Windows Notification Facility - Peeling the Onion of the Most Undocumented Kernel Attack Surface Yet

Explore the Windows Notification Facility (WNF), a largely undocumented kernel attack surface, in this Black Hat conference talk. Delve into the intricacies of WNF, its purpose, and its role in cross-process data sharing and communication. Learn about state name lifetimes, scopes, sequence numbers, and the processes of registering, publishing, and consuming WNF state data. Examine the high-level API, notification callbacks, and kernel API components. Discover potential security vulnerabilities, including the O-byte write, privileged disclosure, and modern app launcher blocker. Gain insights into discovering state names, permissions, and creating custom WNF state names. Investigate EDR/AM visibility options and explore methods for controlling the system and injecting code using WNF. Presented by Alex Ionescu and Gabrielle Viala, this talk offers key takeaways for Windows researchers and security professionals looking to understand this complex and potentially exploitable kernel mechanism.

Intro
About Alex lonescu
What is WNF?
Why does WNF exist?
State Name Lifetime
State Scopes
Sequence Numbers
Registering a WNF State Name
Publishing WNF State Data
Consuming WNF Data
WNF Notifications
High Level API
Notification Callback
Kernel API
WNF Name Instance
WNF Scope Instance
WNF Scope Map
WNF Subscription
WNF Process Context
WinDBG Custom Extension
The O-byte Write
The Privileged Disclosure
The Modern App Launcher Blocker
The Crashing Service
Discovering State Names and Permissions
Discovering Volatile Names
Brute Forcing Security Descriptors
Creating custom WNF State Names
EDR/AM Visibility Options
Controlling the System with WNF
Interesting Insider Settings
Injecting Code with WNF
Modifying Callbacks/Contexts for Code Redirection
Key Takeaways