Pass the SALT 2026

Igor Korkin (independent security researcher)

Igor Korkin, Ph.D., is a security researcher, developer, and innovator with over 15 years of experience in system security. He holds a Huawei security patent and has authored over 50 research papers and the monograph "Kernel Protection of Operating Systems Under Countermeasures".

Specializing in advanced security research and development, he focuses on Windows and Linux kernel security, Rootkit Detection, Memory Forensics, Bare-metal Hypervisors, Data Storage Protection, Ransomware Defense, and Evasion Techniques.

He is open to new challenges and international collaboration, seeking opportunities to work with global partners on innovative security projects.


Session

07-02
15:45
20min
DesktopRanger Blocks Keystroke Spying: Hardening Windows Desktop Isolation
Igor Korkin (independent security researcher)

Modern businesses routinely handle sensitive data—entering passwords, managing internal documents and emails, or conducting confidential meetings in applications such as Zoom and Signal. Windows desktop isolation can block basic keyloggers from capturing keystrokes from applications running on newly created desktops. Several security tools rely on this mechanism by running sensitive applications or password-entry screens on isolated desktops, providing effective defense against unsophisticated keyloggers. In practice, however, this protection is often treated as “good enough” once a protected desktop has been created.

This talk shows why that assumption is wrong: Windows Desktop Isolation is not a true isolation boundary.

The focus of this research is not kernel-mode interception, but high-privilege user-mode keyloggers. In other words, the talk addresses attackers that remain in user space, yet possess enough privileges to actively interfere with desktop-based protections and attach spying logic to sensitive contexts. This makes the problem especially relevant in Man-at-the-End (MATE) scenarios common in business environments.

I will present a series of experiments covering the four most common Windows keystroke interception techniques—SetWindowsHookEx, GetAsyncKeyState, Raw Input, and DirectInput—as well as ETW-based monitoring. The results show that privileged attackers can still capture keystrokes from protected desktop contexts, including Secure Desktop environments such as Winlogon, for example by launching a high-privilege process via PsExec/Sysinternals.

To address this weakness, I will introduce DesktopRanger, an open-source defensive prototype for creating hardened Windows desktops for secret input. DesktopRanger creates a protected desktop with a restrictive security descriptor, expressed in SDDL as D:P, preventing unauthorized opening through the standard desktop access path and limiting the attacker’s ability to obtain even the desktop name. When a legitimate application must be launched, access is relaxed only for a very short period. At the same time, desktop enumeration is blocked at the Window Station level to prevent hostile processes from discovering or attaching to the target desktop. Once the application has been initialized, the original restrictive state is restored: the user can again enumerate active desktops, but the protected desktop does not appear in the returned list.
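To make the D:P descriptor mentioned above concrete, here is an added example (not DesktopRanger code and not taken from the talk): a small Python auditor that classifies the DACL component of an SDDL string, separating an empty DACL from a NULL one. It assumes standard SDDL syntax without conditional ACEs; the function names and sample strings are constructed for illustration.

```python
import re

# "D:" followed by optional control flags, then zero or more ACE strings.
DACL_RE = re.compile(r"D:(NO_ACCESS_CONTROL|(?:P|AR|AI)*)((?:\([^()]*\))*)")
FLAG_NAMES = {"P": "SE_DACL_PROTECTED", "AR": "SE_DACL_AUTO_INHERIT_REQ",
              "AI": "SE_DACL_AUTO_INHERITED"}
VERDICT = {
    "absent": "no DACL component: effective access comes from defaults",
    "null": "NULL DACL: every caller is granted every access right",
    "empty": "empty DACL: no ACE grants access, so opens are denied "
             "(the owner keeps implicit READ_CONTROL and WRITE_DAC)",
    "populated": "access is decided by the listed ACEs",
}


def classify_dacl(sddl):
    """Return the kind of DACL an SDDL string describes, its flags and ACEs."""
    m = DACL_RE.search(sddl)
    if m is None:
        return {"kind": "absent", "flags": [], "aces": []}
    flags_txt, aces_txt = m.groups()
    if flags_txt == "NO_ACCESS_CONTROL":
        return {"kind": "null", "flags": [], "aces": []}
    flags = [FLAG_NAMES[f] for f in re.findall(r"AR|AI|P", flags_txt)]
    aces = []
    for body in re.findall(r"\(([^()]*)\)", aces_txt):
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append({"type": fields[0], "rights": fields[2],
                     "trustee": fields[5]})
    kind = "populated" if aces else "empty"
    return {"kind": kind, "flags": flags, "aces": aces}


def everyone_allowed(result):
    """True if the DACL is NULL or has an allow ACE for Everyone (WD)."""
    return result["kind"] == "null" or any(
        a["type"] == "A" and a["trustee"] == "WD" for a in result["aces"])


if __name__ == "__main__":
    # Constructed sample descriptors, not taken from any real system.
    for s in ("D:P", "D:NO_ACCESS_CONTROL", "D:(A;;GA;;;WD)", "O:BAG:BA",
              "O:SYG:SYD:PAI(A;;GA;;;SY)(A;;GR;;;BA)S:(AU;SA;GA;;;WD)"):
        r = classify_dacl(s)
        print(f"{s}\n  {r['kind']}: {VERDICT[r['kind']]}; flags={r['flags']}")
```

The distinction matters when auditing: D:P and D:NO_ACCESS_CONTROL both contain no ACEs, yet the first denies access through the DACL while the second grants it to everyone.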

I will explain the Windows Desktop and Window Station internals behind this design. I will also discuss how this approach can be combined with the open-source MemoryRanger bare-metal hypervisor to protect relevant kernel-side security structures against tampering, including BYOVD-style attacks.

The experiments show a clear contrast: a high-privilege attacker can still spy on Secure Desktop-style protected contexts, including Winlogon, whereas the same attacker is unable to attach to and spy from a desktop created by DesktopRanger.

Security by Design
Amphitheater 122