Bypass Record

BYOVD (Vulnerable Driver) × Microsoft Windows 10

A publicly reported instance of the BYOVD (Vulnerable Driver) technique bypassing kernel code-integrity defenses on Microsoft Windows 10, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Windows 10
Technique
BYOVD (Vulnerable Driver)
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
poc
Disclosed
2025-11-07
Config / version noted
Not stated

Provenance

Reported as

bypass Driver Signature Enforcement (DSE) on Windows 10 and 11 by surgically patching SeCiCallbacks in the kernel

Mechanism

The tool patches the SeCiCallbacks array in ntoskrnl.exe, the table of function pointers through which the kernel hands image-signature validation to CI.dll; with those entries neutralized, Driver Signature Enforcement no longer rejects unsigned drivers. It offers two paths. A boot-time native application (BootBypass) first patches the SYSTEM registry hive to disable HVCI, then patches the kernel callbacks before Win32 initialization. A runtime GUI loader (drvloader) performs the same patching on an already running system. The boot method uses a chunked rolling scan of the hive to locate and modify the HVCI 'Enabled' value, then resolves SeCiCallbacks and ZwFlushInstructionCache from ntoskrnl.exe to apply the patch and flush the instruction cache afterwards. HVCI has to go first because, with it on, executable kernel pages are validated by the secure kernel (VTL1), which a patch to the VTL0 callback table cannot reach; the hive edit removes that barrier at the next boot.

Detection & mitigation

Monitor for unexpected modifications to the SYSTEM registry hive, especially the HVCI setting at HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled, and use kernel-level telemetry (ETW registry and driver-load events, Code Integrity operational log entries for unsigned or unverifiable kernel modules) to catch patching of SeCiCallbacks or the load of an unsigned driver. Mitigate by enforcing Secure Boot, HVCI and WDAC policies so unauthorized kernel code modification is blocked.

Practitioner notes beyond the source: the boot-time path writes the hive before the OS registry provider is active, so runtime registry telemetry will not see that write; compare the on-disk Enabled value with the HVCI state the hypervisor actually reports (Win32_DeviceGuard, SecurityServicesRunning) and treat "configured but not running" as a finding. Enabling HVCI with the UEFI lock (the Locked value under the same key) means a registry flip alone no longer disables it at the next boot. A native application that runs before Win32 initialization has to be registered to do so (BootExecute under Session Manager is the usual place), so that value belongs in the host baseline.
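The following PowerShell script is an added example, written for this record and not taken from the cited source or from the tool it describes. It checks a Windows host for the artifacts the Mechanism and Detection sections describe: HVCI intent in the registry versus HVCI actually running, the UEFI lock, Secure Boot, non-default BootExecute entries, Code Integrity events for unsigned kernel modules, and Sysmon driver-load and registry events. The event IDs (Code Integrity 3001/3004/3033, Sysmon 6 and 13) and the BootExecute check are assumptions of this example, standard for those logs but not stated by the source; the Sysmon checks only return results where Sysmon is installed. Run it elevated.

```powershell
# Added example (editor's own, not from the cited source): host checks for
# a DSE bypass that disables HVCI via the hive and patches SeCiCallbacks.
# Assumptions: standard CI/Sysmon event IDs; BootExecute as the usual
# registration point for a pre-Win32 native application.
function Invoke-DseBypassCheck {
    [CmdletBinding()] param([int]$LookbackDays = 7)
    $findings = [System.Collections.Generic.List[string]]::new()
    $since = (Get-Date).AddDays(-$LookbackDays)

    # 1. HVCI: registry intent vs. what the hypervisor reports as running.
    $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $hvciReg = Get-ItemProperty -Path $hvciKey -ErrorAction SilentlyContinue
    $enabled = if ($hvciReg) { [int]$hvciReg.Enabled } else { 0 }
    $locked  = if ($hvciReg) { [int]$hvciReg.Locked }  else { 0 }
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # SecurityServicesRunning contains 2 when HVCI is running (1 = Credential Guard).
    $hvciRunning = @($dg.SecurityServicesRunning) -contains 2
    if (-not $hvciRunning) {
        $findings.Add("HVCI not running (registry Enabled=$enabled, Locked=$locked).")
    }
    if ($enabled -eq 1 -and -not $hvciRunning) {
        # Exactly the state a boot-time hive patch followed by a reboot leaves behind
        # when the hive was later restored, or when HVCI was downgraded out of band.
        $findings.Add('Registry requests HVCI but it is not running: possible hive tampering.')
    }
    if ($hvciRunning -and $locked -ne 1) {
        $findings.Add('HVCI is not UEFI-locked; one registry write plus reboot can disable it.')
    }

    # 2. Secure Boot state (throws on legacy BIOS systems).
    try { if (-not (Confirm-SecureBootUEFI)) { $findings.Add('Secure Boot is off.') } }
    catch { $findings.Add("Secure Boot state unavailable: $($_.Exception.Message)") }

    # 3. Native applications registered to run before Win32 (assumption: BootExecute).
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    foreach ($entry in @($sm.BootExecute)) {
        if ($entry -and $entry -notmatch '^autocheck autochk') {
            $findings.Add("Non-default BootExecute entry: $entry")
        }
    }

    # 4. Code Integrity log: unsigned or unverifiable kernel modules.
    $ci = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3001, 3004, 3033; StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in $ci) {
        $findings.Add("CI event $($e.Id) at $($e.TimeCreated): $($e.Message.Split("`n")[0])")
    }

    # 5. Sysmon Event 6 (driver loaded) with Signed=false.
    $drv = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in $drv) {
        $x = [xml]$e.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.Signed -eq 'false') { $findings.Add("Unsigned driver loaded: $($d.ImageLoaded)") }
    }

    # 6. Sysmon Event 13 (registry value set) touching the HVCI key at runtime.
    #    The boot-time hive patch happens before Sysmon runs, so this only
    #    catches the runtime loader path; check 1 covers the boot path.
    $reg = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13; StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in $reg) {
        if ($e.Message -match 'HypervisorEnforcedCodeIntegrity') {
            $findings.Add("Runtime write to HVCI key: $($e.Message.Split("`n")[0])")
        }
    }

    if ($findings.Count -eq 0) { return 'No findings.' }
    return $findings
}

Invoke-DseBypassCheck
```

The decisive check is the first one: runtime telemetry cannot see a hive edited before the registry provider was up, but the hypervisor's own report of which security services are running is not something a VTL0 patch can forge, so an Enabled=1 setting with HVCI not running (or an unexpected Enabled=0 against a baseline of 1) is the durable artifact of the boot-time path.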


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source except where marked otherwise. Where the source is silent, fields are omitted.