Skip to content

sf0rzin/CVE-2025-61155

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

CVE-2025-61155 — Arbitrary Process Termination in GameDriverX64.sys

CVE CVSS 3.1 CWE Exploited in the wild License: MIT

A signed kernel-mode anti-cheat driver — GameDriverX64.sys, shipped with Tower of Fantasy (Hotta Studio / Perfect World) — lets any unprivileged local user terminate arbitrary processes, including PPL-protected antivirus/EDR services. It is the kind of primitive ransomware operators reach for, and it is being actively abused in the wild by the Interlock operation as a BYOVD EDR-killer.

This repository is a full, reproducible teardown: the security advisory, an original IDA Pro reverse-engineering analysis, a proof of concept, and ready-to-use detection and mitigation content.

Researchers: Gabriel Maciel Ramos · Anthony Sforzin · Gabriel Gomes

Demo

Proof of concept terminating a target process through the driver. Inline player not rendering? Download the clip.

At a glance

Driver GameDriverX64.sys (KMDF), versions <= 7.23.4.7
Vendor Hotta Studio / Perfect World — internal PwrdDriver / HtDriver2.0
Signer Fedeen Games Limited (valid Authenticode)
Device \\.\HtAntiCheatDriver
Primitive IOCTL 0x222040, magic 0xFA123456ZwTerminateProcess in kernel context
Privileges required None beyond a standard local user
Impact Terminate any process, incl. PPL AV/EDR → BYOVD EDR-killer
CVSS 3.1 5.5 Medium · AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Status Published, exploited in the wild (Interlock, Reynolds)

The exploit chain

1. LoadLibrary a DLL named QmGUI.dll / QmGUI4.dll / gameuirender.dll
   └─ passes the filename-only "verification" in IRP_MJ_CREATE

2. CreateFile("\\.\HtAntiCheatDriver")          ← default DACL, any user can open

3. DeviceIoControl(0x222040, {0xFA123456, pid}) ← only gate is a hardcoded magic

4. Driver: ZwOpenProcess(GENERIC_ALL) → ZwTerminateProcess
   └─ runs with PreviousMode == KernelMode → access check skipped
   └─ kills ANY process, including protected AV/EDR

Three "guardrails", all defeated: the device has no admin-only ACL, the CREATE check compares a module name string (forge it by loading any same-named DLL), and the IOCTL gate is a constant baked into the binary. The kill then runs in the kernel, so process protection (PPL) does not apply. Full walkthrough in docs/01-technical-analysis.md.

Repository map

Path Contents
advisory.md Formal security advisory
docs/01-technical-analysis.md Original IDA Pro reverse-engineering teardown
docs/02-exploitation.md Exploit chain and PoC walkthrough
docs/03-detection.md How to detect the driver and its abuse
docs/04-mitigation.md HVCI / WDAC blocking and removal
docs/05-in-the-wild.md Interlock / BYOVD usage and timeline
poc/poc.cpp Minimal proof of concept
detection/cve-2025-61155.yar YARA rules
detection/iocs.md Indicators of compromise
sample/SAMPLE.md Sample identity & provenance (binary not committed)
NEWS.md Running log of developments
SECURITY.md Responsible-use policy and contact

Reverse engineering

The analysis in docs/01-technical-analysis.md was produced statically in IDA Pro 9.4 + Hex-Rays against the legitimately-signed, vulnerable sample (SHA-256 9DDAE4…3C9F1E, see sample/SAMPLE.md). Every address, constant and decompiled snippet in this repo was lifted directly from the binary and independently corroborates public reporting on the in-the-wild tooling.

Defenders: start here

  1. Block the driver via the Microsoft Vulnerable Driver Blocklist (HVCI) and/or a WDAC deny rule — docs/04-mitigation.md.
  2. Hunt with the YARA rules and IOCs — detection/.
  3. Detect exploitation (device opens, the 0x222040 IOCTL, kernel-origin process kills) — docs/03-detection.md.

Disclaimer

For defensive security, detection engineering, education and research only. Use the proof of concept only on systems you own or are authorized to test. See SECURITY.md. The vulnerable driver binary is intentionally not included.

References

About

CVE-2025-61155 — arbitrary process termination in GameDriverX64.sys (Tower of Fantasy anti-cheat). Original IDA Pro teardown, PoC, YARA, IOCs, mitigation.

Topics

Resources

License

Security policy

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors