Critical Vulnerabilities Uncovered in Tower of Fantasy’s Anti‑Cheat Kernel Driver

Introduction – Why This Matters

Security professionals, game developers, and tech enthusiasts have been closely watching the

original Vespalec article
that dissected the anti‑cheat kernel driver shipped with Tower of Fantasy. The game’s
anti‑cheat component, GameDriverX64.sys, runs with kernel‑level privileges, meaning any flaw
can compromise the entire operating system. This news article condenses the key findings, explains the two
critical vulnerabilities, and offers practical mitigation steps for developers and defenders.

Summary of the Anti‑Cheat Kernel Driver Analysis

Un‑obfuscated Code and HVCI Issues

Unlike many modern drivers that hide behind packers such as VMProtect, the Tower of Fantasy driver is
delivered in clean, readable form. This is a direct consequence of Windows 11’s
Hypervisor‑Protected Code Integrity (HVCI),
which enforces a strict W^X policy. Obfuscation techniques that require writable‑and‑executable pages are
rejected, forcing the developers to ship an unobfuscated binary.

Driver Registration and DLL‑Based Checks

The driver registers a device object \Device\HtAntiCheatDriver with a symbolic link
\\.\HtAntiCheatDriver. Its IRP_MJ_CREATE handler only verifies that the
calling process has loaded one of three specific DLLs (QmGUI4.dll, QmGUI.dll,
gameuirender.dll). Because the check merely inspects module names in the process’s PEB,
an attacker can satisfy it by renaming any benign DLL (e.g., version.dll) to one of the
expected names.

Handle‑Protection Callbacks

Using ObRegisterCallbacks, the driver strips dangerous access rights from handles that
target protected processes. The callbacks deliberately preserve PROCESS_TERMINATE, allowing
external processes to kill the game or any other process that the driver later marks as protected.

Minimal Authentication Scheme

Every IOCTL request must contain a hard‑coded 32‑bit magic value (0xFA123456). No
cryptographic signatures, no challenge‑response, and no per‑session tokens are used. This single static
constant is trivially extracted from the binary, rendering the authentication ineffective.

• Four layers of “security” – DLL presence, process‑name whitelist, checksum validation, magic number – all
  can be bypassed independently.
• The driver exposes ten IOCTL codes; seven are relevant to the vulnerabilities discussed below.

Detailed Explanation of the Two Critical Vulnerabilities

Vulnerability #1 – Arbitrary Process Termination

The IOCTL 0x222040 accepts a structure containing the magic value and a target PID.
After validation, the driver calls ZwOpenProcess with GENERIC_ALL and then
ZwTerminateProcess. Because Zw* system calls run in kernel mode with
PreviousMode = KernelMode, Windows skips all security descriptor checks. The result:

• Any process, including privileged system services or Protected Process Light (PPL) binaries, can be
  terminated.
• The termination bypasses Windows’ built‑in anti‑tampering mechanisms, effectively giving an attacker
  a “kill‑switch” for the entire OS.

Vulnerability #2 – Arbitrary Process Protection

IOCTL 0x222004 registers an arbitrary PID as “protected.” The driver then applies the
same ObRegisterCallbacks used for the game to any process you specify. This has two
consequences:

1. Future handle creations for the protected process have critical rights stripped (e.g., no
   PROCESS_VM_READ, PROCESS_VM_WRITE).
2. The driver can retroactively strip rights from existing handles via IOCTL 0x222044,
   which enumerates the system handle table and removes dangerous access bits.

While the protection appears beneficial, it is effectively a weapon: an attacker can first protect a
security‑software process, then use the termination IOCTL to kill it, or vice‑versa, creating a
“protect‑then‑kill” chain that defeats most endpoint detection and response (EDR) solutions.

“The driver ships with full BYOVD (Bring Your Own Vulnerable Driver) capabilities, yet it never even
loads in the game. That makes it a dormant, high‑value attack surface on every player’s machine.”

