What is BYOVD (Bring-Your-Own-Vulnerable-Driver)? (glossary)

BYOVD is the move where an attacker drops a legitimately-signed kernel driver that has a known exploitable bug, loads it, and uses the bug to get ring 0. Driver Signature Enforcement nods politely because the driver is genuinely signed by a real vendor. The vulnerability lives inside the driver itself, usually an IOCTL handler that hands out arbitrary memory read/write to whoever opens the device.

Famous examples: old mhyprot2.sys (Genshin Impact anti-cheat), gdrv.sys (Gigabyte), RTCore64.sys (MSI Afterburner), procexp152.sys (Process Explorer's own driver). The list at loldrivers.io keeps growing.

Why DSE doesn't help#

DSE checks the signing chain. It does not look inside the driver and reason about its IOCTL surface. Once a vulnerable signed driver is loaded, the attacker gets:

  • Disable EDR by patching their kernel callbacks.
  • Read LSASS without triggering MiniDumpWriteDump-style detections.
  • Flip PPL bits to let user-mode tooling touch protected processes.
  • Load a wholly unsigned attacker driver by writing into kernel memory.

Microsoft's recommended driver blocklist exists for this, and on most SKUs it is opt-in or only partially on by default.

How Amcache catches BYOVD#

Root\InventoryDriverBinary holds one record per driver the system has loaded. The fields that matter:

  • DriverTimeStamp: the driver's PE link date.
  • DriverSigned: the signature flag.
  • Hash: SHA-1 of the driver binary.
  • KeyLastWriteTimestamp: when the appraiser wrote the record.

The pattern is simple: signed + old DriverTimeStamp + recent KeyLastWriteTimestamp. A driver compiled in 2014 that first appeared in your hive last Tuesday is BYOVD-shaped by construction.

Import-Csv .\HOST_amcache_DriverBinaries.csv |
  Where-Object {
    $_.DriverSigned -eq 'True' -and
    [DateTime]$_.DriverTimeStamp -lt (Get-Date).AddYears(-2) -and
    [DateTime]$_.KeyLastWriteTimestamp -gt (Get-Date).AddDays(-30)
  } |
  Select DriverName, DriverTimeStamp, KeyLastWriteTimestamp, Hash, Service |
  Sort-Object KeyLastWriteTimestamp

Cross-reference the surviving hashes against loldrivers.io. A match is almost diagnostic.

For the full workflow, see Hunting commodity malware with Amcache.

Related posts

  • What is SRUM (SRUDB.dat)? (glossary)

    SRUM is the ESE database Windows uses to track per-application resource usage by hour over 30-60 days. The only Windows artefact with per-app network-byte totals. Critical for exfil.

  • What is Shimcache (AppCompatCache)? (glossary)

    Shimcache is the kernel-maintained loader cache in the SYSTEM hive. 1024 entries, no hash, stale until reboot. Different from Amcache; pair them.

  • What is Amcache ProgramId? (glossary)

    ProgramId is the 44-character application-identity hash Amcache stores. Stable across hosts for the same install. Catches re-compiles and renames where Hash misses.

  • What is Windows Prefetch? (glossary)

    Windows Prefetch is the directory of .pf files that proves execution. Up to 8-10 run times per binary plus the files loaded in the first ten seconds. The strongest Windows execution evidence.

Back to all posts