今日已更新 166 条资讯 | 累计 20138 条内容
关于我们

BYOVD Explained — How Attackers Use Signed Drivers to Kill EDRs

nimesh nakum 2026年06月09日 11:21 3 次阅读 来源:Dev.to

Your EDR sees everything. Process launches, thread injections, DLL loads, filesystem writes. It has eyes inside the kernel — little hooks that fire before anything consequential happens, passing information up to the agent, letting it decide whether to block or alert. Now imagine something reaches into that kernel and quietly removes the hooks. No crash. No blue screen. No alert. The EDR process is still running, the dashboard still shows healthy, but the inputs it depends on are just gone. This is part of windows internals I've been exploring — understanding how systems actually behave under the hood, not just how tools interact with them. That's not a Windows bug. That's a trust problem. BYOVD doesn't exploit Windows — it exploits trust. Ring 0 vs Ring 3 — The Boundary That Matters Windows splits execution into privilege levels. Your applications, your malware, your EDR agent — they all run in Ring 3, user mode. The kernel runs in Ring 0. In my previous posts, I focused on how processes and execution work from an attacker's perspective. This goes one layer deeper — into the kernel where those assumptions start to break. This isn't just organizational. The CPU enforces it. Ring 3 code cannot directly read kernel memory. It cannot call kernel functions. Every interaction goes through a controlled interface — syscalls — and the kernel decides whether to honor each request. This is why typical malware stays loud. It has to use syscalls. Syscalls can be intercepted and monitored. At Ring 0, security tools are just data structures. Get code running in the kernel and those data structures become writable. The callback tables EDRs rely on, the hook registrations, the minifilter stack — all of it is reachable, readable, modifiable. A Quick Personal Note on Why This Boundary Matters Early on when I was messing around with kernel concepts, I tried doing something simple from user mode — reading a memory address that I knew belonged to a kernel structure. The kind of thing th

本文内容来源于互联网,版权归原作者所有
查看原文