Skip to content

pwnfuzz/byovd-watchdog

BranchesTags

Repository files navigation

🛡️ BYOVD Watchdog

Real-time analysis of LOLDrivers against Microsoft's HVCI blocklist. This tool is the updated version of BYOVDFinder. It automatically monitors drivers from loldrivers.io that are not blocked by the current HVCI (Hypervisor Code Integrity) blocklist on your system. This is particularly useful for identifying BYOVD (Bring Your Own Vulnerable Driver) attack paths, where vulnerable drivers are allowed to load despite HVCI being enabled.

🔗 Live Demo: byovd-watchdog.pwnfuzz.com
📦 Repository: BYOVD Watchdog

What It Does

  • Periodically fetches Microsoft's latest HVCI blocklist (SiPolicy_Enforced.xml)
  • Parses and converts it to a JSON format using byovd.py
  • Compares** the parsed blocklist with the known LOLDrivers list from loldrivers.io using compare_hvci.py
  • Generates a changelog to track newly blocked or unblocked drivers
  • Feeds data into a web frontend that displays live results and historical changes

How It Works

1. byovd.py

  • Takes an HVCI blocklist XML file (SiPolicy_Enforced.xml) as input
  • Parses it to extract driver rules
  • Outputs a structured byovd_finder_results_*.json file

2. compare_hvci.py

  • Compares the newly generated byovd_finder_results_*.json with the previous version
  • Identifies changes (newly blocked or removed drivers)
  • Generates:
    • byovd_changelog.json — tracks what's added or removed
    • results_index.json — used by the website frontend

3. GitHub Actions Workflow

  • Automates the entire pipeline:
    • Periodic blocklist download
    • Script execution
    • JSON output generation
    • Auto-pushes changes to the repo
  • The website dynamically fetches the latest results from GitHub

Website Preview

  • View current unblocked LOLDrivers not covered by the HVCI policy
  • Explore historical changelog of added or removed drivers

🔗 byovd-watchdog.pwnfuzz.com

Why This Matters

HVCI is a security feature in Windows that helps protect against attacks like kernel exploits by verifying the integrity of code running at the kernel level. It blocks drivers that are unsigned or known to be malicious by checking them against an internal blocklist. If a driver is not recognized, it will be blocked to prevent possible exploitation. However, according to Microsoft, the list is updated once or twice a year, giving us plenty of time to use drivers that haven't yet been blocked.

Author

Nikhil John Thomas (@ghostbyt3)

Acknowledgments

  • Robin (@D4mianWayne) - Contributor
  • loldrivers.io - Driver vulnerability database

License

Apache License 2.0 - See LICENSE file for details

⚠️ Disclaimer: This tool is for research and educational purposes only. Always follow responsible disclosure practices when working with security vulnerabilities.

About

Identifies LOLDrivers that are not blocked by the active HVCI policy — ideal for BYOVD scenarios.

byovd-watchdog.pwnfuzz.com/

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

34 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages