A new discovery from CYBERARK Threat Research team, presents a hooking technique that allows you to control over the way the operating system behaves and enables access to the operating system’s kernel.
The researchers note that this is not an elevation nor an exploitation technique, it is a post-exploitation scenario where the attacker already has control over a system.
The hooking technique, uses Intel PT (Intel® Processor Trace) extension, that captures information about software execution using dedicated hardware facilities.
“Intel PT provides low overhead hardware that executes tracing on each hardware thread using dedicated hardware (implemented entirely in hardware) in the CPU’s Performance Monitoring Unit (PMU). Intel PT can trace any software the CPU runs including hypervisors…”
“This technology is primarily used for performance monitoring, diagnostic code coverage, debugging, fuzzing, malware analysis and exploit detection”.
What the team discovered is that by allocating an extremely small buffer for the CPU’s PT packets, the CPU will quickly run out of buffer space and will jump a PMI handler (Performance Monitoring Interrupt). As described before, this is a post-exploitation technique. In this case, the researchers already have control over the system and the PMI handler is a piece of code controlled by the researchers that will perform the hook in the Windows kernel.
How is it related to PatchGuard?
PatchGuard, or as formally called – Kernel Patch Protection (KPP), is a feature in x64 editions of Windows that prevents patching of the Windows kernel.
The problem with the current implementation of PatchGuard is that registering to PMI is transparent, and a PMI handler can have access to the kernel functions.
“Because this technique uses hardware to gain control of a thread’s execution and kernel code/critical kernel structures aren’t being patched, it would be extremely difficult for Microsoft to detect and defeat this technique.”
Following the discovery of this technique, the researchers informed Microsoft, which responded as follows –
“The engineering team has finished their analysis of this report and determined that it requires the attacker already be running kernel code on the system. As such, this doesn’t meet the bar for servicing in a security update however it may be addressed in a future version of Windows. As such I’ve closed this case.”
As the researchers note, “Microsoft does not seem to realize that PatchGuard is a kernel component that should not be bypassed”.
With latest news and leaks of hacking tools used by the CIA to take control over Windows systems, tools that are already being used by cybercriminals to gain remote access, this technique aggravates the level of access a cybercriminal can have on a compromised system.