d474d8ad-14d9-4664-addd-86b4a9b7a1a5

NeacSafe64.sys

Description

NetEase NeacSafe64.sys is an anti-cheat mini-filter driver referenced by KDU and public NeacController research. Versions prior to 1.0.0.8 expose IOCTL/message-handler paths that provide arbitrary kernel read/write primitives and can be chained for SYSTEM privilege escalation or kernel-mode code execution.

  • UUID: d474d8ad-14d9-4664-addd-86b4a9b7a1a5
  • Created: 2026-06-16
  • Author: Michael Haag
  • Acknowledgement: smallzhong | @smallzhong


Commands

sc.exe create NeacSafe64 binPath=C:\windows\temp\NeacSafe64.sys type=kernel && sc.exe start NeacSafe64

  • Use Case: Abuse arbitrary kernel read/write primitives for local privilege escalation and kernel-mode code execution.
  • Privileges: kernel
  • Operating System: Windows 10, Windows 11

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources


  • https://github.com/smallzhong/NeacController
  • https://github.com/hfiref0x/KDU/blob/master/Help/providers.md

CVE

  • CVE-2025-45737

Known Vulnerable Samples

    • Filename: NeacSafe64.sys
    • Creation Timestamp: 2025-02-20 04:13:54
    • MD5: dcc288fafad0bf3b505c4b44791d423d
    • SHA1: 7e6dd5f1363c3070c59378ec8b23b6ec7b5671b4
    • SHA256: 65447f727801e8be8a51aaaafc07618c8196553e683affb0721da441e2430bad
    • Authentihash MD5: 9caa8f73259bba3021b7384c637db9fe
    • Authentihash SHA1: 5c41fa80052c332f7d6323c91e84e1204ba1c1c7
    • Authentihash SHA256: caac9e1cbeaf4c1e05298e9b0f29468b35a36badd443eb6146e59c5fe520a52e
    • RichPEHeaderHash MD5: c9465872e493ccc48ad7c44938da729f
    • RichPEHeaderHash SHA1: 24e46b810b18225f69b5e5167218720128641e7a
    • RichPEHeaderHash SHA256: 1f608b6c31312466b8d9492bdea5dc696140f55773fb7f58ba9318f4ee2ed6b0
    • Company: 网易(杭州)网络有限公司杭州
    • Product: neacsafe
    • OriginalFilename: neacsafe


    Certificates

    Certificate 330000006daa072f958218c9e300000000006d
    • ToBeSigned (TBS) MD5: 4320213204f73b9d506bbcbb35111c2d
    • ToBeSigned (TBS) SHA1: d3cbbc8331d4d84555a6726d48dfd9571738bd25
    • ToBeSigned (TBS) SHA256: fe99f47e601d6b8ab1e89961000f680bf3b0e0629a8a59864e76f135e0c89699
    • Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher
    • ValidFrom: 2024-10-10 19:04:52
    • ValidTo: 2025-10-08 19:04:52
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.11
    • IsCertificateAuthority: False
    • SerialNumber: 330000006daa072f958218c9e300000000006d
    • Version: 3

    Certificate 330000000d690d5d7893d076df00000000000d
    • ToBeSigned (TBS) MD5: 83f69422963f11c3c340b81712eef319
    • ToBeSigned (TBS) SHA1: 0c5e5f24590b53bc291e28583acb78e5adc95601
    • ToBeSigned (TBS) SHA256: d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae
    • Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014
    • ValidFrom: 2014-10-15 20:31:27
    • ValidTo: 2029-10-15 20:41:27
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.11
    • IsCertificateAuthority: True
    • SerialNumber: 330000000d690d5d7893d076df00000000000d
    • Version: 3

