VYPR
Research · Published May 22, 2026 · 1 source

Researchers Detail BYOVD Technique to Exploit Hardware-Gated Windows Drivers Without Physical Hardware

New research reveals how attackers can interact with vulnerable Windows kernel-mode drivers from user mode even when the drivers require specific hardware, expanding the BYOVD attack surface for privilege escalation.

Security researchers have published a detailed technical analysis demonstrating how Windows kernel-mode drivers that are normally gated by the presence of specific physical hardware can be interacted with and exploited from user mode. The work, published by Atos Cyber Shield researchers, focuses on the Bring Your Own Vulnerable Driver (BYOVD) attack surface and addresses a gap in existing research: the role of hardware-gating in driver vulnerability reachability.

The technique is significant because many vulnerable drivers only create their device objects or expose vulnerable code paths when the corresponding hardware is detected on the system. Without that hardware, drivers often either skip device object creation entirely or delete device objects shortly after creation. The researchers show how attackers can bypass these checks solely from userland, without physical or hypervisor access, by manipulating the Windows Plug and Play architecture and device stack interactions.

The analysis is structured around device objects, which the researchers identify as the most viable attack vector for reaching vulnerable driver code. Two common obstacles are identified: the device object is not created at all, or the driver's internal state prevents the vulnerable behavior from being exercised despite the device object being accessible. Both scenarios are typical when a device driver is deployed on a system lacking the corresponding hardware.

The researchers categorize drivers into two patterns. The first includes drivers that create device objects unconditionally upon loading, often directly from their DriverEntry function. These can be deployed with simple `sc.exe` commands and are already well-documented in BYOVD resources like the LOL Drivers project. The second, more challenging pattern involves conditional device creation, where drivers check for hardware presence or product-specific registry keys before creating device objects.

For conditional drivers, the researchers detail methods to trigger vulnerable code paths by emulating or bypassing hardware presence checks. This includes techniques to work around drivers that create and then quickly delete device objects, creating a race condition window that attackers can exploit. The work also covers how kernel-mode components of security software, such as EDR and anti-virus products, often check for product-specific registry entries that can be manipulated from user mode.

The research is particularly relevant given the continued abuse of vulnerable drivers in BYOVD attacks, a post-exploitation technique used by ransomware groups and advanced threat actors to disable security products and gain kernel-level access. The researchers note that while BYOVD attacks have been well documented, none of the existing public reports specifically examine how hardware-gating affects driver vulnerability reachability.

All tests were conducted on Windows 11 23H2 (build 10.0.22631.3007), and the methodology is designed to help security researchers and defenders determine whether a particular Windows kernel-mode driver vulnerability remains reachable and potentially exploitable even without the intended hardware. The findings expand the attack surface for local privilege escalation and kernel compromise, and underscore the importance of driver blocklist updates and hardware-enforced security measures.
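As an added defender's check, not code from the Atos research or from this article, the following PowerShell audits the two mitigations the summary closes on (the Microsoft vulnerable driver blocklist and HVCI) and inventories the kernel drivers currently loaded that are not signed as Windows components, which is the population a BYOVD blocklist review starts from. It assumes an elevated shell and reads the documented `VulnerableDriverBlocklistEnable` registry value and the `Win32_DeviceGuard` WMI class.

```powershell
# Added audit script (not from the article or the research it summarizes).
# Run from an elevated PowerShell session.

function Get-DriverBlocklistState {
    # Microsoft's vulnerable driver blocklist switch lives under CI\Config.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = (Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable `
            -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    if ($null -eq $val) { return 'not set (platform default applies)' }
    if ($val -eq 1)     { return 'enabled' }
    return 'disabled'
}

function Get-HvciState {
    # SecurityServicesRunning contains 2 when Hypervisor-Enforced Code Integrity is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($null -eq $dg) { return 'unknown (DeviceGuard WMI class unavailable)' }
    if ($dg.SecurityServicesRunning -contains 2) { return 'running' }
    return 'not running'
}

function Get-NonWindowsKernelDrivers {
    # Win32_SystemDriver lists kernel driver services; keep only those loaded right now.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the NT-style paths the SCM stores (\??\C:\..., \SystemRoot\..., system32\...).
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned/unknown' }
            $status = if ($sig) { $sig.Status } else { 'NotFound' }
            [pscustomobject]@{ Name = $_.Name; Path = $path; Signer = $signer; Status = $status }
        } |
        # Drop inbox OS components (CN=Microsoft Windows). WHQL-signed third-party drivers
        # (CN=Microsoft Windows Hardware Compatibility Publisher) are kept on purpose:
        # many abused BYOVD drivers carry exactly that signature.
        Where-Object { $_.Signer -notmatch '^CN=Microsoft Windows,' }
}

"Vulnerable driver blocklist: $(Get-DriverBlocklistState)"
"HVCI: $(Get-HvciState)"
"Loaded kernel drivers that are not Windows components (check each against your blocklist):"
Get-NonWindowsKernelDrivers | Sort-Object Name | Format-Table -AutoSize
```

The driver list is an inventory, not a verdict: a driver only becomes a BYOVD concern once it is matched against a vulnerable-driver list, and the hardware-gated drivers the research describes may be present as services without a device object ever being visible.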

Synthesized by Vypr AI