Explore the Windows Notification Facility (WNF), a largely undocumented kernel attack surface, in this Black Hat conference talk. Delve into the intricacies of WNF, its purpose, and its role in cross-process data sharing and communication. Learn about state name lifetimes, scopes, sequence numbers, and the processes of registering, publishing, and consuming WNF state data. Examine the high-level API, notification callbacks, and kernel API components. Discover potential security vulnerabilities, including the O-byte write, privileged disclosure, and modern app launcher blocker. Gain insights into discovering state names, permissions, and creating custom WNF state names. Investigate EDR/AM visibility options and explore methods for controlling the system and injecting code using WNF. Presented by Alex Ionescu and Gabrielle Viala, this talk offers key takeaways for Windows researchers and security professionals looking to understand this complex and potentially exploitable kernel mechanism.
Windows Notification Facility - Peeling the Onion of the Most Undocumented Kernel Attack Surface Yet