
How does the GhostHook attack bypass Microsoft PatchGuard?

A technique known as the GhostHook attack can get around PatchGuard, but Microsoft hasn't patched the flaw. Expert Michael Cobb explains why, as well as how the attack works.

Researchers at CyberArk Software Ltd. have developed a technique known as the GhostHook attack, enabling a bypass of Microsoft's PatchGuard protections on Windows 64-bit operating systems to install a rootkit. How does the GhostHook attack work?

PatchGuard was first introduced in 2005 in 64-bit editions of Microsoft Windows. It prevents any unsupported modifications of the central component, or kernel, of the Windows operating system by periodically checking to make sure that protected system structures in the kernel have not been modified. It has proved to be a very effective method of preventing rootkits from taking hold of a Windows-based system.

However, researchers at CyberArk found a way of bypassing the protections provided by PatchGuard by leveraging a feature in Intel processors called Intel Processor Trace (IPT).

IPT is generally faster and more flexible in terms of what type and amount of trace information can be recorded compared to similar existing technologies, such as Last Branch Recording and Branch Trace Messages. It provides an API that kernel code can call to receive and read information from the CPU about software and processes running on a device to provide performance monitoring, diagnostic code coverage, debugging, fuzzing, malware analysis and exploit detection.

CyberArk discovered that the way Microsoft implements this API let them abuse the notification the CPU raises when a trace output buffer is about to fill during instruction pointer tracing, and so make the CPU branch to code of their choosing. By allocating extremely small trace buffers in IPT, they cause the buffer to fill almost immediately, which forces the CPU to raise a performance monitoring interrupt (PMI) and enter the PMI handler.

As PatchGuard wasn't designed to monitor what happens within PMI handlers, the GhostHook attack can use the PMI handler to inject a rootkit as the system is being patched. This hooking technique could allow an attacker to remain undetected: because it operates at the kernel level, it is invisible to many security products, such as antivirus and intrusion prevention systems.

There is a difference of opinion as to the seriousness of the GhostHook attack. Microsoft has said it will not patch the vulnerability, but the company may address it in a future version of Windows. The reason for this lack of urgency is that an attacker would have to already have control over a compromised machine and already be running kernel code on the system, so this is a post-exploitation technique, not an elevation or exploitation technique. An attacker in that position can already run any code of their choosing without being detected by various security technologies, so this attack doesn't really extend the attack surface of the Windows operating system.

However, some security experts feel that PatchGuard should be able to prevent this type of attack, as any form of stealth technology can aid an attacker by helping them to establish persistence.
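A first step in scoping which hosts this post-exploitation technique even applies to is to check whether the processor advertises Intel PT at all. The following C program is an added illustration for this article, not CyberArk's or Microsoft's code; it decodes the Intel PT support bit from CPUID leaf 7 and, when present, two output-scheme bits from CPUID leaf 0x14 (the ToPA scheme, whose table entries can request an interrupt when a region fills, is the mechanism behind the buffer-full notification described above). The bit positions follow Intel's CPUID documentation; everything else (structure and function names) is the example's own. Hypervisors frequently hide Intel PT from guests, so a "no" inside a VM says nothing about the underlying hardware.

```c
/* ipt_probe.c: report whether this CPU advertises Intel Processor Trace.
 * Added illustration for the GhostHook article; not vendor code.
 * Bit positions follow the Intel SDM CPUID documentation. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define IPT_HAVE_CPUID 1
#else
#define IPT_HAVE_CPUID 0
#endif

struct ipt_caps {
    bool supported;    /* CPUID.(EAX=7,ECX=0):EBX[25]   Intel PT present      */
    bool topa;         /* CPUID.(EAX=0x14,ECX=0):ECX[0] ToPA output scheme    */
    bool single_range; /* CPUID.(EAX=0x14,ECX=0):ECX[2] single-range output   */
};

/* Pure decoders, so the bit logic can be checked with constructed register
 * values independently of the machine the program runs on. */
bool ipt_supported_from_ebx(uint32_t leaf7_ebx) {
    return ((leaf7_ebx >> 25) & 1u) != 0;
}

bool ipt_topa_from_ecx(uint32_t leaf14_ecx) {
    return (leaf14_ecx & 1u) != 0;
}

bool ipt_single_range_from_ecx(uint32_t leaf14_ecx) {
    return ((leaf14_ecx >> 2) & 1u) != 0;
}

/* Fill caps from the two register values; returns caps->supported.
 * Leaf 0x14 is only meaningful when leaf 7 reports Intel PT. */
bool ipt_decode(uint32_t leaf7_ebx, uint32_t leaf14_ecx, struct ipt_caps *caps) {
    caps->supported    = ipt_supported_from_ebx(leaf7_ebx);
    caps->topa         = caps->supported && ipt_topa_from_ecx(leaf14_ecx);
    caps->single_range = caps->supported && ipt_single_range_from_ecx(leaf14_ecx);
    return caps->supported;
}

/* Query the live CPU. Returns false (caps all-false) when CPUID is not
 * available on this build target or the leaves are not implemented. */
bool ipt_probe(struct ipt_caps *caps) {
    uint32_t eax = 0, ebx = 0, ecx = 0, edx = 0;
    uint32_t leaf7_ebx = 0, leaf14_ecx = 0;
    *caps = (struct ipt_caps){0};
#if IPT_HAVE_CPUID
    if (!__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx))
        return false;                      /* leaf 7 not implemented */
    leaf7_ebx = ebx;
    if (ipt_supported_from_ebx(leaf7_ebx) &&
        __get_cpuid_count(0x14, 0, &eax, &ebx, &ecx, &edx))
        leaf14_ecx = ecx;
#else
    (void)eax; (void)ebx; (void)ecx; (void)edx;
#endif
    return ipt_decode(leaf7_ebx, leaf14_ecx, caps);
}

int main(void) {
    struct ipt_caps caps;
    bool present = ipt_probe(&caps);
    printf("Intel PT advertised: %s\n", present ? "yes" : "no");
    if (present) {
        printf("  ToPA output scheme:  %s\n", caps.topa ? "yes" : "no");
        printf("  single-range output: %s\n", caps.single_range ? "yes" : "no");
    }
    return 0;
}
```

Build with `cc -O2 ipt_probe.c -o ipt_probe` on an x86 toolchain that ships `cpuid.h` (GCC 7 or later, or clang). The result is an inventory signal only: a CPU that advertises Intel PT with the ToPA scheme has the hardware the technique relies on, which is one input to deciding where kernel-level integrity monitoring matters most.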


This was last published in December 2017
