Bypass Record

BYOVD (Vulnerable Driver) × EasyAntiCheat

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing EasyAntiCheat, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: EasyAntiCheat
Technique: BYOVD (Vulnerable Driver)
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2023-11-05
Config / version noted: Not stated

Provenance

Reported as

bypasses EasyAntiCheat's kernel-mode integrity checks by patching both the live driver and its hidden copy in memory

Mechanism

EasyAntiCheat compares sections of its kernel driver against a copy stored in a pool. The bypass locates the pool via ZwQuerySystemInformation with SystemBigPoolInformation, then patches both the original and the copy to disable integrity checks, allowing arbitrary code modification without detection.

Detection & mitigation

Monitor for loading of vulnerable or unsigned kernel drivers using Sysmon Event ID 6 (driver loaded) and Windows System log Event ID 7045 (a new service was installed, which covers kernel-mode driver services). Enforce driver blocklist policies (e.g., Windows Defender Application Control) to prevent known vulnerable drivers from loading.

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.