    Imports

    • FLTMGR.SYS
    • ntoskrnl.exe
    • HAL.dll
    • WDFLDR.SYS

    Imported Functions

    • FltCloseClientPort
    • FltCloseCommunicationPort
    • FltUnregisterFilter
    • FltGetFileNameInformation
    • FltReleaseFileNameInformation
    • FltGetVolumeName
    • FltGetRequestorProcessId
    • FltGetDestinationFileNameInformation
    • FltFreeGenericWorkItem
    • FltAllocateGenericWorkItem
    • FltQueueGenericWorkItem
    • FltSendMessage
    • FltRegisterFilter
    • FltBuildDefaultSecurityDescriptor
    • FltCreateCommunicationPort
    • FltFreeSecurityDescriptor
    • FltStartFiltering
    • DbgPrint
    • ExAllocatePoolWithTag
    • KdDebuggerNotPresent
    • KeBugCheckEx
    • KeBugCheck
    • ExInitializeResourceLite
    • ZwWaitForSingleObject
    • ZwClose
    • ExDeleteResourceLite
    • IoRegisterBootDriverReinitialization
    • KeDelayExecutionThread
    • ExSystemTimeToLocalTime
    • RtlTimeToTimeFields
    • IoGetCurrentProcess
    • PsGetProcessImageFileName
    • PsGetCurrentThreadId
    • PsGetProcessId
    • RtlInitUnicodeString
    • MmGetSystemRoutineAddress
    • ZwCreateFile
    • PsCreateSystemThread
    • PsTerminateSystemThread
    • KeEnterCriticalRegion
    • ExAcquireResourceExclusiveLite
    • KeAcquireInStackQueuedSpinLock
    • KeReleaseInStackQueuedSpinLock
    • ZwWriteFile
    • ExReleaseResourceLite
    • KeLeaveCriticalRegion
    • DbgPrintEx
    • KeAcquireInStackQueuedSpinLockAtDpcLevel
    • KeReleaseInStackQueuedSpinLockFromDpcLevel
    • RtlFindClearBitsAndSet
    • RtlClearBits
    • ExCreateCallback
    • ExRegisterCallback
    • ExUnregisterCallback
    • MmSystemRangeStart
    • RtlCopyUnicodeString
    • KeNumberProcessors
    • KeSetSystemAffinityThread
    • KeRevertToUserAffinityThread
    • KeQueryActiveProcessorCountEx
    • KeInsertQueueDpc
    • RtlCompareMemory
    • MmGetPhysicalAddress
    • MmGetVirtualForPhysical
    • MmAllocateContiguousMemory
    • MmFreeContiguousMemory
    • __C_specific_handler
    • MmBuildMdlForNonPagedPool
    • MmMapLockedPagesSpecifyCache
    • MmUnmapLockedPages
    • IoFreeMdl
    • KeAreApcsDisabled
    • ExAcquireRundownProtection
    • ExReleaseRundownProtection
    • ExAcquireSpinLockSharedAtDpcLevel
    • ExReleaseSpinLockSharedFromDpcLevel
    • MmGetPhysicalMemoryRanges
    • PsInitialSystemProcess
    • KeInitializeEvent
    • ExQueueWorkItem
    • KeWaitForSingleObject
    • KeSetSystemGroupAffinityThread
    • KeRevertToUserGroupAffinityThread
    • RtlInitializeBitMap
    • MmAllocateMappingAddress
    • MmFreeMappingAddress
    • MmIsAddressValid
    • RtlLookupFunctionEntry
    • RtlImageNtHeader
    • RtlCaptureContext
    • KeCapturePersistentThreadState
    • ObQueryNameString
    • RtlPrefixUnicodeString
    • RtlFormatCurrentUserKeyPath
    • RtlAppendUnicodeStringToString
    • RtlFreeUnicodeString
    • RtlAppendUnicodeToString
    • CmRegisterCallback
    • CmUnRegisterCallback
    • IoDriverObjectType
    • ObReferenceObjectByName
    • MmUserProbeAddress
    • ProbeForRead
    • MmLockPagableDataSection
    • MmUnlockPagableImageSection
    • MmCreateMdl
    • RtlGetVersion
    • ExAllocatePool
    • ExAcquireFastMutex
    • ExReleaseFastMutex
    • ExAcquireRundownProtectionEx
    • ExReleaseRundownProtectionEx
    • ObfReferenceObject
    • RtlCompareUnicodeString
    • ProbeForWrite
    • KeStackAttachProcess
    • KeUnstackDetachProcess
    • PsGetProcessInheritedFromUniqueProcessId
    • PsGetProcessCreateTimeQuadPart
    • ZwOpenProcess
    • ZwQueryInformationProcess
    • PsGetProcessWow64Process
    • PsGetProcessDebugPort
    • PsGetProcessSectionBaseAddress
    • MmHighestUserAddress
    • ExGetPreviousMode
    • ZwQuerySystemInformation
    • ZwOpenFile
    • ZwQueryInformationFile
    • ZwCreateSection
    • ZwMapViewOfSection
    • ZwUnmapViewOfSection
    • FsRtlGetFileSize
    • FsRtlCreateSectionForDataScan
    • PsGetProcessPeb
    • IoQueryFileInformation
    • RtlInitAnsiString
    • RtlCopyString
    • PsLookupThreadByThreadId
    • ObOpenObjectByPointer
    • ZwQueryInformationThread
    • PsIsSystemThread
    • PsGetThreadProcessId
    • PsIsThreadTerminating
    • IoGetStackLimits
    • PsProcessType
    • ObReferenceObjectByHandle
    • ExEnumHandleTable
    • ZwWaitForMultipleObjects
    • ZwOpenSymbolicLinkObject
    • ZwQuerySymbolicLinkObject
    • IoFileObjectType
    • IoQueryFileDosDeviceName
    • IoVolumeDeviceToDosName
    • KeWaitForMultipleObjects
    • RtlSetDaclSecurityDescriptor
    • HalPrivateDispatchTable
    • ZwAllocateVirtualMemory
    • NtClose
    • PsThreadType
    • KeClearEvent
    • MmAllocatePagesForMdl
    • MmFreePagesFromMdl
    • ZwOpenThread
    • PsGetThreadId
    • PsRemoveLoadImageNotifyRoutine
    • PsSetCreateProcessNotifyRoutine
    • KeEnterGuardedRegion
    • ExfAcquirePushLockShared
    • ExfReleasePushLockShared
    • KeLeaveGuardedRegion
    • ExInitializeRundownProtection
    • PsSetLoadImageNotifyRoutine
    • PsSetCreateThreadNotifyRoutine
    • ExWaitForRundownProtectionRelease
    • ExRundownCompleted
    • PsRemoveCreateThreadNotifyRoutine
    • IoGetInitialStack
    • ExAcquireSpinLockShared
    • ExReleaseSpinLockShared
    • RtlClearAllBits
    • RtlFindSetBits
    • RtlFindNextForwardRunClear
    • KeInitializeApc
    • KeInsertQueueApc
    • RtlSetBit
    • ExfReleasePushLock
    • MmUnlockPages
    • MmSizeOfMdl
    • ExAllocatePoolWithQuotaTag
    • MmProbeAndLockPages
    • RtlAnsiStringToUnicodeString
    • ExRaiseStatus
    • ZwOpenDirectoryObject
    • IoDeviceObjectType
    • RtlWalkFrameChain
    • RtlVirtualUnwind
    • RtlEnumerateGenericTableAvl
    • MmAllocateNonCachedMemory
    • MmFreeNonCachedMemory
    • RtlImageDirectoryEntryToData
    • ZwReadFile
    • KeInitializeAffinityEx
    • KeAddProcessorAffinityEx
    • KeQueryActiveProcessorCount
    • KeQueryTimeIncrement
    • KeRegisterNmiCallback
    • KeDeregisterNmiCallback
    • RtlUpcaseUnicodeToMultiByteN
    • RtlAnsiCharToUnicodeChar
    • RtlUnicodeToMultiByteN
    • strncpy
    • qsort
    • PsGetCurrentProcessId
    • KeSetEvent
    • ExFreePoolWithTag
    • PsGetProcessExitStatus
    • ObfDereferenceObject
    • PsLookupProcessByProcessId
    • MmMapLockedPages
    • HalGetBusDataByOffset
    • KeQueryPerformanceCounter
    • WdfVersionUnbind
    • WdfVersionBind
    • WdfVersionBindClass
    • WdfVersionUnbindClass

