I'm not sure why I'm replying to the proverbial as you seem to have made up your mind, but being the original author of the blog post I thought I'd at least try and correct some seeming misconceptions.
First off, the reason it's called "Windows Exploitation Tricks" is it's a blog post series ([1], [2], [3], [4]) of behaviors/tricks of the Windows OS that allow you to exploit security vulnerabilities, specifically logical privilege escalation vulnerabilities. If you read the introduction to [1] it outlines the purpose of the series, it's based on ways of exploiting real world vulnerabilities that I've discovered in real software whether it be in core Windows or third-parties. The rationale for writing them up is if you look for exploitation techniques and tricks on any platform almost everything you'll find it based around memory corruption, I don't look for fuzzed bugs so having a cool ROP chain is going to be much help to me and no doubt others who find themselves in this situation. So I write up interesting techniques I've discovered over my years of research to the benefit of others.
There are secondary benefits to blogging about these techniques, for example it can act as developer education. If you look at the API referenced in the blog [5], you'll not see any security warning or advice associated with it. This leads developers to misuse the functionality without understanding how the OS works. The irony is not lost on AV vendors having no clue about the security principles of the OS they're protecting from security threats. Still if you've never seen a program using the PID (through whatever means it's got that value) being used for authentication on Windows or any other OS then I can only assume you've never really looked very hard for logical vulnerabilities.
Another benefit is an aid to reporting. What I blog about in the series are not security issues in a traditional sense, instead they're chain building 'gadgets'. You might have a root vulnerability but not the means of exploiting it. In an ideal world a vendor would remove all non-essential functionality which could facilitate exploitation but we live in the real world and MS are not generally going to spend their time fixing something like this as a real security issue with a CVE etc. Therefore there's no real reporting process for me to follow to report it and demonstrate impact to MS, and as is typical if I find instances of the bug class which can be exploited with the trick they'll fix the reported bug, not the technique. However by making it very public it gets noticed by MS, for example [1] and [2] are both now fix/mitigated in the Windows 10 1903 in direct response to the blog posts.
Finally I think you don't fully understood the scope of the example vulnerability I gave. The root cause of the Check Point bug is the service 100% trusted that the PID being passed from the named pipe was a useful piece of information to base a local security decision on (see end of the "Interacting with the Service" section). It used that PID as the start of a chain of checks to determine if the process at the other side of the pipe was a Check Point trusted application. The fact that in this case the whole logic of the check was fundamentally flawed is irrelevant for the purposes of the blog post. If their certificate checks had been completely robust and it wasn't possible to either spoof them or just inject a DLL then spoofing the PID would absolutely have allowed you to exploit that vulnerability.
Thank you for taking the time to respond. I concede that I did not think about ROP chains at all (which is sad because that's my favorite part about Project Zero and other such Windows bug exploit info dumps) and thus undervalued the spoofing techniques because they required higher priveleges.
On to the crow eating:
The first two spoofing techniques seem like OS bugs that will hopefully attract some attention from MS because of your post.
Given that making the API lie about the process ID is possible, your point about Checkpoint (haha) is also well made.
I guess I got too hung up on the "PID for authentication" phrasing and didn't pay close enough attention to what you were actually saying.That (beyond the obvious race condition between getting the PID and opening the process) there are ways for the API call itself to lie to you so you probably don't want to use the PID to get information about a named pipe client.
Man, I wish HN had a "delete all my posts so I can slink away in shame" button. I guess I'll just live with it.
Aren't you being a bit... dramatic?