Bypass Record
BYOVD (Vulnerable Driver) × Baidu BdApiUtil64.sys driver
A publicly reported instance of BYOVD (Bring Your Own Vulnerable Driver) abusing the signed Baidu BdApiUtil64.sys driver to bypass security controls, recorded with its original source. Factual record; no assessment of any specific deployment.
Reported as
Attackers drop the signed Baidu driver and create a service to load it, gaining Ring-0 privileges. The driver exposes IOCTL interfaces that allow user-mode malware to terminate processes (including security products).
Mechanism
Attackers drop the signed Baidu driver and create a service to load it, gaining Ring-0 privileges. The driver exposes IOCTL interfaces that allow user-mode malware to terminate processes (including security products), access protected memory, and manipulate system configurations, defeating all user-mode security controls.
Detection & mitigation
Monitor for driver load events (Event ID 6 in Microsoft-Windows-Sysmon/Operational) for known vulnerable drivers like BdApiUtil64.sys (hash 47ec51b5f0ede1e70bd66f3f0152f9eb536d534565dbb7fcc3a05f542dbe4428). Deploy Windows Defender Application Control (WDAC) or the Microsoft Vulnerable Driver Blocklist to prevent loading. Hunt for service creation events (Event ID 7045) with service name 'Bprotect' or driver path pointing to suspicious locations.
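The detection notes above describe two hunts: driver-load events (Sysmon Event ID 6) carrying the listed BdApiUtil64.sys SHA-256, and service-install events (Event ID 7045) whose name is 'Bprotect' or whose binary sits in an unusual location. The script below is an added worked example, not code from the record or its cited source. It runs the two checks over constructed event records that mimic a flattened export of those logs; the field names (Channel, EventID, ImageLoaded, Hashes, ServiceName, ImagePath, ServiceType), the sample hashes other than the one quoted in the record, and the "outside the normal drivers directory" heuristic are assumptions made for the example.

```python
"""Added example: hunt over flattened Windows event records for the BYOVD
indicators listed in the record (vulnerable-driver SHA-256 on Sysmon EID 6,
'Bprotect' service or unusual driver path on System EID 7045).
Field names and the drivers-directory heuristic are assumptions, not
details taken from the cited source."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# SHA-256 quoted in the record for BdApiUtil64.sys
KNOWN_VULNERABLE_SHA256 = {
    "47ec51b5f0ede1e70bd66f3f0152f9eb536d534565dbb7fcc3a05f542dbe4428": "BdApiUtil64.sys",
}
SUSPICIOUS_SERVICE_NAMES = {"bprotect"}
# Assumption for the example: legitimately installed drivers normally live here.
EXPECTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class Alert:
    rule: str
    detail: str


def parse_hashes(field: str) -> Dict[str, str]:
    """Sysmon's 'Hashes' field is 'SHA256=...,MD5=...'; return {ALGO: lowercase hex}."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def normalize_path(path: str) -> str:
    """Fold the NT-style prefixes seen in service ImagePath values into a plain
    lowercase Win32 path so the directory check compares like with like."""
    p = path.strip().strip('"').lower()
    for prefix, replacement in (
        ("\\??\\", ""),
        ("\\systemroot\\", "c:\\windows\\"),
        ("system32\\", "c:\\windows\\system32\\"),
    ):
        if p.startswith(prefix):
            p = replacement + p[len(prefix):]
            break
    return p


def check_event(ev: dict) -> List[Alert]:
    """Apply the record's detection ideas to one flattened event."""
    alerts: List[Alert] = []
    channel, eid = ev.get("Channel"), ev.get("EventID")

    if channel == "Microsoft-Windows-Sysmon/Operational" and eid == 6:
        sha = parse_hashes(ev.get("Hashes", "")).get("SHA256")
        image = ev.get("ImageLoaded", "")
        if sha in KNOWN_VULNERABLE_SHA256:
            alerts.append(Alert("vulnerable_driver_loaded",
                                f"{image} matches known {KNOWN_VULNERABLE_SHA256[sha]}"))
        path = normalize_path(image)
        if path and not path.startswith(EXPECTED_DRIVER_DIR):
            alerts.append(Alert("driver_outside_drivers_dir", path))

    elif channel == "System" and eid == 7045:
        name = ev.get("ServiceName", "").lower()
        path = normalize_path(ev.get("ImagePath", ""))
        if name in SUSPICIOUS_SERVICE_NAMES:
            alerts.append(Alert("suspicious_service_name", name))
        if ev.get("ServiceType", "").lower() == "kernel mode driver" \
                and not path.startswith(EXPECTED_DRIVER_DIR):
            alerts.append(Alert("driver_service_outside_drivers_dir", path))
    return alerts


def hunt(events: List[dict]) -> List[Tuple[int, Alert]]:
    """Return (RecordId, Alert) pairs for every event that trips a rule."""
    return [(ev["RecordId"], a) for ev in events for a in check_event(ev)]


# Constructed sample records (not real telemetry). The benign hash in record 1
# and the IMPHASH values are placeholders; only the SHA-256 in record 3 is from
# the page.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 6,
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"},
    {"RecordId": 2, "Channel": "System", "EventID": 7045, "ServiceName": "Bprotect",
     "ServiceType": "kernel mode driver",
     "ImagePath": "\\??\\C:\\Users\\Public\\BdApiUtil64.sys"},
    {"RecordId": 3, "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 6,
     "ImageLoaded": "C:\\Users\\Public\\BdApiUtil64.sys",
     "Hashes": "SHA256=47ec51b5f0ede1e70bd66f3f0152f9eb536d534565dbb7fcc3a05f542dbe4428,"
               "IMPHASH=00000000000000000000000000000000"},
]

if __name__ == "__main__":
    for record_id, alert in hunt(SAMPLE_EVENTS):
        print(f"record {record_id}: {alert.rule}: {alert.detail}")
```

On the constructed sample, record 1 (a normal ntfs.sys load) produces nothing, record 2 trips both the service-name and the path rule, and record 3 trips the hash match and the path rule. In a real deployment the hash set should be driven from the Microsoft Vulnerable Driver Blocklist rather than a single literal, and the hash match is the reliable signal; the directory heuristic is only a hunting aid, since a vulnerable driver can equally well be dropped into the drivers directory.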
This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.