Reference
The exploitation pipeline describes how vulnerabilities become exploits. The reference section provides the data that grounds that pipeline in the real-world driver ecosystem. These pages are data-driven analyses generated by DriverAtlas, covering the full LOLDrivers catalog of 1,775 vulnerable and malicious drivers.
Where the pipeline pages describe individual vulnerability classes and exploitation primitives in the abstract, the reference pages answer concrete questions. How many drivers in the wild can serve as KDU providers for loading unsigned kernel code? Which drivers expose physical memory mapping through IOCTL handlers confirmed by Ghidra analysis? What does the BYOVD attack pattern look like end-to-end, and which campaigns have used it? What tools and resources does the community provide for this research area?

| Page | What It Covers |
|---|---|
| BYOVD | Bring Your Own Vulnerable Driver -- how attackers load signed drivers to gain kernel access, with campaign case studies and detection strategies |
| LOLDrivers Deep Analysis | All 1,775 LOLDrivers scored across imports, mitigations, IOCTLs, and ROP gadgets |
| KDU Provider Compatibility | Which LOLDrivers could serve as KDU providers -- 122 confirmed MapDriver candidates with Ghidra-verified IOCTL reachability |
| Resources | Key researchers, blogs, tools, training materials, and conferences for Windows kernel security research |