Qi-Anxin QAX Virus Removal Mini Filter Driver Access Control Vulnerability
Vulnerability
A vulnerability has been identified in Qi-Anxin QAX Virus Removal versions prior to 2025-10-22. The issue resides in the Mini Filter Driver component, specifically in the QKSecureIO_Imp.sys driver. It arises from improper access control around the driver's use of ZwTerminateProcess, which allows arbitrary process termination. The weakness can be exploited locally by impersonating a legitimate caller process image, and protected processes can be targeted.
Impact
Because of the improper access control, exploitation enables unauthorized termination of processes, including those that are protected.
Reproduction
To reproduce this vulnerability, compile the FocusKiller project available on GitHub in x86 mode. Once compiled, upload the executable to the target system and place the driver file QKSecureIO_Imp.sys in the C:\Windows\system32\drivers directory. In an Administrator command prompt, set the target process ID for termination, then run the executable. The driver will terminate the specified process, demonstrating the exploitation of the access control vulnerability.
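For defenders, the reproduction leaves two observable events: the driver file being written under the drivers directory and the driver being loaded. The following added example (not part of the original advisory or of the FocusKiller project) flags both in Sysmon records exported as XML. It assumes Sysmon is logging event ID 6 (driver load) and event ID 11 (file create); the function names are hypothetical and the sample records are constructed.

```python
import ntpath
import xml.etree.ElementTree as ET

DRIVER_NAME = "qksecureio_imp.sys"  # driver file named in the advisory
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Sysmon event ID -> field holding the driver path (6 = DriverLoad, 11 = FileCreate)
PATH_FIELD = {"6": "ImageLoaded", "11": "TargetFilename"}

def parse_event(xml_text):
    """Return (event_id, {field: value}) for one Sysmon event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id.strip(), data

def find_driver_events(events):
    """Flag driver loads and file drops whose file name is the advisory's driver."""
    hits = []
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        path = data.get(PATH_FIELD.get(event_id, ""), "")
        # Compare the base name only, case-insensitively, so a \SystemRoot\ style
        # prefix or a different directory does not hide the file.
        if ntpath.basename(path).lower() == DRIVER_NAME:
            hits.append({"event_id": int(event_id), "path": path,
                         "process": data.get("Image", ""), "time": data.get("UtcTime", "")})
    return hits

def make_event(event_id, **fields):
    """Build a constructed Sysmon-style XML record for the samples below."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")

# Constructed sample records, not taken from a real host.
SAMPLE_EVENTS = [
    make_event(11, UtcTime="2025-01-01 10:00:00.000", Image=r"C:\Users\lab\Downloads\tool.exe",
               TargetFilename=r"C:\Windows\system32\drivers\QKSecureIO_Imp.sys"),
    make_event(6, UtcTime="2025-01-01 10:00:05.000",
               ImageLoaded=r"\SystemRoot\System32\drivers\qksecureio_imp.sys"),
    make_event(11, UtcTime="2025-01-01 10:01:00.000", Image=r"C:\Windows\explorer.exe",
               TargetFilename=r"C:\Temp\QKSecureIO_Imp.sys.txt"),
    make_event(1, UtcTime="2025-01-01 10:02:00.000", Image=r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for hit in find_driver_events(SAMPLE_EVENTS):
        print(hit)
```

A hit on a host where QAX Virus Removal is not installed, or a file-create hit whose writing process is not the product's installer, is the case worth triaging first.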
