Windows Exploitation Technique Amplifying Race Windows via S...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://projectzero.google/2025/12/windows-exploitation-techniques.html
• Blog Title: Windows Exploitation Technique: Amplifying Race Windows via Slow Object Manager Lookups
• Suggested Section: 🪟 Windows Hardening -> Windows Exploiting (Basic Guide - OSCP lvl) or Windows Local Privilege Escalation (new subsection on 'Kernel Race Condition Exploitation – Object Manager Path Slowdown')

🎯 Content Summary

This post documents a generic Windows kernel exploitation trick: amplifying race-condition windows by deliberately slowing down the Object Manager Namespace (OMNS) lookup of attacker-controlled named objects. The author originally developed this in 2016 and revalidated it on a modern Windows 11 24H2 (Surface Pro, Snapdragon X Elite 3.40GHz).

Background: Typical Windows race-condition pattern

Many Windows kernel vulnerabilities follo...

🔧 Technical Details

Trick 1 – Exploiting UNICODE_STRING length for slow single-component lookups:
Windows Object Manager paths are stored in UNICODE_STRING structures with a 16-bit Length field, limiting paths to ~32767 UTF-16 characters. An attacker can create a named object (e.g. event) in a writable directory like \BaseNamedObjects using a single extremely long component (e.g. \BaseNamedObjects\A[~32k chars]). When vulnerable code invokes NtOpenX() on that name, the kernel must perform a full Unicode string comparison to match the component in the directory. This yields roughly linear growth in lookup time with name length, slowing calls from ~2 μs (normal names) to ~35 μs at maximum length. For any race pattern of check() -> NtOpenX(long_name) -> secure_action(), this directly increases the race window by an order of magnitude without special privileges.

Trick 2 – ...

🤖 Agent Actions

Summary:

• Added a dedicated page on amplifying Windows kernel race-condition windows via Object Manager slow paths (max-length components, deep directory chains), including measurement harness, exploitation workflow, and defensive notes, all referenced to the Project Zero research.
• Updated the Windows Local Privilege Escalation guide’s driver section to reference the new technique so readers can quickly pivot when facing OM path race bugs.

Testing:

• Not run (not applicable).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

• MD files processed: 925
• MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).

[carlospolop]

🔗 Additional Context

Original Blog Post: https://projectzero.google/2025/12/windows-exploitation-techniques.html

Content Categories: Based on the analysis, this content was categorized under "🪟 Windows Hardening -> Windows Exploiting (Basic Guide - OSCP lvl) or Windows Local Privilege Escalation (new subsection on 'Kernel Race Condition Exploitation – Object Manager Path Slowdown')".

Repository Maintenance:

• MD Files Formatting: 925 files processed (1 files fixed)

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

[carlospolop]

merge