// REVERSE ENGINEERING

kernel driver analysis — cldflt.sys patch diffing

binary analysis of Windows kernel drivers to understand silent patches and find alternative attack surfaces

00 — OBJECTIVE

The CfAbortOperation TOCTOU race primitive (used by MiniPlasma for CVE-class EoP) was found to be PATCHED on Windows 11 Build 26200 (25H2). CfAbortOperation returns S_OK but no longer triggers HsmOsBlockPlaceholderAccess to create or modify the CloudFiles\BlockedApps registry key.

This section documents the reverse engineering process used to understand what Microsoft changed and whether alternative code paths in cldflt.sys remain exploitable.

CORE FINDING — Primitive Dead on Build 26200

CfAbortOperation(pid, 0, BLOCK) returns 0x00000000 (S_OK) but the CloudFiles\BlockedApps registry key is never created under HKU\.DEFAULT\Software\Policies\Microsoft\. Confirmed on both main machine and Radon laptop. The kernel code path that performed the registry write has been silently removed or gated.

01 — DIAGNOSTIC EVIDENCE

Build Verification

Machine | OS Version | Build | CloudFiles Key | Primitive
Main (gwu07) | Win11 25H2 | 26200.8655 | MISSING | DEAD
Radon (Ghaleb Jomma) | Win11 25H2 | 26200 | MISSING | DEAD

CfAbortOperation Test (PowerShell Add-Type)

PS> # Add-Type wrapper — calls cldapi.dll CfAbortOperation directly
PS> # Bypasses Defender EXE flagging by compiling in-memory

CfGetPlatformInfo: 0x00000000 Build=26100 Rev=8655 Int=1576
PID: 55300

--- BEFORE CfAbortOperation ---
HKCU:\...\CloudFiles EXISTS (current user hive)
HKU\.DEFAULT\...\CloudFiles MISSING (SYSTEM hive)

CfAbortOperation x1000: 0 errors, all returned S_OK

--- AFTER CfAbortOperation ---
HKU\.DEFAULT\...\CloudFiles STILL MISSING

Conclusion: CfAbortOperation succeeds but never creates the registry key.
The kernel code path (HsmOsBlockPlaceholderAccess) no longer writes to the registry.

Registry Path Analysis

PS> reg.exe query "HKU\.DEFAULT\Software\Policies\Microsoft"

HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\SystemCertificates

# Only SystemCertificates exists. No CloudFiles subtree.
# MiniPlasma targets: \Policies\Microsoft\CloudFiles\BlockedApps
# VaderPrime (bug #3 — FIXED): was targeting wrong path under \CurrentVersion\

02 — VADERPRIME RACE ENGINE — 3 BUGS FIXED

Before discovering the patch, three architectural bugs were identified and fixed in VaderPrime's race engine. These were real bugs that would have prevented the race even on an unpatched build.

# | Bug | Impact | Fix
1 | Thread A was a stub | Race thread never called CfAbortOperation, it just incremented a counter | Calling thread becomes Thread A and calls CfAbortOperation(pid, 0, BLOCK) in a tight loop
2 | Wrong thread handle | GetCurrentThread() returns the pseudo-handle (-2), so Thread B toggled its OWN token | NtThread.OpenCurrent() for a real handle, passed to Thread B for the cross-thread toggle
3 | Wrong registry path | Targeted \CurrentVersion\CloudFiles instead of \Policies\Microsoft\CloudFiles | Path corrected to match MiniPlasma's proven target

KEY LEARNING — GetCurrentThread() vs NtThread.OpenCurrent()

GetCurrentThread() returns pseudo-handle -2 which always refers to the calling thread. Passing it to another thread means that thread toggles its own impersonation. NtThread.OpenCurrent() returns a real kernel handle that can be passed between threads for cross-thread token manipulation. This distinction is critical for any confused deputy race condition.

03 — TOOLCHAIN

Tool | Version | Purpose
Ghidra | 12.1.2 (2026-06-05) | Kernel driver disassembly and decompilation
Java (OpenJDK) | 21.0.10 LTS | Ghidra runtime
dumpbin.exe | VS 2022 BuildTools | PE export/import analysis
PowerShell Add-Type | 5.1 / 7+ | In-memory C# compilation for testing (bypasses Defender)
NtApiDotNet | 1.1.33 | .NET NT API bindings for registry/thread/token operations

Installation

PS> java -version
openjdk version "21.0.10" 2026-01-20 LTS

PS> gh release download Ghidra_12.1.2_build --repo NationalSecurityAgency/ghidra -D "$HOME\Desktop"
# Downloaded ghidra_12.1.2_PUBLIC_20260605.zip

PS> Expand-Archive "$HOME\Desktop\ghidra_12.1.2_PUBLIC_20260605.zip" "$HOME\Desktop\ghidra"
# Extracted to C:\Users\gwu07\Desktop\ghidra\ghidra_12.1.2_PUBLIC\

PS> Copy-Item "C:\Windows\System32\drivers\cldflt.sys" "vader-prime\cldflt_26200.sys"
# 593,920 bytes — Build 26200 (25H2), last modified 2026-06-10

04 — GHIDRA ANALYSIS IN PROGRESS

Target: cldflt_26200.sys (593 KB). Primary function of interest: HsmOsBlockPlaceholderAccess — the function MiniPlasma's race triggered via CfAbortOperation.

Analysis Goals

  1. Locate HsmOsBlockPlaceholderAccess in the decompiled output
  2. Identify what changed — was the registry write removed? Gated behind a check? Moved?
  3. Map all Cloud Files API entry points that reach registry write code paths
  4. Identify alternative functions that could trigger the same TOCTOU window

Project Setup

Ghidra> File → New Project → Non-Shared Project
Directory: C:\Users\gwu07\Desktop\ghidra_projects
Name: cldflt_analysis

Ghidra> File → Import File → cldflt_26200.sys
Format: PE (Portable Executable)
Language: x86:LE:64:default
# Auto-detected — accept defaults

Ghidra> Double-click cldflt_26200.sys → CodeBrowser opens
"Analyze now?" → Yes → all analyzers checked → Analyze
# ~30-60 seconds for full analysis pass

Ghidra> Symbol Tree → Functions → filter: "HsmOs"
Target: HsmOsBlockPlaceholderAccess
# Double-click → Decompile window shows C pseudocode

What to Look For

Pattern | Meaning
Calls to ZwCreateKey / ZwSetValueKey / ZwOpenKey | Registry write path — the thing that stopped working
New conditional checks gating registry writes | Microsoft may have added a feature flag or version check
Early return STATUS_SUCCESS before registry code | Function still exists but bails out early — "soft patch"
Cross-references to HsmOsBlockPlaceholderAccess | Other entry points that could reach the same code path
Token/impersonation checks (SeAccessCheck, PsReferenceImpersonationToken) | Where the TOCTOU window was — is the check still there?
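A cheap first pass on the first pattern in the table, before the decompiler session: check whether the new build still imports the registry-write APIs at all, and how its import table differs from a pre-patch build. The script below is an added example written for these notes; it is not code from the page, from MiniPlasma or from VaderPrime. It assumes you have run `dumpbin.exe /imports` (from the toolchain table) on both driver builds and saved the text output. The two dumps embedded in the script are constructed to show the dumpbin format only and are not the real import tables of any cldflt.sys build; the API names are genuine ntoskrnl.exe/FLTMGR.SYS exports, the hint numbers are made up.

```python
"""Diff the import tables of two driver builds from `dumpbin /imports` text.

Added example for the cldflt patch-diffing notes (not the page's own code).
Assumes: dumpbin.exe /imports cldflt_<build>.sys > imports_<build>.txt was
run for the old and new builds. The embedded samples are CONSTRUCTED.
"""
import re
from collections import defaultdict

# Module header: exactly four leading spaces and a single token, e.g. "    ntoskrnl.exe".
_MODULE_RE = re.compile(r"^ {4}(\S+)\s*$")
# Imported function: hex hint followed by one identifier. The table-info lines
# ("... Import Address Table", "... time date stamp") have several words after
# the number, so they do not match.
_IMPORT_RE = re.compile(r"^\s+[0-9A-Fa-f]+\s+([A-Za-z_@$?][\w@$?]*)\s*$")
# Import by ordinal: "    Ordinal    12" (no name available).
_ORDINAL_RE = re.compile(r"^\s+Ordinal\s+(\d+)\s*$")

# Registry-write APIs the notes single out as the code path that stopped working.
REGISTRY_WRITE_APIS = {"ZwCreateKey", "ZwSetValueKey", "ZwOpenKey",
                       "ZwDeleteKey", "ZwDeleteValueKey"}


def parse_dumpbin_imports(text):
    """Return {module_name: set(imported_function_names)} from dumpbin /imports output."""
    imports = defaultdict(set)
    module = None
    in_imports = False
    for line in text.splitlines():
        if "Section contains the following imports" in line:
            in_imports = True
            continue
        if not in_imports:
            continue
        if line.strip() == "Summary":  # section table follows; imports are done
            break
        m = _MODULE_RE.match(line)
        if m:
            module = m.group(1)
            imports[module]  # record the module even if nothing parses under it
            continue
        if module is None:
            continue
        m = _IMPORT_RE.match(line)
        if m:
            imports[module].add(m.group(1))
            continue
        m = _ORDINAL_RE.match(line)
        if m:
            imports[module].add("#" + m.group(1))
    return dict(imports)


def diff_imports(old_text, new_text):
    """Return {module: {"added": [...], "removed": [...]}} for modules whose imports changed."""
    old = parse_dumpbin_imports(old_text)
    new = parse_dumpbin_imports(new_text)
    changes = {}
    for module in sorted(set(old) | set(new)):
        added = sorted(new.get(module, set()) - old.get(module, set()))
        removed = sorted(old.get(module, set()) - new.get(module, set()))
        if added or removed:
            changes[module] = {"added": added, "removed": removed}
    return changes


def registry_write_status(text):
    """Which registry-write APIs a build still imports from ntoskrnl.exe (sorted)."""
    return sorted(REGISTRY_WRITE_APIS & parse_dumpbin_imports(text).get("ntoskrnl.exe", set()))


# CONSTRUCTED sample dumpbin output: format only, not real cldflt.sys import tables.
_HEADER = """Microsoft (R) COFF/PE Dumper Version 14.38.33130.0
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file {name}

File Type: EXECUTABLE IMAGE

  Section contains the following imports:

    ntoskrnl.exe
              140050000 Import Address Table
              14005A000 Import Name Table
                      0 time date stamp
                      0 Index of first forwarder reference

{ntos}
    FLTMGR.SYS
              140050100 Import Address Table
              14005A100 Import Name Table
                      0 time date stamp
                      0 Index of first forwarder reference

                       5C FltRegisterFilter
                       60 FltStartFiltering

  Summary

        1000 .data
        9000 .text
"""
OLD_BUILD = _HEADER.format(name="cldflt_old.sys", ntos="""\
                      22F ZwSetValueKey
                      1F0 ZwCreateKey
                      1FA ZwClose
                      3A1 PsReferenceImpersonationToken
                      2C4 SeAccessCheck
""")
NEW_BUILD = _HEADER.format(name="cldflt_new.sys", ntos="""\
                      1F0 ZwCreateKey
                      1FA ZwClose
                      21B ZwQueryValueKey
                      3A1 PsReferenceImpersonationToken
                      2C4 SeAccessCheck
""")

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python import_diff.py imports_old.txt imports_new.txt
        old_text, new_text = (open(p, encoding="utf-8", errors="replace").read()
                              for p in sys.argv[1:3])
    else:
        old_text, new_text = OLD_BUILD, NEW_BUILD
    for module, change in diff_imports(old_text, new_text).items():
        print(module)
        for name in change["removed"]:
            print("  - " + name)
        for name in change["added"]:
            print("  + " + name)
    print("registry-write imports still present:", registry_write_status(new_text))
```

Read the result against the table: a removed ZwSetValueKey/ZwCreateKey import is strong evidence that the write path was deleted, while an unchanged set of registry imports (as the sample shows for ZwCreateKey) means the write is still compiled in and the second and third patterns, a new gating check or an early STATUS_SUCCESS return, are where to look in the Ghidra output. The parser is deliberately strict about the dumpbin line shapes, so a format change in a newer dumpbin shows up as empty modules rather than as silent wrong answers.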

Decompiled findings will be added as the Ghidra session progresses.

05 — ALTERNATIVE ATTACK SURFACES

Path 1 — Other cldflt.sys Entry Points

CfAbortOperation was one function in cldapi.dll. The Cloud Files API exposes many others that may trigger registry writes through cldflt:

Function | Purpose | Status
CfConnectSyncRoot | Register a sync root with cldflt | UNTESTED
CfRegisterSyncRoot | Register sync provider | UNTESTED
CfHydratePlaceholder | Request file hydration | UNTESTED
CfDehydratePlaceholder | Convert to placeholder | UNTESTED
CfSetInSyncState | Mark file sync state | UNTESTED
CfConvertToPlaceholder | Convert file to cloud placeholder | UNTESTED

Path 2 — Different Minifilter Driver

The confused deputy pattern (impersonation toggle TOCTOU) is not cldflt-specific. Any kernel minifilter that reads the calling thread's token and performs a privileged operation is vulnerable. Candidates:

Driver | Purpose | Default on Win11 | Status
WdFilter.sys | Windows Defender minifilter | Yes | UNTESTED
wcifs.sys | Windows Container Isolation | Yes | UNTESTED
luafv.sys | LUA File Virtualization | Yes | UNTESTED
bindflt.sys | Bind filter driver | Yes | UNTESTED