← All drivers
malicious
Driver

gmer64.sys

GMER anti-rootkit scanner driver

From Przemyslaw Gmerek
Status
On a known malicious list
Known variants
1 distinct hashes
Field notes

gmer64.sys is the kernel driver for GMER, a free rootkit detection and removal tool created by Polish researcher Przemyslaw Gmerek. The tool detects hidden processes, modules, services, files, and registry modifications by inspecting kernel structures directly. It has been a staple of the Windows security community since the mid-2000s.

The driver is Microsoft-signed. It is on the public LOLDrivers list because the same kernel-level inspection capabilities that make it useful for rootkit detection also make it useful as a BYOVD target. Binary Defense documented the "Blackout" technique, in which adversaries load gmer64.sys and use its thread-suspension IOCTL to disable endpoint protection from a medium-integrity context. The Iranian state-sponsored group Agrius has been documented using it for EDR evasion.

If you installed GMER to scan for rootkits, the driver is expected. If you find it and did not install GMER, investigate what placed it there.

What the record shows

gmer64.sys is listed as malicious on the public LOLDrivers project. One distinct binary hash matching this filename is on record.

What this means, plainly
Presence is not proof of misuse. This filename matches a public malicious list. Vera notes it as evidence on a record; the meaning still belongs to the people with the context.
Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “gmer64.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/gmer64-sys