CVE-2020-15368
HW.sys — physical memory read/write via unrestricted MmMapIoSpace
Summary
| Field | Value |
|---|---|
| Driver | HW.sys (also known as HW64.sys) |
| Vendor | Marvin Test Solutions |
| Vulnerability Class | Arbitrary R/W / Physical Memory Mapping |
| Abused Version | 4.8.0 and earlier |
| Status | Blocklisted — included in Microsoft Vulnerable Driver Blocklist |
| Exploited ITW | Yes |
BYOVD Context
- Driver signing: Authenticode-signed by Marvin Test Solutions with valid certificate
- Vulnerable Driver Blocklist: Included in Microsoft's recommended driver block rules
- HVCI behavior: Blocked on HVCI-enabled systems via the blocklist
- KDU integration: Integrated as a KDU provider
- LOLDrivers: Listed at loldrivers.io
Affected IOCTLs
- Physical memory read via MmMapIoSpace
- Physical memory write via MmMapIoSpace
- I/O port read (IN)
- I/O port write (OUT)
- PCI configuration space access
Root Cause
HW.sys is a generic hardware access driver from Marvin Test Solutions (previously known as Geotest), used for hardware testing and diagnostic applications. The driver provides unrestricted physical memory access via MmMapIoSpace IOCTLs, I/O port access, and PCI configuration space read/write — all without access control checks.
The driver was documented by stong on GitHub as a teaching case for BYOVD exploitation. It provides a clean, simple example of the vendor utility BYOVD pattern: a legitimately signed driver that intentionally exposes dangerous hardware access primitives without authorization checks.
Exploitation
Exploitation follows the standard physical memory R/W BYOVD pattern:
- Load HW.sys and open the device handle
- Use the MmMapIoSpace IOCTL to map physical memory at controlled addresses
- Walk the page table hierarchy via physical memory reads to translate virtual to physical addresses
- Locate and modify kernel structures (EPROCESS tokens) via their physical addresses
- Achieve SYSTEM privilege escalation
stong's GitHub repository provides a complete, well-documented exploit suitable for educational purposes.
Detection
YARA Rule
```yara
rule CVE_2020_15368_HW_sys {
    meta:
        description = "Detects HW.sys/HW64.sys vulnerable driver"
        cve = "CVE-2020-15368"
        author = "KernelSight"
        severity = "critical"
    strings:
        $mz = { 4D 5A }
        $hw_name = "HW.sys" wide ascii nocase
        $hw64 = "HW64.sys" wide ascii nocase
        $marvin = "Marvin Test" wide ascii
    condition:
        $mz at 0 and ($hw_name or $hw64 or $marvin)
}
```
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-File | Driver load event | Detects loading of HW.sys or HW64.sys |
| Microsoft-Windows-Security-Auditing | Event 4697 — Service installed | Service creation for HW driver |
| Sysmon | Event ID 6 — Driver loaded | Hash and signature capture |
| Microsoft-Windows-Kernel-Process | Process token modification | Post-exploitation detection |
Behavioral Indicators
- Loading of HW.sys or HW64.sys from a non-standard path
- Physical memory mapping IOCTLs from processes unrelated to Marvin Test Solutions software
- Page table walking pattern: sequential physical memory reads at aligned addresses
- SYSTEM token acquisition following HW driver interaction
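As an added example that is not part of the original advisory, the following Python triages Sysmon Event ID 6 (Driver loaded) records against the indicators above: any load of HW.sys or HW64.sys is alerted on because the driver is blocklisted, and the load path and signer are checked as additional reasons. The sample records, the one-line key=value rendering, and the choice of C:\Windows\System32\drivers as the only "standard" driver directory are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Driver file names from the advisory (compared case-insensitively).
VULN_DRIVER_NAMES = {"hw.sys", "hw64.sys"}
# Assumed standard driver location; any other directory counts as non-standard.
STANDARD_DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")
EXPECTED_SIGNER = "marvin test"

# Constructed Sysmon Event ID 6 records, one per line as key=value pairs.
# Times, paths and signer strings are made up for illustration, not real telemetry.
SAMPLE_EVENTS = [
    r"UtcTime=2024-05-01 09:12:03 ImageLoaded=C:\Users\Public\HW64.sys "
    r"Signed=true Signature=Marvin Test Solutions SignatureStatus=Valid",
    r"UtcTime=2024-05-01 09:15:44 ImageLoaded=C:\Windows\System32\drivers\HW.sys "
    r"Signed=true Signature=Marvin Test Solutions SignatureStatus=Valid",
    r"UtcTime=2024-05-01 09:16:10 ImageLoaded=C:\Windows\System32\drivers\ndis.sys "
    r"Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
]

# A value runs until the next " key=" token or the end of the line, so values
# containing spaces (signer names, timestamps) survive parsing.
_PAIR = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

def parse_event(line: str) -> dict:
    """Split a one-line key=value rendering into a field dictionary."""
    return {key: value for key, value in _PAIR.findall(line)}

def triage_driver_load(event: dict) -> list[str]:
    """Return the reasons this driver load should be alerted on (empty if benign)."""
    image = PureWindowsPath(event.get("ImageLoaded", ""))
    reasons = []
    if image.name.lower() in VULN_DRIVER_NAMES:
        reasons.append("blocklisted vulnerable driver name")
        # NTFS paths are case-insensitive, so compare lower-cased parents.
        if str(image.parent).lower() != str(STANDARD_DRIVER_DIR).lower():
            reasons.append("non-standard path")
        if EXPECTED_SIGNER not in event.get("Signature", "").lower():
            reasons.append("unexpected signer")
    return reasons

def triage_driver_loads(lines) -> list[dict]:
    """Run the triage over many records and keep only those with findings."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = triage_driver_load(event)
        if reasons:
            alerts.append({"time": event.get("UtcTime"), "image": event["ImageLoaded"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in triage_driver_loads(SAMPLE_EVENTS):
        print(alert["time"], alert["image"], ", ".join(alert["reasons"]))
```

Correlating the flagged load with a later token change on the same host (the Kernel-Process signal in the table above) raises confidence that the load was exploitation rather than a vendor tool.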