BYOVKD (Bring Your Own Vulnerable Kernel Driver) is the technique of exploiting a target system via a vulnerable, signed kernel driver which an implant brings along with itself and loads in order to bootstrap into the kernel.
Think of it as a proxy driver that we drop'n'load onto a target system to help us step into the
But why is such a proxy even required? Why can't we directly load our rootkits or kernel-mode keyloggers or what have you?
The answer is quite simple. With modern OS mitigations like Driver Signature Enforcement (DSE), kernel drivers must be properly signed before they will load. This implies that we can either steal a valid code-signing certificate or somehow acquire one anonymously, both of which are non-trivial tasks. Abusing proxy drivers is the Tertia Optio (third option), a very viable alternative in which we abuse a legitimately signed driver to execute our code in
There are many attractive pros to adopting BYOVKD. Some of them are:
1. There are so many signed proxy drivers available to us that blacklisting all of them is virtually impossible, and we all know how hard maintaining a whitelist can be.
2. A signed driver is forever. Signature revocation, if not impossible, is highly improbable.
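The blacklisting-versus-whitelisting point above is exactly the trade-off a detection engineer faces. The following is an added example, not code from the original post, showing a three-tier triage of driver-load telemetry: a name blocklist (weakest, since the file can be renamed), a hash blocklist, and a golden-image allowlist that flags any signed driver the organisation has never seen, because a valid signature says nothing about whether the driver is exploitable. The driver file names are the ones named on this page; every hash, signer string and log line is a constructed placeholder, and the `Event 6 | ImageLoaded: ... | Hashes: ... | Signed: ... | Signature: ...` layout is an assumed Sysmon-style export format, not an exact Sysmon schema.

```python
"""Triage Windows driver-load events for BYOVKD indicators (added example)."""
import re
from typing import Dict, List

# Tier 1: driver file names named on the page as historically abused.
# Name matching alone is weak: an implant can simply rename the file.
BLOCKLISTED_NAMES = {"speedfan.sys", "elbycdio.sys", "sandra.sys", "physmem.sys"}

# Constructed placeholder hashes (NOT real hashes of any driver).
SHA_NTFS = "2" * 64        # placeholder: a driver from the golden image
SHA_SPEEDFAN = "1" * 64    # placeholder: a known-vulnerable driver
SHA_PHYSMEM = "3" * 64     # placeholder: vulnerable driver not yet in the hash list
SHA_VENDOR = "4" * 64      # placeholder: signed driver unknown to the baseline
SHA_UNSIGNED = "5" * 64    # placeholder: unsigned driver

# Tier 2: hashes of known-vulnerable drivers. A production list would be fed
# from a vetted vulnerable-driver feed rather than hard-coded.
BLOCKLISTED_SHA256 = {SHA_SPEEDFAN}

# Tier 3: allowlist of every driver hash present in the organisation's golden image.
BASELINE_SHA256 = {SHA_NTFS}

EVENT_RE = re.compile(
    r"ImageLoaded: (?P<path>.+?) \| Hashes: SHA256=(?P<sha256>[0-9A-Fa-f]{64}) \| "
    r"Signed: (?P<signed>true|false) \| Signature: (?P<signer>.*)$"
)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one Sysmon-style 'Driver loaded' line into its fields."""
    m = EVENT_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised driver-load line: {line!r}")
    ev = m.groupdict()
    ev["sha256"] = ev["sha256"].lower()
    ev["name"] = ev["path"].rsplit("\\", 1)[-1].lower()  # file name only
    return ev


def triage(line: str) -> str:
    """Return the first verdict that fires, most specific tier first."""
    ev = parse_event(line)
    if ev["sha256"] in BLOCKLISTED_SHA256:
        return "blocklisted-hash"   # catches renamed copies of a known-bad driver
    if ev["name"] in BLOCKLISTED_NAMES:
        return "blocklisted-name"   # name hit, hash not yet in the feed
    if ev["signed"] != "true":
        return "unsigned"           # should not load under DSE at all; investigate
    if ev["sha256"] not in BASELINE_SHA256:
        return "not-in-baseline"    # signed but never seen in the golden image
    return "ok"


def triage_all(lines: List[str]) -> Dict[str, str]:
    """Map each driver file name to its verdict."""
    return {parse_event(ln)["name"]: triage(ln) for ln in lines}


# Constructed sample events, not real telemetry. The signer strings are made up.
SAMPLE_EVENTS = [
    f"Event 6 | ImageLoaded: C:\\Windows\\System32\\drivers\\ntfs.sys | Hashes: SHA256={SHA_NTFS} | Signed: true | Signature: Microsoft Windows",
    # speedfan.sys dropped under a new name: only the hash tier catches it
    f"Event 6 | ImageLoaded: C:\\Users\\Public\\update.sys | Hashes: SHA256={SHA_SPEEDFAN} | Signed: true | Signature: Almico",
    f"Event 6 | ImageLoaded: C:\\Temp\\physmem.sys | Hashes: SHA256={SHA_PHYSMEM} | Signed: true | Signature: Hilscher",
    f"Event 6 | ImageLoaded: C:\\Temp\\vendor_tool.sys | Hashes: SHA256={SHA_VENDOR} | Signed: true | Signature: Example Vendor",
    f"Event 6 | ImageLoaded: C:\\Temp\\test.sys | Hashes: SHA256={SHA_UNSIGNED} | Signed: false | Signature: ",
]

if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLE_EVENTS).items():
        print(f"{name:20s} {verdict}")
```

The ordering of the tiers is the design point: the renamed `update.sys` event is only caught because the hash list is consulted before the name list, and `vendor_tool.sys` is surfaced by the allowlist even though nothing about it is known to be bad. Maintaining that baseline is the operational cost the post alludes to, but it is the only tier that does not depend on the attacker's driver already being catalogued.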
Third Generation Kernel Threats, where we introduce a vulnerable third-party driver into the environment to exploit it, as compared to Second Generation Kernel Threats, where the vulnerable driver is shipped with the OS itself. Now, it goes without saying that the latter is much stealthier and more advanced than the former, while consequently being rarer, more expensive and more difficult to exploit.
There are basically two types of attacks we can perform using
1. Data-only attacks
2. Ring-0 code execution
Although BYOVKD is not commonly seen in intrusions, over the years there have been some highly publicised cases of this technique being used by nation-states for CNE operations. Some of them are:
SandBox.sys (Agnitum Outpost Firewall PRO), AswSnx.sys (Avast Internet Security)
Sandra.sys (SiSoftware Sandra), ElbyCDIO.sys (SlySoft AnyDVD), Speedfan.sys (Almico SpeedFan)
CVE-2010-1592, CVE-2009-0824, CVE-2007-5633
GRU 85th GTsSS/LoJax
PLA Unit 61398/Moriya
physmem.sys (Hilscher Physical Memory Viewer)
This is by no means an exhaustive list, and if you are able to find any more examples, I shall be glad to add them to the table with appropriate credit.
Naturally, we are interested in this tactic as it virtually grants us God Mode on the target machine and leads to total system compromise. In this series, we shall look at some of the exploitation scenarios and at productizing them.
Special thanks to Chris Neill for taking the time out to answer some of my queries.