by muststopmyths 2442 days ago
Thank you for taking the time to respond. I concede that I did not think about ROP chains at all (which is sad because that's my favorite part about Project Zero and other such Windows bug exploit info dumps) and thus undervalued the spoofing techniques because they required higher privileges.

On to the crow eating:

The first two spoofing techniques seem like OS bugs that will hopefully attract some attention from MS because of your post.

Given that making the API lie about the process ID is possible, your point about Checkpoint (haha) is also well made.

I guess I got too hung up on the "PID for authentication" phrasing and didn't pay close enough attention to what you were actually saying. That (beyond the obvious race condition between getting the PID and opening the process) there are ways for the API call itself to lie to you, so you probably don't want to use the PID to get information about a named pipe client.

Man, I wish HN had a "delete all my posts so I can slink away in shame" button. I guess I'll just live with it.

cheers.