Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Windows Kernel Bug Hinders Malware Detection: Researchers

Windows Kernel Bug Has Existed Since Windows 2000, Researchers Say

A kernel bug that impacts Windows versions released over the past decade and a half remains unpatched, enSilo security researchers claim.

Windows Kernel Bug Has Existed Since Windows 2000, Researchers Say

A kernel bug that impacts Windows versions released over the past decade and a half remains unpatched, enSilo security researchers claim.

The security researchers claim to have discovered a Windows kernel bug created as the result of a programming error and which prevents security vendors from identifying modules that have been loaded at runtime.

The issue, they say, impacts PsSetLoadImageNotifyRoutine, a function that should notify of module loading. However, the researchers discovered that, “after registering a notification routine for loaded PE images with the kernel, the callback may receive invalid image names.”

The issue, they say, affected recent Windows 10 releases, as well as past versions of the operating system, all the way back to Windows 2000. PsSetLoadImageNotifyRoutine was introduced in that platform iteration as a mechanism to notify “registered drivers from various parts in the kernel when a PE image file has been loaded to virtual memory (kerneluser space).”

When invoking the registered notification routine, the kernel supplies a series of parameters that enable the proper identification of the PE image being loaded. These parameters are included in the prototype definition of the callback function.

While Microsoft recommends the use of a file-system mini-filter callback for monitoring PEs that are loaded to memory as executable code, the researchers argue that this method can’t be used to “determine whether the section object is being created for the loading of a PE image or not.”

The enSilo researchers explain that the parameter that can effectively identify the loaded PE file is the FullImageName parameter, but also note that the kernel uses a different format for FullImageName and that paths provided for some dynamically loaded user-mode PEs are missing the volume name. Furthermore, the path is completely malformed in some instances, even pointing to a different or non-existing file, they say.

While digging deeper into the issue, the researchers eventually came to the conclusion that the Cache Manager was responsible for the errors they received. “What seems to be caching behavior, along with the way the file-system driver maintains the file name and a severe coding error is what ultimately causes the invalid name issue,” the security researchers say.

They also note that most of the analysis was performed on an x86 system running Windows 7 Service Pack 1 with the latest patches and updates installed. They also verified the findings on Windows XP SP3, Windows 7 SP1 x64, Windows 10 Anniversary Update (Redstone) both x86 and x64, all fully patched and updated.

Udi Yavo, co-founder and CTO at enSilo, confirmed to SecurityWeek that they reported their findings to Microsoft in January this year, but also revealed that the tech giant doesn’t consider this to be a security issue.

“This bug has security implications on security vendors that rely on Microsoft documentation when using the API in order to monitor loaded files. Since there is no documentation of the bug and no formal workaround this can potentially cause security vendors to miss malware. We are not aware of any intention to create a fix to this,” Yavo said.

Related: GhostHook Attack Can Bypass Windows 10’s PatchGuard

Related: Google Researchers Find “Worst” Windows RCE Flaw

Related: Windows, macOS Hacked at Pwn2Own 2017

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.