Bring Your Own Vulnerable Kernel Driver/BYOVKD
Exploiting Third-Party Kernel Device Drivers
BYOVKD is the technique of exploiting a target system via a vulnerable, signed kernel driver which an implant brings along with itself and loads to bootstrap into the Kernel. Note that this technique requires an attacker to have already gained High-IL code execution in Ring 3, or in simpler words, it needs administrative privileges since it involves loading a driver. Also, note that Microsoft does not consider Ring 3 (High-IL) -> Ring 0 a serviceable security boundary, but even then there are some quirks when we look at productizing our exploits. Think of it as a proxy driver that we drop'n'load onto a target system to help us step into the Ring-0 realm.

But why is such a proxy even required? Why can't we directly load our rootkits or Kernel-Mode keyloggers or what have you? The answer is quite simple. With modern OS mitigations like Driver Signature Enforcement (DSE), Kernel drivers need to be properly signed for them to load. This implies that we can either steal such valid code-signing certificates or somehow acquire them anonymously, both of which are non-trivial tasks. Abusing proxy drivers is the Tertia Optio (third option), which is a very viable alternative where we abuse a legitimately signed driver to execute our code in Kernel-Mode.

There are many attractive pros of adopting BYOVKD. Some of them are:
1. There are so many signed proxy drivers available to us that blacklisting all of them is virtually impossible, and we all know how hard maintaining a whitelist can be.
2. A signed driver is forever. Signature revocation, if not impossible, is almost certainly improbable.

I'm sorry, I just had to
BYOVKD represents Third Generation Kernel Threats, where we introduce a vulnerable third-party driver into the environment to exploit it, as compared to Second Generation Kernel Threats, where the vulnerable driver is shipped with the OS itself. Now, it goes without saying that the latter is much stealthier and more advanced than the former, while also being rarer, more expensive and more difficult to exploit. There are basically two types of attacks we can perform using BYOVKD:
1. Data-only attacks
2. Ring-0 code execution

Note that we will not be looking at EoP scenarios using BYOVKD, for that is more relevant to LOCAL 2nd Gen kernel threats. The reason being that we are already in High-IL and there are better ways of elevating privileges to the local SYSTEM account from User-Mode. Although BYOVKD is not commonly seen in intrusions, over the years there have been some highly publicised cases of this technique being leveraged by nation-states for CNE operations. Some of them are:

| Actor/Implant | Driver Name/Product | CVE ID |
| --- | --- | --- |
| Equation Group/GrayFish/SolarTime | ElbyCDIO.sys (SlySoft AnyDVD) | CVE-2009-0824 |
| Turla/Uroburos | VBoxDrv.sys (Oracle VirtualBox) | CVE-2008-3431 |
| APT41/Derusbi | Nicm.sys (Novell XTier) | CVE-2013-3956 |
| Strider/Project Sauron | SandBox.sys (Agnitum Outpost Firewall PRO), AswSnx.sys (Avast Internet Security) | CVE-2006-5721, CVE-2015-8620 |
| Longhorn/White Lambert | Sandra.sys (SiSoftware Sandra) | CVE-2010-1592 |
| REDACTED/Slingshot | Sandra.sys (SiSoftware Sandra), ElbyCDIO.sys (SlySoft AnyDVD), Speedfan.sys (Almico SpeedFan) | CVE-2010-1592, CVE-2009-0824, CVE-2007-5633 |
| APT28/LoJax | RwDrv.sys (RWEverything) | N.A. |
| Gamaredon Group/InvisiMole | Speedfan.sys (Almico SpeedFan) | CVE-2007-5633 |
| Unk16/AcidBox/MagicScroll | VBoxDrv.sys (Oracle VirtualBox) | N.A. |
| TunnelSnake/Moriya | VBoxDrv.sys (Oracle VirtualBox) | CVE-2008-3431 |
| Candiru/DevilsTongue | physmem.sys (Hilscher Physical Memory Viewer) | N.A. |
| GhostEmperor/Demodex | dbk64.sys (Cheat Engine) | N.A. |
There are also recorded cases of ransomware and other commodity malware such as TrickBot using this technique to bypass defences. Also, note the considerable overlap in the choice of proxy drivers. This is by no means an exhaustive list, and if you are able to find any more examples, I shall be glad to add them to the table with appropriate credits.
Naturally, we are interested in this tactic as it virtually grants us God Mode on the target machine and leads to total system compromise. In this series, we shall look at some of the exploitation scenarios and productizing them.
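Since the drivers in the table keep reappearing across unrelated intrusions, the cheapest defensive win is to watch driver-load telemetry for those file names. The script below is an added example, not code from the original post: it runs over Sysmon Event ID 6 (DriverLoad) records, constructed inline in a simple key=value format, flags loads of the driver names from the table above, flags loads from outside the usual drivers directory (an assumed heuristic for a driver that was dropped and then loaded), and points out that a valid signature does not clear the driver, which is the whole point of the technique.

```python
# Added example (not from the original post): flag Sysmon DriverLoad events that fit BYOVKD.
import ntpath

# Driver file names from the article's table of publicised BYOVKD cases.
KNOWN_ABUSED = {
    "elbycdio.sys", "vboxdrv.sys", "nicm.sys", "sandbox.sys", "aswsnx.sys",
    "sandra.sys", "speedfan.sys", "rwdrv.sys", "physmem.sys", "dbk64.sys",
}

# Assumption: properly installed drivers live here; one "dropped and
# loaded" by an implant from some other directory deserves a closer look.
EXPECTED_DIR = r"c:\windows\system32\drivers"

def parse_event(line):
    """Turn 'key=value|key=value' into a dict (constructed log format)."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def assess(event):
    """Return the list of findings for one DriverLoad event."""
    image = event.get("ImageLoaded", "")
    name = ntpath.basename(image).lower()
    findings = []
    if name in KNOWN_ABUSED:
        findings.append(f"known BYOVKD driver: {name}")
    if ntpath.dirname(image).lower() != EXPECTED_DIR:
        findings.append(f"loaded from unexpected path: {ntpath.dirname(image)}")
    # A valid signature does not clear the driver: the technique relies on
    # the vulnerable driver being legitimately signed, so DSE lets it load.
    if findings and event.get("SignatureStatus", "").lower() == "valid":
        findings.append("signature valid, so DSE alone will not stop this")
    return findings

def scan(lines):
    """Map each suspicious event's ImageLoaded path to its findings."""
    results = {}
    for line in lines:
        event = parse_event(line)
        if findings := assess(event):
            results[event["ImageLoaded"]] = findings
    return results

# Constructed sample events; signer strings are illustrative, not real data.
SAMPLE_EVENTS = [
    r"EventID=6|ImageLoaded=C:\Windows\System32\drivers\tcpip.sys|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    r"EventID=6|ImageLoaded=C:\Users\Public\ElbyCDIO.sys|Signed=true|Signature=SlySoft|SignatureStatus=Valid",
    r"EventID=6|ImageLoaded=C:\Windows\System32\drivers\VBoxDrv.sys|Signed=true|Signature=Oracle|SignatureStatus=Valid",
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(findings))
```

Real Sysmon output carries the same field names (ImageLoaded, Signed, Signature, SignatureStatus) in XML rather than this key=value form, so only parse_event needs replacing to run it on live data.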
Special thanks to Chris Neill for taking the time out to answer some of my queries.