Lazarus & BYOVD: Evil to the Windows core.
28 - 30 September, 2022 / Prague, Czech Republic
LAZARUS & BYOVD: EVIL TO THE
WINDOWS CORE
Peter Kálnai & Matěj Havránek
ESET, Czech Republic
[email protected]
[email protected]
www.virusbulletin.com
LAZARUS & BYOVD: EVIL TO THE WINDOWS CORE KÁLNAI & HAVRÁNEK
ABSTRACT
As defined by the Microsoft Security Servicing Criteria for Windows, the administrator-to-kernel transition is not a security boundary. Nevertheless, it is an advantage to have the ability to modify kernel memory, especially if an attacker can achieve that from user space. The Bring Your Own Vulnerable Driver (BYOVD) technique is a viable option for doing so: the attackers carry and load a specific kernel driver with a valid signature, thus overcoming the driver signature enforcement policy (DSE). Moreover, this driver contains a vulnerability that gives the attacker an arbitrary kernel write primitive. In such cases, the Windows API ceases to be a restriction, and an adversary can tamper with the most privileged areas of the operating system at will.
To complete this mission successfully, one must …
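The abstract describes the attacker side of BYOVD: a validly signed but vulnerable driver is dropped and loaded. The defender-side counterpart is to recognise such a driver when it lands on disk or is loaded. The following is an added example, not code from the paper or from ESET: it hashes driver files and driver-load telemetry records and matches them against the two SHA-256 hashes from the paper's IoC section. The record format, file paths and the benign hash below are constructed for the example; the field names ImageLoaded and Hashes follow the layout of Sysmon Event ID 6 (DriverLoad), and records without a SHA-256 value are skipped rather than treated as errors.

```python
# Added example (not from the paper): hash-based detection of the vulnerable
# driver samples listed in the IoC section, applied to files and driver-load records.
import hashlib
import re
from pathlib import Path

# The two SHA-256 hashes from the paper's IoC list.
KNOWN_BAD_SHA256 = {
    "0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5",
    "97C78020EEDFCD5611872AD7C57F812B069529E96107B9A33B4DA7BC967BF38F",
}

# Sysmon Event ID 6 (DriverLoad) records carry an "ImageLoaded" path and a
# "Hashes" field containing e.g. "SHA256=<hex>"; these regexes extract both.
IMAGE_RE = re.compile(r"^ImageLoaded:\s*(.+?)\s*$", re.MULTILINE)
SHA256_RE = re.compile(r"SHA256=([0-9A-Fa-f]{64})")


def sha256_hex(data: bytes) -> str:
    """Upper-case hex SHA-256, matching the case used in the IoC list."""
    return hashlib.sha256(data).hexdigest().upper()


def is_known_bad(hexdigest: str) -> bool:
    """Case-insensitive membership test against the IoC set."""
    return hexdigest.upper() in KNOWN_BAD_SHA256


def scan_driver_files(root: str) -> list[tuple[str, str]]:
    """Hash every *.sys file under root; return (path, sha256) for IoC matches."""
    hits = []
    for path in Path(root).rglob("*.sys"):
        try:
            digest = sha256_hex(path.read_bytes())
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        if is_known_bad(digest):
            hits.append((str(path), digest))
    return hits


def find_bad_driver_loads(records: list[str]) -> list[tuple[str, str]]:
    """Return (ImageLoaded, sha256) for each driver-load record whose hash is an IoC.

    A record without a SHA256 value (e.g. a sensor configured for MD5 only)
    is ignored instead of raising, so one odd event cannot stop triage.
    """
    hits = []
    for rec in records:
        hash_m = SHA256_RE.search(rec)
        if not hash_m or not is_known_bad(hash_m.group(1)):
            continue
        image_m = IMAGE_RE.search(rec)
        image = image_m.group(1) if image_m else "<unknown>"
        hits.append((image, hash_m.group(1).upper()))
    return hits


# Constructed sample records in the style of Sysmon Event ID 6; the paths and
# the benign hash ("A" * 64) are made up for this example.
SAMPLE_RECORDS = [
    "Driver loaded:\nUtcTime: 2022-09-28 09:00:00.000\n"
    "ImageLoaded: C:\\Windows\\System32\\drivers\\benign_example.sys\n"
    "Hashes: SHA256=" + "A" * 64 + "\nSigned: true",
    "Driver loaded:\nUtcTime: 2022-09-28 09:05:00.000\n"
    "ImageLoaded: C:\\Users\\Public\\example_dropped.sys\n"
    "Hashes: SHA256=97c78020eedfcd5611872ad7c57f812b069529e96107b9a33b4da7bc967bf38f\n"
    "Signed: true",
    "Driver loaded:\nUtcTime: 2022-09-28 09:06:00.000\n"
    "ImageLoaded: C:\\Windows\\System32\\drivers\\md5only_example.sys\n"
    "Hashes: MD5=" + "B" * 32 + "\nSigned: true",
]

if __name__ == "__main__":
    for image, digest in find_bad_driver_loads(SAMPLE_RECORDS):
        print(f"ALERT: known vulnerable driver loaded: {image} ({digest})")
```

Hash matching only catches the exact samples named in the IoC list; a recompiled or differently signed build of the same driver will not match, so in practice this check complements, rather than replaces, a maintained vulnerable-driver blocklist and monitoring of driver loads from unusual paths.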
IoC
0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5
97C78020EEDFCD5611872AD7C57F812B069529E96107B9A33B4DA7BC967BF38F