Windows kernel bug could spoof malware from security software

Posted on Friday, September 08 2017 @ 10:08 CEST by Thomas De Maesschalck
MS logo
enSilo researchers discovered a vulnerability in the Windows kernel that could potentially be abused to hide malware from certain strains of security software. The vulnerability is present in all versions of Windows since Windows 2000 and affects PsSetLoadImageNotifyRoutine, a low-level mechanism that is used by some security tools to verify code that's been loaded into the kernel or user space.

By changing the value that is returned by PsSetLoadImageNotifyRoutine, attackers can hide malware from security software that relies on this operation. The security researchers got in touch with Microsoft but got to hear that the software giant doesn't deem this as a security issue. Presumably, the software giant never intended this feature to be used this way.
Microsoft introduced the PsSetLoadImageNotifyRoutine notification mechanism as a way to programmatically notify app developers of newly registered drivers. Because the system could also detect when a PE image was loaded into virtual memory, the mechanism was also integrated with antivirus software as a way to detect some types of malicious operations.


“We did not test any specific security software,” Misgav told Bleeping Computer via email. “We are aware that some vendors do use this mechanism, however at this point in time we cannot say if and how the use of the faulty [PsSetLoadImageNotifyRoutine] information affects them.”
Source: Bleeping Computer

About the Author

Thomas De Maesschalck

Thomas has been messing with computer since early childhood and firmly believes the Internet is the best thing since sliced bread. Enjoys playing with new tech, is fascinated by science, and passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.

Loading Comments