gmer64.sys
GMER anti-rootkit scanner driver
gmer64.sys is the kernel driver for GMER, a free rootkit detection and removal tool created by Polish researcher Przemyslaw Gmerek. The tool detects hidden processes, modules, services, files, and registry modifications by inspecting kernel structures directly. It has been a staple of the Windows security community since the mid-2000s.
The driver is Microsoft-signed. It is on the public LOLDrivers list because the same kernel-level inspection capabilities that make it useful for rootkit detection also make it useful as a BYOVD target. Binary Defense documented the "Blackout" technique, in which adversaries load gmer64.sys and use its thread-suspension IOCTL to disable endpoint protection from a medium-integrity context. The Iranian state-sponsored group Agrius has been documented using it for EDR evasion.
If you installed GMER to scan for rootkits, the driver is expected. If you find it and did not install GMER, investigate what placed it there.
gmer64.sys is listed as malicious on the public LOLDrivers project. One distinct binary hash matching this filename is on record.
Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.
Vera Project. “gmer64.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/gmer64-sys
