BYOVD and LSASS Dumping in the Era of Modern EDR
⚔️ Attack Techniques & Methods
The author examines the BYOVD (Bring Your Own Vulnerable Driver) technique as a way to bypass modern Windows protections and EDR solutions. The article demonstrates how a signed but vulnerable driver (e.g., PDFWKRNL.sys) exposes kernel operations through insecure IOCTL interfaces, effectively handing the attacker primitives for kernel-level memory manipulation.

The exploitation is structured as a chain of techniques: loading the vulnerable driver, obtaining a kernel-level primitive, disabling LSASS protection, and finally dumping LSASS memory. To evade EDR, additional stealth methods are layered on top: cloning the process with NtCreateProcessEx instead of opening a handle to LSASS directly, using a MiniDumpWriteDump callback so the dump is produced only in memory, and XOR-obfuscating the data before it is written to disk.
Published
2026-06-08, 09:15