by novaleaf 2640 days ago
The Microsoft article mentions that Windows Defender caught multiple machines performing kernel injections near the same time with this driver as the root cause. Meaning it was already being exploited.

This doesn't mean the actual flaw was malicious, but since it was being actively exploited, it seems intent doesn't really matter.


I don't see anything saying this was being actively exploited; the non-malicious use case would set off their scanners on all MateBooks running this driver.
From the article:

> While monitoring alerts related to kernel-mode attacks, one alert drew our attention:

> The alert process tree showed an abnormal memory allocation and execution in the context of services.exe by a kernel code. Investigating further, we found that an identical alert was fired on another machine around the same time.

This shows code injection taking place, via the exploited code. You are right that they don't mention what code was injected (probably they don't know).

> via the exploited code

Their scanner doesn't show any exploitation happening, and they don't say that it does.

I admit that I am reading into the line "abnormal memory allocation and execution" and thinking it's intentional.

You are right that they don't seem to know what code was being executed. Just that some code (be it real code or random garbage) was injected and executed.

It's intentional; it's not "exploitation". It's really doing privilege de-escalation of the shellcode.

They know the code it's running for the most part; it's the CreateProcessW stuff they talk about.