Expert creates PoC exploit that bypasses PatchGuard protection

Turkish security specialist Can Bölük has created a PoC exploit that bypasses the Microsoft Kernel Patch Protection (KPP) security features, better known as PatchGuard.

His tool is named ByePg, and the exploit abuses HalPrivateDispatchTable, which ultimately lets a malicious application tamper with the kernel.

The Microsoft Kernel Patch Protection (KPP) feature, better known as PatchGuard, was introduced back in 2005 in Windows XP. It is available only for 64-bit versions of Windows, and its role is to prevent applications from tampering with the kernel.

“Essentially, prior to the release of PatchGuard, many applications allowed themselves to modify the Windows kernel to facilitate their work or gain access to various functions. Antivirus software, drivers, game cheats and malware often ‘patched’ the kernel for completely different purposes,” said security experts.

Rootkit developers in particular were very fond of such techniques, since patching the kernel let them embed malware at the OS level, giving it unlimited access to the victim’s machine.

Over time, PatchGuard faded into the background behind the many other Windows security mechanisms, but security researchers continued to study it and look for new ways to bypass the protection.

For instance, in 2015, after the release of Windows 10, CyberArk specialists introduced a PatchGuard bypass called GhostHook. It used the Intel Processor Trace (PT) feature to get around PatchGuard and patch the kernel. Then, in the summer of this year, a Riot Games researcher found another way to bypass the protection, called InfinityHook, which relied on the NtTraceEvent API.

Now ByePg has been created, which uses HalPrivateDispatchTable to bypass the protection.

“The potential for using ByePg is limited solely by the creativity of the person who uses it. Worse, ByePg helps circumvent not only PatchGuard, but also Hypervisor-Protected Code Integrity (HVCI), a feature that Microsoft uses to blacklist drivers,” notes the developer of the exploit.
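Since the quote above claims that ByePg circumvents HVCI as well as PatchGuard, the first thing a defender will want to know is whether Virtualization-Based Security and HVCI are actually configured and running on a given host. The following PowerShell script is an added example, not code from the article or from the ByePg author; it reads the Win32_DeviceGuard WMI class (present on Windows 10 and Windows Server 2016 and later) and assumes it is run on a 64-bit Windows machine where that class is available.

```powershell
# Added example: report whether VBS and HVCI are running on this host.
# Reads the Win32_DeviceGuard class in the root\Microsoft\Windows\DeviceGuard namespace.
function Get-KernelProtectionStatus {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # SecurityServicesConfigured / SecurityServicesRunning use numeric codes;
    # code 2 is HVCI (Hypervisor-enforced Code Integrity)
    $hvciConfigured = ($dg.SecurityServicesConfigured -contains 2)
    $hvciRunning    = ($dg.SecurityServicesRunning -contains 2)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        # PatchGuard only exists on 64-bit Windows, so record the architecture too
        Is64Bit        = [Environment]::Is64BitOperatingSystem
        VbsRunning     = $vbsRunning
        HvciConfigured = $hvciConfigured
        HvciRunning    = $hvciRunning
    }
}

$status = Get-KernelProtectionStatus
$status | Format-List

if ($status.HvciConfigured -and -not $status.HvciRunning) {
    Write-Warning 'HVCI is configured but not running; check that virtualization is enabled in firmware and that the Memory integrity setting is on.'
}
elseif (-not $status.HvciConfigured) {
    Write-Warning 'HVCI is not configured on this host; kernel code integrity relies on PatchGuard alone.'
}
```

Run it in an elevated PowerShell session on each 64-bit host you want to inventory; the returned object can be collected centrally to find machines where only PatchGuard stands between an administrator-level driver and the kernel.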

All three of these bypass methods have become publicly available, as Microsoft is in no rush to issue patches and close these gaps (although patches for GhostHook and InfinityHook were ultimately created). Such exploits require administrator rights to work, which is why the company refuses to classify them as security problems.

Microsoft’s position is that an attacker who has already obtained administrator rights on the local system can perform any operation anyway. The problem is that this “excuse” hardly applies to PatchGuard, because the mechanism was designed specifically to protect the kernel from highly privileged code, such as drivers or antivirus software.


The situation is further complicated by the fact that problems in PatchGuard do not fall under the bug bounty program, so specialists who find such bugs cannot expect a cash reward. A Microsoft employee who wished to remain anonymous told ZDNet reporters that the company does not ignore PatchGuard problems at all, and that fixes for them do come out, albeit somewhat slower than other patches.

However, researchers, knowing that they will receive no money and that no CVE identifiers will be assigned to such vulnerabilities, prefer to publish their results directly in the public domain, and are generally reluctant to study such problems at all.

Polina Lisovskaya

I have worked as a marketing manager for years now and love searching for interesting topics for you
