Unveiling BYOVD Threats - Malware’s Use and Abuse of Kernel Drivers

2025/10/13

Categories: Blogpost Tags: Windows Malware BYOVD

This blog post provides insights into our recent paper, which investigates how attackers exploit legitimate signed Windows drivers to gain kernel-level control; the work is an academic collaboration between EURECOM and the University of Milan.

Malware authors have long sought ways to bypass Windows' protections and operate with system-level privileges. But even with administrator rights, attackers still face an obstacle: modern Windows versions restrict what administrators can do. Critical components, such as antivirus services (which run as Protected Process Light, PPL), system processes, and kernel memory, are protected from modification even by admin users.

To truly control the system, attackers must get into the kernel, where these protections no longer apply. Loading a driver would be the obvious route, but 64-bit Windows has enforced Driver Signature Enforcement (DSE) since Windows Vista: only digitally signed kernel drivers can be loaded. This is where the Bring Your Own Vulnerable Driver (BYOVD) technique comes in: malware simply brings along a legitimate, signed driver that contains a security flaw, typically an IOCTL interface that lets any user-mode caller read or write arbitrary kernel or physical memory, or terminate any process. Once loaded, the driver gives attackers a bridge into kernel space, letting them disable defenses, tamper with memory, or execute arbitrary code, while the module itself passes every signature check because it really is a vendor-signed driver.

In our paper recently accepted at the Network and Distributed System Security (NDSS) Symposium 2026 (which will take place at the end of February 2026 in San Diego, California), we dissect how BYOVD attacks operate, why traditional defenses fail to see them, and how we can detect such kernel-level abuses in a principled and automated way.

A New Way to See Inside the Kernel

Most malware sandboxes and Endpoint Detection & Response (EDR) systems stop at user-space monitoring. But BYOVD happens below the surface, in the kernel, where visibility is scarce and detection is notoriously difficult, so driver activity is often overlooked by sandboxes entirely.

To address this blind spot, we developed a virtualization-based sandbox that traces, in real time, every kernel function executed by a driver; in the spirit of reproducibility, it is shared as open source. Our system is built on top of DRAKVUF and extended with a custom plugin called Kernelmon. Because DRAKVUF relies on virtual machine introspection from the hypervisor, Kernelmon observes every call, memory mapping, and system event initiated by a driver without modifying the guest OS, so there is no in-guest agent for kernel-level code to detect or disable.

We coupled this with the first dynamic taxonomy of BYOVD behaviors, breaking down attacks into five key stages:

  1. Driver dropping
  2. Loading
  3. Communication
  4. Execution complexity
  5. Observable suspicious behavior

This taxonomy not only structures the analysis but also enables automatic classification of what each driver is actually doing inside the kernel.
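To make the five stages concrete, here is an added example, not code from the paper and not DRAKVUF or Kernelmon output, that classifies a constructed, Kernelmon-style event trace into those stages. The one-event-per-line `key=value` format, the event names, the sample process list and the "execution complexity" heuristic are assumptions made for illustration; only the stage names and the kernel API names come from the post.

```python
"""Classify a constructed, Kernelmon-style driver trace into the five BYOVD stages.

Added example: not the paper's code, and not real DRAKVUF/Kernelmon output.
The line format, event names and complexity heuristic are assumptions.
"""
from dataclasses import dataclass, field

# Kernel APIs the post lists as abusable once a vulnerable driver is loaded.
RISKY_KERNEL_APIS = {
    "ZwTerminateProcess": "terminates a process from kernel mode, ignoring PPL",
    "MmMapIoSpace": "maps arbitrary physical memory",
    "MmMapLockedPagesSpecifyCache": "maps arbitrary pages into user mode",
}

# Processes that admin-level malware cannot kill itself (assumption: a short
# illustrative sample, not a complete list).
PROTECTED_PROCESSES = {"MsMpEng.exe", "csrss.exe", "lsass.exe"}


@dataclass
class Verdict:
    """Evidence per stage; a stage is present when it has at least one entry."""
    stages: dict = field(default_factory=dict)
    complexity: str = "none"

    def hit(self, stage, evidence):
        self.stages.setdefault(stage, []).append(evidence)

    @property
    def is_byovd(self):
        # Core pattern: a driver gets loaded and then does something it should not.
        return "loading" in self.stages and "suspicious_behavior" in self.stages


def parse_event(line):
    """Turn 'proc=a.exe ev=NtWriteFile path=C:\\x.sys' into a dict (assumed format)."""
    event = {}
    for token in line.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def classify(trace_lines):
    """Map each event to a stage; returns a Verdict with evidence and complexity."""
    verdict = Verdict()
    ioctl_codes, kernel_apis = set(), set()
    for line in trace_lines:
        e = parse_event(line)
        ev = e.get("ev")
        if ev == "NtWriteFile" and e.get("path", "").lower().endswith(".sys"):
            verdict.hit("dropping", f"{e['proc']} wrote {e['path']}")
        elif ev in ("CreateService", "NtLoadDriver"):
            verdict.hit("loading", f"{e['proc']} loaded {e.get('path') or e.get('service')}")
        elif ev == "NtDeviceIoControlFile":
            ioctl_codes.add(e["ioctl"])
            verdict.hit("communication", f"{e['proc']} -> {e['device']} IOCTL {e['ioctl']}")
        elif ev == "KernelCall":
            # Driver-side call, as a kernel-function monitor would record it.
            api = e["api"]
            kernel_apis.add(api)
            if api == "ZwTerminateProcess":
                if e.get("target") in PROTECTED_PROCESSES:
                    verdict.hit("suspicious_behavior",
                                f"{e['driver']} killed protected {e['target']}")
            elif api in RISKY_KERNEL_APIS:
                verdict.hit("suspicious_behavior",
                            f"{e['driver']} called {api}: {RISKY_KERNEL_APIS[api]}")
    # Complexity heuristic (assumption): distinct control paths driven through the driver.
    score = len(ioctl_codes) + len(kernel_apis)
    verdict.complexity = "none" if score == 0 else "single-step" if score <= 2 else "multi-step"
    if score:
        verdict.hit("execution_complexity",
                    f"{len(ioctl_codes)} IOCTL codes, {len(kernel_apis)} kernel APIs")
    return verdict


# Constructed trace: an execution parent drops a signed driver, registers it as a
# kernel service, and drives it through two IOCTLs to kill an AV process and map memory.
BYOVD_TRACE = [
    r"proc=updater.exe ev=NtWriteFile path=C:\Windows\Temp\vendor.sys",
    r"proc=updater.exe ev=CreateService service=vendorsvc path=C:\Windows\Temp\vendor.sys type=kernel",
    r"proc=updater.exe ev=NtLoadDriver service=vendorsvc",
    r"proc=updater.exe ev=NtDeviceIoControlFile device=\\.\VendorDev ioctl=0x222000",
    r"driver=vendor.sys ev=KernelCall api=ZwTerminateProcess target=MsMpEng.exe",
    r"proc=updater.exe ev=NtDeviceIoControlFile device=\\.\VendorDev ioctl=0x222008",
    r"driver=vendor.sys ev=KernelCall api=MmMapIoSpace phys=0x1000 size=0x1000",
]

# Constructed trace: a benign driver install that only creates its device object.
BENIGN_TRACE = [
    r"proc=setup.exe ev=NtWriteFile path=C:\Windows\System32\drivers\audio.sys",
    r"proc=setup.exe ev=NtLoadDriver service=audio",
    r"driver=audio.sys ev=KernelCall api=IoCreateDevice",
]

if __name__ == "__main__":
    for name, trace in (("byovd", BYOVD_TRACE), ("benign", BENIGN_TRACE)):
        v = classify(trace)
        print(f"{name}: byovd={v.is_byovd} complexity={v.complexity}")
        for stage, evidence in v.stages.items():
            print(f"  {stage}: {'; '.join(evidence)}")
```

Note that dropping and loading alone are not a verdict: the benign trace also writes and loads a `.sys` file. What separates the two traces is the driver-side evidence, a kernel call that user mode could never make on its own, which is exactly the part a user-space-only sandbox never sees.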

Two Large Datasets, One Goal: Mapping BYOVD Abuse

A cornerstone of our work was the construction of two complementary datasets:

Known Vulnerable Drivers (KVD): a curated collection of 917 signed 64-bit drivers already known to be exploitable, sourced from the LOLDrivers project and Microsoft’s official Vulnerable Driver Blocklist. These served as a control group to validate our detection framework and to benchmark its behavior on drivers whose exploitability is already established.

Potentially Vulnerable Drivers (PVD): a much larger dataset of 5,589 signed 64-bit drivers that were not previously reported as vulnerable. We built this dataset by mining VirusTotal for drivers importing risky kernel APIs, namely functions that can be misused to kill protected processes (e.g., ZwTerminateProcess), alter kernel or physical memory (e.g., MmMapIoSpace, MmMapLockedPagesSpecifyCache), or execute arbitrary code.

We then collected over 8,700 malware samples (the “execution parents”, i.e., the files observed dropping or loading a given driver) that dropped or interacted with these drivers in the wild, and dynamically analyzed how they behaved inside our sandbox.

What We Found

The results were striking. Our sandbox flagged suspicious behaviors in 48 distinct drivers, several of which had never been associated with BYOVD abuse. Manual investigation confirmed that seven of them are currently operational and weaponized in the wild, yet none of the seven had previously been reported as a BYOVD driver.

We followed responsible disclosure guidelines with Microsoft and the corresponding vendors, and we submitted the drivers to the LOLDrivers project. One of them has since been assigned CVE-2024-26506.

One of them is a legacy Microsoft-signed driver that is used to disable Code Integrity protections and then load unsigned kernel code. Another appears to have been built specifically to terminate protected processes, but we do not have sufficient context to claim that it was developed for malicious use.

By uncovering these previously unknown attack vectors, our study shows that legitimate drivers continue to enable stealthy, kernel-level compromise, and that behavior-based dynamic analysis is a practical way to detect them.
