GhostHook Attack Can Bypass Windows 10’s PatchGuard

A newly discovered attack targeting Windows 10’s PatchGuard can bypass the protection and hook a malicious kernel code (rootkit) at the kernel level, CyberArk Labs security researchers warn.

Also known as Kernel Patch Protection, PatchGuard was designed to keep rootkits and other malicious code from patching the kernel and its critical structures on 64-bit versions of Windows. Dubbed GhostHook, the newly discovered method can bypass the protection completely, provided the attacker has already gained a foothold on the target system.

“The GhostHook technique we discovered can provide malicious actors or information security products with the ability to hook almost any piece of code running on the machine,” CyberArk’s Kasif Dekel explains.

The attack is not an elevation-of-privilege or exploitation technique; it is meant solely for post-exploitation scenarios in which the attacker already controls the asset, the researcher says. What it does provide is stealthy persistence for rootkits on compromised systems.

Weaknesses in Microsoft’s implementation of Intel Processor Trace (Intel PT), specifically at the level where Intel PT communicates to Windows, make the attack possible, Dekel says.

Intel PT “provides low overhead hardware that executes tracing on each hardware thread using dedicated hardware” and can be used for various legitimate purposes, including performance monitoring, diagnostic code coverage, debugging, fuzzing, and more. However, it can also be abused for PatchGuard bypass.

The attacker allocates “an extremely small buffer for the CPU’s PT packets.” That buffer fills almost immediately, at which point the CPU raises a performance monitoring interrupt (PMI) and executes the PMI handler, which is code the attacker controls and which performs the “hook”. The attacker thereby gains control over how the operating system behaves.
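The buffer-fill mechanism described above, as an added illustration that is not CyberArk’s code or the Windows implementation: a user-mode C model of a single Intel PT ToPA (Table of Physical Addresses) output entry. The bit positions follow the Intel SDM’s ToPA entry format; the “CPU” appending packets, the 8-byte packet size, the victim address range and the hook address are constructed for the model. It shows why a small region matters: with a 4 KiB region the interrupt fires after a few hundred branches and the attacker-registered handler rewrites the interrupted thread’s instruction pointer without touching any kernel code bytes or tables, while with a 128 MiB region the same workload never triggers it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ToPA entry bit layout, per the Intel SDM "ToPA Table Entry Format". */
#define TOPA_END        (1ULL << 0)  /* entry links to another table        */
#define TOPA_INT        (1ULL << 2)  /* signal a PMI when this region fills */
#define TOPA_STOP       (1ULL << 4)  /* stop tracing when this region fills */
#define TOPA_SIZE_SHIFT 6            /* bits 9:6: region size = 4 KiB << n  */
#define TOPA_ADDR_MASK  (~0xFFFULL)  /* 4 KiB-aligned physical base address */

static uint64_t topa_entry(uint64_t phys_base, unsigned size_code, bool intr)
{
    uint64_t e = phys_base & TOPA_ADDR_MASK;
    e |= (uint64_t)(size_code & 0xF) << TOPA_SIZE_SHIFT;
    if (intr)
        e |= TOPA_INT;
    return e;
}

static size_t topa_region_bytes(uint64_t entry)
{
    return (size_t)4096 << ((entry >> TOPA_SIZE_SHIFT) & 0xF);
}

/* Saved register state the PMI handler gets to see and rewrite. */
struct trap_frame {
    uint64_t rip;
};

/* Hypothetical victim code range and hook address, constructed for the model. */
#define VICTIM_START 0xFFFFF80000100000ULL
#define VICTIM_END   0xFFFFF80000100100ULL
#define HOOK_ADDR    0xFFFFF80011223344ULL

struct pt_sim {
    uint64_t topa;        /* the single, circular ToPA entry            */
    size_t   offset;      /* bytes written into the current region      */
    unsigned pmi_count;   /* how many times the PMI fired               */
    unsigned hooks_taken; /* how many times the handler redirected rip  */
};

/* Attacker-registered PMI handler (modelled): no code bytes and no kernel
 * tables are modified; it only rewrites the saved instruction pointer of
 * whatever thread was running when the trace region filled. */
static void pmi_handler(struct pt_sim *s, struct trap_frame *tf)
{
    s->pmi_count++;
    if (tf->rip >= VICTIM_START && tf->rip < VICTIM_END) {
        tf->rip = HOOK_ADDR;
        s->hooks_taken++;
    }
}

/* Model of the CPU appending one trace packet of `len` bytes. When the
 * region fills, the INT flag raises a PMI and output wraps to the start. */
static void pt_emit(struct pt_sim *s, size_t len, struct trap_frame *tf)
{
    size_t region = topa_region_bytes(s->topa);
    s->offset += len;
    if (s->offset >= region) {
        s->offset -= region;
        if (s->topa & TOPA_INT)
            pmi_handler(s, tf);
    }
}

/* Run `branches` simulated branches, each producing an 8-byte packet, while
 * the traced thread sits at `rip`. Returns the number of PMIs raised and,
 * optionally, how many times the handler redirected the thread. */
static unsigned simulate(unsigned size_code, unsigned branches, uint64_t rip,
                         unsigned *hooks_out)
{
    struct pt_sim s = { .topa = topa_entry(0x12345000ULL, size_code, true) };
    struct trap_frame tf = { .rip = rip };
    for (unsigned i = 0; i < branches; i++)
        pt_emit(&s, 8, &tf);
    if (hooks_out)
        *hooks_out = s.hooks_taken;
    return s.pmi_count;
}

static unsigned pmis_for(unsigned size_code, unsigned branches)
{
    return simulate(size_code, branches, VICTIM_START + 0x10, NULL);
}

static unsigned hooks_for(unsigned size_code, unsigned branches)
{
    unsigned h = 0;
    simulate(size_code, branches, VICTIM_START + 0x10, &h);
    return h;
}

int main(void)
{
    /* size code 0 = 4 KiB region; size code 15 = 128 MiB region */
    printf("4 KiB region:   %u PMIs, %u hook(s)\n", pmis_for(0, 10000), hooks_for(0, 10000));
    printf("128 MiB region: %u PMIs, %u hook(s)\n", pmis_for(15, 10000), hooks_for(15, 10000));
    return 0;
}
```

The model deliberately stops at the hand-off: it does not show how the handler is registered or how the MSRs are programmed, only that once a tiny region with INT set is in place, the hardware delivers control to the handler on a fixed cadence and the redirect leaves every kernel code byte and structure that PatchGuard checks untouched.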


The technique is very difficult to detect because it uses a hardware feature to take over a thread’s execution and patches neither kernel code nor critical kernel structures, Dekel says.

Microsoft, however, does not consider the issue critical and will not release a security update for it. The researcher counters that PatchGuard is “a kernel component that should not be bypassed”: its purpose is precisely to stop code already running in the kernel from hooking structures such as the SSDT, not to prevent kernel-mode code execution, so the fact that GhostHook requires kernel privileges does not make the bypass irrelevant.

“The engineering team has finished their analysis of this report and determined that it requires the attacker already be running kernel code on the system. As such, this doesn’t meet the bar for servicing in a security update however it may be addressed in a future version of Windows. As such I’ve closed this case,” a Microsoft engineer reportedly told the researcher.

Related: App Paths Used to Bypass User Account Control in Windows 10

Related: Windows 10 Option to Block Installation of Win32 Apps

Related: SHIFT+F10 During Windows 10 Updates Can Bypass BitLocker

Written by Ionut Arghire, international correspondent for SecurityWeek.
