Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 04. Windows / 02. Privilege Escalation / Kernel Exploitation

Vulnerable Drivers

Vulnerable kernel drivers can expose dangerous functionality to low-privileged users.

This is commonly seen in BYOVD attacks, where an attacker brings or abuses a signed vulnerable driver to interact with the kernel.

Depending on the driver, exposed functionality may include:

  • Arbitrary read/write
  • Process termination
  • Memory manipulation
  • Security product tampering
  • Kernel callback removal
  • Driver loading abuse

Enumeration

List drivers:

driverquery /v

List driver services:

sc query type= driver

List driver packages:

pnputil /enum-drivers

Inspect suspicious driver paths:

icacls "C:\Path\To\driver.sys"

Check driver signatures:

Get-AuthenticodeSignature "C:\Path\To\driver.sys"

Interesting findings include:

  • Known vulnerable drivers
  • Old vendor drivers
  • Signed drivers with public exploit history
  • Drivers loaded from non-standard paths
  • Writable driver directories
  • Security tooling drivers
  • Hardware management drivers
  • Anti-cheat or monitoring drivers

Exploit

  1. Identify the driver
  2. Extract the filename, path, hash, signer, and version
  3. Compare it against known vulnerable driver databases
  4. Confirm whether the driver is loaded
  5. Confirm what primitive the driver exposes
  6. Use only an exploit matching the exact driver and version

Useful driver metadata includes:

Get-Item "C:\Path\To\driver.sys" | Select-Object Name, Length, FullName
Get-AuthenticodeSignature "C:\Path\To\driver.sys"

Hash the driver:

Get-FileHash "C:\Path\To\driver.sys" -Algorithm SHA256

The hash is often more reliable than the filename.

Filenames can be renamed. Hashes are harder to fake accidentally.

Once a vulnerable driver is confirmed, the next step depends entirely on the exposed primitive. Some drivers allow process termination. Others expose arbitrary kernel memory access. Others are useful only in very specific chains.

Do not treat all vulnerable drivers as interchangeable.