CyberArk, a security company that specializes in stopping targeted attacks against other companies, has found a hooking technique that can bypass the Windows 10 “PatchGuard” kernel protection using hardware functionality found on Intel processors. The technique can be used to create persistent malware after a computer has already been infected.
A hooking technique gives an attacker control over how an operating system or piece of software operates. The type of software that uses operating system hooks includes software security tools, system utilities, debugging tools, and malicious software.
According to CyberArk, the hooking technique is not a way to exploit a piece of software or to elevate privileges; an attacker would have to achieve those through other means. For example, a rootkit is installed on a computer that malware has already infected, in order to gain persistence.
CyberArk named the hooking technique that could be used by malicious actors to bypass Microsoft’s PatchGuard kernel protection “GhostHook.” According to the company, this technique allows an attacker to hook almost any piece of code running on a computer.
Intel PT At Fault
The issue stems from Intel Processor Trace (Intel PT), an extension of the Intel architecture that captures information about software execution using dedicated hardware. The information is collected in data packets, which can be processed by a software decoder.
The packets include information such as timing, program-flow information (e.g. branch targets, branch taken/not taken indications) and program-induced mode-related information (e.g. Intel TSX state transitions). The packets may first be buffered internally before they are transmitted to the memory subsystem or another output mechanism. Debugging software can then process the data and reconstruct the program flow.
Intel PT, which was introduced on the Broadwell generation of chips and expanded on Skylake, can trace any software that runs on the CPU, except for SGX-protected containers. The technology is used mainly for performance monitoring, code diagnostics, debugging, fuzzing, and malware analysis and detection.
However, an attacker can also abuse this technology to take control of a thread’s execution. The idea is to make the CPU branch to the malicious piece of code. One way to do this is to allocate extremely small buffers for the Intel PT packets. When the CPU runs out of buffer space, it will jump to the malicious piece of code that creates the “hook.”
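As an added, defender-side example that is not part of CyberArk’s research or this article: the C below decodes the two hardware structures involved, the IA32_RTIT_CTL MSR and a ToPA (Table of Physical Addresses) output table, and flags a configuration that traces kernel code into a tiny interrupting region. Field layouts follow the Intel SDM; the sample values are constructed, and reading the live MSRs and table requires kernel-mode code that is assumed to exist elsewhere.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IA32_RTIT_CTL (MSR 0x570) bits and ToPA entry layout, per the Intel SDM. */
#define RTIT_CTL_TRACEEN (1ull << 0)
#define RTIT_CTL_OS      (1ull << 2)   /* trace CPL0 (kernel) code */
#define RTIT_CTL_USER    (1ull << 3)   /* trace user-mode code */
#define RTIT_CTL_TOPA    (1ull << 8)   /* output via a ToPA table */
#define TOPA_END  (1ull << 0)          /* last entry; base points to next table */
#define TOPA_INT  (1ull << 2)          /* interrupt when this region fills */
#define TOPA_SIZE(e) (((e) >> 6) & 0xfu) /* region is 2^(12+size) bytes */

struct pt_finding {
    bool tracing_kernel;           /* TraceEn and OS both set */
    bool topa_output;
    size_t int_regions;            /* entries with INT set */
    uint64_t smallest_int_region;  /* bytes; 0 if no INT entry */
};

/* Decode a captured IA32_RTIT_CTL value and a ToPA table (terminated by END). */
struct pt_finding pt_inspect(uint64_t rtit_ctl, const uint64_t *topa, size_t max_entries)
{
    struct pt_finding f = {0};
    f.tracing_kernel = (rtit_ctl & RTIT_CTL_TRACEEN) && (rtit_ctl & RTIT_CTL_OS);
    f.topa_output = (rtit_ctl & RTIT_CTL_TOPA) != 0;
    for (size_t i = 0; i < max_entries && !(topa[i] & TOPA_END); i++) {
        if (!(topa[i] & TOPA_INT)) continue;
        uint64_t bytes = 1ull << (12 + TOPA_SIZE(topa[i]));
        f.int_regions++;
        if (f.smallest_int_region == 0 || bytes < f.smallest_int_region)
            f.smallest_int_region = bytes;
    }
    return f;
}

/* Heuristic, not a verdict: kernel tracing into a 4 KB interrupting region
 * fires the buffer-full interrupt constantly and deserves an analyst's look. */
bool pt_config_suspicious(struct pt_finding f)
{
    return f.tracing_kernel && f.topa_output && f.int_regions > 0 && f.smallest_int_region <= 4096;
}

/* Constructed samples (not captured from a real system); base addresses are placeholders. */
struct pt_finding pt_sample(int kernel_tiny)
{
    if (kernel_tiny) {  /* kernel trace, one 4 KB region with INT */
        uint64_t topa[] = { 0x12345000ull | TOPA_INT, 0x12340000ull | TOPA_END };
        return pt_inspect(RTIT_CTL_TRACEEN | RTIT_CTL_OS | RTIT_CTL_TOPA, topa, 2);
    }
    /* user-only trace into a 64 KB region (size field 4): ordinary profiler shape */
    uint64_t topa[] = { 0x12345000ull | (4ull << 6) | TOPA_INT, TOPA_END };
    return pt_inspect(RTIT_CTL_TRACEEN | RTIT_CTL_USER | RTIT_CTL_TOPA, topa, 2);
}

int main(void)
{
    struct pt_finding f = pt_sample(1);
    printf("kernel=%d topa=%d int_regions=%zu smallest=%llu suspicious=%d\n",
           (int)f.tracing_kernel, (int)f.topa_output, f.int_regions,
           (unsigned long long)f.smallest_int_region, (int)pt_config_suspicious(f));
    return 0;
}
```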
No Short-Term Fix
Because this operation is executed in hardware, below the Windows operating system, CyberArk said that it would be “extremely difficult for Microsoft to detect and defeat this technique.”
In a reply to CyberArk, Microsoft stated:
“The engineering team has finished their analysis of this report and determined that it requires the attacker already be running kernel code on the system. As such, this doesn’t meet the bar for servicing in a security update; however, it may be addressed in a future version of Windows. As such I’ve closed this case.”
Microsoft may have realized that it can’t easily fix this with a simple update, as CyberArk also said. Therefore, it may have postponed the fix until either it creates a more advanced kernel protection architecture in a future version of Windows or until Intel finds a way to stop this type of attack in future chip generations. Until then, Windows 10 will likely continue to be vulnerable to rootkits enabled by malware that has already bypassed Windows Defender or other Windows protections.
GhostHook wouldn’t be the first time a feature of Intel processors has been used to bypass software security. Researchers have recently also discovered that Intel’s ME processor and AMT technology could be used to remotely install malware on enterprise computers.