What is BYOVD (Bring-Your-Own-Vulnerable-Driver)? (glossary)
BYOVD is the move where an attacker drops a legitimately-signed kernel driver that has a known exploitable bug, loads it, and uses the bug to get ring 0. Driver Signature Enforcement nods politely because the driver is genuinely signed by a real vendor. The vulnerability lives inside the driver itself, usually an IOCTL handler that hands out arbitrary memory read/write to whoever opens the device.
Famous examples: old mhyprot2.sys (Genshin Impact anti-cheat), gdrv.sys (Gigabyte), RTCore64.sys (MSI Afterburner), procexp152.sys (Process Explorer's own driver). The list at loldrivers.io keeps growing.
Why DSE doesn't help#
DSE checks the signing chain. It does not look inside the driver and reason about its IOCTL surface. Once a vulnerable signed driver is loaded, the attacker gets:
- Disable EDR by patching their kernel callbacks.
- Read LSASS without triggering
MiniDumpWriteDump-style detections. - Flip PPL bits to let user-mode tooling touch protected processes.
- Load a wholly unsigned attacker driver by writing into kernel memory.
Microsoft's recommended driver blocklist exists for this, and on most SKUs it is opt-in or only partially on by default.
How Amcache catches BYOVD#
Root\InventoryDriverBinary holds one record per driver the system has loaded. The fields that matter:
DriverTimeStamp: the driver's PE link date.DriverSigned: the signature flag.Hash: SHA-1 of the driver binary.KeyLastWriteTimestamp: when the appraiser wrote the record.
The pattern is simple: signed + old DriverTimeStamp + recent KeyLastWriteTimestamp. A driver compiled in 2014 that first appeared in your hive last Tuesday is BYOVD-shaped by construction.
Import-Csv .\HOST_amcache_DriverBinaries.csv |
Where-Object {
$_.DriverSigned -eq 'True' -and
[DateTime]$_.DriverTimeStamp -lt (Get-Date).AddYears(-2) -and
[DateTime]$_.KeyLastWriteTimestamp -gt (Get-Date).AddDays(-30)
} |
Select DriverName, DriverTimeStamp, KeyLastWriteTimestamp, Hash, Service |
Sort-Object KeyLastWriteTimestampCross-reference the surviving hashes against loldrivers.io. A match is almost diagnostic.
For the full workflow, see Hunting commodity malware with Amcache.
Related terms#
Related posts
- What is SRUM (SRUDB.dat)? (glossary)
SRUM is the ESE database Windows uses to track per-application resource usage by hour over 30-60 days. The only Windows artefact with per-app network-byte totals. Critical for exfil.
- What is Shimcache (AppCompatCache)? (glossary)
Shimcache is the kernel-maintained loader cache in the SYSTEM hive. 1024 entries, no hash, stale until reboot. Different from Amcache; pair them.
- What is Amcache ProgramId? (glossary)
ProgramId is the 44-character application-identity hash Amcache stores. Stable across hosts for the same install. Catches re-compiles and renames where Hash misses.
- What is Windows Prefetch? (glossary)
Windows Prefetch is the directory of .pf files that proves execution. Up to 8-10 run times per binary plus the files loaded in the first ten seconds. The strongest Windows execution evidence.