Unveiling BYOVD Threats: Malware's Use and Abuse of Kernel Drivers
Andrea Monzani
Network and Distributed System Security (NDSS) Symposium 2026 · Day 3 · Malware & RE
**Bring Your Own Vulnerable Driver (BYOVD)** is an increasingly prevalent technique in which attackers load legitimate, signed kernel drivers that contain exploitable flaws to achieve kernel-level privilege escalation, kill security solutions, access arbitrary memory, or load unsigned drivers. Seen in state-sponsored espionage and in ransomware operations such as **Qilin 2025**, BYOVD exploits the trust Windows places in digitally signed drivers to bypass kernel protections. This talk presents the first **virtualization-based sandbox** for monitoring BYOVD behavior, built by extending **DRAKVUF** with a custom plugin, **KernelMon**, that hooks driver loads, IOCTL handlers, and kernel structures to trace multi-stage exploitation chains across the user-kernel boundary. Tested on a real-world malware dataset, the researchers identified **48 suspicious drivers**, **7** of which were previously unknown vulnerable and exploitable drivers, since reported to Microsoft and the affected vendors.
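The core analytic step the abstract describes, correlating a signed driver load, the user-mode IOCTLs sent to its device, and a later kernel-level effect into one chain, can be sketched in a few dozen lines. The block below is an added example written for this page; it is not KernelMon or DRAKVUF code and does not use their event format. The event schema, the driver and device names, the IOCTL codes and the trace itself are all constructed for illustration.

```python
"""Correlate sandbox-style trace events into BYOVD exploitation chains.

Hypothetical event schema (an assumption; not DRAKVUF's or KernelMon's own output):
  driver_load   : data = {"driver": str, "device": str, "signed": bool}
  ioctl         : data = {"device": str, "code": int}
  process_kill  : data = {"target": str}      # kernel-level effect
  unsigned_load : data = {"driver": str}      # kernel-level effect
The pid on an effect event is the user-mode process the sandbox attributes it to.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since trace start
    kind: str
    pid: int
    data: dict


# Constructed sample trace (not real sandbox output). Names and codes are placeholders.
SAMPLE_TRACE = [
    Event(0.0, "driver_load", 4, {"driver": "vuln_example.sys", "device": r"\\.\VulnExample", "signed": True}),
    Event(1.2, "ioctl", 1337, {"device": r"\\.\VulnExample", "code": 0x22E004}),
    Event(1.3, "ioctl", 1337, {"device": r"\\.\VulnExample", "code": 0x22E008}),
    Event(1.9, "process_kill", 1337, {"target": "edr_agent.exe"}),
    Event(2.5, "unsigned_load", 1337, {"driver": "payload.sys"}),
    Event(3.0, "ioctl", 2000, {"device": r"\\.\Benign", "code": 0x1}),  # no signed load seen: ignored
]

KERNEL_EFFECTS = {"process_kill", "unsigned_load"}


def find_byovd_chains(events: List[Event], window: float = 30.0) -> List[dict]:
    """Return one chain per (pid, driver, effect) where a user-mode process sent
    IOCTLs to a signed third-party driver and a kernel-level effect attributed to
    that process followed within `window` seconds of at least one IOCTL."""
    device_to_load: Dict[str, Event] = {}
    ioctls_by_pid: Dict[int, Dict[str, List[Event]]] = {}
    chains: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "driver_load" and ev.data.get("signed"):
            # Stage 1: a signed driver exposes a device object.
            device_to_load[ev.data["device"]] = ev
        elif ev.kind == "ioctl":
            # Stage 2: user-mode crosses into the driver via its IOCTL handler.
            load = device_to_load.get(ev.data["device"])
            if load is not None:
                ioctls_by_pid.setdefault(ev.pid, {}) \
                    .setdefault(load.data["driver"], []).append(ev)
        elif ev.kind in KERNEL_EFFECTS:
            # Stage 3: a kernel-level effect the process could not achieve legitimately.
            for driver, calls in ioctls_by_pid.get(ev.pid, {}).items():
                recent = [c for c in calls if 0 <= ev.ts - c.ts <= window]
                if recent:
                    chains.append({
                        "pid": ev.pid,
                        "driver": driver,
                        "ioctl_codes": sorted({c.data["code"] for c in recent}),
                        "effect": ev.kind,
                        "detail": dict(ev.data),
                        "ts": ev.ts,
                    })
    return chains


if __name__ == "__main__":
    for chain in find_byovd_chains(SAMPLE_TRACE):
        print(f"pid {chain['pid']} -> {chain['driver']} "
              f"ioctls {[hex(c) for c in chain['ioctl_codes']]} -> {chain['effect']} {chain['detail']}")
```

The window parameter is the knob a defender tunes: a tight window keeps the chain attributable to one exploitation burst, a loose one catches staged loaders that pause between the IOCTL and the effect.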
AI review
A virtualization-based sandbox for monitoring BYOVD exploitation chains at kernel level, discovering 7 previously unknown vulnerable drivers. Directly relevant for anyone doing Windows offensive operations or defending against kernel-level attacks.