GhostHook attack bypasses Windows 10 PatchGuard
Since PatchGuard (Kernel Patch Protection) and Device Guard became part of Windows 10’s 64-bit kernel defences, 64-bit rootkits have been rare. CyberArk has now developed a bypass of PatchGuard’s kernel protection, which it calls “GhostHook”.
GhostHook is a post-exploitation technique: it only works once the attacker already has full, kernel-level control of the system. For that reason Microsoft has decided not to issue a security update, though it has said it may address the issue in a future version of Windows. “We are able to execute code in the kernel and go unnoticed by any security feature Microsoft produces,” said Kobi Ben Naim, senior director of cyber research at CyberArk. “Many other security vendors rely on PatchGuard and on Device Guard in order to receive reliable information and analyze whether it’s benign or an attack. This bypass enables us to go unnoticed versus the security vendors we checked (this includes antimalware, firewalls, host-based intrusion detection and more) that rely on those security layers to provide reliable information.”
The attack abuses a relatively new Intel CPU feature, Intel Processor Trace (Intel PT). “The Intel feature is an API that the kernel code can ask to receive and read information from the CPU. The way that Microsoft implemented this API is the issue we found,” Naim said. “This enabled us to not only read information but enter our code into a secure location in the kernel.”
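The article does not say how the bypass itself works, and nothing below attempts to reproduce it. What a practitioner can check is whether a given host even exposes the feature GhostHook depends on. The following is an added example, not code from CyberArk or from the article: it reads the CPUID bits Intel documents for Processor Trace (CPUID leaf 7, subleaf 0, EBX bit 25 for the feature itself; leaf 0x14, subleaf 0 for its capabilities) and reports what the CPU advertises. The decoding is kept in a pure function so the bit handling can be tested without running CPUID; the `pt_caps` and `pt_decode`/`pt_query` names are this example’s own.

```c
/* Added example (not CyberArk's or the article's code): report whether the
 * running CPU advertises Intel Processor Trace, the feature GhostHook abuses.
 * Bit positions follow the Intel SDM CPUID documentation:
 *   CPUID.(EAX=07H,ECX=0):EBX[25]  Intel PT supported
 *   CPUID.(EAX=14H,ECX=0):EBX[0]   CR3 filtering
 *   CPUID.(EAX=14H,ECX=0):EBX[2]   IP filtering and TraceStop
 *   CPUID.(EAX=14H,ECX=0):ECX[0]   ToPA output scheme
 *   CPUID.(EAX=14H,ECX=0):ECX[2]   single-range output
 * Build: gcc -O2 -o ptcheck ptcheck.c   (non-x86 builds report "unavailable")
 */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

struct pt_caps {
    int present;        /* CPU advertises Intel PT at all */
    int cr3_filter;     /* tracing can be limited to one address space */
    int ip_filter;      /* tracing can be limited to address ranges */
    int topa_output;    /* trace can be written to a ToPA buffer list */
    int single_range;   /* trace can be written to one contiguous range */
};

/* Pure decoder over raw register values (hypothetical helper name) so the
 * bit handling can be unit-tested without executing CPUID. */
struct pt_caps pt_decode(uint32_t leaf7_ebx, uint32_t leaf14_ebx, uint32_t leaf14_ecx)
{
    struct pt_caps c = {0};
    c.present = (leaf7_ebx >> 25) & 1;
    if (!c.present)
        return c;       /* leaf 0x14 is meaningless without the feature bit */
    c.cr3_filter   = (leaf14_ebx >> 0) & 1;
    c.ip_filter    = (leaf14_ebx >> 2) & 1;
    c.topa_output  = (leaf14_ecx >> 0) & 1;
    c.single_range = (leaf14_ecx >> 2) & 1;
    return c;
}

/* Query the running CPU. Returns 0 on non-x86 builds or when the CPU does
 * not implement leaf 7; fills *out and returns 1 otherwise. */
int pt_query(struct pt_caps *out)
{
#if HAVE_CPUID
    unsigned int eax, ebx, ecx, edx;
    unsigned int max_leaf = __get_cpuid_max(0, NULL);
    if (max_leaf < 7)
        return 0;
    __cpuid_count(7, 0, eax, ebx, ecx, edx);
    uint32_t l7_ebx = ebx;
    uint32_t l14_ebx = 0, l14_ecx = 0;
    if (max_leaf >= 0x14) {
        __cpuid_count(0x14, 0, eax, ebx, ecx, edx);
        l14_ebx = ebx;
        l14_ecx = ecx;
    }
    *out = pt_decode(l7_ebx, l14_ebx, l14_ecx);
    return 1;
#else
    (void)out;
    return 0;
#endif
}

int main(void)
{
    struct pt_caps c;
    if (!pt_query(&c)) {
        puts("CPUID leaf 7 unavailable (non-x86 build or very old CPU)");
        return 0;
    }
    printf("Intel PT: %s\n", c.present ? "present" : "absent");
    if (c.present)
        printf("  CR3 filtering=%d  IP filtering=%d  ToPA output=%d  single-range output=%d\n",
               c.cr3_filter, c.ip_filter, c.topa_output, c.single_range);
    return 0;
}
```

Two caveats when reading the output: a hypervisor usually masks Intel PT from guests, so a VM reporting “absent” says nothing about the physical host; and “present” only means the attack’s prerequisite exists, not that anything is hooking the kernel, because by the time GhostHook is usable the attacker already has kernel privileges and the feature bits look the same either way.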