The technique uses WinDbg Preview, which can be installed from the Microsoft Store, to inject code into legitimate processes and so bypass Windows Defender Application Control (WDAC) policies intended to prevent unauthorized code execution. The gap stems from Microsoft's recommended WDAC blocklist: it includes the legacy windbg.exe but does not cover the newer WinDbg Preview binary (WinDbgX.exe) delivered through the Store. "To my surprise, the Microsoft Store had not been disabled and allowed installing verified applications such as WinDbg Preview edition," the researcher noted.

The bypass works because WinDbg Preview manipulates thread state through SetThreadContext() under the hood, and security products may not flag those calls when the caller is a trusted, Microsoft-signed application. With shellcode loaded into memory, the attacker uses WinDbg's built-in commands to stage and execute Windows API calls for remote process injection: r (set registers) places the arguments in RCX, RDX, R8 and R9, as the Windows x64 calling convention requires, and eq (enter quadword) writes values into memory, before execution is redirected to the target Windows API functions. No unsigned binary ever runs; every instruction that reaches the target is issued by a debugger the policy allows.

The discovery underscores the constant challenge of application control: a blocklist that names one binary does not cover its successor, and a policy that assumes the Store is unavailable fails silently when it is not. Two checks follow directly from this case: confirm that the deployed policy explicitly denies WinDbgX.exe as well as windbg.exe, and confirm that Store installs are actually restricted wherever the policy relies on that. Security teams should review and update application control policies regularly to address bypass techniques that abuse trusted applications. Gurubaran is a co-founder of Cyber Security News and GBHackers On Security.
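The blocklist gap described above can be audited mechanically. The following is an added example, not code from the article or from the researcher it reports on: it parses a WDAC policy in the standard SiPolicy XML format, reports which of the debugger binaries lack an effective Deny rule, and adds the missing rule. The sample policy is constructed for this example (it follows the shape of Microsoft's published block rules but is not a copy of them); the function names and the DEBUGGER_BINARIES list are this example's own choices. The namespace `urn:schemas-microsoft-com:sipolicy` and the `MinimumFileVersion="65535.65535.65535.65535"` convention for denying every version of a file are the real WDAC conventions.

```python
"""Audit a WDAC policy XML for deny rules on the WinDbg binaries and add a
missing one. Added illustration; not code from the article or its source."""
import xml.etree.ElementTree as ET

SIPOLICY_NS = "urn:schemas-microsoft-com:sipolicy"
NS = {"sp": SIPOLICY_NS}
ET.register_namespace("", SIPOLICY_NS)  # serialize without an ns0: prefix

# The two binaries the article contrasts; extend for your own environment.
DEBUGGER_BINARIES = ("windbg.exe", "WinDbgX.exe")

# Constructed sample policy (an assumption for this example, not Microsoft's
# published blocklist): same rule shape, denying windbg.exe but saying
# nothing about WinDbgX.exe.
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
  </Rules>
  <EKUs />
  <FileRules>
    <Deny ID="ID_DENY_WINDBG" FriendlyName="windbg.exe"
          FileName="windbg.exe" MinimumFileVersion="65535.65535.65535.65535" />
  </FileRules>
  <Signers />
  <SigningScenarios>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS"
                     FriendlyName="User Mode Signing Scenario">
      <ProductSigners>
        <FileRulesRef>
          <FileRuleRef RuleID="ID_DENY_WINDBG" />
        </FileRulesRef>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
</SiPolicy>
"""


def effective_deny_filenames(policy_xml: str) -> set[str]:
    """Lowercase FileName of every Deny rule that is actually in force.

    A Deny rule only takes effect when it is both defined under <FileRules>
    and referenced by a <FileRuleRef> inside a <SigningScenario>; a rule that
    is defined but never referenced is inert, so it is not counted here.
    """
    root = ET.fromstring(policy_xml)
    referenced = set()
    for scenario in root.iterfind("./sp:SigningScenarios/sp:SigningScenario", NS):
        for ref in scenario.iterfind(".//sp:FileRuleRef", NS):
            referenced.add(ref.get("RuleID"))
    return {
        rule.get("FileName").lower()
        for rule in root.iterfind("./sp:FileRules/sp:Deny", NS)
        if rule.get("FileName") and rule.get("ID") in referenced
    }


def blocklist_gaps(policy_xml: str, binaries=DEBUGGER_BINARIES) -> list[str]:
    """Names from `binaries` that the policy does not deny (case-insensitive)."""
    denied = effective_deny_filenames(policy_xml)
    return [name for name in binaries if name.lower() not in denied]


def add_deny_rule(policy_xml: str, filename: str, rule_id: str) -> str:
    """Return the policy with a version-agnostic Deny rule for `filename`,
    wired into the user-mode signing scenario (Value="12")."""
    root = ET.fromstring(policy_xml)
    deny = ET.SubElement(root.find("./sp:FileRules", NS), f"{{{SIPOLICY_NS}}}Deny")
    deny.set("ID", rule_id)
    deny.set("FriendlyName", filename)
    deny.set("FileName", filename)
    deny.set("MinimumFileVersion", "65535.65535.65535.65535")  # all versions

    scenario = root.find(
        "./sp:SigningScenarios/sp:SigningScenario[@Value='12']", NS)
    if scenario is None:
        raise ValueError("policy has no user-mode signing scenario")
    signers = scenario.find("./sp:ProductSigners", NS)
    if signers is None:
        signers = ET.SubElement(scenario, f"{{{SIPOLICY_NS}}}ProductSigners")
    refs = signers.find("./sp:FileRulesRef", NS)
    if refs is None:
        refs = ET.SubElement(signers, f"{{{SIPOLICY_NS}}}FileRulesRef")
    ET.SubElement(refs, f"{{{SIPOLICY_NS}}}FileRuleRef").set("RuleID", rule_id)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("gaps before:", blocklist_gaps(SAMPLE_POLICY))
    fixed = add_deny_rule(SAMPLE_POLICY, "WinDbgX.exe", "ID_DENY_WINDBGX")
    print("gaps after: ", blocklist_gaps(fixed))
```

Run against the sample, the audit reports WinDbgX.exe as uncovered before the rule is added and nothing afterwards. Two caveats when applying this to a real policy: a FileName rule matches the OriginalFileName in the binary's version resource rather than the on-disk name, so a renamed copy is still caught but a rebuilt one with a different resource is not; and a Deny rule that appears under FileRules without a matching FileRuleRef in a signing scenario does nothing, which is why the audit counts only referenced rules.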
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 21 Apr 2025 14:30:17 +0000