Hackers can weaponize a legitimately signed Lenovo driver to terminate security processes, highlighting a dangerous Bring Your Own Vulnerable Driver (BYOVD) attack vector that can bypass endpoint protection controls.
Security researcher Jehad Abudagga has analyzed a Lenovo driver, BootRepair.sys, originally associated with the Lenovo PC Manager utility, and discovered that it can be abused to kill arbitrary processes at the kernel level.
The driver (SHA-256: 5ab36c116767eaae53a466fbc2dae7cfd608ed77721f65e83312037fbd57c946) is digitally signed by Lenovo and, at the time of analysis, showed no detections on VirusTotal, making it an attractive candidate for stealthy abuse.
Lenovo Driver Kills EDR
Reverse engineering of the driver reveals multiple security weaknesses that enable unprivileged access and process termination capabilities:
- The driver creates a device object named \Device\::BootRepair without applying a secure DACL, allowing low-privileged users to interact with it.
- A symbolic link \DosDevices\BootRepair exposes the device to user-mode applications.
- No access control checks are enforced when handling IRP_MJ_CREATE requests, meaning any user can obtain a handle to the driver.
Further analysis of the IOCTL handler shows that the driver exposes a single control code, 0x222014, which accepts a 4-byte input buffer. This buffer contains a process ID (PID) that is passed to an internal routine that terminates processes.
The underlying function leverages the Windows kernel API ZwTerminateProcess to kill the specified PID, effectively granting any user the ability to terminate arbitrary processes, including protected or security-critical services.

The vulnerabilities enable two primary attack scenarios:
- If the driver is already present on a system, a low-privileged attacker can directly interact with it to terminate antivirus or EDR processes.
- If not present, attackers can deploy the signed driver as part of a BYOVD attack, loading it into the kernel to turn off defenses before executing post-exploitation tools.
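The first scenario hinges on whether the driver is already on the host. The following hunting script is an added example for defenders, not code from the article or from Lenovo: it looks for the driver on disk by name and by the SHA-256 quoted above, and checks whether a kernel driver service referencing BootRepair is registered. The search roots, the output layout and the assumption that an elevated session is used are this script's own.

```powershell
# Added example (not from the article or Lenovo): hunt a Windows host for the
# BootRepair.sys driver, both as a file on disk and as a registered kernel driver.
# Run from an elevated PowerShell session. The only page-sourced value is the
# SHA-256; the search roots below are an assumption about likely locations.

$KnownHash   = '5AB36C116767EAAE53A466FBC2DAE7CFD608ED77721F65E83312037FBD57C946'
$SearchRoots = @("$env:SystemRoot\System32\drivers", "$env:ProgramFiles\Lenovo")  # assumption

# 1. Driver files under the search roots. Compare by hash as well as by name so a
#    renamed copy still matches and a same-named but different file does not.
$onDisk = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            [pscustomobject]@{
                Path      = $_.FullName
                HashMatch = ($hash -eq $KnownHash)
                NameMatch = ($_.Name -ieq 'BootRepair.sys')
                Signer    = (Get-AuthenticodeSignature -LiteralPath $_.FullName).SignerCertificate.Subject
            }
        } | Where-Object { $_.HashMatch -or $_.NameMatch }
}

# 2. Kernel driver services whose name or image path references BootRepair,
#    regardless of where the file itself lives. State shows whether it is running.
$loaded = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match 'BootRepair' -or $_.Name -match 'BootRepair' } |
    Select-Object Name, State, StartMode, PathName

if ($onDisk) { 'Driver file(s) found:';        $onDisk | Format-Table -AutoSize }
if ($loaded) { 'Driver service(s) registered:'; $loaded | Format-Table -AutoSize }
if (-not $onDisk -and -not $loaded) {
    'No trace of BootRepair.sys found in the locations checked.'
}
```

A hit on HashMatch with a path outside a vendor install directory, or a registered service for a driver no Lenovo software on the host needs, is the condition worth escalating; a NameMatch with a different hash should be compared against the vendor's current release before it is dismissed.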
In a proof-of-concept demonstration, the researcher showed that even protected processes, such as CrowdStrike’s Falcon sensor, can be terminated after the driver is loaded.

Once the sensor is disabled, offensive tools such as credential dumpers can be executed without interference.
Researcher Jehad Abudagga said in a report shared with Cyber Security News that the PoC interacts with the driver using standard Windows APIs:
- Opens a handle to \\.\BootRepair.
- Sends a target PID via IOCTL 0x222014.
- The driver terminates the process in kernel mode.
This simple interaction demonstrates how minimal effort is required to weaponize the flaw once the driver is accessible.

Security Implications
This issue underscores the growing threat of BYOVD attacks, in which adversaries exploit trusted, signed drivers to undermine endpoint protections.
Because the driver is legitimately signed and initially undetected, it can evade traditional security controls that rely on signature trust.
Organizations should consider:
- Blocking known vulnerable drivers using Microsoft’s recommended driver blocklist.
- Monitoring for suspicious driver loads and kernel-level behavior.
- Restricting the ability to load unsigned or unapproved drivers.
- Leveraging EDR protections that detect abuse of legitimate drivers.
As attackers continue to abuse trusted components, proactive driver control and behavioral detection remain critical to defending modern endpoints.
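Two of the controls listed above can be verified from an endpoint directly. The script below is an added example for defenders, not code from the article or from any vendor: it reads the registry switch that enables Microsoft's vulnerable driver blocklist, and searches Sysmon driver-load events (Event ID 6) for this driver by image name or by the SHA-256 the article lists. It assumes Sysmon is installed with driver-load logging and SHA256 hashing enabled; the 30-day window is an arbitrary choice.

```powershell
# Added example (not from the article): check two endpoint controls from an
# elevated PowerShell session.
#   a) Is Microsoft's vulnerable driver blocklist switched on?
#   b) Has Sysmon recorded BootRepair.sys being loaded into the kernel?
# Assumes Sysmon with DriverLoad (Event ID 6) logging and SHA256 hashing; the
# event field names follow Sysmon's schema. The hash is the one the article lists.

$KnownHash = '5AB36C116767EAAE53A466FBC2DAE7CFD608ED77721F65E83312037FBD57C946'
$Since     = (Get-Date).AddDays(-30)   # lookback window, an arbitrary choice

# a) Blocklist state. The switch lives under the Code Integrity config key:
#    1 = enabled, 0 = disabled, absent = not explicitly set.
$ciKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciKey -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($blocklist -eq 1) {
    'Vulnerable driver blocklist: enabled'
} elseif ($blocklist -eq 0) {
    'Vulnerable driver blocklist: DISABLED (enable via Windows Security > Core isolation, or set the value to 1)'
} else {
    'Vulnerable driver blocklist: value not set; enable it explicitly to be sure it is enforced'
}

# b) Sysmon driver-load events. Match on the image name or on the SHA256 so a
#    renamed copy is still caught; Sysmon writes hashes as "SHA256=<hex>".
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 6
    StartTime = $Since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.ImageLoaded -match 'BootRepair\.sys$' -or $data.Hashes -match $KnownHash) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            ImageLoaded = $data.ImageLoaded
            Signed      = $data.Signed
            Signature   = $data.Signature
            Hashes      = $data.Hashes
        }
    }
}

if ($hits) { $hits | Sort-Object Time | Format-Table -AutoSize }
else { "No Sysmon driver-load events for BootRepair.sys since $Since (or the Sysmon log is unavailable)." }
```

Because the driver is validly signed, the Signed and Signature fields of a hit will look legitimate; the load event itself, correlated with the process that installed the service and with any security-tool process terminations that follow, is the signal, not the signature status.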