November 30, 2023

A security researcher has discovered a bug in PatchGuard a crucial Windows security feature that can allow threat actors to load unsigned (malicious) code into the Windows operating system kernel. remains unfixed


Microsoft Kernel Patch Protection (KPP) but more commonly known as PatchGuard, this security feature made its way into the Windows OS in 2005, when Microsoft launched the 64-bit editions of Windows XP Professional and Windows Server 2003. All 64bit version of Windows comes with KPP support foundation to the ecosystem.Earlier days it was developed to prevent kernel patching

Kernel patching is where low-level apps tap into the core of the Windows OS, known as the kernel, and modify its structure to allow the app to run its operations with the highest level of privileges, known as kernel mode.

Microsoft decided to stomp on this tactic and took the opportunity to add a series of checks and defenses to the kernel, which eventually became known as KPP or PatchGuard.

PatchGuard is just one of an entire arsenal of security features that makes hacking Windows operating systems much harder, and especially Windows 10. But ways are found by researchers to bypass it

Techniques like GhostHook, InfinityHook, and ByePg were disclosed in 2017 and 2019, all allowing threat actors a slip through the PatchGuard cracks and tap into the kernel via a legitimate function and then modify its internal structure. Recent is Kento’s bypass

When the malware wants to register a callback routine function that mapped in their unsigned code kernel virtual address, that usually not possible at all with legitimate ways. To bypass all require that the attacker’s code runs with admin privileges, so it can perform the illicit kernel patch.

This requirement is what made Microsoft ignore all the three previous reports, with the company arguing that once an attacker has admin rights on a Windows system, it is game over, and any attack escalation is possible.

Microsoft did eventually patch the three PatchGuard bypasses months after they became public, years later, their classification of PatchGuard bypasses as a security non-issue is now having repercussions.

Microsoft still values PatchGuard and is committed to fixing these flaws, the OS maker has historically ignored bug reports like these, which has led to situations where a PatchGuard bypass is now broadly available in the public domain again

Leave a Reply

%d bloggers like this: