Bug in Windows Kernel Could Prevent Security Software From Identifying Malware

itman · Sep 7, 2017

Another one that Microsoft won't patch.

Malware developers can abuse a programming error in the Windows kernel to prevent security software from identifying if, and when, malicious modules have been loaded at runtime.

The bug affects PsSetLoadImageNotifyRoutine, one of the low-level mechanisms some security solutions use to identify when code has been loaded into the kernel or user space.

The problem is that an attacker can exploit this bug in a way that PsSetLoadImageNotifyRoutine returns an invalid module name, allowing an attacker to disguise malware as a legitimate operation.

Bug affects all Windows versions released in the past 17 years

The issue came to light earlier this year when enSilo researchers were analyzing the Windows kernel code. Omri Misgav, Security Researcher at enSilo and the one who discovered the issue, says the bug affects all Windows versions released since Windows 2000.

Microsoft did not see this as a security issue

Right now, the biggest problem is that security software relies on this method to detect some types of malicious operations.

“We did not test any specific security software,” Misgav told Bleeping Computer via email. “We are aware that some vendors do use this mechanism, however at this point in time we cannot say if and how the use of the faulty [PsSetLoadImageNotifyRoutine] information affects them.”

“We [also] contacted MSRC [Microsoft Security Response Center] about this issue at the beginning of this year,” Misgav told Bleeping. “They did not deem it as a security issue.”
Click to expand...

https://www.bleepingcomputer.com/ne...t-security-software-from-identifying-malware/

Peter2150 · Sep 7, 2017

They would have to patch to much, so it's easier not to do so. Then people wonder why I don't trust MS with my security

Robin A. · Sep 7, 2017

Maybe what you mean is that you don´t trust Windows with your security. The post doesn´t refer to MS security software.

Peter2150 · Sep 7, 2017

Robin A. said: ↑

Maybe what you mean is that you don´t trust Windows with your security. The post doesn´t refer to MS security software.
Click to expand...

No Robin, what I said is exactly what I meant. Period. And yes it does refer to MS security software

itman · Sep 7, 2017

A few details about PsSetLoadImageNotifyRoutine:

The PsSetLoadImageNotifyRoutine routine registers a driver-supplied callback that is subsequently notified whenever an image is loaded (or mapped into memory

Highest-level system-profiling drivers can call PsSetLoadImageNotifyRoutine to set up their load-image notify routines
Click to expand...

https://msdn.microsoft.com/en-us/library/windows/hardware/ff559957(v=vs.85).aspx

Used in conjunction with PLOAD_IMAGE_NOTIFY_ROUTINE callback function:

Called by the operating system to notify the driver when a driver image or a user image (for example, a DLL or EXE) is mapped into virtual memory.

When the main executable image for a newly created process is loaded, the load-image notify routine runs in the context of the new process. The operating system calls the driver's load-image notify routine at PASSIVE_LEVEL inside a critical region with normal kernel APCs always disabled and sometimes with both kernel and special APCs disabled.
Click to expand...

https://msdn.microsoft.com/en-us/library/windows/hardware/mt764088(v=vs.85).aspx

It is fairly obvious that this bug if exploited would nullify HIPS and anti-exec capability to detect new process startup activities.

Microsoft doesn't care since none of their "security" software mechanisms ever used or ever will use this capability. -EDIT- Or and more likely, Microsoft's "neglect" is just one more attempt to cripple third party security software to support their new profit making woefully deficit security software development.

itman · Sep 8, 2017

A comment from the original bleepingcomputer.com article:

Yeah the file name problem was in the Windows File System field since Windows NT 4.0 (probably 3.5 as well). Everyone who was developing a file system filter knows the pain of retrieving file name from a file object. Minifilters (since WinXP SP2) solved the problem but the minifilter help did not make any influence on the LoadImage callback.

Another scenario that causes the LoadImage receive invalid name is when you create a process from a subdirectory, then exit the process, rename subdirectory, run the process again -> you get the name with the old subdirectory.
https://www.osronline.com/showThread.CFM?link=157104
Click to expand...

Your malware bypass is in the second paragraph.

Log in or Sign up

Bug in Windows Kernel Could Prevent Security Software From Identifying Malware

itman Registered Member

Peter2150 Global Moderator

Robin A. Registered Member

Peter2150 Global Moderator

itman Registered Member

itman Registered Member

Log in or Sign up

Bug in Windows Kernel Could Prevent Security Software From Identifying Malware

itman Registered Member

Peter2150 Global Moderator

Robin A. Registered Member

Peter2150 Global Moderator

itman Registered Member

itman Registered Member

Useful Searches