
CVE-2023-1676

DriverGenius mydrivers64 — arbitrary MSR write and physical memory R/W via IOCTL

Summary

Field                 Value
Driver                mydrivers64.sys
Vendor                DriverGenius (drivergenius.com)
Vulnerability Class   Arbitrary R/W / MSR Write / Physical Memory Mapping
Abused Version        9.2.707.1214 (DriverGenius 9.70.0.346)
Status                Still loadable — not widely blocklisted
Exploited ITW         No

BYOVD Context

  • Driver signing: Authenticode-signed by DriverGenius with valid certificate
  • Vulnerable Driver Blocklist: Not included in Microsoft's recommended driver block rules
  • HVCI behavior: May load on HVCI-enabled systems if not hash-blocked
  • KDU integration: Not integrated
  • LOLDrivers: Not widely listed

Affected IOCTLs

  • 0x9C402088 — Arbitrary MSR write (WRMSR) with user-controlled register index and value
  • 0x9C406104 — Physical memory read at user-controlled address
  • 0x9C40A108 — Physical memory write at user-controlled address
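The three control codes above can be decoded with the CTL_CODE layout Windows uses for every IOCTL (device type in bits 31..16, required access in bits 15..14, function number in bits 13..2, transfer method in bits 1..0). The decoder below is an added example for this advisory, not code from the DriverGenius driver or the PoC repository; the codes and the behaviour attributed to each come from the list above, and the field names follow the public Windows SDK macro.

```python
# Added example (not from the original advisory): decode the mydrivers64
# IOCTL codes into the fields the Windows CTL_CODE macro packs into them.
#   bits 31..16 device type, bits 15..14 required access,
#   bits 13..2 function number, bits 1..0 transfer method.

from dataclasses import dataclass

METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}


@dataclass(frozen=True)
class Ioctl:
    code: int
    device_type: int
    access: str
    function: int
    method: str


def decode_ioctl(code: int) -> Ioctl:
    """Split a 32-bit control code into its CTL_CODE components."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError(f"control code out of range: {code:#x}")
    return Ioctl(
        code=code,
        device_type=(code >> 16) & 0xFFFF,
        access=ACCESS[(code >> 14) & 0x3],
        function=(code >> 2) & 0xFFF,
        method=METHODS[code & 0x3],
    )


# The IOCTLs named in the advisory, with the behaviour it attributes to each.
MYDRIVERS64_IOCTLS = {
    0x9C402088: "arbitrary MSR write (WRMSR)",
    0x9C406104: "physical memory read",
    0x9C40A108: "physical memory write",
}


def same_device_type(codes) -> bool:
    """True when every code shares one device type, i.e. one device object."""
    return len({decode_ioctl(c).device_type for c in codes}) == 1


if __name__ == "__main__":
    for code, what in MYDRIVERS64_IOCTLS.items():
        d = decode_ioctl(code)
        print(f"{code:#010x}  type={d.device_type:#06x} func={d.function:#05x} "
              f"{d.method:<16} {d.access:<18} {what}")
```

All three codes share device type 0x9C40 and use METHOD_BUFFERED; the read and write primitives are adjacent function numbers (0x841 and 0x842) that request FILE_READ_ACCESS and FILE_WRITE_ACCESS respectively, while the MSR write (function 0x822) requires FILE_ANY_ACCESS. Decoding the codes this way is useful when matching sensor telemetry that records control codes, and when checking whether a driver update has merely renumbered the same interface.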

Root Cause

mydrivers64.sys is the kernel driver for DriverGenius, a driver management and system information utility. The driver provides low-level hardware access for system inventory and driver detection. It exposes IOCTLs for MSR read/write and physical memory read/write without access control validation.

CVE-2023-1676 covers the MSR write vulnerability: IOCTL 0x9C402088 calls __writemsr with user-controlled register index and value parameters. Any authenticated user can write to arbitrary MSRs, enabling kernel code execution via IA32_LSTAR redirection.

CVE-2023-1679 covers the physical memory access: IOCTLs 0x9C406104 (read) and 0x9C40A108 (write) provide arbitrary physical memory access. The driver maps physical memory at user-controlled addresses without any range validation.

Additional CVEs from the same driver include CVE-2023-1677 and CVE-2023-1678 (denial of service via NULL pointer dereference).

The zeze-zeze/WindowsKernelVuln repository provides full PoC source code for all three exploitation paths.

Exploitation

MSR-based kernel execution (CVE-2023-1676)

  1. Load mydrivers64.sys (bundled with DriverGenius installer)
  2. Open a handle to the device
  3. Send IOCTL 0x9C402088 to write to IA32_LSTAR (MSR 0xC0000082)
  4. The next syscall dispatches to the attacker's controlled address
  5. Execute arbitrary code in ring 0

The PoC includes writemsr.cpp and ArbitraryKernelExecution.cpp demonstrating the full chain. The attack leverages the msrexec technique for reliable MSR-based kernel code execution.

Physical memory access (CVE-2023-1679)

  1. Open the device handle
  2. Send IOCTL 0x9C406104 to read physical memory at any address
  3. Send IOCTL 0x9C40A108 to write physical memory at any address
  4. Walk page tables to locate kernel structures
  5. Modify EPROCESS tokens for SYSTEM escalation

The PoC (ReadWriteArbitraryPhysicalMemory.cpp) demonstrates reading physical address 0x0 and writing 0xdeadbeef to confirm the arbitrary access.

Detection

YARA Rule

rule CVE_2023_1676_mydrivers64 {
    meta:
        description = "Detects DriverGenius mydrivers64.sys vulnerable driver"
        cve = "CVE-2023-1676"
        author = "KernelSight"
        severity = "critical"
    strings:
        $mz = { 4D 5A }                                    // "MZ": DOS/PE header magic
        $driver_name = "mydrivers64" wide ascii nocase     // driver image name
        $drivergenius = "DriverGenius" wide ascii nocase   // vendor string
        $mydriver = "mydrivers" wide ascii                 // shorter name variant
    condition:
        // Any PE image carrying one of the vendor or driver strings. This also
        // matches other DriverGenius binaries, so confirm hits against the
        // driver's hash or signer before acting on them.
        $mz at 0 and ($driver_name or $drivergenius or $mydriver)
}

ETW Indicators

Provider                              Event / Signal                    Relevance
Microsoft-Windows-Kernel-File         Driver load event                 Detects loading of mydrivers64.sys
Sysmon                                Event ID 6 — Driver loaded        Hash and signature capture
Microsoft-Windows-Security-Auditing   Event 4697 — Service installed    Service creation for DriverGenius driver
Microsoft-Windows-Kernel-Process      Process token modification        Post-exploitation token swap

Behavioral Indicators

  • Loading of mydrivers64.sys from outside DriverGenius installation directory
  • IOCTL 0x9C402088 (MSR write) from non-DriverGenius processes, especially targeting IA32_LSTAR
  • Physical memory R/W IOCTLs (0x9C406104, 0x9C40A108) from unknown processes
  • Service creation for DriverGenius driver by a non-DriverGenius utility
  • Privilege escalation following mydrivers64 driver interaction
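The indicators above translate directly into detection logic. The script below is an added example for this advisory, not code from KernelSight, DriverGenius or the PoC repository. It runs over constructed telemetry records: driver-load events carrying the image path (as Sysmon Event ID 6 would), and IOCTL events that assume an EDR or hypervisor-based sensor which records DeviceIoControl calls with the control code and, for the MSR-write IOCTL, the requested MSR index (standard ETW providers do not expose IOCTL payloads). The installation directory, process names and paths are assumptions.

```python
# Added example (not from the original advisory): evaluate the behavioural
# indicators against constructed telemetry. Sensor fields, process names,
# paths and the DriverGenius install directory are assumptions.

from dataclasses import dataclass
from typing import Optional

IOCTL_MSR_WRITE = 0x9C402088
IOCTL_PHYS_READ = 0x9C406104
IOCTL_PHYS_WRITE = 0x9C40A108
PHYS_MEM_IOCTLS = {IOCTL_PHYS_READ, IOCTL_PHYS_WRITE}
IA32_LSTAR = 0xC0000082  # syscall entry MSR named in the advisory

# Assumed vendor install location and process name; adjust per environment.
TRUSTED_INSTALL_DIR = "c:\\program files\\drivergenius\\"
TRUSTED_PROCESSES = {"drivergenius.exe"}


@dataclass
class Event:
    kind: str                         # "driver_load" or "ioctl"
    process: str                      # image name of the acting process
    image_path: Optional[str] = None  # driver_load: path of the loaded driver
    ioctl: Optional[int] = None       # ioctl: control code sent
    msr: Optional[int] = None         # ioctl: MSR index for the MSR-write IOCTL


def evaluate(ev: Event) -> list[str]:
    """Return the behavioural indicators one event matches (empty if none)."""
    hits: list[str] = []
    if ev.kind == "driver_load" and ev.image_path:
        path = ev.image_path.lower()
        if path.endswith("mydrivers64.sys") and not path.startswith(TRUSTED_INSTALL_DIR):
            hits.append("mydrivers64.sys loaded from outside the DriverGenius directory")
    elif ev.kind == "ioctl" and ev.ioctl is not None:
        if ev.process.lower() in TRUSTED_PROCESSES:
            return hits  # vendor utility talking to its own driver
        if ev.ioctl == IOCTL_MSR_WRITE:
            hits.append("MSR write IOCTL from non-DriverGenius process")
            if ev.msr == IA32_LSTAR:
                hits.append("MSR write targets IA32_LSTAR")
        elif ev.ioctl in PHYS_MEM_IOCTLS:
            hits.append("physical memory R/W IOCTL from unknown process")
    return hits


def scan(events: list[Event]) -> dict[int, list[str]]:
    """Map event index -> matched indicators, for events that matched anything."""
    return {i: h for i, ev in enumerate(events) if (h := evaluate(ev))}


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    Event("driver_load", "system", image_path="C:\\Program Files\\DriverGenius\\mydrivers64.sys"),
    Event("driver_load", "system", image_path="C:\\Users\\Public\\mydrivers64.sys"),
    Event("ioctl", "DriverGenius.exe", ioctl=IOCTL_MSR_WRITE, msr=0x1B),  # vendor use, unrelated MSR
    Event("ioctl", "updater.exe", ioctl=IOCTL_MSR_WRITE, msr=IA32_LSTAR),
    Event("ioctl", "svch0st.exe", ioctl=IOCTL_PHYS_WRITE),
    Event("ioctl", "svch0st.exe", ioctl=0x9C402000),  # unknown code on the same device: not flagged
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {ev.kind:<11} {ev.process:<17} -> " + "; ".join(hits))
```

The allow-list on process name is deliberately narrow: the indicators are about who issues the IOCTLs, so a sensor should also record the issuing image's signer or hash, since a process name alone is trivial to mimic. Pair the IA32_LSTAR hit with the Event 4697 and driver-load signals from the ETW table so the service creation, the load and the first MSR write can be correlated into one incident.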

References