WNF State Data

Windows Notification Facility state data objects as pool spray and R/W primitives.

Description

WNF (Windows Notification Facility) state data objects are kernel pool allocations with attacker-controlled sizes. They are useful for pool spray and as corruption targets for relative read/write primitives.

Exploitation

  • NtUpdateWnfStateData — allocate controlled-size pool chunk
  • NtQueryWnfStateData — read back data (relative read after corruption)
  • Size flexibility makes them ideal for targeting specific pool buckets