BEGIN:VCALENDAR VERSION:2.0 PRODID:-//pretalx//cfp.pass-the-salt.org//pts2026//talk//FJZPZL BEGIN:VTIMEZONE TZID:CET BEGIN:STANDARD DTSTART:20001029T040000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10 TZNAME:CET TZOFFSETFROM:+0200 TZOFFSETTO:+0100 END:STANDARD BEGIN:DAYLIGHT DTSTART:20000326T030000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3 TZNAME:CEST TZOFFSETFROM:+0100 TZOFFSETTO:+0200 END:DAYLIGHT END:VTIMEZONE BEGIN:VEVENT UID:pretalx-pts2026-FJZPZL@cfp.pass-the-salt.org DTSTART;TZID=CET:20260702T154500 DTEND;TZID=CET:20260702T160500 DESCRIPTION:Modern businesses routinely handle sensitive data—entering pa sswords\, managing internal documents and emails\, or conducting confident ial meetings in applications such as Zoom and Signal. **Windows desktop is olation** can block basic keyloggers from capturing keystrokes from applic ations running on newly created desktops. Several security tools rely on t his mechanism by running sensitive applications or password-entry screens on isolated desktops\, providing effective defense against unsophisticated keyloggers. In practice\, however\, this protection is often treated as “good enough” once a protected desktop has been created.\n\nThis talk shows why that assumption is wrong: **Windows Desktop Isolation is not a t rue isolation boundary**.\n\nThe focus of this research is not kernel-mode interception\, but high-privilege user-mode keyloggers. In other words\, the talk addresses attackers that remain in user space\, yet possess enoug h privileges to actively interfere with desktop-based protections and atta ch spying logic to sensitive contexts. This makes the problem especially r elevant in **Man-at-the-End (MATE)** scenarios common in business environm ents.\n\nI will present a series of experiments covering the four most com mon Windows keystroke interception techniques—**SetWindowsHookEx**\, **G etAsyncKeyState**\, **Raw Input**\, and **DirectInput**—as well as **ETW -based monitoring**. The results show that privileged attackers can still capture keystrokes from protected desktop contexts\, including Secure Desk top environments such as Winlogon\, for example by launching a high-privil ege process via **PsExec/Sysinternals**.\n\nTo address this weakness\, I w ill introduce **DesktopRanger**\, an open-source defensive prototype for c reating hardened Windows desktops for secret input. **DesktopRanger** crea tes a protected desktop with a restrictive security descriptor\, expressed in SDDL as `D:P`\, preventing unauthorized opening through the standard d esktop access path and limiting the attacker’s ability to obtain even th e desktop name. When a legitimate application must be launched\, access is relaxed only for a very short period. At the same time\, desktop enumerat ion is blocked at the **Window Station** level to prevent hostile processe s from discovering or attaching to the target desktop. Once the applicatio n has been initialized\, the original restrictive state is restored: the u ser can again enumerate active desktops\, but the protected desktop does n ot appear in the returned list.\n\nI will explain the **Windows Desktop** and **Window Station** internals behind this design. I will also discuss h ow this approach can be combined with the open-source **MemoryRanger** bar e-metal hypervisor to protect relevant kernel-side security structures aga inst tampering\, including **BYOVD-style attacks**.\n\nThe experiments sho w a clear contrast: a high-privilege attacker can still spy on Secure Desk top-style protected contexts\, including **Winlogon**\, whereas the same a ttacker is unable to attach to and spy from a desktop created by **Desktop Ranger**. DTSTAMP:20260514T115340Z LOCATION:Amphitheater 122 SUMMARY:DesktopRanger Blocks Keystroke Spying: Hardening Windows Desktop Is olation - Igor Korkin (independent security researcher) URL:https://cfp.pass-the-salt.org/pts2026/talk/FJZPZL/ END:VEVENT END:VCALENDAR