Bring Your Own Vulnerable Kernel Driver/BYOVKD

Exploiting Third-Party Kernel Device Drivers

Introduction
BYOVKD is the technique of exploiting a target system via a vulnerable, signed kernel driver which an implant brings along with itself and loads to bootstrap into the Kernel.
Note that this technique requires an attacker to have already gained High-IL code execution in Ring 3 or in simpler words, it needs administrative privileges since it involves loading a driver and such. Also, note that Microsoft does not consider Ring 3(High-IL) -> Ring 0 a serviceable security boundary but even then there are some quirks when we look at productizing our exploits.
Think of it as a proxy driver that we drop'n'load onto a target system to help us step into the Ring-0 realm.
But why is such a proxy even required? Why can't we directly load our rootkits or Kernel-Mode keyloggers or what have you?
The answer is quite simple. With modern OS mitigations like Driver Signature Enforcement(DSE), we need to properly sign Kernel drivers for them to load. This implies that we can either steal such valid code-signing certificates or somehow acquire them anonymously, both of which are non-trivial tasks. Abusing proxy drivers is the Tertia Optio(third option) which is a very viable alternative where we abuse a legitimately signed driver to execute our code in Kernel-Mode.
There are many attractive pros of adopting BYOVKD. Some of them are:
1. There are so many signed proxy drivers available to us that blacklisting all of them is virtually impossible and we all know how hard maintaining whitelisting can be
2. A signed driver is forever. Signature revocation if not impossible is almost certainly improbable
I'm sorry, I just had to
BYOVKD represents Third Generation Kernel Threats where we introduce a vulnerable third-party driver into the environment to exploit it as compared to Second Generation Kernel Threats where the vulnerable driver is shipped with the OS itself. Now, it goes without saying that the latter is much stealthier and advanced than the former while subsequently being rarer, expensive and more difficult to exploit.
There are basically two types of attacks we can perform using BYOVKD:
1. Data-only attacks
2. Ring-0 code execution
Note that we will not be looking at EoP scenarios using BYOVKDfor that is more relevant for LOCAL 2nd Gen kernel threats. The reason being that we are already in High-IL and there are better ways of elevating privileges to local SYSTEM account from User-Mode. 
Although BYOVKD is not commonly seen in intrusions, over the years there have been some highly publicised cases of this technique being leveraged by nation-states for CNE operations. Some of them are:
Actor/Implant
Driver Name/Product
CVE ID
Equation Group/GrayFish/SolarTime
ElbyCDIO.sys(SlySoft AnyDVD)
CVE-2009-0824
Turla/Uroburos
VBoxDrv.sys(Oracle VirtualBox)
CVE-2008-3431
APT41/Derusbi
Nicm.sys(Novell XTier)
CVE-2013-3956
Strider/Project Sauron
SandBox.sys(Agnitum Outpost Firewall PRO), AswSnx.sys(Avast Internet Security)
CVE-2006-5721, CVE-2015-8620
Longhorn/White Lambert
Sandra.sys(SiSoftware Sandra)
CVE-2010-1592
REDACTED/Slingshot
Sandra.sys(SiSoftware Sandra), ElbyCDIO.sys(SlySoft AnyDVD), Speedfan.sys(Almico SpeedFan)
CVE-2010-1592, CVE-2009-0824, CVE-2007-5633
APT28/LoJax
RwDrv.sys(RWEverything)
N.A.
Gamaredon Group/InvisiMole
Speedfan.sys(Almico SpeedFan)
CVE-2007-5633
Unk16/AcidBox/MagicScroll
VBoxDrv.sys(Oracle VirtualBox)
N.A.
TunnelSnake/Moriya
VBoxDrv.sys(Oracle VirtualBox)
CVE-2008-3431
Candiru/DevilsTongue
physmem.sys(Hilscher Physical Memory Viewer)
N.A.
GhostEmperor/Demodex
dbk64.sys(Cheat Engine)
N.A.
There are also recorded cases of ransomware and other commodity malware such as TrickBot using this technique to bypass defences etc. Also, note the considerable overlap in the choice of proxy drivers.
This is by no means an exhaustive list and if you are able to find any more examples, I shall be glad to add them to the table with appropriate credits.
Naturally, we are interested in this tactic as it virtually grants us God Mode on the target machine and leads to total system compromise. In this series, we shall look at some of the exploitation scenarios and productizing them.
Links
Further Reading/References/Credits
1.​Get Off the Kernel if You Can't Drive by Mickey Shkatov and Jesse Michael​
2.​Throwing an AquaWrench into the Kernel by Ruben Boonen a.k.a. FuzzySec​
3.​Kernel Mode Threats and Practical Defenses by Joe Desimone and Gabriel Landau​
4.​Demystifying Modern Windows Rootkits by Bill Demirkapi​
5.​Windows 10 Kernel Mitigations and Exploitation by Jaime Geiger and Stephen Sims​
6.​Device Driver Debauchery and MSR Madness by Ryan Warns and Timothy Harrison
7.​Dangerous 3rd-party drivers on your system or LOLDrivers​
8.Special thanks to Chris Neill for taking the time out to answer some of my queries

Kernel Mitigations

Exploit Primitives

Last modified 1yr ago

Actor/Implant	Driver Name/Product	CVE ID
Equation Group/GrayFish/SolarTime	ElbyCDIO.sys(SlySoft AnyDVD)	CVE-2009-0824
Turla/Uroburos	VBoxDrv.sys(Oracle VirtualBox)	CVE-2008-3431
APT41/Derusbi	Nicm.sys(Novell XTier)	CVE-2013-3956
Strider/Project Sauron	SandBox.sys(Agnitum Outpost Firewall PRO), AswSnx.sys(Avast Internet Security)	CVE-2006-5721, CVE-2015-8620
Longhorn/White Lambert	Sandra.sys(SiSoftware Sandra)	CVE-2010-1592
REDACTED/Slingshot	Sandra.sys(SiSoftware Sandra), ElbyCDIO.sys(SlySoft AnyDVD), Speedfan.sys(Almico SpeedFan)	CVE-2010-1592, CVE-2009-0824, CVE-2007-5633
APT28/LoJax	RwDrv.sys(RWEverything)	N.A.
Gamaredon Group/InvisiMole	Speedfan.sys(Almico SpeedFan)	CVE-2007-5633
Unk16/AcidBox/MagicScroll	VBoxDrv.sys(Oracle VirtualBox)	N.A.
TunnelSnake/Moriya	VBoxDrv.sys(Oracle VirtualBox)	CVE-2008-3431
Candiru/DevilsTongue	physmem.sys(Hilscher Physical Memory Viewer)	N.A.
GhostEmperor/Demodex	dbk64.sys(Cheat Engine)	N.A.