CorMem.sys

Description

Teledyne Digital Imaging's CorMem.sys (Sapera Memory Manager, shipped with Sapera LT) exposes physical memory read/write, contiguous memory allocation, and I/O port access to user-mode processes through the wrapper functions in CorMem.dll. The CorMem.dll wrapper exposes 36 exported functions, including CorMemGetPhysMemory, CorMemMapPhysMemory, CorMemAllocPhysMemory, CorMemReadIo, and CorMemWriteIo. The driver is actively abused for BYOVD and had 0/71 detections on VirusTotal at the time of writing. Execution parents include Cobalt Strike/IcedID malware and game-cheat kernel loaders.

  • UUID: a7c3e2d1-8f4b-4e6a-b5d9-3c1f0e7a9b82
  • Created: 2026-04-06
  • Author: Michael Haag
  • Acknowledgement: skept1kal | @skept1kal

Download

This download link contains the vulnerable driver!


Commands

sc.exe create CorMem.sys binPath= C:\windows\temp\CorMem.sys type= kernel && sc.exe start CorMem.sys

The space after binPath= and type= is required by sc.exe, and both commands must run from an elevated (administrator) shell, since creating and starting a kernel service needs SeLoadDriverPrivilege.

Use Case: Elevate privileges
Privileges: kernel
Operating System: Windows 10

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes
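The Sigma "Names" and "Hashes" rules and the YARA "Renamed" rule above describe three matching strategies for the same driver-load event. The following is an added example, not code from LOLDrivers or from the rules themselves, that applies all three to Sysmon Event ID 6 (Driver loaded) records using the hashes listed in this page's Known Vulnerable Samples table. The flattened "Key=Value|Key=Value" log format and the sample records are constructed for the example; real collectors emit XML or JSON, but the field names (EventID, ImageLoaded, Hashes, Signature) are Sysmon's own. The unrelated-driver hash in the sample log is a placeholder.

```python
import re
from typing import Dict, List, Tuple

# Indicators copied from the "Known Vulnerable Samples" table on this page.
KNOWN_NAMES = {"cormem.sys"}
KNOWN_HASHES = {
    "MD5": {"78fb9882e498d964f42169ce511f07fc"},
    "SHA1": {"bceae6dc87c9c6c33555a4a9008be14c66fd1e20"},
    "SHA256": {"40c855d20d497823716a08a443dc85846233226985ee653770bc3b245cf2ed0f"},
}

# Sysmon writes the Hashes field as "SHA1=...,MD5=...,SHA256=...,IMPHASH=...".
_HASH_PAIR = re.compile(r"(MD5|SHA1|SHA256|IMPHASH)=([0-9a-fA-F]+)")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened Sysmon record into a field dict.

    The "Key=Value" pairs joined by '|' are an assumed layout for this example.
    partition() splits on the first '=' only, so the Hashes value keeps its
    own inner "ALGO=digest" pairs intact.
    """
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def extract_hashes(hashes_field: str) -> Dict[str, str]:
    """Turn 'SHA1=..,MD5=..' into {'SHA1': '..', 'MD5': '..'} with lowercase digests."""
    return {algo: digest.lower() for algo, digest in _HASH_PAIR.findall(hashes_field)}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the rules an EID 6 record trips: 'name', 'hash' and/or 'renamed'.

    'renamed' fires when the file content is the known driver (hash match)
    but the on-disk name differs, which is exactly the case a name-only rule
    misses and a hash-only rule still catches.
    """
    if event.get("EventID") != "6":
        return []
    image = event.get("ImageLoaded", "")
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    name_hit = basename in KNOWN_NAMES
    digests = extract_hashes(event.get("Hashes", ""))
    hash_hit = any(digests.get(algo) in known for algo, known in KNOWN_HASHES.items())
    rules: List[str] = []
    if name_hit:
        rules.append("name")
    if hash_hit:
        rules.append("hash")
    if hash_hit and not name_hit:
        rules.append("renamed")
    return rules


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run classify() over a log and return (image path, rules) for every hit."""
    hits: List[Tuple[str, List[str]]] = []
    for line in lines:
        event = parse_event(line)
        rules = classify(event)
        if rules:
            hits.append((event.get("ImageLoaded", ""), rules))
    return hits


# Constructed sample log (not real telemetry).
SAMPLE_LOG = [
    # Original name and this page's hashes: both name and hash rules fire.
    r"EventID=6|ImageLoaded=C:\Windows\Temp\CorMem.sys|Hashes=SHA1=BCEAE6DC87C9C6C33555A4A9008BE14C66FD1E20,MD5=78FB9882E498D964F42169CE511F07FC,SHA256=40C855D20D497823716A08A443DC85846233226985EE653770BC3B245CF2ED0F|Signature=Teledyne Digital Imaging Inc.",
    # Same binary dropped under another name: name rule misses, hash rule catches it.
    r"EventID=6|ImageLoaded=C:\Users\Public\drv.sys|Hashes=SHA256=40c855d20d497823716a08a443dc85846233226985ee653770bc3b245cf2ed0f|Signature=Teledyne Digital Imaging Inc.",
    # Unrelated driver with a placeholder hash: no hit.
    r"EventID=6|ImageLoaded=C:\Windows\System32\drivers\volmgr.sys|Hashes=SHA256=" + "deadbeef" * 8 + "|Signature=Microsoft Windows",
    # Not a driver-load event: ignored even though the command line names the driver.
    r"EventID=1|Image=C:\Windows\System32\sc.exe|CommandLine=sc.exe create CorMem.sys",
]

if __name__ == "__main__":
    for image, rules in scan(SAMPLE_LOG):
        print(f"{image}: {', '.join(rules)}")
```

A name-only rule is the cheapest to deploy but is defeated by a rename; a hash-only rule survives the rename but needs updating for every new sample, which is why the page publishes Authentihash values alongside the file hashes.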

Resources


  • https://github.com/KeServiceDescriptorTable/cormem.sys-vulnerable-driver
  • https://www.virustotal.com/gui/file/40c855d20d497823716a08a443dc85846233226985ee653770bc3b245cf2ed0f
  • https://x.com/skept1kal/status/2040200734570877354

  • Known Vulnerable Samples

    Filename: CorMem.sys
    Creation Timestamp:
    MD5: 78fb9882e498d964f42169ce511f07fc
    SHA1: bceae6dc87c9c6c33555a4a9008be14c66fd1e20
    SHA256: 40c855d20d497823716a08a443dc85846233226985ee653770bc3b245cf2ed0f
    Authentihash MD5: 559ede4607c9953fc5804a575c9a661b
    Authentihash SHA1: 505b7c56888009ab3b9531caeee6fa9a9b88916a
    Authentihash SHA256: 475df18e82d6e8ee09cbc9896f23f75b71aba43b7592d4962737cdc9230eb52d
    RichPEHeaderHash MD5:
    RichPEHeaderHash SHA1:
    RichPEHeaderHash SHA256:
    Company: Teledyne Digital Imaging Inc.
    Description: Sapera Memory Manager
    Product: Sapera LT
    OriginalFilename: CorMem.sys


    Certificates

    Certificate 08ad40b260d29c4c9f5ecda9bd93aed9
      ToBeSigned (TBS) MD5: 5d8003a64dfa5a4d88365da1566038cb
      ToBeSigned (TBS) SHA1: 79465b56bc7ad55a37bdf633943da8bfc84db228
      ToBeSigned (TBS) SHA256: 84bdc82e2f2a7f7aaa782667dac556ffcb2b33240c1f9c0a00a3264526a98332
      Subject: C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
      ValidFrom: 2021-04-29 00:00:00
      ValidTo: 2036-04-28 23:59:59
      Signature:
      SignatureAlgorithmOID: 1.2.840.113549.1.1.12
      IsCertificateAuthority: True
      SerialNumber: 08ad40b260d29c4c9f5ecda9bd93aed9
      Version: 3

    Certificate 0297014378a2ab05fe62be6d3e7c603c
      ToBeSigned (TBS) MD5: bf2a8e47bb6af5750895d048d721c56a
      ToBeSigned (TBS) SHA1: e01a1d7b642c57506cfa33d18de17f7effa4c223
      ToBeSigned (TBS) SHA256: 8b8e750fe315e9d2a90b47edd334ef8ac9061e755098d4910e112b688b1be065
      Subject: C=CA, ST=Quebec, L=Saint,Laurent, O=Teledyne Digital Imaging Inc., CN=Teledyne Digital Imaging Inc.
      ValidFrom: 2023-02-02 00:00:00
      ValidTo: 2026-03-06 23:59:59
      Signature:
      SignatureAlgorithmOID: 1.2.840.113549.1.1.12
      IsCertificateAuthority: False
      SerialNumber: 0297014378a2ab05fe62be6d3e7c603c
      Version: 3

    Imports

    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    • RtlQueryRegistryValues
    • MmGetSystemRoutineAddress
    • RtlWriteRegistryValue
    • RtlCopyUnicodeString
    • RtlAppendUnicodeStringToString
    • RtlGetVersion
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • ObReferenceObjectByHandle
    • ZwClose
    • ZwOpenSection
    • ZwMapViewOfSection
    • KeInitializeEvent
    • IoBuildDeviceIoControlRequest
    • IofCallDriver
    • IoGetDeviceObjectPointer
    • ObReferenceObjectByPointer
    • ObfDereferenceObject
    • _vsnprintf
    • PsGetProcessId
    • KeInitializeMutex
    • RtlInitUnicodeString
    • KeWaitForSingleObject
    • MmProbeAndLockPages
    • MmUnlockPages
    • MmMapLockedPagesSpecifyCache
    • MmUnmapLockedPages
    • MmAllocatePagesForMdl
    • MmFreePagesFromMdl
    • MmAllocateContiguousMemory
    • MmFreeContiguousMemory
    • IoAllocateMdl
    • IofCompleteRequest
    • IoCreateDevice
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • IoFreeMdl
    • IoGetCurrentProcess
    • IoIs32bitProcess
    • ZwUnmapViewOfSection
    • MmGetPhysicalAddress
    • MmIsAddressValid
    • __C_specific_handler
    • KeReleaseMutex
    • HalTranslateBusAddress

    Exported Functions


    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • NONPAGE
    • .gfids
    • INIT
    • .rsrc
    • .reloc

    Signature

    {
      "Certificates": [
        {
          "CertificateType": "CA",
          "IsCA": true,
          "IsCertificateAuthority": true,
          "IsCodeSigning": false,
          "SerialNumber": "08ad40b260d29c4c9f5ecda9bd93aed9",
          "Signature": "",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.12",
          "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
          "TBS": {
            "MD5": "5d8003a64dfa5a4d88365da1566038cb",
            "SHA1": "79465b56bc7ad55a37bdf633943da8bfc84db228",
            "SHA256": "84bdc82e2f2a7f7aaa782667dac556ffcb2b33240c1f9c0a00a3264526a98332",
            "SHA384": "65b1d4076a89ae273f57e6eeedecb3eae129b4168f76fa7671914cdf461d542255c59d9b85b916ae0ca6fc0fcf7a8e64"
          },
          "ValidFrom": "2021-04-29 00:00:00",
          "ValidTo": "2036-04-28 23:59:59",
          "Version": 3
        },
        {
          "CertificateType": "Leaf (Code Signing)",
          "IsCA": false,
          "IsCertificateAuthority": false,
          "IsCodeSigning": true,
          "SerialNumber": "0297014378a2ab05fe62be6d3e7c603c",
          "Signature": "",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.12",
          "Subject": "C=CA, ST=Quebec, L=Saint,Laurent, O=Teledyne Digital Imaging Inc., CN=Teledyne Digital Imaging Inc.",
          "TBS": {
            "MD5": "bf2a8e47bb6af5750895d048d721c56a",
            "SHA1": "e01a1d7b642c57506cfa33d18de17f7effa4c223",
            "SHA256": "8b8e750fe315e9d2a90b47edd334ef8ac9061e755098d4910e112b688b1be065",
            "SHA384": "7b3e6d39e0b6fdcd90d176a7fc107a8b2da2ca2f4f4bf7bfc1498a7e1bbe027ba49cd9e2542d39b8f7a7f36ecb985bf7"
          },
          "ValidFrom": "2023-02-02 00:00:00",
          "ValidTo": "2026-03-06 23:59:59",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
          "SerialNumber": "0297014378a2ab05fe62be6d3e7c603c",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    


    last_updated: 2026-04-06