Microsoft Windows 8.1 Console Driver Job Object Process Limit Bypass
Posted by deepcore on April 7, 2016 – 9:56 am
One change in Windows 8.1 from Windows 7 is the introduction of the console driver (condrv.sys) which is responsible for handling the management of consoles. It contains a method, CdpLaunchServerProcess which creates an instance of conhost.exe. This method calls ZwCreateUserProcess which means that the system call runs with kernel permissions, it also passes a flag (0x400) to the system call which indicates that the new process should not be assigned to the parent job. This allows for the conhost process to bypass the job restrictions.
Post a reply
You must be logged in to post a comment.