BYOVD technique for obtaining Ring 0 privileges on Windows

Security researcher Rossario Matteo Grammatico (zer0matt) presented at Milan0day 2026 a practical use case of the BYOVD (Bring Your Own Vulnerable Driver) technique for invoking arbitrary Windows kernel functions with Ring 0 privileges.
At the core of the technique is the signed driver ThrottleStop.sys (CVE-2025-7771). The driver calls MmMapIoSpace without validating the caller-supplied addresses, so any Ring 3 (user-mode) process can access physical memory, including the memory backing the kernel.
💣 What the PoC does:
🎯 Locates the virtual address of the NtAddAtom function in the kernel; this system call is reachable from user mode through its stub in ntdll.dll
🎯 Translates that virtual address to a physical address
🎯 Uses IOCTL 0x8000649C to overwrite the first instructions of NtAddAtom with shellcode
Vulnerabilities: CVE-2025-7771 (8.7)
Researchers: Anderson Leite, Ashley Muñoz, Cristian Souza, Eduardo Ovalle, Francesco Figurelli
Products: ntdll.dll, ThrottleStop.sys, Windows
Published: 2026-06-15, 11:24