Qilin’s EDR Killer Unleashed: How rwdrvsys and hlpdrvsys Bypass Your Defenses – And How LOLDrivers Fights Back + Video

Introduction:

Bring Your Own Vulnerable Driver (BYOVD) attacks have become a preferred weapon for ransomware gangs like Qilin, allowing them to load malicious, signed-but-flawed kernel drivers to terminate endpoint detection and response (EDR) agents. The recent discovery of Qilin’s EDR killer leveraging `rwdrv.sys` and `hlpdrv.sys` highlights the urgent need for organizations to inventory and monitor drivers—a task that the open-source LOLDrivers project has already addressed for months.

Learning Objectives:

  • Understand how BYOVD techniques, specifically using `rwdrv.sys` and `hlpdrv.sys`, disable EDR protections.
  • Learn to deploy and use the LOLDrivers project to detect vulnerable drivers across your environment.
  • Implement mitigation strategies, including driver inventory, Windows hardening, and real-time monitoring against EDR-killing malware.

You Should Know:

1. Understanding BYOVD and the Qilin EDR Killer

The Qilin ransomware group recently deployed an EDR killer that abuses two vulnerable kernel drivers: `rwdrv.sys` and `hlpdrv.sys`. These drivers, originally from legitimate hardware vendors, contain flaws that allow any user-mode process to read/write kernel memory or terminate protected processes. The infection chain (detailed in Talos Intelligence’s blog) typically involves dropping the driver file, loading it as a kernel service via the Service Control Manager (for example with `sc.exe`), then sending specific IOCTLs to the driver to kill EDR processes.

Step‑by‑step guide to detect driver loading on Windows:

1. List all loaded drivers:

`driverquery /v /fo csv > drivers.csv`

2. Check for the presence of `rwdrv.sys` or `hlpdrv.sys` (`findstr` treats the space-separated words as alternatives):

`driverquery | findstr /i "rwdrv hlpdrv"`

3. Monitor driver load events using PowerShell (requires Sysinternals Sysmon, which records every driver load as Event ID 6):

`Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=6} | Where-Object {$_.Message -match "rwdrv|hlpdrv"}`

On Linux, BYOVD is less common, but kernel module abuse exists. List modules with (replace the placeholder with the module name you are looking for):

`lsmod | grep -i "malicious_module"`

2. LOLDrivers Project: Your Defense Arsenal

LOLDrivers (https://loldrivers.io) is a community-curated database of known vulnerable Windows drivers. It has tracked `rwdrv.sys` since May 29, 2025, and `hlpdrv.sys` since October 27, 2025. Using this project, defenders can correlate their driver inventory against a continuously updated threat feed.

Step‑by‑step guide to using LOLDrivers:

1. Access the LOLDrivers website or use its API (https://api.loldrivers.io).
2. Download the latest driver list in JSON or CSV:

`Invoke-WebRequest -Uri "https://loldrivers.io/api/drivers" -OutFile loldrivers.json`

3. Extract all driver names and hashes. Each feed entry carries its known-bad files in a `KnownVulnerableSamples` array with `Filename`, `MD5`, `SHA1` and `SHA256` fields:

`Get-Content -Raw loldrivers.json | ConvertFrom-Json | ForEach-Object { $_.KnownVulnerableSamples } | Format-Table Filename, MD5, SHA1, SHA256`

4. Compare against your running drivers (from step 1.1). `drivers.csv` from `driverquery` holds names and paths, not hashes, so hash each driver file and look the hash up in the feed:

`$lolHashes = (Get-Content -Raw loldrivers.json | ConvertFrom-Json).KnownVulnerableSamples.SHA256`

`Import-Csv drivers.csv | Where-Object Path | ForEach-Object { Get-FileHash $_.Path -Algorithm SHA256 -ErrorAction SilentlyContinue } | Where-Object { $_.Hash -in $lolHashes }`

For automation, schedule a PowerShell script that cross-references your driver inventory with the LOLDrivers API daily.
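The daily cross-reference the article recommends, written out as an added PowerShell script (it is not code from the article or from the LOLDrivers project). It downloads the feed, builds hash and filename lookup sets, then checks two things: every driver service registered on the host (the inventory from section 1 and step 4 above), and the last 24 hours of Sysmon Event ID 6 driver loads (section 1, step 3), flagging feed matches and any load whose signature Sysmon did not report as valid. It assumes the feed URL `https://www.loldrivers.io/api/drivers.json` and the feed layout of one entry per driver with `Tags` and `KnownVulnerableSamples` (each sample carrying `MD5`, `SHA1`, `SHA256`, `Filename`); the function names are my own.

```powershell
# Added example, not from the article or the LOLDrivers project. Assumed: the feed URL and
# its JSON layout (array of entries; "Tags" = filenames, "KnownVulnerableSamples" = objects
# with MD5/SHA1/SHA256/Filename). Run elevated; Sysmon is needed for the event correlation.
$FeedUrl = 'https://www.loldrivers.io/api/drivers.json'
$Feed    = Invoke-RestMethod -Uri $FeedUrl

# Case-insensitive lookup sets: hashes of any algorithm, and known-bad filenames.
$BadHashes = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
$BadNames  = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($entry in $Feed) {
    foreach ($tag in @($entry.Tags)) { if ($tag) { [void]$BadNames.Add($tag) } }
    foreach ($sample in @($entry.KnownVulnerableSamples)) {
        foreach ($h in @($sample.MD5, $sample.SHA1, $sample.SHA256)) { if ($h) { [void]$BadHashes.Add($h) } }
        if ($sample.Filename) { [void]$BadNames.Add([IO.Path]::GetFileName($sample.Filename)) }
    }
}

# Driver service paths come in several shapes; normalise them to a real file path.
function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                          # \??\C:\dir\x.sys        -> C:\dir\x.sys
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # \SystemRoot\System32\.. -> C:\Windows\System32\..
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # relative: system32\drivers\x.sys
    return $p
}

# (a) Every driver service on the host, running or not, hashed and matched against the feed.
function Get-SuspectDrivers {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $file = Resolve-DriverPath $_.PathName
        if (-not $file -or -not (Test-Path -LiteralPath $file)) { return }
        $sha256 = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        $name   = [IO.Path]::GetFileName($file)
        $why = @()
        if ($BadHashes.Contains($sha256)) { $why += 'SHA256 listed in LOLDrivers' }
        if ($BadNames.Contains($name))    { $why += 'filename listed in LOLDrivers (weaker signal, confirm the hash)' }
        if ($why) {
            [pscustomobject]@{ Service = $_.Name; State = $_.State; Path = $file; SHA256 = $sha256; Reason = ($why -join '; ') }
        }
    }
}

# (b) Sysmon Event ID 6 (driver loaded) for the last N hours.
function Get-SuspectDriverLoads {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # "Hashes" looks like "SHA256=...,MD5=..." depending on Sysmon's HashAlgorithms setting.
        $hashes = @($data['Hashes'] -split ',' | ForEach-Object { ($_ -split '=', 2)[-1] })
        $name   = [IO.Path]::GetFileName($data['ImageLoaded'])
        $known  = [bool]($hashes | Where-Object { $BadHashes.Contains($_) }) -or $BadNames.Contains($name)
        if ($known -or $data['SignatureStatus'] -ne 'Valid') {
            [pscustomobject]@{ Time = $_.TimeCreated; Image = $data['ImageLoaded']; Signature = $data['Signature']
                               SignatureStatus = $data['SignatureStatus']; KnownBad = $known }
        }
    }
}

Get-SuspectDrivers     | Format-Table -AutoSize
Get-SuspectDriverLoads | Format-Table -AutoSize
```

A filename match alone is only a hint, since a vendor may have shipped a fixed build under the same name; the hash match is the authoritative signal, which is why both reasons are reported separately. Scheduling this as a daily task and forwarding any non-empty output to your SIEM gives the continuous correlation the article describes.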

3. Building a Driver Inventory on Windows and Linux

You cannot protect what you do not know. A complete driver inventory includes all third-party kernel drivers, their versions, publishers, and cryptographic signatures.

Windows inventory (detailed):

  • Using PowerShell with WMI:
    `Get-WmiObject -Class Win32_SystemDriver | Where-Object {$_.State -eq 'Running'} | Select-Object Name, PathName, Started, State, ServiceType | Export-Csv -Path driver_inventory.csv`
  • Using Sigcheck from Sysinternals to verify signatures (`-c` writes CSV, `-s` recurses into subdirectories):
    `sigcheck64.exe -c -nobanner -s C:\Windows\System32\drivers\*.sys > signed_drivers.csv`
  • Enable driver blocklist via Group Policy:
    `Computer Configuration → Administrative Templates → System → Device Installation → Prevent installation of devices not described by other policy settings`

Linux inventory:

  • List all loaded kernel modules with details:
    `lsmod | awk '{print $1}' | tail -n +2 | xargs modinfo | grep -E "filename|description|signer"`
  • Check for unsigned modules (if UEFI Secure Boot is enabled):
    `mokutil --list-enrolled`
    `dmesg | grep "module verification failed"`

4. Hardening Endpoint Defenses Against BYOVD Attacks

Proactive hardening blocks vulnerable drivers before they load. Focus on Windows security features.

Step‑by‑step hardening guide:

1. Enable Hypervisor-protected Code Integrity (HVCI):

`Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name "Enabled" -Value 1`

Reboot required.

2. Deploy Windows Defender Application Control (WDAC):

  • Generate a base policy allowing only Microsoft and known-good drivers:

`New-CIPolicy -Level Publisher -FilePath C:\WDAC\BasePolicy.xml -UserPEs`

    The generated policy starts in audit mode (rule option 3, "Enabled:Audit Mode"). Review the `Microsoft-Windows-CodeIntegrity/Operational` log (events 3076 in audit, 3077 when enforced) for what would have been blocked before removing that option and enforcing.

  • Convert to binary and deploy. A single-policy binary is installed as `SIPolicy.p7b` in the CodeIntegrity directory, not on the EFI partition:

`ConvertFrom-CIPolicy -XmlFilePath C:\WDAC\BasePolicy.xml -BinaryFilePath C:\WDAC\BasePolicy.bin`

`Copy-Item C:\WDAC\BasePolicy.bin C:\Windows\System32\CodeIntegrity\SIPolicy.p7b`

3. Block specific vulnerable drivers via Group Policy:

  • Open `gpedit.msc` → Computer Configuration → Administrative Templates → System → Device Installation → Device Installation Restrictions
  • Add driver class GUIDs or hardware IDs from LOLDrivers.
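The hardening steps above require a reboot, and nothing in them confirms that the change took effect. The following added PowerShell check (mine, not from the article) reads the `Win32_DeviceGuard` class, which reports the VBS state, whether HVCI is among the running security services (value 2), and whether the kernel-mode and user-mode WDAC policies are off, in audit, or enforced (0/1/2). It also reads the `VulnerableDriverBlocklistEnable` registry switch that recent Windows 11 builds expose for Microsoft's own vulnerable-driver blocklist; the function name and the warning text are my own.

```powershell
# Added example, not from the article: confirm HVCI and WDAC state after the reboot.
# Win32_DeviceGuard values: VirtualizationBasedSecurityStatus 0/1/2 = disabled / enabled but
# not running / running; SecurityServicesRunning contains 2 when HVCI is active;
# *PolicyEnforcementStatus 0/1/2 = off / audit / enforced.
function Get-DriverHardeningState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $enforce = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $vbs     = @{ 0 = 'Disabled'; 1 = 'EnabledNotRunning'; 2 = 'Running' }

    # Microsoft's built-in vulnerable-driver blocklist switch (present on Windows 11 22H2 and later).
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $blocklist = 'NotExposed'
    if ($null -ne $ci -and $null -ne $ci.VulnerableDriverBlocklistEnable) {
        $blocklist = if ($ci.VulnerableDriverBlocklistEnable -eq 1) { 'Enabled' } else { 'Disabled' }
    }

    [pscustomobject]@{
        VbsStatus                 = $vbs[[int]$dg.VirtualizationBasedSecurityStatus]
        HvciConfigured            = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning               = [bool]($dg.SecurityServicesRunning -contains 2)
        KernelModeCiPolicy        = $enforce[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCiPolicy          = $enforce[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        VulnerableDriverBlocklist = $blocklist
    }
}

$state = Get-DriverHardeningState
$state | Format-List
if (-not $state.HvciRunning) {
    Write-Warning 'HVCI is not running: kernel code integrity is not hypervisor-enforced on this host.'
}
if ($state.KernelModeCiPolicy -ne 'Enforced') {
    Write-Warning "WDAC kernel-mode policy is '$($state.KernelModeCiPolicy)': driver block rules are not yet enforced."
}
```

`HvciConfigured` true with `HvciRunning` false is the usual post-`Set-ItemProperty`, pre-reboot state; if it persists after a reboot, the hardware prerequisites (virtualization extensions, IOMMU) or an incompatible driver are the first things to check.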

For Linux servers (cloud hardening):

  • Restrict kernel module loading:

`echo "install MODULE_NAME /bin/false" >> /etc/modprobe.d/blacklist.conf`

  • Use eBPF-based security tools like Falco to detect unauthorized module loads.

5. Incident Response and Mitigation for EDR Killer Malware

If you suspect Qilin or a similar BYOVD attack, immediate containment and forensics are critical.

Step‑by‑step IR guide:

1. Isolate the endpoint from the network (disable NIC or block switch port).
2. Collect driver evidence without relying on potentially terminated EDR:

  • Run from a trusted USB drive:

`robocopy C:\Windows\System32\drivers C:\DFIR_Export\drivers /COPYALL /E`

  • Capture a memory dump with `DumpIt.exe` or `WinPmem`.

3. Identify the malicious driver by comparing hashes against LOLDrivers:

`Get-FileHash C:\Windows\System32\drivers\rwdrv.sys -Algorithm MD5`

Check the hash on the LOLDrivers API.

4. Block the driver permanently:

  • Add to local security policy (SecPol.msc) under "Software Restriction Policies" or use a WDAC block rule.
  • Push a file-hash indicator via Microsoft Defender for Endpoint (the Indicators page in the portal, or the Indicators API) with a block-and-quarantine action. The Defender PowerShell module has no cmdlet that creates indicators, so this step is done in the portal or through the API.

5. Hunt for persistence (scheduled tasks, services, WMI event subscriptions):

`schtasks /query /fo csv /v > tasks.csv`

`Get-WmiObject -Namespace root\subscription -Class __EventFilter`
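Step 5 lists the places to look but only shows the raw `__EventFilter` query; the following added PowerShell script (mine, not from the article) turns the hunt into a read-only report. It lists every kernel or file-system driver service (registry `Type` 1 or 2) whose image sits outside `System32\drivers` or whose file does not carry a valid signature, and resolves each WMI permanent event subscription into its filter query and consumer action so a binding created by a dropper stands out. Function names are my own; the service-path normalisation assumes the usual `\??\`, `\SystemRoot\` and relative `system32\...` forms.

```powershell
# Added example, not from the article. Read-only hunt for what a BYOVD EDR killer leaves behind:
# (a) driver services (Type 1 = kernel driver, 2 = file-system driver) with an image outside
#     System32\drivers or without a valid signature;
# (b) WMI permanent event subscriptions, resolved to filter query + consumer action.
# Run elevated.

function Resolve-ImagePath {
    param([string]$ImagePath)
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                          # \??\C:\dir\x.sys
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # \SystemRoot\System32\drivers\x.sys
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # system32\drivers\x.sys
    return $p
}

function Get-SuspiciousDriverServices {
    $driversDir = Join-Path $env:SystemRoot 'System32\drivers'
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if (($svc.Type -ne 1 -and $svc.Type -ne 2) -or -not $svc.ImagePath) { return }
        $img     = Resolve-ImagePath $svc.ImagePath
        $outside = -not $img.StartsWith($driversDir, [StringComparison]::OrdinalIgnoreCase)
        # Inbox drivers are catalog-signed and report Valid; anything else deserves review, not an automatic verdict.
        $sig = if (Test-Path -LiteralPath $img) { (Get-AuthenticodeSignature -FilePath $img).Status.ToString() }
               else { 'FileMissing' }
        if ($outside -or $sig -ne 'Valid') {
            [pscustomobject]@{ Service = $_.PSChildName; StartType = $svc.Start; ImagePath = $img
                               OutsideDriversDir = $outside; Signature = $sig }
        }
    }
}

# Binding references arrive as CIM instances (Name property) or, from older tooling, as strings
# such as __EventFilter.Name="x"; handle both.
function Get-RefName([object]$ref) {
    if ($ref -is [string]) { if ($ref -match 'Name="([^"]+)"') { return $Matches[1] } else { return $ref } }
    return $ref.Name
}

function Get-WmiPersistence {
    $ns = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter   -ErrorAction SilentlyContinue)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue)
    foreach ($b in @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
        [pscustomobject]@{
            Filter   = $fName
            Query    = $f.Query
            Consumer = $cName
            Type     = $c.CimClass.CimClassName
            # CommandLineEventConsumer exposes CommandLineTemplate/ExecutablePath, ActiveScriptEventConsumer ScriptText.
            Action   = (@($c.ExecutablePath, $c.CommandLineTemplate, $c.ScriptText) | Where-Object { $_ }) -join ' '
        }
    }
}

Get-SuspiciousDriverServices | Format-Table -AutoSize
Get-WmiPersistence           | Format-List
```

A driver service whose `ImagePath` points into a user-writable directory such as a temp or profile folder is the pattern to prioritise, since a legitimately installed vendor driver lives under `System32\drivers`. Compare the SHA256 of any flagged file against LOLDrivers as in step 3 before deciding whether it is the dropped driver.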

6. API Security and Cloud Hardening Context (Extending to Workloads)

While BYOVD primarily targets Windows endpoints, cloud workloads (Azure VMs, AWS EC2) running Windows are equally vulnerable. Attackers can pivot from a compromised container or serverless function to load vulnerable drivers if they gain admin privileges.

Cloud-specific mitigations:

  • Azure: Enable Defender for Cloud’s “Vulnerability assessment for VMs” and deploy the Guest Configuration extension to enforce driver inventory:
    `az vm extension set --name ConfigurationForWindows --publisher Microsoft.GuestConfiguration --vm-name <vm-name> --resource-group <resource-group>`
  • AWS: Use Amazon Inspector to scan EC2 instances for vulnerable drivers (custom rules can include LOLDrivers hashes):
    `aws inspector2 create-findings-report --filter-criteria '{"ec2InstanceTags":[{"comparison":"EQUALS","value":"Production"}]}'`
  • API security: Protect the management APIs that deploy EDR agents. Implement mutual TLS (mTLS) and short-lived tokens for any API call that modifies security configurations or loads kernel drivers.

Example API gateway rule (Kong):

`curl -X POST http://kong:8001/plugins --data "name=mtls-auth" --data "config.certificates=ca_cert.pem"`

What Undercode Say:

  • Key Takeaway 1: The Qilin EDR killer demonstrates that BYOVD remains a highly effective technique; defenders must prioritize driver inventories and real-time blocklisting using projects like LOLDrivers.
  • Key Takeaway 2: Proactive hardening (HVCI, WDAC) and continuous monitoring (Sysmon + LOLDrivers API) are no longer optional—they are the baseline for endpoint resilience.
  • Analysis: The long lag between driver vulnerability disclosure (May–Oct 2025) and public exploitation (now) highlights the need for automated inventory correlation. Most organizations have no idea which drivers are running on their endpoints, making them easy prey. The good news is that free, community-driven data (LOLDrivers) and built‑in Windows security features can stop these attacks if properly configured. The shift-left approach—blocking drivers before they load—is vastly more effective than trying to detect post‑exploitation EDR termination.

Prediction:

Within the next 12 months, we will see ransomware groups move beyond single-driver attacks to multi‑driver chains and abuse of signed, but revoked, drivers from hardware vendors. Microsoft will likely force-enable HVCI by default on all new Windows installations, and cloud providers will embed driver inventory as a standard compliance control. However, legacy systems and air-gapped environments will remain vulnerable, driving a new market for lightweight driver‑blocking agents that operate below the EDR layer. The arms race between BYOVD exploit developers and kernel‑level defensive telemetry is just beginning.

Reported By: Hackers Feeds