PoC published for new Microsoft PatchGuard (KPP) bypass

A security researcher has discovered a bug in PatchGuard––a crucial Windows security feature––that can allow threat actors to load unsigned (malicious) code into the Windows operating system kernel.

Discovered by Japanese researcher Kento Oki, the issue remains unfixed.

In an email last week, Kento told The Record he did not report the bug to Microsoft because the company previously ignored three other PatchGuard bypasses discovered in the past years and knew the company wouldn't be rushing to fix it.

What is PatchGuard

Officially known as Microsoft Kernel Patch Protection (KPP) but more commonly known as PatchGuard, this security feature made its way into the Windows OS in 2005, when Microsoft launched the 64-bit editions of Windows XP Professional and Windows Server 2003.

Since then, all 64-bit versions of Windows come with PatchGuard support, and the feature is now a foundational stone in the security of the Windows ecosystem.

However, when it was released in 2005, PatchGuard was an innovative solution as it was the first security feature developed to prevent "kernel patching."

Referring to a programming technique, kernel patching is where low-level apps tap into the core of the Windows OS, known as the kernel, and modify its structure to allow the app to run its operations with the highest level of privileges, known as kernel mode.

The technique was in vogue in the early 2000s and was abused by both good guys, such as antivirus makers, but also bad guys, such as adware and rootkit developers.

But when it released its first 64-bit OS versions, Microsoft decided to stomp on this tactic and took the opportunity to add a series of checks and defenses to the kernel, which eventually became known as KPP or PatchGuard.

PatchGuard bypasses and the Microsoft reporting conundrum

Today, PatchGuard is just one of an entire arsenal of security features that makes hacking Windows operating systems much harder, and especially Windows 10.

However, across the years, security researchers also discovered ways to bypass PatchGuard and patch the kernel with unauthorized code.

Techniques like GhostHook, InfinityHook, and ByePg were disclosed in 2017 and 2019, all allowing threat actors a slip through the PatchGuard cracks and tap into the kernel via a legitimate function and then modify its internal structure.

The latest of these is Kento's bypass, which the researcher detailed in a blog post earlier this month when he also released proof-of-concept (PoC) code on GitHub to reproduce his findings.

As Jesse Michael, Principal Researcher at Eclypsium, told The Record in an email, the PoC is not dangerous, as it only crashes a Windows 10 system.

However, in an email, Kento told The Record that the technique itself is weaponizable and could be abused in attacks.

"Yes, this is weaponizable when the malware wants to register a callback routine function that mapped in their unsigned code kernel virtual address, that usually not possible at all with legitimate ways," the researcher told us.

"At the weaponizable scenario, the malware must have already in control, but that does not mean this bypass is useless," Kento added.

His latest remarks refer to the fact that his bypass technique, along with the three previous PatchGuard bypasses, all require that the attacker's code runs with admin privileges, so it can perform the illicit kernel patch.

This requirement is what made Microsoft ignore all the three previous reports, with the company arguing that once an attacker has admin rights on a Windows system, it is game over, and any attack escalation is possible.

However, while Microsoft is usually right when it comes to this explanation, researchers argued that this should not be a valid counterpoint for PatchGuard bypasses, as PatchGuard was designed to prevent even high-privileged processes from patching the kernel.

Nevertheless, despite their past arguments, Microsoft did not budge and even today, the company does not consider PatchGuard bypasses as security flaws but rather as mundane code bugs.

But while Microsoft did eventually patch the three PatchGuard bypasses months after they became public, years later, their classification of PatchGuard bypasses as a security non-issue is now having repercussions.

For example, this has dissuaded researchers like Kento from reporting these issues to Microsoft's bug bounty program and is the reason why the Japanese researcher published the bug on his blog without even attempting to report it to Microsoft.

This code can now be weaponized and added to active malware strains as a way for those malware families to gain even more dangerous features and the ability to plant rootkits to improve the efficacy of their attacks.

Although Michael told The Record that Microsoft still values PatchGuard and is committed to fixing these flaws, the OS maker has historically ignored bug reports like these, which has led to situations where a PatchGuard bypass is now broadly available in the public domain––again.

Nevertheless, Michael also downplayed the disclosure of this bug.

"It's something to be aware of, and updates to fix this should be applied when they're available, but not something to lose sleep over," he said. "This isn't a mechanism to initially get code execution on the device and requires code running with admin privileges to exploit this issue."