New Attack Bypasses Microsoft’s Code Integrity Guard

Morphisec security researchers warn of a newly discovered attack vector that allows attackers to bypass Microsoft’s Code Integrity Guard (CIG) in order to load malicious libraries into protected processes.

Dubbed CIGslip, the technique abuses the way CIG's checks are performed, bypassing its controls without injecting unsigned image code pages into memory. Because it leaves a low footprint on the targeted system and is likely to go unnoticed, the researchers consider its damage potential high.

The security researchers reported their findings to Microsoft along with a proof-of-concept, but the software giant responded that the technique falls outside the scope of CIG. As a result, Morphisec believes that “Windows users are vulnerable in multiple ways.”

“The attack POC takes advantage of a non-CIG enabled process, which is the most popular form of process on Windows, in order to sneak into a CIG-enabled target process, and uses it as an entry point to load any kind of DLL, including a malicious one,” the researchers say.

By abusing CIGslip, an attacker could plant browser malware or adware, Morphisec claims. The company also argues that CIG makes it difficult for third-party security solutions to defend CIG-protected processes, since those solutions cannot load their own DLLs into such processes unless the DLLs are Microsoft-signed.

Introduced in Windows 10 as an improved protection for Microsoft Edge, CIG prevents the “injection of DLLs into the browser unless they are Windows components or signed device drivers.”

According to Morphisec, the mechanism is effective at blocking malware and adware already present on the computer, but it also makes it “harder for third party security vendors to apply runtime protection for any CIG protected processes.”

Until now, compromising a CIG-protected process required reflective, memory-based injection, which works against CIG-protected processes because reflective loading writes the DLL's code into memory by hand rather than mapping an image section from disk, which is what CIG verifies. That technique, however, can generally be detected, and Microsoft does not consider it within the scope of its bounty programs.

According to Morphisec, however, CIG can be bypassed without any in-memory injection of unsigned image code pages. The newly discovered method, the security firm says, mimics the natural Windows loading of a DLL from disk.

The technique assumes that the attacker can run a non-CIG-protected process on the machine, which is realistic given that “there is no feasible way to protect all processes with CIG.” A CIG-protected process can itself spawn non-CIG-protected processes, so the attacker starts from the unprotected process and injects “backward” into the protected one, aiming to bypass “the CIG verification during the section create in the target process.”

“In order to detour the code integrity verification, we would need to hijack the control when the section is created within the targeted process,” Morphisec notes.

Section handles refer to kernel-managed objects and can be duplicated between processes, the researchers explain. Thus, a “section that correlated to a non-signed DLL could be created within the context of the malicious process and then duplicated into the target process.”

Injecting a malicious, unsigned DLL into the target process therefore comes down to hooking the section-creation call (NtCreateSection) inside the target process so that it returns the duplicated section handle instead of creating a new section. Because the handle refers to a section that already exists, created under the unprotected process's lax policy, the verification step passes and the target process maps the DLL's code pages into its memory through the ordinary loader path.

“The risks inherent in this new technique, which can be used or is possibly in use already, are high as the attack has very low footprint on the system and will go undetected by almost all security mechanisms,” Morphisec says.
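A practitioner-side check that follows from two points above (not every process can carry CIG, and a CIGslipped DLL arrives through the normal loader path from disk, so it shows up in the process's module list like any other DLL): enumerate the running processes that actually have CIG enabled and, for each, list loaded modules that are not Microsoft-signed. This is an added PowerShell example, not code from Morphisec's proof-of-concept or from Microsoft. It assumes Windows 10 1709 or later with the ProcessMitigations module, an elevated shell, and that Get-ProcessMitigation exposes the CIG setting under SignedBinaries.MicrosoftSignedOnly (assumed property path).

```powershell
# Added example (not Morphisec's or Microsoft's code): inventory which running
# processes have CIG enabled and list DLLs mapped into them that are not
# Microsoft-signed. Assumes Windows 10 1709+ with the ProcessMitigations module,
# an elevated shell, and that Get-ProcessMitigation reports CIG under the
# property path .SignedBinaries.MicrosoftSignedOnly (assumed).

function Get-CigProtectedProcesses {
    # Returns the running processes whose binary-signature policy is ON.
    foreach ($p in Get-Process) {
        try {
            $m = Get-ProcessMitigation -Id $p.Id -ErrorAction Stop
        } catch {
            continue   # protected or system processes we cannot open
        }
        if ("$($m.SignedBinaries.MicrosoftSignedOnly)" -eq 'ON') {
            $p
        }
    }
}

function Get-SuspectModules {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)
    # A module with a missing, invalid, or non-Microsoft signature inside a
    # CIG-enabled process is worth a look. WHQL-signed vendor DLLs are a
    # possible legitimate exception, so treat hits as leads, not verdicts.
    try { $modules = $Process.Modules } catch { return }   # 32/64-bit mismatch or access denied
    foreach ($mod in $modules) {
        $sig = Get-AuthenticodeSignature -FilePath $mod.FileName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        if ($sig.Status -ne 'Valid' -or $subject -notmatch 'Microsoft') {
            [pscustomobject]@{
                ProcessName = $Process.ProcessName
                Pid         = $Process.Id
                Module      = $mod.FileName
                SigStatus   = $sig.Status
                Signer      = $subject
            }
        }
    }
}

# Usage: count CIG-enabled processes, then list any module in them that is not Microsoft-signed.
$cigProcs = @(Get-CigProtectedProcesses)
"{0} of {1} running processes have CIG enabled" -f $cigProcs.Count, @(Get-Process).Count
$cigProcs | ForEach-Object { Get-SuspectModules -Process $_ } | Format-Table -AutoSize
```

The first number is usually small, which is the gap the technique relies on. CIG can be switched on for additional binaries with Set-ProcessMitigation -Name <exe> -Enable MicrosoftSignedOnly, but any non-Microsoft DLL the application legitimately loads will then fail to load, which is why it cannot simply be applied everywhere.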

Related: Windows 10 Boosts Protections Against Code Injection Attacks

Related: Microsoft Blocks Unauthorized Code Injection in Edge

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
