Why does BYOVD work on modern Windows?

Because the dropped driver is signed by a legitimate vendor — Windows' signature checks pass. The exploit lives inside the driver's logic (often an IOCTL handler that grants arbitrary memory read/write to user-mode), not in its signing chain.

What's a common BYOVD example?

Old versions of mhyprot2.sys (Genshin Impact's anti-cheat driver), gdrv.sys (Gigabyte), RTCore64.sys (MSI RGB controllers), and Process Explorer's own driver have all been weaponised by attackers.

How does Amcache help detect BYOVD?

Root\InventoryDriverBinary records every driver loaded on the host, with DriverTimeStamp (PE link date), DriverSigned flag, and Hash. Sort by DriverTimeStamp ascending and look for old-but-signed drivers that recently appeared in the hive.

What does an Amcache BYOVD investigation look like?

Parse Amcache and filter the DriverBinaries CSV for entries with DriverTimeStamp older than 2 years AND KeyLastWriteTimestamp within the suspected intrusion window. Old binaries newly loaded are the classic BYOVD signature.

Are there public BYOVD-driver blocklists?

Yes — Microsoft's recommended driver block rules (loldrivers.io maintains an open community database) list known-abused drivers by hash and Authenticode-signer. Cross-reference Amcache DriverBinary hashes against this list.

What is BYOVD (Bring-Your-Own-Vulnerable-Driver)? (glossary)

BYOVD (Bring-Your-Own-Vulnerable-Driver) is an attacker technique in which the attacker loads a legitimately-signed but vulnerable kernel driver to gain kernel-mode execution on a modern Windows host. The driver passes signature checks because it is signed; the vulnerability inside it — typically an IOCTL handler that exposes arbitrary memory read/write to user-mode — is what the attacker exploits.

Famous examples include old versions of mhyprot2.sys (Genshin Impact anti-cheat), gdrv.sys (Gigabyte), RTCore64.sys (MSI Afterburner), and Process Explorer's procexp152.sys.

Why it bypasses Windows defences#

Modern Windows enforces Driver Signature Enforcement (DSE): unsigned drivers cannot load on x64 desktop builds in production mode. BYOVD sidesteps DSE entirely by using drivers that are signed. The exploit is in the driver's behaviour, not its signing chain.

Once loaded, the vulnerable driver gives the attacker kernel-mode primitives — typically arbitrary memory read/write — which is enough to:

Disable EDR / AV by patching their callbacks.
Steal LSASS process memory without MiniDumpWriteDump triggering.
Modify Protected Process Light (PPL) flags.
Load the attacker's own unsigned driver via kernel-mode write.

How Amcache helps detect BYOVD#

Amcache's Root\InventoryDriverBinary key records every driver loaded on the host, with:

DriverTimeStamp — the driver's PE link date.
DriverSigned — whether it claimed a valid signature.
Hash — SHA-1 of the driver binary.
KeyLastWriteTimestamp — when Amcache recorded the entry.

The standard BYOVD-detection filter on *_DriverBinaries.csv:

Import-Csv .\HOST_amcache_DriverBinaries.csv |
  Where-Object {
    $_.DriverSigned -eq 'True' -and
    [DateTime]$_.DriverTimeStamp -lt (Get-Date).AddYears(-2) -and
    [DateTime]$_.KeyLastWriteTimestamp -gt (Get-Date).AddDays(-30)
  } |
  Select-Object DriverName, DriverTimeStamp, KeyLastWriteTimestamp, Hash, Service |
  Sort-Object KeyLastWriteTimestamp

A driver compiled in 2014 that first shows up in Amcache today is suspicious by construction.

Then cross-reference the hash against loldrivers.io — the community-maintained database of known-abused drivers. If the hash matches a known-BYOVD entry, you have very high confidence.

For the broader investigation playbook, see Hunting commodity malware with Amcache.

Amcache.hve — the hive holding driver records.
DFIR triage — the workflow BYOVD hunting fits into.
InventoryApplicationFile — the equivalent userspace key.

What is BYOVD (Bring-Your-Own-Vulnerable-Driver)? (glossary)

Why it bypasses Windows defences#

How Amcache helps detect BYOVD#

Related terms#

Related posts