Merge pull request #539 from peass-ng/update_PEASS-winpeas-Windows_Exploitation_Technique__Ampl_20251217_012647

[WINPEAS] Add privilege escalation check: Windows Exploitation Technique Amplifyin...

winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs

@@ -82,6 +82,7 @@ namespace winPEAS.Checks
                 PrintKrbRelayUp,
                 PrintInsideContainer,
                 PrintAlwaysInstallElevated,
+                PrintObjectManagerRaceAmplification,
                 PrintLSAInfo,
                 PrintNtlmSettings,
                 PrintLocalGroupPolicy,
@@ -734,6 +735,31 @@ namespace winPEAS.Checks
             }
         }
 
+        static void PrintObjectManagerRaceAmplification()
+        {
+            try
+            {
+                Beaprint.MainPrint("Object Manager race-window amplification primitives");
+                Beaprint.LinkPrint("https://projectzero.google/2025/12/windows-exploitation-techniques.html", "Project Zero write-up:");
+
+                if (ObjectManagerHelper.TryCreateSessionEvent(out var objectName, out var error))
+                {
+                    Beaprint.BadPrint($"    Created a test named event ({objectName}) under \\BaseNamedObjects.");
+                    Beaprint.InfoPrint("    -> Low-privileged users can slow NtOpen*/NtCreate* lookups using ~32k-character names or ~16k-level directory chains.");
+                    Beaprint.InfoPrint("    -> Point attacker-controlled symbolic links to the slow path to stretch kernel race windows.");
+                    Beaprint.InfoPrint("    -> Use this whenever a bug follows check -> NtOpenX -> privileged action patterns.");
+                }
+                else
+                {
+                    Beaprint.InfoPrint($"    Could not create a test event under \\BaseNamedObjects ({error}). The namespace might be locked down.");
+                }
+            }
+            catch (Exception ex)
+            {
+                Beaprint.PrintException(ex.Message);
+            }
+        }
+
         private static void PrintNtlmSettings()
         {
             Beaprint.MainPrint($"Enumerating NTLM Settings");

winPEAS/winPEASexe/winPEAS/Helpers/ObjectManagerHelper.cs

@@ -0,0 +1,34 @@
+using System;
+using System.Diagnostics;
+using System.Threading;
+
+namespace winPEAS.Helpers
+{
+    internal static class ObjectManagerHelper
+    {
+        public static bool TryCreateSessionEvent(out string objectName, out string error)
+        {
+            objectName = $"PEAS_OMNS_{Process.GetCurrentProcess().Id}_{Guid.NewGuid():N}";
+            error = string.Empty;
+
+            try
+            {
+                using (var handle = new EventWaitHandle(initialState: false, EventResetMode.ManualReset, objectName, out var createdNew))
+                {
+                    if (!createdNew)
+                    {
+                        error = "A test event with the generated name already existed.";
+                        return false;
+                    }
+                }
+
+                return true;
+            }
+            catch (Exception ex)
+            {
+                error = ex.Message;
+                return false;
+            }
+        }
+    }
+}

winPEAS/winPEASexe/winPEAS/winPEAS.csproj

@@ -1360,6 +1360,7 @@
     <Compile Include="KnownFileCreds\Vault\Structs\VAULT_ITEM_WIN8.cs" />
     <Compile Include="KnownFileCreds\Vault\VaultCli.cs" />
     <Compile Include="Helpers\MyUtils.cs" />
+    <Compile Include="Helpers\ObjectManagerHelper.cs" />
     <Compile Include="Info\UserInfo\SAM\Enums.cs" />
     <Compile Include="Info\UserInfo\SAM\SamServer.cs" />
     <Compile Include="Info\UserInfo\SAM\Structs.cs" />