Windows 10 PatchGuard bypassed by GhostHook Attack

Microsoft says it may fix GhostHook in the next version of Windows



    • Security firm CyberArk bypasses Microsoft’s PatchGuard
    • GhostHook lets an attacker who already runs kernel code hook 64-bit Windows 10 undetected
    • Microsoft doesn’t consider this a high-severity vulnerability

Windows 10, Microsoft’s latest and most secure operating system, could lose that title soon. A new attack technique, named GhostHook, bypasses PatchGuard, the protection that is meant to stop attackers from planting rootkits in the Windows kernel. It was developed and reported by CyberArk Labs, the research arm of CyberArk, a publicly traded information security company.

What is PatchGuard
PatchGuard (Kernel Patch Protection) is a Microsoft mechanism that prevents the kernel of a 64-bit Windows machine from being patched, which in turn stops attackers from installing rootkits at kernel level. It does so by periodically checking whether key kernel code and data structures have been modified. If it detects an unauthorised modification, Windows deliberately crashes with a bug check (the CRITICAL_STRUCTURE_CORRUPTION blue screen) rather than keep running on a tampered kernel.

What does GhostHook do?
Once it is running on a target machine, GhostHook lets the attacker plant rootkits or other code that hooks the kernel without PatchGuard noticing. GhostHook only works when the attacker is already executing code in the kernel of the compromised system, which makes it a post-exploitation technique rather than a way in.

“[GhostHook] is neither an elevation nor an exploitation technique. This technique is intended for a post-exploitation scenario where the attacker has control over the asset,”
CyberArk researchers said.

For the attack to work, the attacker first has to compromise the target machine by other means, an exploit or malware, and gain kernel-level code execution, then deploy GhostHook. From there the attacker plants a rootkit whose hooks are invisible to PatchGuard and, CyberArk argued, very hard for third-party anti-virus software to detect.
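To make the PatchGuard versus GhostHook distinction concrete, here is a toy model written for this article (it is not CyberArk’s or Microsoft’s code). A PatchGuard-style monitor hashes a fixed set of protected kernel regions and reports any change. A classic inline hook overwrites code bytes and is caught; a GhostHook-style hook instead registers a handler for a hardware event, here a simulated “trace buffer full” interrupt (PMI), and never writes to a protected region, so the monitor sees nothing. The region contents, the FNV-1a checksum, the handler slot and the redirect address are all assumptions of the model, not details of the real implementation.

```c
/* Added example (constructed model, not CyberArk's or Microsoft's code).
 * A PatchGuard-style monitor hashes protected regions; an inline hook is
 * caught, a hook living in an unmonitored interrupt handler is not. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REGION_SIZE    16
#define TRACE_BUF_SIZE 4              /* deliberately tiny: fills almost at once */
#define HOOK_TARGET    0xDEAD0000ULL  /* assumed address of attacker code */

/* Simulated kernel state: stand-ins for a handler's code and a table. */
static uint8_t kernel_code[REGION_SIZE] = { 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec,
    0x20, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x5d, 0xc3 };
static uint8_t syscall_table[REGION_SIZE] = { 0x10, 0x20, 0x30, 0x40, 0x50,
    0x60, 0x70, 0x80, 0x90, 0xa0, 0xb0, 0xc0, 0xd0, 0xe0, 0xf0, 0x00 };

/* Handler slot for "trace buffer full". Deliberately NOT in the protected
 * set: this models the gap the article describes. */
typedef void (*pmi_handler_t)(uint64_t *interrupted_rip);
static pmi_handler_t pmi_handler = NULL;

struct protected_region { const char *name; const uint8_t *base; size_t len; uint64_t baseline; };
static struct protected_region regions[] = {
    { "kernel_code",   kernel_code,   REGION_SIZE, 0 },
    { "syscall_table", syscall_table, REGION_SIZE, 0 },
};
#define NREGIONS (sizeof regions / sizeof regions[0])

/* FNV-1a 64-bit, a simple stand-in for the real monitor's checksum. */
static uint64_t fnv1a(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Record known-good hashes (what the monitor does at boot). */
void integrity_baseline(void)
{
    for (size_t i = 0; i < NREGIONS; i++)
        regions[i].baseline = fnv1a(regions[i].base, regions[i].len);
}

/* Periodic check: index of the first tampered region, or -1 if all intact.
 * The real monitor would bug-check instead of returning. */
int integrity_check(void)
{
    for (size_t i = 0; i < NREGIONS; i++)
        if (fnv1a(regions[i].base, regions[i].len) != regions[i].baseline)
            return (int)i;
    return -1;
}

/* Attack 1: inline hook, overwrite the prologue with a short jmp. */
void inline_hook_install(void)
{
    kernel_code[0] = 0xeb;   /* jmp rel8 */
    kernel_code[1] = 0x0e;
}

/* Attack 2: GhostHook-style. The hook is the PMI handler; it rewrites the
 * interrupted instruction pointer and touches no protected bytes. */
static uint8_t  trace_buf[TRACE_BUF_SIZE];
static size_t   trace_used;
static int      hook_fired;
static uint64_t hooked_rip;

static void evil_pmi_handler(uint64_t *interrupted_rip)
{
    hook_fired = 1;
    hooked_rip = *interrupted_rip;    /* where the thread really was */
    *interrupted_rip = HOOK_TARGET;   /* resume in attacker code instead */
}

void ghosthook_install(void) { pmi_handler = evil_pmi_handler; trace_used = 0; }

/* Simulate a traced kernel thread: one packet per instruction; when the
 * buffer fills the PMI fires and the handler may redirect the thread. */
uint64_t run_traced(uint64_t start_rip, int ninsns)
{
    uint64_t rip = start_rip;
    for (int i = 0; i < ninsns; i++) {
        trace_buf[trace_used++] = (uint8_t)rip;
        if (trace_used == TRACE_BUF_SIZE) {
            trace_used = 0;
            if (pmi_handler) pmi_handler(&rip);
        }
        rip++;
    }
    return rip;
}

int      ghosthook_fired(void)           { return hook_fired; }
uint64_t ghosthook_interrupted_rip(void) { return hooked_rip; }

int main(void)
{
    integrity_baseline();
    printf("boot:            check = %d\n", integrity_check());
    ghosthook_install();
    run_traced(0x1000, 4);
    printf("after GhostHook: check = %d, hook fired at rip 0x%llx\n",
           integrity_check(), (unsigned long long)ghosthook_interrupted_rip());
    inline_hook_install();
    int r = integrity_check();
    printf("after inline:    check = %d (%s)\n", r, r >= 0 ? regions[r].name : "intact");
    return 0;
}
```

The point of the model is the asymmetry: the monitor can only catch what it measures. Anything an attacker can reach that is outside the protected set, here the interrupt handler and the tiny buffer that guarantees the interrupt fires, is a place to put a hook that survives every integrity check.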

CyberArk stated that Microsoft will have its work cut out fixing this, because the technique relies on a legitimate hardware feature rather than a software bug: the hook is placed through the CPU’s own tracing machinery, and PatchGuard does not monitor the resources involved.

GhostHook Exploits Intel Processor Trace
The attack abuses a gap in how Windows handles Intel Processor Trace (Intel PT), a relatively new feature of Intel CPUs. Intel PT records the control flow the CPU executes (branches taken, addresses reached) into a memory buffer, so that security vendors and debuggers can reconstruct exactly what code ran and spot malicious behaviour. GhostHook turns the feature’s buffer-is-going-full notification into a hooking mechanism: when the trace buffer fills, the CPU raises a performance monitoring interrupt (PMI), and the attacker, who is already in the kernel, controls the handler that services it and therefore controls where the interrupted thread resumes.

“How can we achieve that with Intel PT? Allocate an extremely small buffer for the CPU’s PT packets,” the researchers said. “This way, the CPU will quickly run out of buffer space and will jump the PMI handler. The PMI handler is a piece of code controlled by us and will perform the hook,”

CyberArk researchers said

Hooks of this kind let an attacker intercept and redirect the kernel’s execution, changing how the operating system or the software running on it behaves, without ever modifying the code or data that PatchGuard checks.
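GhostHook’s precondition is a CPU that exposes Intel PT at all. The following added example (not from CyberArk’s write-up) checks that from user mode with the unprivileged CPUID instruction, using the bit positions documented in the Intel SDM: CPUID.(EAX=7,ECX=0):EBX[25] announces PT, and leaf 0x14 subleaf 0 lists its capabilities, including the output scheme the trace buffer uses. The struct layout and field names are this example’s own; on a non-x86 build the query simply reports that it is not on x86.

```c
/* Added example (not CyberArk's or Microsoft's code): query Intel PT support
 * and capabilities via CPUID. Bit positions per the Intel SDM. */
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0
#endif

struct pt_caps {
    int is_x86;               /* 0 when built for a non-x86 target */
    int pt_supported;         /* CPUID.(7,0):EBX[25] */
    int cr3_filtering;        /* leaf 0x14 EBX[0]: trace only a chosen address space */
    int psb_cyc;              /* EBX[1]: configurable PSB frequency / cycle-accurate mode */
    int ip_filtering;         /* EBX[2]: trace only chosen IP ranges, TraceStop */
    int mtc;                  /* EBX[3]: MTC timing packets */
    int topa_output;          /* ECX[0]: Table of Physical Addresses output buffers */
    int topa_multi_entry;     /* ECX[1]: ToPA tables with more than one entry */
    int single_range_output;  /* ECX[2]: one contiguous output buffer */
    int lip_values;           /* ECX[31]: IP payloads are linear addresses */
};

struct pt_caps query_intel_pt(void)
{
    struct pt_caps c = {0};
#if HAVE_X86_CPUID
    unsigned int eax, ebx, ecx, edx;
    unsigned int max_leaf = __get_cpuid_max(0, NULL);   /* highest basic leaf */
    c.is_x86 = 1;
    if (max_leaf < 7) return c;                          /* leaf 7 absent: no PT */
    __cpuid_count(7, 0, eax, ebx, ecx, edx);
    c.pt_supported = (ebx >> 25) & 1;
    if (!c.pt_supported || max_leaf < 0x14) return c;    /* capability leaf absent */
    __cpuid_count(0x14, 0, eax, ebx, ecx, edx);
    c.cr3_filtering       =  ebx        & 1;
    c.psb_cyc             = (ebx >> 1)  & 1;
    c.ip_filtering        = (ebx >> 2)  & 1;
    c.mtc                 = (ebx >> 3)  & 1;
    c.topa_output         =  ecx        & 1;
    c.topa_multi_entry    = (ecx >> 1)  & 1;
    c.single_range_output = (ecx >> 2)  & 1;
    c.lip_values          = (ecx >> 31) & 1;
    (void)eax; (void)edx;
#endif
    return c;
}

int main(void)
{
    struct pt_caps c = query_intel_pt();
    if (!c.is_x86) { puts("not an x86 build; Intel PT is not applicable"); return 0; }
    printf("Intel PT supported:   %d\n", c.pt_supported);
    if (!c.pt_supported) return 0;
    printf("  CR3 filtering:      %d\n", c.cr3_filtering);
    printf("  IP filtering:       %d\n", c.ip_filtering);
    printf("  PSB/CYC:            %d\n", c.psb_cyc);
    printf("  MTC:                %d\n", c.mtc);
    printf("  ToPA output:        %d (multi-entry: %d)\n", c.topa_output, c.topa_multi_entry);
    printf("  single-range out:   %d\n", c.single_range_output);
    printf("  LIP addresses:      %d\n", c.lip_values);
    return 0;
}
```

Two caveats for anyone using this as a triage check. It only reports what the hardware offers, not whether the OS has tracing switched on: the PT control registers (IA32_RTIT_CTL and its companions) are MSRs, readable only from ring 0, so an unprivileged process cannot tell whether a GhostHook-style handler is armed. And many hypervisors do not expose PT to guests, so a negative result inside a VM says nothing about the host.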

Microsoft’s reply to CyberArk
Microsoft told CyberArk that GhostHook is not a serious threat to its operating system as things stand, and that the technique might be addressed in a future version of Windows rather than in a security update.

“The engineering team has finished their analysis of this report and determined that it requires the attacker already be running kernel code on the system. As such, this does not meet the bar for servicing in a security update however it may be addressed in a future version of Windows. As such I have closed this case,”

a Microsoft spokesperson said.

“This technique requires that an attacker has already fully compromised the targeted system. We encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers,”

Statement released by Microsoft

CyberArk countered that Microsoft is taking GhostHook too lightly, and that PatchGuard is a kernel component that should never be bypassable.