Nmedia - Fotolia

How does the GhostHook attack bypass Microsoft PatchGuard?

A technique known as the GhostHook attack can get around PatchGuard, but Microsoft hasn't patched the flaw. Expert Michael Cobb explains why, as well as how the attack works.

Researchers at CyberArk Software Ltd. have developed a technique known as the GhostHook attack, enabling a bypass of Microsoft's PatchGuard protections on Windows 64-bit operating systems to install a rootkit. How does the GhostHook attack work?

PatchGuard was first introduced in 2005 in 64-bit editions of Microsoft Windows. It prevents any unsupported modifications of the central component, or kernel, of the Windows operating system by periodically checking to make sure that protected system structures in the kernel have not been modified. It has proved to be a very effective method of preventing rootkits from taking hold of a Windows-based system.

However, researchers at CyberArk found a way of bypassing the protections provided by PatchGuard by leveraging a feature in Intel processors called Intel Processor Trace (IPT).

IPT is generally faster and more flexible in terms of what type and amount of trace information can be recorded compared to similar existing technologies, such as Last Branch Recording and Branch Trace Messages. It provides an API that kernel code can call to receive and read information from the CPU about software and processes running on a device to provide performance monitoring, diagnostic code coverage, debugging, fuzzing, malware analysis and exploit detection.

CyberArk discovered that the way Microsoft implements this API enabled them to take advantage of the buffer-is-going-full notification mechanism during instruction pointer tracing to make the CPU branch to their own code. By allocating extremely small buffers to packets of code in IPT, the CPU is eventually forced to open a performance monitoring interrupt (PMI) handler.

As PatchGuard wasn't designed to monitor what happens within PMI handlers, the GhostHook attack can use the PMI handler to inject a rootkit as the system is being patched. This hooking technique could allow an attack to remain undiscovered, as it is operating at the kernel level, making it invisible to many security products, such as antivirus and intrusion prevention systems.

There is a difference of opinion as to the seriousness of the GhostHook attack. Microsoft has said it will not patch the vulnerability, but the company may address it in a future version of Windows. The reason for this lack of urgency is that an attacker would have to already have control over a compromised machine and already be running kernel code on the system, so this is a post-exploitation technique, not an elevation or exploitation technique. An attacker in that position can already run any code of their choosing without being detected by various security technologies, so this attack doesn't really extend the attack surface of the Windows operating system.

However, some security experts feel that PatchGuard should be able to prevent this type of attack, as any form of stealth technology can aid an attacker by helping them to establish persistence.

Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing