Cristian Souza

Researcher from Kaspersky
Rank #30289 of 53,633
8.7 Total CVSS
Vulnerabilities · 1

PT-2025-32145 · CVSS 8.7 · 2025-08-06
Unknown · ThrottleStop.sys · CVE-2025-7771
**Name of the Vulnerable Software and Affected Versions**

ThrottleStop.sys version 3.0.0.0
ThrottleStop.sys (affected versions not specified)

**Description**

The ThrottleStop.sys driver contains an insecure implementation of the `MmMapIoSpace()` function, exposing two IOCTL interfaces that allow arbitrary read and write access to physical memory. A local user-mode application can use this to patch the running Windows kernel and invoke arbitrary kernel functions with ring-0 privileges (the highest privilege level in the Windows architecture). Attackers can thereby execute arbitrary code in the kernel context, leading to privilege escalation and the ability to bypass kernel-level protections or disable security software.

Real-world exploitation has been observed in BYOVD (Bring Your Own Vulnerable Driver) attacks. Malware known as AV Killer and the Gentlemen ransomware have used this issue to terminate antivirus and EDR processes, including Windows Defender, CrowdStrike, and BitDefender, in order to facilitate the deployment of MedusaLocker ransomware. These attacks have specifically targeted organizations in Russia, Belarus, Ukraine, Kazakhstan, and Brazil.

Technical details include the use of IOCTL `0x8000649C` to overwrite kernel instructions, such as those in the `NtAddAtom()` function, with shellcode. The malware may also use the `NtQuerySystemInformation()` function to identify active security processes.

**Recommendations**

Update ThrottleStop.sys to the latest security update provided by TechPowerUp. Disable public RDP access. Implement multi-factor authentication (MFA). Apply strict access controls and network segmentation.
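A defender-side check for the BYOVD pattern described above, added here as an example and not part of the advisory or of any vendor tooling: it scans flattened Sysmon DriverLoad (Event ID 6) records for a load of ThrottleStop.sys and rates a load from outside the expected install directory higher, since BYOVD abuse typically drops the signed driver somewhere else. The sample records, the field layout and the expected-directory list are constructed assumptions.

```python
import re
from typing import Iterable

# Constructed sample of Sysmon Event ID 6 (DriverLoad) records flattened to
# one key=value line each. Paths and signer strings are made up for the example.
SAMPLE_EVENTS = [
    'EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys Signed=true Signature="Microsoft Windows"',
    'EventID=6 ImageLoaded=C:\\Users\\Public\\ThrottleStop.sys Signed=true Signature=TechPowerUp',
    'EventID=6 ImageLoaded="C:\\Program Files\\ThrottleStop\\throttlestop.sys" Signed=true Signature=TechPowerUp',
    'EventID=7 ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true Signature="Microsoft Windows"',
]

# Driver file name tied to CVE-2025-7771 in the advisory. Matching is case-insensitive
# on the basename only, so a copy staged in another folder is still caught.
VULNERABLE_DRIVER_NAMES = {"throttlestop.sys"}

# Where a legitimate ThrottleStop install would be expected to load its driver from.
# This is an assumption made for the example, not something the advisory states.
EXPECTED_DIRS = ("c:\\program files\\throttlestop\\",)

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Turn one flattened key=value record into a dict (quoted values are unquoted)."""
    return {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}


def detect_vulnerable_driver_loads(lines: Iterable[str]) -> list:
    """Return one finding per DriverLoad event whose basename is a known-vulnerable driver."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "6":
            continue  # only driver loads matter for BYOVD detection
        path = ev.get("ImageLoaded", "")
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name not in VULNERABLE_DRIVER_NAMES:
            continue
        unusual_dir = not path.lower().startswith(EXPECTED_DIRS)
        # Even an expected-location load is worth a ticket: the driver itself is the bug.
        findings.append({
            "path": path,
            "severity": "high" if unusual_dir else "medium",
            "reason": "vulnerable driver (CVE-2025-7771) loaded"
                      + (" from an unexpected directory" if unusual_dir else ""),
        })
    return findings
```

Signed=true does not lower the score here, because BYOVD relies on the driver's valid vendor signature; the file name and load location are the useful signals in this log source.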