d6dc9b52-9918-442d-b03a-f1f614aa4cce

ppa_x64.sys

Description

ppa_x64.sys is a kernel driver by Remko Weijnen that provides physical memory access via the PhysicalMemory section object. The device name PhyMem indicates this is part of the PhyMem driver family, of which several variants are already tracked in LOLDrivers (phymem64.sys, Phymemx64.sys, phymem_ext64.sys). The driver is available in the KeServiceDescriptorTable/vulnerable-drivers repository.

  • UUID: d6dc9b52-9918-442d-b03a-f1f614aa4cce
  • Created: 2026-04-17
  • Author: Michael Haag
  • Acknowledgement: @rainbowdynamix, @DbgPrint

Download

This download link contains the vulnerable driver!

Commands

sc.exe create ppa_x64 binPath=C:\windows\temp\ppa_x64.sys type=kernel && sc.exe start ppa_x64

  • Use Case: Elevate privileges
  • Privileges: kernel
  • Operating System: Windows 10

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources


  • https://github.com/magicsword-io/LOLDrivers/issues/315
  • https://github.com/KeServiceDescriptorTable/vulnerable-drivers

Known Vulnerable Samples

    • Filename: ppa_x64.sys
    • Creation Timestamp: 2009-12-29 02:36:19
    • MD5: 9851c3d7aee98aa0d712c50e9ca20eb9
    • SHA1: 513e8fc423ce2737843053852a0a672c43d2db9e
    • SHA256: 988960e31a258ea71cf93a7791ae8c91c8cefb6ad8a50cdbd1b07f73b524aa61
    • Authentihash MD5: a7c7afe04a23793de0fe3b0d99cc20bd
    • Authentihash SHA1: ce465a42be6f19ca8e99c23b78c42b6073c8b673
    • Authentihash SHA256: 5721c075bfec3ce946b8a96a58551a765be294212eaf27e5ffd6b738baef57d3
    • RichPEHeaderHash MD5: 1ca376dfca09b19f2421324c4fb8a536
    • RichPEHeaderHash SHA1: 27b8b4fa4e7b64527ab469cda082f8d62e8ddd3b
    • RichPEHeaderHash SHA256: e437729618db22b65d8932ba76cec6eb1f742c8462dd3f0df1c5b34c958a5555

    Certificates

    Certificate 0f4e02f997b62a18c0983bddeda309ab
    • ToBeSigned (TBS) MD5: a8524495a477651182b4bde5e7067ee3
    • ToBeSigned (TBS) SHA1: 421ef2e5d418e5a362fbf80a163bd98a6ff655a4
    • ToBeSigned (TBS) SHA256: 71d19c0f529996809f7cead25d8bf89b4433e5886dc824276c9bcc2cc1c3059c
    • Subject: C=NL, ST=Noord Brabant, L='s,Hertogenbosch, O=Remko Weijnen, CN=Remko Weijnen
    • ValidFrom: 2015-06-30 00:00:00
    • ValidTo: 2018-07-06 12:00:00
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.11
    • IsCertificateAuthority: False
    • SerialNumber: 0f4e02f997b62a18c0983bddeda309ab
    • Version: 3

    Certificate 61204db4000000000027
    • ToBeSigned (TBS) MD5: 8e3ffc222fbcebdbb8b23115ab259be7
    • ToBeSigned (TBS) SHA1: ee20bff28ffe13be731c294c90d6ded5aae0ec0e
    • ToBeSigned (TBS) SHA256: 59826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821
    • Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
    • ValidFrom: 2011-04-15 19:45:33
    • ValidTo: 2021-04-15 19:55:33
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.5
    • IsCertificateAuthority: True
    • SerialNumber: 61204db4000000000027
    • Version: 3

    Certificate 0b7e10903c38490ffa2f679a87a1a7b9
    • ToBeSigned (TBS) MD5: 7b0fbcf5c5aa55932726e9222f56efe2
    • ToBeSigned (TBS) SHA1: f09486b2b82a88a8b82aa2a12440496c8e53c452
    • ToBeSigned (TBS) SHA256: 0bf095b845b69928b5d7dfd1c42ae4f90feb8dc97f7830598c93e848877021fb
    • Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Code Signing CA
    • ValidFrom: 2013-10-22 12:00:00
    • ValidTo: 2028-10-22 12:00:00
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.11
    • IsCertificateAuthority: True
    • SerialNumber: 0b7e10903c38490ffa2f679a87a1a7b9
    • Version: 3

    Imports

    • ntoskrnl.exe

    Imported Functions

    • KeWaitForSingleObject
    • IofCallDriver
    • IoBuildSynchronousFsdRequest
    • KeInitializeEvent
    • IoDeleteDevice
    • IoCreateSymbolicLink
    • IoCreateDevice
    • RtlInitUnicodeString
    • ExAllocatePool
    • IofCompleteRequest
    • ExFreePoolWithTag
    • IoFreeMdl
    • MmUnmapLockedPages
    • MmUnmapIoSpace
    • MmMapLockedPages
    • MmBuildMdlForNonPagedPool
    • IoAllocateMdl
    • MmMapIoSpace
    • IoDeleteSymbolicLink
    • MmMapLockedPagesSpecifyCache
    • IoGetDeviceObjectPointer

    Exported Functions


    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • INIT

    last_updated: 2026-04-20