Malware developers can abuse a programming error in the Windows kernel to prevent security software from identifying if, and when, malicious modules have been loaded at runtime.
The bug affects PsSetLoadImageNotifyRoutine, one of the low-level mechanisms some security solutions use to identify when code has been loaded into the kernel or user space.
The problem is that an attacker can exploit this bug in a way that PsSetLoadImageNotifyRoutine returns an invalid module name, allowing an attacker to disguise malware as a legitimate operation.
Bug affects all Windows versions released in the past 17 years
The issue came to light earlier this year when enSilo researchers were analyzing the Windows kernel code. Omri Misgav, Security Researcher at enSilo and the one who discovered the issue, says the bug affects all Windows versions released since Windows 2000.
Misgav’s tests showed that the programming error has survived up to the most recent Windows 10 releases.
Microsoft introduced the PsSetLoadImageNotifyRoutine notification mechanism as a way to programmatically notify app developers of newly registered drivers. Because the system could also detect when a PE image was loaded into virtual memory, the mechanism was also integrated with antivirus software as a way to detect some types of malicious operations.
Microsoft did not see this as a security issue
Right now, the biggest problem is that security software relies on this method to detect some types of malicious operations.
“We did not test any specific security software,” Misgav told Bleeping Computer via email. “We are aware that some vendors do use this mechanism, however at this point in time we cannot say if and how the use of the faulty [PsSetLoadImageNotifyRoutine] information affects them.”
“We [also] contacted MSRC [Microsoft Security Response Center] about this issue at the beginning of this year,” Misgav told Bleeping. “They did not deem it as a security issue.”
“Some references online indicate that the bug was somewhat known, but as far as we can tell its root cause and full implications weren't described in detail up until now,” the researcher also said.
For technical details, an enSilo blog post details the fine intricacies of how PsSetLoadImageNotifyRoutine works and how the bug alters its normal, supposed behavior.
Break down IAM silos like Bitpanda, KnowBe4, and PathAI
Broken IAM isn't just an IT problem - the impact ripples across your whole business.
This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what "good" IAM looks like, and a simple checklist for building a scalable strategy.
Comments
LadislavZezula - 8 years ago
Yeah the file name problem was in the Windows File System field since Windows NT 4.0 (probably 3.5 as well). Everyone who was developing a file system filter knows the pain of retrieving file name from a file object. Minifilters (since WinXP SP2) solved the problem but the minifilter help did not make any influence on the LoadImage callback.
Another scenario that causes the LoadImage receive invalid name is when you create a process from a subdirectory, then exit the process, rename subdirectory, run the process again -> you get the name with the old subdirectory.
https://www.osronline.com/showThread.CFM?link=157104
Occasional - 8 years ago
Then, presumably, Windows Defender does not rely on it?
GT500 - 8 years ago
More people suddenly "discovering" really old things in Windows that are well documented, and declaring them security vulnerabilities?