New GhostHook Attack Bypasses Windows PatchGuard Protections

Security experts have discovered a method of bypassing Windows PatchGuard protections and hooking malicious code into the Windows kernel, which allows an attacker to plant rootkits on systems previously thought to be impregnable.

PatchGuard, known under its official name of Kernel Patch Protection (KPP), is a security feature for Windows 64-bit editions that prevents third-party code from patching the Windows kernel with additional routines.

Microsoft introduced PatchGuard in 2005, starting with Windows XP, and the feature has prevented most rootkits from working on 64-bit editions.

GhostHook attack leverages Intel PT feature

Today, security researchers from CyberArk published research on a new technique named GhostHook that successfully bypasses PatchGuard using a feature of Intel CPUs.

According to researchers, GhostHook works only against systems running Intel Processor Trace (PT), a feature of Intel CPUs that uses dedicated hardware to capture information about current software execution to aid with debugging operations and the detection of malicious code.

Normally, tapping into Intel PT operations would require an attacker to patch his malicious functions into kernel-level code, an operation that PatchGuard would immediately detect and block.

CyberArk researchers said they found that allocating an extremely small buffer for the processing of Intel PT packets would result in the CPU running out of buffer space and opening a PMI handler to manage the overflowing code.

The problem is that PatchGuard doesn’t monitor the PMI handler, and an attacker could hook his malicious code to patch kernel operations via that PMI handler.

This provides attackers with an undetectable method of patching the Windows kernel and embedding rootkits on Windows 64-bit versions. GhostHook works even on Windows 10, where very few rootkits have proven to be effective since the operating system’s launch in the summer of 2015.

Microsoft won’t patch GhostHook attack vector

CyberArk says it contacted Microsoft about the GhostHook attack, but the OS maker declined to issue a security update. Microsoft said it might patch the issue during its regular bug fixing cycle, but would not treat GhostHook as a security flaw.

Microsoft justified its decision by saying that an attacker needs to have kernel-level access on an infected machine to perform a GhostHook attack. An attacker with kernel-level rights could perform many other malicious actions, and users should focus on preventing an attacker from gaining this level of access in the first place.

Responding to Microsoft’s refusal to patch this attack vector, CyberArk reiterated that the issue is “the bypassing of PatchGuard,” which opens the door for rootkits on 64-bit Windows versions, and not necessarily the attacker’s access level.

The real problem is that attackers have a technique at their disposal to implant rootkits on platforms they did not have access to in past years.

Currently, 64-bit malware makes up less than 1% of the entire malware landscape, and PatchGuard was one of the reasons that helped keep 64-bit versions secure and harder to infect.