This technical analysis explores the evolution and security implications of the GetProcessHandleFromHwnd API, tracking its transition from a hook-based implementation in oleacc.dll to a kernel-mode function in Win32k. The author highlights how historical inaccuracies in documentation led to the discovery of significant vulnerabilities, including UAC bypasses and the ability for lower-privileged processes to obtain handles to protected processes (PPL) by exploiting missing access checks in the kernel implementation.
The article details the discovery of CVE-2023-41772, which allowed processes with UI Access to bypass security boundaries, and examines the subsequent fixes introduced in Windows 11 24H2. These updates include stricter User Interface Privilege Isolation (UIPI) enforcement and a new requirement that the caller hold the UI Access flag even to call the API. Finally, the post demonstrates a conceptual exploit for hijacking TCB-level protected processes using WerFaultSecure.exe, emphasizing that while modern Windows versions are patched, legacy systems remain susceptible to these techniques.