061b838ee254",
            "SHA256": "0d73a614eef7596cf5a34733f74daf2ccfe4df7b4a40069bf43c43e428264177",
            "SHA384": "7ce102d63c57cb48f80a65d1a5e9b350a7a618482aa5a36775323ca933ddfcb00def83796a6340dec5ebf7596cfd8e5d"
          },
          "ValidFrom": "2000-05-30 10:48:38",
          "ValidTo": "2020-05-30 10:48:38",
          "Version": 3
        },
        {
          "CertificateType": "Leaf (Code Signing)",
          "IsCA": false,
          "IsCertificateAuthority": false,
          "IsCodeSigning": true,
          "SerialNumber": "560000082b1e36c56b00276a8a00000000082b",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, OU=EIG, CN=Intel(R) Embedded Subsystems and IP Blocks Group",
          "TBS": {
            "MD5": "331ec619ef072338d07d58d4a9bf18a0",
            "SHA1": "c323a8b30fee4163661f91a5da28e9cc5ef6367c",
            "SHA256": "3828bf03931bcd9852da938bc5bfc92e9e645c98990e78526c5aead23f21c02d",
            "SHA384": "83393ccb67300fa6cd7c29f10dcc560f0ce0d8f21c57d803cb6ef6e75fb40247444d06f5c883559960793277ac2a9378"
          },
          "ValidFrom": "2018-10-24 06:57:56",
          "ValidTo": "2020-10-23 06:57:56",
          "Version": 3
        },
        {
          "CertificateType": "CA",
          "IsCA": true,
          "IsCertificateAuthority": true,
          "IsCodeSigning": true,
          "SerialNumber": "069b5e99277284c8767f1368a7deb0f3",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.12",
          "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Issuing CA 7B",
          "TBS": {
            "MD5": "5578c7331db18bb448db403ad32c94ee",
            "SHA1": "dfcfe5d6087cf830513d705aa701ff957d960298",
            "SHA256": "5b619f82064ace7ecf48d26ce8ae6fa3b52671915fa81ee81cddbe740dd8698b",
            "SHA384": "5fa042c979faba67de861093b4aca808ae4be0fcedf123cb8afe126856c0b6ac3451393048211db8993914c5ff410bd8"
          },
          "ValidFrom": "2015-10-28 00:00:00",
          "ValidTo": "2021-06-17 23:59:59",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Issuing CA 7B",
          "SerialNumber": "560000082b1e36c56b00276a8a00000000082b",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    

    last_updated: 2026-06-16