BYOVD Scanner Design — Saku Grossarth

The BYOVD Problem

"Bring Your Own Vulnerable Driver" attacks exploit signed drivers with security flaws to gain kernel execution. Identifying these drivers proactively is essential for security teams.

BYOVD is particularly dangerous because:

Vulnerable drivers are often signed by trusted vendors
Anti-cheat and EDR often whitelist known drivers
Blocking them breaks legitimate hardware functionality
New vulnerable drivers are discovered continuously

Scanner Architecture

Detection Methods

Signature Analysis — Known vulnerable driver signatures
Function Analysis — Dangerous IOCTL handlers
Import Analysis — Suspicious API usage patterns
String Analysis — Known debug strings and paths
Behavioral Patterns — Memory access without validation

IOC Database

The scanner maintains an IOC (Indicator of Compromise) cache containing:

IOC Types:
  - Driver file hashes (MD5, SHA1, SHA256)
  - Signer information (thumbprint, name)
  - Export function names
  - IOCTL code patterns
  - Known vulnerable version ranges
  - Vendor blocklist status

Static Analysis Pipeline

1. PE Header Analysis

Digital certificate information
Section characteristics (executable + writable)
Import table contents
Export table analysis

2. Code Pattern Matching

Vulnerable drivers often share code patterns:

IOCTL handlers without parameter validation
Direct memory access from user-controlled input
Pointer dereferencing without null checks
Buffer operations with unchecked sizes

3. Heuristic Scoring

Each driver receives a risk score based on:

Scoring factors:
  - Known vulnerable signature match: +50
  - Suspicious IOCTL patterns: +20
  - Dangerous imports (MmMapIoSpace, etc.): +15
  - Writable + Executable sections: +10
  - Debug strings present: +5
  - Valid Microsoft signature: -20

Output Formats

Technical Report (output_tech.txt)

Detailed analysis for security researchers:

Per-driver vulnerability analysis
Specific indicators detected
Confidence scores with reasoning
Remediations or mitigations

JSON Output (output.json)

Machine-readable format for automation:

Structured driver metadata
Normalized IOC data
Risk scores and classifications
SIEM integration ready

Scanner Operation

Collection Phase

1. Enumerate driver store paths
2. Collect .sys files from various sources:
   - C:\Windows\System32\drivers
   - Driver Store
   - Third-party driver directories

Analysis Phase

3. For each driver:
   - Calculate file hashes
   - Parse PE headers
   - Check IOC cache
   - Perform heuristic analysis
   - Generate risk score

Reporting Phase

4. Aggregate results
5. Generate reports in all formats
6. Update IOC cache with new findings

Integration with kdmapper

The scanner helps identify drivers suitable for kdmapper:

Scan potential target drivers
Review output for exploitable vulnerabilities
Verify driver is signed and likely whitelisted
Use with kdmapper for driver loading

What I Learned

Building this scanner taught me about driver vulnerabilities at scale. The most interesting insight is how similar vulnerable drivers are: missing parameter validation, unchecked pointers, and dangerous IOCTL designs that trust user input too much.

Applications

Blue Team — Identify vulnerable drivers in environment
Red Team — Find exploitable drivers for testing
Driver Developers — Understand common vulnerabilities
Security Analysts — Track BYOVD trends