Posted by James Forshaw, Google Project Zero
Back in 2021 I wrote a blog post about various ways you can build a virtual memory access trap primitive on Windows. The goal was to cause a reader or writer of a virtual memory address to halt for a significant (e.g. 1 or more seconds) amount of time, generally for the purpose of exploiting TOCTOU memory access bugs in the kernel.
The solutions proposed in the blog post were to either map an SMB file on a remote server, or abuse the Cloud Filter API. This blog post isn't going to provide new solutions; instead I want to highlight a new feature of Windows 11 24H2 that introduces the ability to abuse the SMB file server directly on the local machine, no remote server required. This change also introduces the ability to locally exploit vulnerabilities of the so-called "False File Immutability" bug class.
All Change Please
The change was first made public, at least as far as I know, in this blog post. Microsoft's blog post described this change in Windows Insider previews; however, it has since shipped in Windows 11 24H2, which is generally available.
The TL;DR is that the SMB client on Windows now supports specifying the destination TCP port from the command line's net command. For example, you can force the SMB client to use port 12345 through the command net use \\localhost\c$ /TCPPORT:12345. Now accessing the UNC path \\localhost\c$\blah will connect through port 12345 instead of the old, fixed port of 445. This feature works for any user; administrator access is not required, as it only affects the current user's logon session.
The problem encountered in the previous blog post was you couldn't bind your fake SMB server to port 445 without shutting down the local SMB server. Shutting down the server can only be done as an administrator, defeating most of the point of the exploitation trick. By changing the client port to one which isn't currently in use, we can open files via our fake SMB server and perform the delay locally without needing to use the Cloud Filter API. This still won't allow the technique to work in a sandbox fortunately.
Note that an administrator can disable this feature through Group Policy, but it is enabled by default and non-enterprise users are unlikely to ever change that. I personally think making it enabled by default is a mistake that will come back to cause problems for Windows going forward.
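Since the feature is on by default, the practical question for a defender is how to spot it being used. The following is an added detection example, not code from the post or from Project Zero: it scans process-creation records for a net use command carrying the /TCPPORT: switch described above, flags any mapping that uses a port other than 445, and separately marks mappings whose UNC host is loopback (localhost, 127.0.0.1, ::1), which is the local fake-server pattern the post describes. The record field names (pid, user, command_line) and the sample records themselves are constructed for this example and do not correspond to any particular telemetry product.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample process-creation records (not real telemetry).
# Field names are an assumption of this example, not a vendor schema.
SAMPLE_EVENTS = [
    {"pid": 4120, "user": r"CORP\alice", "command_line": r"net use \\fileserver\share"},
    {"pid": 4121, "user": r"CORP\bob",   "command_line": r"net use \\localhost\c$ /TCPPORT:12345"},
    {"pid": 4122, "user": r"CORP\bob",   "command_line": r"NET USE Z: \\127.0.0.1\c$ /tcpport:8445 /persistent:no"},
    {"pid": 4123, "user": r"CORP\carol", "command_line": r"C:\Windows\System32\net.exe use \\backup01\data /TCPPORT:445"},
    {"pid": 4124, "user": r"CORP\dave",  "command_line": r"net user dave /domain"},
]

# "net use" (optionally with a path prefix or .exe suffix); "\b" after "use"
# keeps "net user" from matching.
NET_USE_RE = re.compile(
    r'^\s*(?:"?[^"\s]*\\)?net(?:\.exe)?"?\s+use\b(?P<rest>.*)$', re.IGNORECASE
)
# First UNC path on the line: \\host\share...
UNC_RE = re.compile(r"\\\\(?P<host>[^\\\s]+)\\")
# The new client-side port override switch.
PORT_RE = re.compile(r"/TCPPORT:(?P<port>\d+)", re.IGNORECASE)
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
DEFAULT_SMB_PORT = 445


@dataclass
class Finding:
    pid: int
    user: str
    host: str
    port: int
    local_target: bool  # True when the UNC host is loopback


def analyse_event(event: dict) -> Optional[Finding]:
    """Return a Finding if the record is a net use with a non-445 /TCPPORT, else None."""
    m = NET_USE_RE.match(event["command_line"])
    if not m:
        return None
    rest = m.group("rest")
    pm = PORT_RE.search(rest)
    if not pm:
        return None  # ordinary mapping, no port override
    port = int(pm.group("port"))
    if port == DEFAULT_SMB_PORT:
        return None  # explicit but default port; nothing unusual
    um = UNC_RE.search(rest)
    host = um.group("host").lower() if um else "?"
    return Finding(event["pid"], event["user"], host, port, host in LOOPBACK_HOSTS)


def scan(events) -> list:
    """Run analyse_event over a batch of records and keep the findings."""
    return [f for f in (analyse_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        tag = "LOCAL-TARGET" if f.local_target else "remote-target"
        print(f"pid={f.pid} user={f.user} host={f.host} port={f.port} [{tag}]")
```

Only the two loopback mappings with non-default ports are reported; the mapping that spells out /TCPPORT:445 is ignored because it changes nothing, and net user is not confused with net use. In a real pipeline the same rule would be paired with the Group Policy setting the post mentions, so that a hit on an endpoint where the feature is supposed to be disabled stands out as a policy gap as well as a suspicious action.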
I've updated the example fake SMB server to allow you to bind to a different port so that you can perform the attack locally. Hopefully someone finds it useful.