The combination of these two IOCTLs mirrors the infamous mhyprot2 driver used by Genshin Impact,
which ransomware groups weaponized for rapid system compromise. The Tower of Fantasy driver is even more
dangerous because its authentication is weaker.

Impact on the Gaming Community and Security Recommendations

For gamers, the immediate risk is low because the driver is not actively loaded. However, the mere presence
of such a powerful, unprotected kernel component on millions of PCs creates a massive attack surface.
Threat actors can copy the driver, load it manually, and exploit the vulnerabilities to gain persistent
kernel‑level access, bypassing anti‑cheat and anti‑malware defenses.

Recommendations for Developers

• Enforce Strong Authentication: Replace the static magic number with a per‑session
  token signed by a TPM‑backed key.
• Validate DLLs Cryptographically: Use signed code‑integrity checks instead of simple
  name matching.
• Apply Principle of Least Privilege: Limit driver capabilities to the minimum
  required (e.g., avoid ZwTerminateProcess).
• Leverage HVCI Properly: If obfuscation is needed, use HVCI‑compatible techniques
  such as control‑flow flattening that do not require writable‑executable pages.
• Dynamic Loading Guardrails: Register the driver only when the game process is
  verified, and unload it cleanly on exit.

Recommendations for Security Professionals

• Monitor for the presence of GameDriverX64.sys in the System32\drivers
  directory, even if the service is not running.
• Detect the specific IOCTL codes (0x222040, 0x222004, 0x222044) using kernel‑mode telemetry or
  Sysmon event filters.
• Deploy endpoint protection that blocks unsigned kernel drivers from loading.
• Educate users that uninstalling the game does not automatically remove the driver file; manual
  cleanup may be required.

Visual Illustration

The illustration above visualizes the two exploit paths: (1) the Terminate path, where an
attacker sends the magic‑value‑protected IOCTL to kill any PID, and (2) the Protect path,
where a chosen process is marked as protected and its handles are stripped. The diagram also highlights
the weak authentication layer that sits atop both flows.

Related UBOS Resources

While the vulnerabilities discussed are specific to a gaming anti‑cheat driver, the underlying lessons
apply to any high‑privilege software stack. UBOS offers a suite of tools and platforms that help
organizations build secure, AI‑enhanced applications without exposing such attack surfaces.

• UBOS homepage – Overview of the
  ecosystem.
• UBOS platform overview –
  Learn how UBOS abstracts low‑level driver interactions.
• UBOS pricing plans –
  Transparent pricing for enterprises and SMBs.
• Enterprise AI
  platform by UBOS – Secure AI workloads with built‑in compliance.
• UBOS partner program –
  Collaborate on secure AI solutions.
• Web app editor on UBOS –
  Rapidly prototype secure web interfaces.
• Workflow automation
  studio – Automate security checks and deployment pipelines.
• UBOS templates for quick start –
  Jump‑start projects with vetted security patterns.
• AI marketing agents –
  Example of safe AI integration.
• OpenAI
  ChatGPT integration – Securely embed LLMs.
• ChatGPT
  and Telegram integration – Demonstrates safe external communication.
• Chroma DB integration –
  Vector store best practices.
• ElevenLabs
  AI voice integration – Voice AI without kernel exposure.
• AI SEO Analyzer –
  Optimize content like this article.
• AI Article
  Copywriter – Generate high‑quality, plagiarism‑free copy.
• AI
  YouTube Comment Analysis tool – Secure sentiment analysis pipelines.

Conclusion

The “Tower of Flaws” report is a stark reminder that kernel‑mode components must be designed with
defense‑in‑depth, not just functional correctness. By adopting strong authentication, proper code‑signing,
and least‑privilege principles, developers can avoid creating the very backdoors they aim to block.

If you’re building AI‑driven or high‑privilege applications, consider leveraging UBOS’s secure platform
and its extensive library of vetted integrations. Protect your users, protect your brand, and stay ahead of
attackers.

Ready to secure your next AI project? Explore the UBOS portfolio examples and start building with confidence today.