Arbitrary Process Termination in Tower of Fantasy GameDriverX64.sys

This repository is a real exploit-focused research repo for CVE-2025-61155, not just a README. It documents and demonstrates a local BYOVD-style abuse path in the signed Windows anti-cheat driver GameDriverX64.sys used by Tower of Fantasy. The core exploit capability is arbitrary process termination from kernel context: an unprivileged local process can satisfy the driver's weak create-time gate by loading any DLL named QmGUI.dll, QmGUI4.dll, or gameuirender.dll, then open the exposed device \\.\HtAntiCheatDriver and send IOCTL 0x222040 with an 8-byte buffer containing magic 0xFA123456 and a target PID. The driver then performs ZwOpenProcess(GENERIC_ALL) and ZwTerminateProcess in kernel mode, allowing termination of arbitrary processes including protected AV/EDR services. Repository structure is primarily documentation-heavy, with one actual PoC source file and one YARA detection ruleset. Key files are: poc/poc.cpp (minimal C++ PoC and main entry point), advisory.md (formal advisory), docs/01-technical-analysis.md (reverse-engineering teardown of the driver internals and exploit chain), docs/02-exploitation.md (walkthrough of the abuse flow), docs/03-detection.md and detection/* (YARA and IOC content), docs/04-mitigation.md (blocklist/WDAC guidance), and docs/05-in-the-wild.md (threat-actor usage context). The vulnerable driver binary itself is intentionally omitted; sample/SAMPLE.md provides hashes, signer, and provenance instead. The PoC is operational but basic rather than weaponized: it defaults to targeting notepad.exe, uses hardcoded constants, and does not include driver installation or advanced targeting logic. Still, it clearly demonstrates the exploit chain and the main offensive outcome: local disabling of security tooling via a vulnerable signed driver already reported as abused in the wild.