DsArk64

April 13, 2026 ยท View on GitHub

DsArk64.sys ships with 360 Total Security. WHQL-signed by Microsoft. LOLDrivers: magicsword-io/LOLDrivers#308. CVE: Requested (MITRE).

Primitives

Process kill (ring 0)

  • IOCTL 0x80863008, input: 4-byte raw PID
  • Driver calls ZwOpenProcess(ALL_ACCESS) + ZwTerminateProcess from kernel
  • No encryption on this IOCTL
  • Bypasses PPL, EDR self-protection, anti-tamper

Kernel read

  • IOCTL 0x80863028, AES-128-CBC encrypted input
  • memcpy(out, kernel_addr, n), max 512 bytes
  • Only validation: MmIsAddressValid()

Kernel write

  • IOCTL 0x80863028, same encryption
  • MDL map + DPC broadcast memcpy, max 32 bytes

Encryption

  • AES-128-CBC, static key embedded in .data section
  • Key: 62b456ec407f0a9a05911cb6f238a7fe
  • IV: e59329b6d408e7fa557637e62c9eaa43
  • Buffer layout after decryption: [MD5(payload) 16B][payload]

Access

The driver checks the caller process has a Qihoo Authenticode signature before granting device access. Bypassed via process hollowing:

  1. Download any 360 installer from 360.cn (no account, no CAPTCHA)
  2. Spawn it suspended (CREATE_SUSPENDED)
  3. Inject shellcode via CreateRemoteThread; shellcode calls CreateFileW("\\.\DsArk")
  4. Driver checks IoGetCurrentProcess() image name, sees Qihoo cert, allows open
  5. DuplicateHandle the result back to the attacker process
  6. TerminateProcess the donor

The installer's WinMain never runs.

Requirements

  • Admin (for driver load and registry write)
  • Windows 10 / Windows 11 x64
  • pycryptodome or cryptography pip package (for encrypted IOCTL tests)

PoC Results

8/8 passed:

  1. Registry key HKLM\...\360FsFlt\daboot=1 created
  2. Driver loaded via sc create/start (WHQL-signed, no test-signing)
  3. Device opened via process hollowing bypass
  4. Version IOCTL 0x80863000 responded
  5. Process kill IOCTL 0x80863008 terminated notepad.exe
  6. Kernel address check IOCTL 0x80863020 reached handler
  7. Encrypted IOCTL 0x80863028 crypto verified (AES key/IV correct, MD5 accepted)
  8. Unknown IOCTL 0xDEAD0000 rejected

Hashes

FileSHA256
dsark64.syscd3d1a2e119cbbb41ec0e7d7fb17bac106735d62b33ed3cde10087af1da89403
DsArk64_win10.sys86127dbc92e2896319d1c9117b85e6db01ff001f3a85614d5ef9088d181b044a

Credit

X: @weezerOSINT / Telegram: @weezer