News

The expert created a PoC exploit that bypasses PatchGuard protection

Turkish security specialist Can Bölük has created a PoC exploit that bypasses the Microsoft Kernel Patch Protection (KPP) security features, better known as PatchGuard.

His tool is named ByePg, and the exploit concerns HalPrivateDispatchTable, which ultimately allows the malicious application to interfere with the kernel.

The Microsoft Kernel Patch Protection (KPP) feature, better known as PatchGuard, was introduced back in 2005 in Windows XP. It is available only for 64-bit versions of Windows, and its role is to prevent interference of applications with the kernel.

“Essencially, prior to the release of PatchGuard, many applications allowed themselves to modify the Windows kernel to facilitate their work or gain access to various functions. Antivirus software, drivers, game cheats and malware often “patched” the kernel for completely different purposes”, – said security experts.

In particular, rootkit developers were very fond of such techniques, because this allowed them to implement malware at the OS level, giving it unlimited access to the victim’s machine.

Over time, PatchGuard faded into the background, against the background of numerous Windows security mechanisms, but information security experts continued to use this functionality and look for new ways to bypass protection.

Therefore, in 2015, after the release of Windows 10, CyberArk specialists introduced a PatchGuard detour called GhostHook. He used the Intel Processor Trace (PT) feature to bypass PatchGuard and patch the kernel. Then, in the summer of this year, the Riot Games expert found another way to bypass the protection, which was called InfinityHook and used the NtTraceEvent API to work.

Now has been created ByePg with HalPrivateDispatchTable to bypass protection.

“The potential for using ByePg is limited solely by the creativity of the person who uses it. Worse, ByePG helps circumvent not only PatchGuard, but also Hypervisor-Protected Code Integrity (HVCI), a feature that Microsoft uses to blacklist drivers”, – notes the developer of the exploit.

All three of these methods of bypassing security features have become publicly available, as Microsoft does not rash to issue patches and close these gaps (although patches for GhostHook and InfinityHook were ultimately created). The fact is that such exploits require administrator rights to work that is why the company refuses to classify them as security problems.

Microsoft developers are confident that if an attacker gained access to the local system with administrator rights, then he can perform any operations. The question is that this “excuse” is hardly applicable to PatchGuard, because the protective mechanism was designed specifically to protect the kernel from processes with high privileges, such as drivers or antivirus software.

Read also: The famous infostealer “Agent Tesla” has an unusual dropper

It is also complicated by the fact that problems in PatchGuard do not fall under the bug bounty program, and specialists who find such bugs cannot expect cash reward. A Microsoft employee who wished to remain anonymous told ZDNet reporters that the company’s PatchGuard problems are not ignored at all, and fixes for them come out, albeit a little slower than other patches.

However, the researchers, knowing that they will not receive money, and that CVE identifiers will not be assigned vulnerabilities, prefer to publish the results of their research in the public domain and are generally reluctant to study such problems.

Polina Lisovskaya

I works as a marketing manager for years now and loves searching for interesting topics for you

Recent Posts

Remove Streamingsafevpn.com Pop-up Ads

About Streamingsafevpn.com Streamingsafevpn.com pop-ups can not expose out of nowhere. If you have actually clicked…

15 hours ago

Remove Psegeevalrat.net Pop-up Ads

About Psegeevalrat.net Psegeevalrat.net pop-ups can not launch out of the blue. If you have clicked…

16 hours ago

Remove Thi-tl-310-a.buzz Pop-up Ads

About Thi-tl-310-a.buzz Thi-tl-310-a.buzz pop-ups can not expose out of the blue. If you have clicked…

2 days ago

Remove Toreffirmading.com Pop-up Ads

About Toreffirmading.com Toreffirmading.com pop-ups can not open out of the blue. If you have clicked…

2 days ago

Remove News-xboveho.site Pop-up Ads

About News-xboveho.site News-xboveho.site pop-ups can not introduce out of the blue. If you have actually…

2 days ago

Remove Glayingly.com Pop-up Ads

About Glayingly.com Glayingly.com pop-ups can not open out of the blue. If you have clicked…

2 days ago