    Exported Functions


    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .rsrc
    • .reloc

    Signature

    {
      "Certificates": [
        {
          "CertificateType": "Leaf (Code Signing)",
          "IsCA": false,
          "IsCertificateAuthority": false,
          "IsCodeSigning": true,
          "SerialNumber": "330000006daa072f958218c9e300000000006d",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
          "TBS": {
            "MD5": "4320213204f73b9d506bbcbb35111c2d",
            "SHA1": "d3cbbc8331d4d84555a6726d48dfd9571738bd25",
            "SHA256": "fe99f47e601d6b8ab1e89961000f680bf3b0e0629a8a59864e76f135e0c89699",
            "SHA384": "e0a64b97e2ac3d56d42b593fccee2d0e80fc626b8161f60a36a2adef8fe94c7c06c7509816d1c2211400626fc1fc63c7"
          },
          "ValidFrom": "2024-10-10 19:04:52",
          "ValidTo": "2025-10-08 19:04:52",
          "Version": 3
        },
        {
          "CertificateType": "CA",
          "IsCA": true,
          "IsCertificateAuthority": true,
          "IsCodeSigning": false,
          "SerialNumber": "330000000d690d5d7893d076df00000000000d",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
          "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
          "TBS": {
            "MD5": "83f69422963f11c3c340b81712eef319",
            "SHA1": "0c5e5f24590b53bc291e28583acb78e5adc95601",
            "SHA256": "d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae",
            "SHA384": "260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63"
          },
          "ValidFrom": "2014-10-15 20:31:27",
          "ValidTo": "2029-10-15 20:41:27",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
          "SerialNumber": "330000006daa072f958218c9e300000000006d",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }
    


    last_updated: 2026-06-16