Windows Kernel Bug Hinders Malware Detection: Researchers

Windows Kernel Bug Has Existed Since Windows 2000, Researchers Say

A kernel bug that impacts Windows versions released over the past decade and a half remains unpatched, enSilo security researchers claim.

The security researchers claim to have discovered a Windows kernel bug, caused by a programming error, that prevents security vendors from reliably identifying modules loaded at runtime.

The issue, they say, impacts PsSetLoadImageNotifyRoutine, a function that should notify of module loading. However, the researchers discovered that, “after registering a notification routine for loaded PE images with the kernel, the callback may receive invalid image names.”

The issue, they say, affects recent Windows 10 releases as well as past versions of the operating system, all the way back to Windows 2000. PsSetLoadImageNotifyRoutine was introduced in that release as a mechanism to notify “registered drivers from various parts in the kernel when a PE image file has been loaded to virtual memory (kernel\user space).”

When invoking the registered notification routine, the kernel supplies a series of parameters that enable the proper identification of the PE image being loaded. These parameters are included in the prototype definition of the callback function.

While Microsoft recommends the use of a file-system mini-filter callback for monitoring PEs that are loaded to memory as executable code, the researchers argue that this method can’t be used to “determine whether the section object is being created for the loading of a PE image or not.”

The enSilo researchers explain that the parameter that can effectively identify the loaded PE file is the FullImageName parameter. They note, however, that the kernel uses a different format for FullImageName, and that the paths supplied for some dynamically loaded user-mode PEs are missing the volume name. In some instances the path is completely malformed, even pointing to a different or non-existent file, they say.
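To make the failure modes above concrete from a driver author's side, here is an added example (not code from enSilo, SecurityWeek or Microsoft) of the check a load-image callback would run on FullImageName before keying detection logic off it. It is a user-mode mirror: the UNICODE_STRING type is redefined locally so it compiles anywhere, and the accepted prefixes (\Device\ for user-mode images, \SystemRoot\ for kernel images) are an assumption of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* User-mode mirror of the kernel's UNICODE_STRING: Length is in BYTES and the
 * buffer is not NUL-terminated. Constructed for this example; the real type
 * comes from ntddk.h, where WCHAR is 16-bit. */
typedef uint16_t WCHAR;
typedef struct { uint16_t Length; uint16_t MaximumLength; WCHAR *Buffer; } UNICODE_STRING;

typedef enum { NAME_OK = 0, NAME_MISSING, NAME_MALFORMED, NAME_NO_VOLUME } NameVerdict;

/* Compare the leading characters of a UNICODE_STRING against an ASCII prefix.
 * NT paths are case-insensitive in reality; a real driver would use
 * RtlPrefixUnicodeString with CaseInSensitive = TRUE instead of this helper. */
static bool ustr_has_prefix(const UNICODE_STRING *s, const char *prefix) {
    size_t n = strlen(prefix), chars = s->Length / sizeof(WCHAR);
    if (chars < n) return false;
    for (size_t i = 0; i < n; i++)
        if (s->Buffer[i] != (WCHAR)(unsigned char)prefix[i]) return false;
    return true;
}

/* Classify the FullImageName a load-image callback received. Only a full NT
 * path is treated as usable; anything else is a signal to resolve the name
 * another way (e.g. from IMAGE_INFO_EX.FileObject when ExtendedInfoPresent
 * is set) rather than trusting the string. Accepted prefixes are assumed. */
NameVerdict classify_image_name(const UNICODE_STRING *name) {
    if (name == NULL || name->Buffer == NULL || name->Length == 0) return NAME_MISSING;
    if (name->Length % sizeof(WCHAR) != 0) return NAME_MALFORMED;  /* odd byte count */
    size_t chars = name->Length / sizeof(WCHAR);
    for (size_t i = 0; i < chars; i++)
        if (name->Buffer[i] == 0) return NAME_MALFORMED;             /* embedded NUL */
    if (name->Buffer[0] != '\\') return NAME_MALFORMED;               /* not an NT path */
    if (ustr_has_prefix(name, "\\Device\\") || ustr_has_prefix(name, "\\SystemRoot\\"))
        return NAME_OK;
    return NAME_NO_VOLUME;   /* e.g. \Windows\System32\x.dll: volume name dropped */
}

/* Build a UNICODE_STRING from ASCII into caller-owned storage (sample helper). */
UNICODE_STRING make_ustr(const char *ascii, WCHAR *buf, size_t cap_chars) {
    UNICODE_STRING u = { 0, (uint16_t)(cap_chars * sizeof(WCHAR)), buf };
    size_t n = strlen(ascii);
    if (n > cap_chars) n = cap_chars;
    for (size_t i = 0; i < n; i++) buf[i] = (WCHAR)(unsigned char)ascii[i];
    u.Length = (uint16_t)(n * sizeof(WCHAR));
    return u;
}
```

The point of the classifier is that a NAME_NO_VOLUME or NAME_MALFORMED result must never be treated as "unknown benign file"; it is exactly the case where a scanner keyed on the string would miss the load.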

While digging deeper into the issue, the researchers eventually came to the conclusion that the Cache Manager was responsible for the errors they received. “What seems to be caching behavior, along with the way the file-system driver maintains the file name and a severe coding error is what ultimately causes the invalid name issue,” the security researchers say.

They note that most of the analysis was performed on an x86 system running Windows 7 Service Pack 1 with the latest patches and updates installed, and that they verified the findings on Windows XP SP3, Windows 7 SP1 x64, and Windows 10 Anniversary Update (Redstone) on both x86 and x64, all fully patched and updated.

Udi Yavo, co-founder and CTO at enSilo, confirmed to SecurityWeek that the company reported its findings to Microsoft in January this year, but also revealed that the tech giant doesn’t consider this to be a security issue.

“This bug has security implications on security vendors that rely on Microsoft documentation when using the API in order to monitor loaded files. Since there is no documentation of the bug and no formal workaround, this can potentially cause security vendors to miss malware. We are not aware of any intention to create a fix to this,” Yavo said.
