[SAFE-ID: JIWO-2024-602]   Author: ecawen   Published: [2017-09-10]

Researchers at the security vendor enSilo have discovered a Windows kernel flaw: PsSetLoadImageNotifyRoutine is used by antivirus (AV) products to check whether malware is present in memory, and once abused by malicious code it can be used to deceive defensive solutions. Microsoft's response was that its engineers reviewed the information and determined that it does not pose a security threat, and that they do not plan to address it with a security update. [Source: jiwo.org]

A design flaw in the Windows kernel can prevent antivirus software from recognizing malware, and the bad news is that Microsoft won't fix it, because the company does not consider it a security issue.

The vulnerability was discovered a few days ago by security researcher Omri Misgav of enSilo. It affects the kernel routine PsSetLoadImageNotifyRoutine, which is still present in the latest builds of Microsoft operating systems.

“During research into the Windows kernel, we came across an interesting issue with PsSetLoadImageNotifyRoutine which, as its name implies, notifies of module loading,” Misgav wrote in a blog post.

[Figure: Microsoft kernel issue PsSetLoadImageNotifyRoutine]

PsSetLoadImageNotifyRoutine is also used by antivirus products to check for malware in memory, but the flaw can be abused to deceive such defenses.

“The thing is, after registering a notification routine for loaded PE images with the kernel, the callback may receive invalid image names. After digging into the matter, what started as a seemingly random issue proved to originate from a coding error in the Windows kernel itself,” the analysis continues.

The mechanism notifies registered drivers when a PE image file has been loaded into virtual memory (kernel or user space).

The notification routine could be invoked in the following cases:

  • Loading drivers
  • Starting new processes
    • Process executable image
    • System DLL: ntdll.dll (2 different binaries for WoW64 processes)
  • Runtime-loaded PE images: import table, LoadLibrary, LoadLibraryEx, NtMapViewOfSection.

The flaw could be exploited by malware to hand the antivirus benign executables to inspect rather than its malicious code.

enSilo reported the issue to Microsoft, and this was the reply:

“Our engineers reviewed the information and determined this does not pose a security threat and we do not plan to address it with a security update.”
