A bug in the Windows kernel dating back to Windows 2000 can be exploited to prevent security applications from detecting malicious software loaded at runtime, Bleeping Computer reported.
The problem is with the PsSetLoadImageNotifyRoutine, a feature Microsoft introduced to notify developers of newly-registered drivers.
It could also detect when a PE image was loaded into virtual memory, so antivirus software developers used the routine to detect malicious operations – such as code being loaded into the kernel or user space.
enSilo has found that the routine does not work as specified, though.
Microsoft Security Response Center was reportedly contacted about the issue, but it did not feel the bug was a security issue.
“Some references indicate the bug was somewhat known, but… its root cause and full implications weren’t described in detail up until now,” said enSilo.
Details of how PsSetLoadImageNotifyRoutine is meant to work, and how the bug alters it, are available on the enSilo blog.