Arbitrary Process Termination in Baidu Antivirus BdApiUtil Driver
CVE-2024-51324 is a vulnerability in the Baidu Antivirus kernel driver BdApiUtil.sys, including Baidu Antivirus v5.2.3.116083, that can be abused in a Bring Your Own Vulnerable Driver (BYOVD) scenario to terminate arbitrary processes from kernel context. Reporting indicates attackers load the signed vulnerable driver and interact with it through a crafted IOCTL request, specifically noted as IOCTL 0x800024b4, to perform kernel-level process termination. In observed intrusions, the flaw was exploited by ransomware operators using a renamed copy of the driver (for example, googleApiUtil64.sys) to kill endpoint security and EDR processes prior to follow-on actions.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a real local BYOVD exploit/research project for CVE-2024-51324 affecting Baidu Antivirus/BdApiUtil64.sys on Windows. The main exploit code is exploit/byovd_killer.py, a Python script using ctypes and standard Windows APIs. It is not part of a common exploit framework. The repository also contains extensive reverse-engineering notes and defensive detections (Sigma and Sysmon).

Primary exploit capability: the script operationalizes the driver's exposed process-kill primitive by opening the user-accessible device \\.\BdApiUtil and sending IOCTL 0x800024B4 with a target PID. The documentation explains that the underlying driver lacks access control on its device object and internally uses PsLookupProcessByProcessId plus ObOpenObjectByPointer(KernelMode), bypassing normal SeAccessCheck logic. As a result, once the vulnerable signed driver has been loaded into the kernel by an administrator, subsequent exploitation can be performed by any local user to terminate arbitrary non-PPL processes. This is suitable for defense evasion, such as killing EDR/AV processes.

The included exploit implements four modes: SCANNER (system/driver/process reconnaissance), LOADER (create/start kernel service for the vulnerable driver), KILLER (terminate by process name or PID, with max-instance and dry-run options), and CLEANUP (stop/delete the service and unload the driver). It verifies the driver by SHA-256 before loading. The exploit explanation states it searches for BdApiUtil64.sys in several local paths including drivers/, current directory, Python executable directory, %TEMP%, C:\Windows\Temp, and C:\Users\Public\Downloads. Although the Python exploit mainly weaponizes process termination, the repository's analysis documents two additional vulnerable driver primitives: IOCTL 0x80002648 for arbitrary file deletion and IOCTL 0x8000264C for deletion of in-use files by temporarily nulling SectionObjectPointer fields. Those capabilities are described in the research docs but are not clearly implemented in the provided Python entry point.

Repository structure: README.md provides overview and usage; docs/analysis/*.md contains root-cause analysis, reverse engineering details, and timeline; docs/detection/ contains Sigma and Sysmon detection content keyed to service creation, driver load, hash, and registry artifacts; exploit/byovd_killer.py is the main executable; exploit/exploit-explanation.md documents CLI usage and architecture. Overall, this is an operational local Windows exploit plus research/detection package, not merely a detector or README-only PoC.
This repository is a real local Windows BYOVD exploit and accompanying research package for CVE-2024-51324 in Baidu Antivirus's signed kernel driver BdApiUtil64.sys. The repository contains 7 files total, with one primary code file: exploit/byovd_killer.py. The remaining files are documentation: a top-level README, an exploit usage guide, and three analysis documents covering root cause, reverse engineering findings, and disclosure timeline.

The main exploit capability is arbitrary process termination through a vulnerable device interface exposed by the driver. The exploit targets the user-accessible device path \\.\BdApiUtil, which maps to \Device\BdApiUtil / \DosDevices\BdApiUtil in kernel space. It sends a 4-byte PID to IOCTL 0x800024B4 using DeviceIoControl. According to the included analysis, the driver performs no authorization checks before calling ZwOpenProcess(PROCESS_TERMINATE) and ZwTerminateProcess, allowing any local user to kill many elevated or security-relevant processes once the driver is loaded. The exploit is therefore primarily a defense-evasion / process-kill primitive rather than a full privilege-escalation exploit. PPL-protected processes may resist termination.

The Python tool is structured as a multi-mode utility with four operational modes: SCANNER (enumerates system/driver status and optionally searches for a target process), LOADER (loads the vulnerable driver into the kernel via Windows service creation), KILLER (terminates processes by name or PID through the vulnerable IOCTL), and CLEANUP (stops the service and unloads/removes the driver). The code also includes driver discovery across multiple filesystem paths, SHA-256 verification of the expected vulnerable driver, admin checks for load/unload operations, and CLI argument parsing. The documented expected hash is 47EC51B5F0EDE1E70BD66F3F0152F9EB536D534565DBB7FCC3A05F542DBE4428. No external C2 or remote network infrastructure is present; this is a local-only exploit.

Fingerprintable artifacts are mostly host-based: the device path \\.\BdApiUtil, the driver filename BdApiUtil64.sys, the likely service registry path under HKLM\SYSTEM\CurrentControlSet\Services\<service_name>, and the documented search paths such as drivers/, %TEMP%, C:\Windows\Temp, and C:\Users\Public\Downloads. The repository also documents additional IOCTLs discovered during reverse engineering (0x800024B0, 0x800024B8, 0x800024BC), though the exploit's core offensive action centers on 0x800024B4. Overall, this is an operational proof-of-concept exploit with practical local post-compromise utility: an operator with admin rights can load the signed vulnerable driver, after which even a standard user context can use the exposed device to terminate selected processes. The repository's purpose is both exploitation and academic documentation of the vulnerability, with strong emphasis on reverse engineering, BYOVD tradecraft, and defender guidance.
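As an added defender-side example (not code from the repository or from this page), the driver-load and hash checks the detection content above keys on, run over constructed Sysmon driver-load records so that a renamed copy such as googleApiUtil64.sys is still caught by its SHA-256. The `Key=Value|...` record layout is an assumed flattening of Sysmon fields, and Event ID 6 is Sysmon's driver-load event; the hash, filename and staging directories are the ones documented above.

```python
"""Added example (not from the repository): flag Sysmon Event ID 6 (driver
loaded) records pointing at the BdApiUtil64.sys BYOVD driver by filename or
by its documented SHA-256, so renamed copies are still caught."""
import re

# Hash and filename as documented in the research package.
VULN_DRIVER_SHA256 = "47EC51B5F0EDE1E70BD66F3F0152F9EB536D534565DBB7FCC3A05F542DBE4428"
KNOWN_FILENAME = "bdapiutil64.sys"
# Directories the exploit's loader is documented to search for the driver.
STAGING_DIRS = ("\\temp\\", "\\users\\public\\downloads\\")

def parse_sysmon_line(line):
    """Parse a flattened 'Key=Value|Key=Value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)

def sha256_from_hashes(hashes):
    """Extract the SHA256 component of Sysmon's 'SHA1=..,SHA256=..' field."""
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", hashes)
    return m.group(1).upper() if m else ""

def classify_driver_load(rec):
    """Return the reasons (possibly none) a driver-load record is suspicious."""
    reasons = []
    if rec.get("EventID") != "6":
        return reasons
    image = rec.get("ImageLoaded", "")
    if sha256_from_hashes(rec.get("Hashes", "")) == VULN_DRIVER_SHA256:
        reasons.append("sha256 matches vulnerable BdApiUtil64.sys")
    if image.rsplit("\\", 1)[-1].lower() == KNOWN_FILENAME:
        reasons.append("filename is BdApiUtil64.sys")
    if reasons and any(d in image.lower() for d in STAGING_DIRS):
        reasons.append("loaded from a staging directory used by the loader")
    return reasons

def scan(lines):
    """Map each flagged record's ImageLoaded path to its list of reasons."""
    hits = {}
    for line in lines:
        rec = parse_sysmon_line(line)
        if reasons := classify_driver_load(rec):
            hits[rec["ImageLoaded"]] = reasons
    return hits

SAMPLE_LOG = [  # constructed sample records, not real telemetry
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys|Hashes=SHA256=" + "0" * 64,
    "EventID=6|ImageLoaded=C:\\Users\\Public\\Downloads\\googleApiUtil64.sys|Hashes=SHA1=abc,SHA256=" + VULN_DRIVER_SHA256.lower(),
    "EventID=6|ImageLoaded=C:\\Program Files\\Baidu\\drivers\\BdApiUtil64.sys|Hashes=SHA256=" + VULN_DRIVER_SHA256,
    "EventID=7|ImageLoaded=C:\\Windows\\Temp\\BdApiUtil64.sys|Hashes=SHA256=" + VULN_DRIVER_SHA256,
]
```

Pairing the hash match with a service-creation event (the Services registry path noted above) rather than alerting on filename alone is what makes the renamed-driver case observable.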
Recent activity
19 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A vulnerability in the Baidu Antivirus driver BdApiUtil.sys that enables kernel-level process termination in BYOVD attacks and was reportedly used by DeadLock ransomware tooling.
A vulnerability in the Baidu Antivirus kernel driver BdApiUtil.sys leveraged in a BYOVD technique to disable endpoint security controls, as used by the DeadLock ransomware operation.
A vulnerability in the Baidu antivirus driver BdApiUtil.sys that is abused in BYOVD attacks to enable disabling of Baidu EDR and privilege escalation.
A vulnerability in a Baidu Antivirus driver that allows arbitrary process termination, abused via BYOVD to disable EDR protections.