A signed kernel-mode anti-cheat driver — GameDriverX64.sys, shipped with
Tower of Fantasy (Hotta Studio / Perfect World) — lets any unprivileged
local user terminate arbitrary processes, including PPL-protected
antivirus/EDR services. It is the kind of primitive ransomware operators reach
for, and it is being actively abused in the wild by the Interlock operation
as a BYOVD EDR-killer.
This repository is a full, reproducible teardown: the security advisory, an original IDA Pro reverse-engineering analysis, a proof of concept, and ready-to-use detection and mitigation content.
Researchers: Gabriel Maciel Ramos · Anthony Sforzin · Gabriel Gomes
Proof of concept terminating a target process through the driver. Inline player not rendering? Download the clip.
| Driver | GameDriverX64.sys (KMDF), versions <= 7.23.4.7 |
| Vendor | Hotta Studio / Perfect World — internal PwrdDriver / HtDriver2.0 |
| Signer | Fedeen Games Limited (valid Authenticode) |
| Device | \\.\HtAntiCheatDriver |
| Primitive | IOCTL 0x222040, magic 0xFA123456 → ZwTerminateProcess in kernel context |
| Privileges required | None beyond a standard local user |
| Impact | Terminate any process, incl. PPL AV/EDR → BYOVD EDR-killer |
| CVSS 3.1 | 5.5 Medium · AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Status | Published, exploited in the wild (Interlock, Reynolds) |
1. LoadLibrary a DLL named QmGUI.dll / QmGUI4.dll / gameuirender.dll
└─ passes the filename-only "verification" in IRP_MJ_CREATE
2. CreateFile("\\.\HtAntiCheatDriver") ← default DACL, any user can open
3. DeviceIoControl(0x222040, {0xFA123456, pid}) ← only gate is a hardcoded magic
4. Driver: ZwOpenProcess(GENERIC_ALL) → ZwTerminateProcess
└─ runs with PreviousMode == KernelMode → access check skipped
└─ kills ANY process, including protected AV/EDR
Three "guardrails", all defeated: the device has no admin-only ACL, the CREATE
check compares a module name string (forge it by loading any same-named DLL),
and the IOCTL gate is a constant baked into the binary. The kill then runs in
the kernel, so process protection (PPL) does not apply. Full walkthrough in
docs/01-technical-analysis.md.
| Path | Contents |
|---|---|
advisory.md |
Formal security advisory |
docs/01-technical-analysis.md |
Original IDA Pro reverse-engineering teardown |
docs/02-exploitation.md |
Exploit chain and PoC walkthrough |
docs/03-detection.md |
How to detect the driver and its abuse |
docs/04-mitigation.md |
HVCI / WDAC blocking and removal |
docs/05-in-the-wild.md |
Interlock / BYOVD usage and timeline |
poc/poc.cpp |
Minimal proof of concept |
detection/cve-2025-61155.yar |
YARA rules |
detection/iocs.md |
Indicators of compromise |
sample/SAMPLE.md |
Sample identity & provenance (binary not committed) |
NEWS.md |
Running log of developments |
SECURITY.md |
Responsible-use policy and contact |
The analysis in docs/01-technical-analysis.md
was produced statically in IDA Pro 9.4 + Hex-Rays against the
legitimately-signed, vulnerable sample
(SHA-256 9DDAE4…3C9F1E, see sample/SAMPLE.md). Every
address, constant and decompiled snippet in this repo was lifted directly from the
binary and independently corroborates public reporting on the in-the-wild tooling.
- Block the driver via the Microsoft Vulnerable Driver Blocklist (HVCI) and/or
a WDAC deny rule —
docs/04-mitigation.md. - Hunt with the YARA rules and IOCs —
detection/. - Detect exploitation (device opens, the
0x222040IOCTL, kernel-origin process kills) —docs/03-detection.md.
For defensive security, detection engineering, education and research only. Use the
proof of concept only on systems you own or are authorized to test. See
SECURITY.md. The vulnerable driver binary is intentionally not
included.
- NVD — https://nvd.nist.gov/vuln/detail/CVE-2025-61155
- MITRE / CVE.org — https://www.cve.org/CVERecord?id=CVE-2025-61155
- GitHub Advisory — https://github.com/advisories/GHSA-9qfv-m6w2-fhch
- Canonical advisory (co-author) — https://github.com/pollotherunner/CVE-2025-61155
- FortiGuard Labs — https://www.fortinet.com/blog/threat-research/interlock-ransomware-new-techniques-same-old-tricks
- Securonix — https://connect.securonix.com/threat-research-intelligence-62/cve-2025-61155-and-interlock-ransomware-a-converging-threat-198
- Vespalec, "Tower of Flaws" — https://vespalec.com/blog/tower-of-flaws/