
Delaying Kernel Payloads by Hijacking KTIMERs & KDPCs (Part 1)
In this two-part blog post series we present KTIMER Hijacking, a novel post-exploitation technique that delays the execution of kernel-mode payloads. This first part focuses on Windows 11 timer internals and deferred procedure calls, and on how KTIMER and KDPC objects can be hijacked to delay the execution of a function pointer. The second part focuses on implementing these findings in a proof of concept, illustrating the delayed execution of a kernel-mode payload. ...