Bypass Record

BYOVD (Vulnerable Driver) × Microsoft Windows HVCI (Hypervisor-protected Code Integrity)

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing Microsoft Windows HVCI (Hypervisor-protected Code Integrity), recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Windows HVCI (Hypervisor-protected Code Integrity)
Technique
BYOVD (Vulnerable Driver)
MITRE ATT&CK
T1562.001
Confidence
High
Severity
Critical
Status
poc
Disclosed
2026-02-10
Config / version noted
Yes

Provenance

Reported as

BusterCall is a proof-of-concept tool demonstrating a technique to bypass Windows Hypervisor-protected Code Integrity (HVCI)

Mechanism

Using the kernel read/write primitive the vulnerable driver provides, the attack selects a read-only kernel page it wants to alter (for example the page holding the SSDT) and a writable donor page (for example one from a loaded driver's .data section). It copies the target page's contents into the donor's physical page, modifies that copy (for example by altering a syscall table entry), and then rewrites the page frame number (PFN) in the target virtual address's page table entry so that the address now resolves to the donor's physical page. The protection bits in that PTE are left untouched and still read-only; since, as reported, HVCI's check looks only at those PTE attributes, the kernel uses the modified contents (for the SSDT example, the altered syscall entry is dispatched) without triggering an HVCI violation.

Detection & mitigation

Monitor kernel driver loads for vulnerable or unsigned drivers using Sysmon Event ID 6 (Driver loaded) and System log Event ID 7045 (a new service, including a kernel driver service, installed). Enforce a driver blocklist policy (e.g., via WDAC) and enable HVCI with Secure Boot to prevent unauthorized kernel code modification. Note that HVCI is the control this record shows being bypassed; blocking the vulnerable driver removes the attack's prerequisite, so the blocklist is the control that directly breaks the technique.
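As an added illustration of the detection note above (example code written for this record, not BusterCall's or the cited source's): a Python triage of the two event types named, Sysmon Event ID 6 and System log Event ID 7045, run over constructed sample events. The blocklist hash, driver file names and paths are placeholders; the event field names (ImageLoaded, Hashes, Signed, SignatureStatus, ServiceName, ImagePath, ServiceType) are the real ones these events carry.

```python
"""Triage Windows driver-load telemetry for BYOVD indicators.

Covers Sysmon Event ID 6 (Driver loaded) and System log Event ID 7045 (service
installed). Sample events are constructed for this example, not captured logs.
"""
import re
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Hypothetical organisation blocklist keyed by SHA256. The key is a placeholder
# constructed for this example; it is not the hash of any real driver.
BLOCKED_SHA256 = {"deadbeef" * 8: "example-vulnerable.sys"}

# Where kernel drivers are normally loaded from. A driver staged anywhere else
# (user profile, temp directory) is a common BYOVD sign and worth a look.
STANDARD_DRIVER_PATH = re.compile(
    r"^(?:\\\?\?\\)?(?:\\systemroot\\|[a-z]:\\windows\\)?system32\\drivers\\",
    re.IGNORECASE,
)


def _event_data(root):
    """Flatten <EventData><Data Name=...>text</Data> into a dict."""
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVT_NS)}


def _parse_hashes(field):
    """Parse Sysmon's 'SHA256=...,IMPHASH=...' Hashes field into {algo: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def triage_event(xml_text):
    """Return (reason, detail) findings for one event; empty list if nothing stands out."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", default="", namespaces=EVT_NS)
    data = _event_data(root)
    findings = []
    if event_id == "6":  # Sysmon: a driver image was loaded into the kernel
        image = data.get("ImageLoaded", "")
        sha256 = _parse_hashes(data.get("Hashes", "")).get("SHA256")
        if sha256 in BLOCKED_SHA256:
            findings.append(("blocklisted driver hash", f"{image} ({BLOCKED_SHA256[sha256]})"))
        if data.get("Signed", "").lower() != "true" or data.get("SignatureStatus") != "Valid":
            findings.append(("driver not validly signed", image))
        if not STANDARD_DRIVER_PATH.match(image):
            findings.append(("driver loaded from outside System32\\drivers", image))
    elif event_id == "7045":  # Service Control Manager: a new service was installed
        if data.get("ServiceType", "").lower() == "kernel mode driver":
            path = data.get("ImagePath", "")
            if not STANDARD_DRIVER_PATH.match(path):
                findings.append(("kernel driver service with non-standard image path",
                                 f"{data.get('ServiceName', '')}: {path}"))
    return findings


def triage_all(events):
    """Map the index of each event that produced findings to those findings."""
    results = {}
    for i, xml_text in enumerate(events):
        findings = triage_event(xml_text)
        if findings:
            results[i] = findings
    return results


# Constructed sample events. 0: benign Sysmon load. 1: blocklisted but validly
# signed driver loaded from a user directory. 2: the SCM install for that same
# driver. 3: benign kernel driver service install.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6</EventID></System><EventData>
    <Data Name="ImageLoaded">C:\Windows\System32\drivers\example-storage.sys</Data>
    <Data Name="Hashes">SHA256=0011223300112233001122330011223300112233001122330011223300112233</Data>
    <Data Name="Signed">true</Data><Data Name="SignatureStatus">Valid</Data>
  </EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6</EventID></System><EventData>
    <Data Name="ImageLoaded">C:\Users\Public\tmp\example-vulnerable.sys</Data>
    <Data Name="Hashes">SHA256=deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef</Data>
    <Data Name="Signed">true</Data><Data Name="SignatureStatus">Valid</Data>
  </EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID Qualifiers="16384">7045</EventID></System><EventData>
    <Data Name="ServiceName">exvuln</Data>
    <Data Name="ImagePath">\??\C:\Users\Public\tmp\example-vulnerable.sys</Data>
    <Data Name="ServiceType">kernel mode driver</Data>
    <Data Name="StartType">demand start</Data>
  </EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID Qualifiers="16384">7045</EventID></System><EventData>
    <Data Name="ServiceName">exstor</Data>
    <Data Name="ImagePath">\SystemRoot\System32\drivers\example-storage.sys</Data>
    <Data Name="ServiceType">kernel mode driver</Data>
    <Data Name="StartType">boot start</Data>
  </EventData></Event>""",
]

if __name__ == "__main__":
    for idx, found in triage_all(SAMPLE_EVENTS).items():
        for reason, detail in found:
            print(f"event {idx}: {reason}: {detail}")
```

The point the sample makes: the driver in events 1 and 2 is validly signed, as drivers used for BYOVD normally are, so the signature check alone never fires on it; the hash blocklist and the load-path heuristic are what surface it. The path heuristic needs tuning for environments that legitimately load drivers from the DriverStore or vendor directories.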


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.