Last week, CyberArk Labs demonstrated an attack that can enable the installation of rootkit malware on Windows 10 64-bit. The proof-of-concept attack bypasses the operating system's PatchGuard feature.
Microsoft's PatchGuard was designed to prevent malicious code from patching the kernel of 64-bit Windows operating systems. The feature's official name is Kernel Patch Protection, and it was introduced with 64-bit Windows XP in 2005. One type of attack that PatchGuard was designed to mitigate is malware that poses as Windows security updates.
CyberArk Labs researchers' GhostHook attack method targets a weakness in how Windows 10 implements Intel Processor Trace (Intel PT), a hardware tracing feature used in debugging, malware analysis, and exploit detection. The researchers found that if they allocate a very small memory buffer for receiving Intel PT packets, filling that buffer causes it to overflow, which in turn invokes a Performance Monitoring Interrupt (PMI) handler. PatchGuard, however, does not monitor PMI handlers, so code placed there runs in the kernel without being detected.
When CyberArk Labs reported the issue, Microsoft declined to address it in a security update. Microsoft's position is that an attacker would already need kernel-level access on the targeted machine. The company said it might fix the Intel PT issue in a future release, but does not consider it a security flaw. According to a Microsoft engineer, "As such, this doesn't meet the bar for servicing in a security update; however it may be addressed in a future version of Windows. As such I've closed this case."
CyberArk researcher Kasif Dekel disagreed with Microsoft's position that the kernel-level access requirement makes the attack impractical. "Gaining this level of access is table stakes for attackers, typically accomplished through simple phishing emails. This technique is about moving beyond admin rights and exploiting the machine at the kernel level. Attackers would be able to gain full control over the network and gain the ability to intercept anything on a system," he said.
GhostHook is the first publicly known technique that uses hooking to gain kernel-level control of 64-bit Windows while PatchGuard is active.