CVE-2020-15368
HW.sys, physical memory read/write via unrestricted MmMapIoSpace
Summary
| Field | Value |
|---|---|
| Driver | HW.sys (also known as HW64.sys) |
| Vendor | Marvin Test Solutions |
| Vulnerability Class | Arbitrary R/W / Physical Memory Mapping |
| Abused Version | 4.8.0 and earlier |
| Status | Blocklisted — included in Microsoft Vulnerable Driver Blocklist |
| Exploited ITW | Yes |
The Story
HW.sys is a generic hardware access driver from Marvin Test Solutions (previously known as Geotest), designed for hardware testing and diagnostic applications. It provides a clean, minimal interface to physical memory, I/O ports, and PCI configuration space, all without access control checks. stong documented the driver on GitHub specifically as a teaching case for BYOVD exploitation.
What makes this driver stand out is its simplicity. Unlike more complex vendor utility drivers that have dozens of IOCTLs covering various hardware features, HW.sys provides a straightforward, well-organized set of primitives. This makes it both easier to exploit and easier to learn from. stong's GitHub repository includes a complete, well-documented exploit that walks through the exploitation process step by step, making it one of the best educational resources for understanding physical memory BYOVD attacks.
The driver was integrated into KDU as an exploitation provider, and it has been observed in active threat campaigns.
BYOVD Context
- Driver signing: Authenticode-signed by Marvin Test Solutions with valid certificate
- Vulnerable Driver Blocklist: Included in Microsoft's recommended driver block rules
- HVCI behavior: Blocked on HVCI-enabled systems via the blocklist
- KDU integration: Integrated as a KDU provider
- LOLDrivers: Listed at loldrivers.io
Affected IOCTLs
- Physical memory read via MmMapIoSpace
- Physical memory write via MmMapIoSpace
- I/O port read (IN)
- I/O port write (OUT)
- PCI configuration space access
How It Gets Exploited
The exploitation follows the standard physical memory R/W pattern. Load HW.sys, open the device handle, use the MmMapIoSpace IOCTL to map physical memory at controlled addresses, walk the page table hierarchy via sequential physical memory reads at aligned addresses, locate and modify kernel structures (EPROCESS tokens) via their physical addresses, and achieve SYSTEM privilege escalation.
The PCI configuration space access IOCTL adds an additional attack vector: on systems where MMIO regions are mapped through PCI BARs, the attacker can access chipset-specific resources beyond what physical memory mapping alone provides.
Detection
YARA Rule
```yara
rule CVE_2020_15368_HW_sys {
    meta:
        description = "Detects HW.sys/HW64.sys vulnerable driver"
        cve = "CVE-2020-15368"
        author = "KernelSight"
        severity = "critical"
    strings:
        $mz = { 4D 5A }
        $hw_name = "HW.sys" wide ascii nocase
        $hw64 = "HW64.sys" wide ascii nocase
        $marvin = "Marvin Test" wide ascii
    condition:
        $mz at 0 and ($hw_name or $hw64 or $marvin)
}
```
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-File | Driver load event | Detects loading of HW.sys or HW64.sys |
| Microsoft-Windows-Security-Auditing | Event 4697 — Service installed | Service creation for HW driver |
| Sysmon | Event ID 6 — Driver loaded | Hash and signature capture |
| Microsoft-Windows-Kernel-Process | Process token modification | Post-exploitation detection |
Behavioral Indicators
- Loading of HW.sys or HW64.sys from a non-standard path
- Physical memory mapping IOCTLs from processes unrelated to Marvin Test Solutions software
- Page table walking pattern: sequential physical memory reads at aligned addresses
- SYSTEM token acquisition following HW driver interaction
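A defender-side triage helper for the Sysmon Event ID 6 signal and the path/signer indicators above, added here as an example and not part of the original writeup or of KernelSight's tooling. The "standard" driver directory and the sample records are constructed assumptions; the driver names and signer fragment come from this page.

```python
"""Triage Sysmon Event ID 6 (Driver loaded) records for the HW.sys indicators on this page."""
from dataclasses import dataclass


@dataclass
class DriverLoad:
    """Subset of Sysmon Event ID 6 fields used here."""
    image_loaded: str  # ImageLoaded: full path of the driver file
    signature: str     # Signature: signer name from the Authenticode certificate


# Driver file names and signer fragment named on the page. The directory tuple is an
# assumption about where a legitimately installed Marvin Test driver would normally live.
HW_DRIVER_NAMES = {"hw.sys", "hw64.sys"}
HW_SIGNER_FRAGMENT = "marvin test"
STANDARD_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)


def classify_driver_load(ev: DriverLoad) -> list[str]:
    """Return the indicator tags one driver-load event matches (empty list if none)."""
    path = ev.image_loaded.lower()
    name = path.rsplit("\\", 1)[-1]
    tags = []
    if name in HW_DRIVER_NAMES:
        tags.append("hw-driver-loaded")            # blocklisted driver present at all
        if not path.startswith(STANDARD_DRIVER_DIRS):
            tags.append("non-standard-path")       # dropped rather than vendor-installed
    elif HW_SIGNER_FRAGMENT in ev.signature.lower():
        tags.append("marvin-signed-renamed-file")  # heuristic: same signed binary, new name
    return tags


def triage(events: list[DriverLoad]) -> dict[str, list[str]]:
    """Map each flagged ImageLoaded path to its tags; unflagged events are omitted."""
    return {ev.image_loaded: t for ev in events if (t := classify_driver_load(ev))}


# Constructed sample records (not real telemetry): a vendor install path, a drop into a
# world-writable directory, a renamed copy, and a benign Microsoft driver.
SAMPLE_EVENTS = [
    DriverLoad("C:\\Windows\\System32\\drivers\\HW64.sys", "Marvin Test Solutions, Inc."),
    DriverLoad("C:\\Users\\Public\\hw64.sys", "Marvin Test Solutions, Inc."),
    DriverLoad("C:\\Temp\\ldr.sys", "Marvin Test Solutions, Inc."),
    DriverLoad("C:\\Windows\\System32\\drivers\\tcpip.sys", "Microsoft Windows"),
]

if __name__ == "__main__":
    for path, tags in triage(SAMPLE_EVENTS).items():
        print(f"{path}: {', '.join(tags)}")
```

The first sample is flagged even though it sits in the standard directory, because the driver is blocklisted regardless of where it was installed; the path tag only sharpens priority.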
Broader Significance
CVE-2020-15368 is most valuable as an educational case. The clean, minimal interface of HW.sys combined with stong's well-documented exploit makes it the ideal starting point for understanding physical memory BYOVD exploitation. The driver also represents the "hardware test tool" subcategory of BYOVD, where drivers built for legitimate diagnostic and testing purposes expose the same dangerous primitives as consumer utility drivers.