The enSilo security researchers warn that a kernel bug which has been impacting Windows systems over the past decade and a half, has remained unpatched.
According to the experts, the kernel bug has appeared as a result of a programming error and it prevents security vendors from identifying modules which have been loaded at runtime.
The researchers claim that this issue impacts the PsSetLoadImageNotifyRoutine function which should notify of module loading. Nevertheless, the experts found that, “after registering a notification routine for loaded PE images with the kernel, the callback may receive invalid image names.”
According to the researchers, the kernel bug has affected recent Windows 10 releases, as well as older versions of the operating system all the way back to Windows 2000.
The PsSetLoadImageNotifyRoutine function was presented as a mechanism for notifying “registered drivers from different parts in the kernel when a PE image file has been loaded to virtual memory (kernel\user space).”
After invoking the registered notification routine, the kernel supplies a series of parameters that enable the proper identification of the PE image being loaded. These parameters are featured in the prototype definition of the callback function.
To solve the issue, Microsoft recommends using of a file-system mini-filter callback for monitoring PEs which are loaded to memory as executable code, however, the security experts argue that this method can’t be used to “determine whether the section object is being created for the loading of a PE image or not.”
According to the enSilo experts, the parameter which is capable of identifying the loaded PE file is the FullImageName parameter, though, the kernel uses a different format for FullImageName and the paths provided for some dynamically loaded user-mode PEs are missing the volume name. Besides, in some instances, the path is completely malformed, pointing to a different or non-existing file.
The co-founder and CTO of enSilo Udi Yavo, confirmed that they reported their findings to Microsoft in January this year, but the corporation didn’t consider this as a security issue.
