- May 17, 2017
Researchers at CyberArk Labs have developed a new attack technique which could allow hackers to completely bypass PatchGuard, and hook a malicious kernel code (rootkits) at the kernel level.
PatchGuard, or (or Kernel Patch Protection) is a software tool that has been designed to forbid the kernel of 64-bit versions of Windows OS from being patched, preventing hackers from running rootkits or executing malicious code at the kernel level.
Dubbed GhostHook, the attack is what the CyberArk Labs researchers call the first attack technique that thwarts the defensive technology to bypass PatchGuard, though it requires a hacker to already be present on a compromised system and running code in the kernel.
So, basically, this is a post-exploitation attack.
"[GhostHook] is neither an elevation nor an exploitation technique. This technique is intended for a post-exploitation scenario where the attacker has control over the asset," CyberArk researchers said. "Since malicious kernel code (rootkits) often seeks to establish persistence in unfriendly territory, stealth technology plays a fundamental role."
Running Rootkit at Kernel-Level in Windows 10
An attack scenario would include using a hacking exploit or malware first to compromise a target machine and then deploy GhostHook to set up a permanent, secret presence on a compromised 64-bit Windows 10 PC.
Once compromised, an attacker can plant a rootkit in the kernel of the compromised machine, which would be completely undetectable to third-party antivirus and security products and invisible to Microsoft's PatchGuard itself.
GhostHook Exploits Weakness Microsoft's Implementation of Intel PT
GhostHook attack bypasses PatchGuard by leveraging a weakness in Microsoft's implementation of a relatively new feature in Intel processors called Intel PT (Processor Trace), specifically at the point where Intel PT talks to the operating system
Released months after PatchGuard, Intel PT enables security vendors to monitor and trace commands that are executed in the CPU in an attempt to identify exploits, malware or code before they reach the main operating system.
Although this technology can be abused for legitimate purposes, attackers can also take advantage of the "buffer-is-going-full notification mechanism" in order to take control of a thread’s execution.
"How can we achieve that with Intel PT? Allocate an extremely small buffer for the CPU’s PT packets," the researchers said. "This way, the CPU will quickly run out of buffer space and will jump the PMI handler. The PMI handler is a piece of code controlled by us and will perform the 'hook.'"Hooking techniques, which have both harmless (like application security solutions, system utilities, and tools for programming), as well as malicious (like rootkits) purpose, can give hackers control over the way an operating system or a piece of software behaves.
Microsoft in No Mood to Release a Fix, at least Right Now
Microsoft did not consider GhostHook as a serious threat and told the security firm that the company does not think any emergency any patch is needed but may address in a future version of Windows.
"The engineering team has finished their analysis of this report and determined that it requires the attacker already be running kernel code on the system," said a Microsoft's spokesperson. "As such, this does not meet the bar for servicing in a security update however it may be addressed in a future version of Windows. As such I have closed this case."In response to this report, Microsoft also released a statement, which reads:
"This technique requires that an attacker has already fully compromised the targeted system. We encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers."However, CyberArk is disappointed with the company's response, saying Microsoft should realize that PatchGuard is a kernel component which, in any case, should not be bypassed.