Security researchers have identified a sophisticated technique that allows attackers to hide malicious processes from Windows Task Manager and system monitoring tools, even on systems with Microsoft’s most advanced kernel protections enabled.
The bypass leverages legitimate Windows APIs to manipulate core data structures before integrity checks can detect tampering, circumventing both PatchGuard and Hypervisor-Protected Code Integrity (HVCI).
The technique exploits a critical timing window during process termination. When a process exits, Windows validates the integrity of the doubly linked list that tracks all active processes, a structure called ActiveProcessLinks that is embedded within each EPROCESS object.
Traditionally, rootkits have hidden processes by unlinking them from these lists. However, when the process terminates, the kernel’s PspProcessDelete function performs validation checks that detect the corrupted list structure and trigger a KERNEL_SECURITY_CHECK_FAILURE (0x139 bugcheck), immediately crashing the system and exposing the tampering attempt.
The new bypass sidesteps this detection entirely by using PsSetCreateProcessNotifyRoutineEx, a documented Microsoft API designed for legitimate monitoring purposes.
When registered, this callback receives notification of process creation and termination events including access to the EPROCESS structure of the terminating process.
The researchers discovered that by repairing the corrupted LIST_ENTRY structures within this callback, they can restore the linked lists to a valid state microseconds before PspProcessDelete’s validation runs.
Overview of Kernel Patch Protection
By the time the kernel’s integrity checks execute, the structures appear completely legitimate, allowing the process to terminate cleanly without triggering any security violation.
Even if malware compromises the kernel and gains full Ring-0 access in VTL0, it cannot dump credentials from LsaIso because those credentials physically exist in VTL1’s isolated memory space.
“The solution is remarkably simple and entirely within Microsoft’s own API design,” the researchers note. “No code modification, no hardware hacking, no hypervisor exploitation, just precise timing and knowledge of what the kernel validates.”
The implications are significant for threat actors. Process hiding remains a cornerstone technique for rootkits, advanced persistent threats, and anti-cheat evasion.
Making a process invisible to Task Manager, Process Hacker, and security monitoring tools enables attackers to achieve persistence while avoiding detection by endpoint security products that rely on process enumeration.
However, practical deployment barriers remain substantial. The technique requires kernel-mode code execution, traditionally one of the most difficult access levels to achieve on modern Windows systems.
More critically, on production systems, the attacker must either possess a legitimate code signing certificate, compromise an existing signed driver, or exploit a vulnerability in a vulnerable driver already present on the system.
Microsoft Code Integrity policies prevent unsigned or untrusted drivers from loading, creating a significant gate.
Mitigations
The researchers emphasize that HVCI itself does not prevent this technique. HVCI’s protections focus on preventing modifications to kernel code pages through Extended Page Tables (EPT), a hypervisor-enforced second layer of memory protection.
Since the bypass operates entirely on writable kernel data using documented Windows APIs, it falls outside HVCI’s defense perimeter entirely.
Mitigation strategies remain limited. Security teams should focus on driver code integrity monitoring, driver load auditing, and detecting unsigned driver loads.
Behavioral detection of suspicious process callbacks, particularly those that manipulate EPROCESS structures during termination, could identify active exploitation.
Additionally, monitoring for unexpected process termination sequences or timing anomalies may reveal instances where this technique is deployed.
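The driver-side controls above (code integrity status, signature auditing, and driver-load logging) can be checked from an administrator shell. The following PowerShell script is an added example, not part of the article or the researchers’ work; it assumes PowerShell 5.1 or later running elevated on Windows, and treats Sysmon as optional (the Sysmon query simply returns nothing if Sysmon is not installed). Event ID 7045 and Sysmon Event ID 6 are real event identifiers; the seven-day window is an arbitrary choice.

```powershell
# Added defender example (not from the article): confirm HVCI / Code Integrity enforcement,
# audit the signatures of every loaded kernel driver, and list recent driver-load events.
# Assumptions: run as Administrator; Sysmon (Event ID 6, DriverLoad) is optional.

# 1. Is virtualization-based security actually running, and is HVCI among the running services?
#    SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
[pscustomobject]@{
    VbsStatus          = $dg.VirtualizationBasedSecurityStatus   # 2 = running
    HvciRunning        = ($dg.SecurityServicesRunning -contains 2)
    CiPolicyEnforced   = $dg.CodeIntegrityPolicyEnforcementStatus # 2 = enforced
} | Format-List

# 2. Signature audit of every registered kernel driver image.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.PathName }

$report = foreach ($d in $drivers) {
    # PathName may carry \??\ or \SystemRoot\ prefixes; normalise to a Win32 path first.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Name   = $d.Name
        State  = $d.State
        Path   = $path
        Status = $sig.Status                   # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer = $sig.SignerCertificate.Subject
    }
}

# On a host with Code Integrity enforced this list should be empty; anything here needs an explanation.
"`n== Drivers whose image is not validly signed =="
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table Name, State, Status, Path -AutoSize

# Third-party signed drivers are the population to baseline (a stolen or abused certificate
# still yields Status = Valid, so the signer itself must be known and expected).
"`n== Validly signed drivers not signed by Microsoft =="
$report | Where-Object { $_.Status -eq 'Valid' -and $_.Signer -notmatch 'Microsoft' } |
    Sort-Object Signer | Format-Table Name, Signer, Path -AutoSize

# 3. Recent driver installations: Service Control Manager logs Event ID 7045 for every new
#    service, kernel drivers included ("Service Type: kernel mode driver").
$since = (Get-Date).AddDays(-7)
"`n== Kernel driver services installed in the last 7 days (System log, ID 7045) =="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'kernel mode driver' } |
    Select-Object TimeCreated, @{ n = 'Detail'; e = { (($_.Message -split "`n")[0..3] -join ' ') } } |
    Format-Table -Wrap

# 4. If Sysmon is deployed, Event ID 6 (DriverLoad) records hash and signature status at load time,
#    which catches drivers that were loaded and later removed from the service database.
"`n== Sysmon DriverLoad events with a missing or invalid signature =="
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $h = @{}
        foreach ($n in $x.Event.EventData.Data) { $h[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Image     = $h.ImageLoaded
            Signed    = $h.Signed
            Signature = $h.Signature
            Status    = $h.SignatureStatus
        }
    } |
    Where-Object { $_.Signed -ne 'true' -or $_.Status -ne 'Valid' } |
    Format-Table -AutoSize
```

The script does not detect the callback-timing trick itself, which lives entirely in kernel memory; what it does is verify the gate the article identifies as the real barrier (only signed drivers load) and give a baseline of which signers are expected, so that a newly installed third-party driver, or a known-vulnerable signed driver, stands out during review.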
The research underscores a growing reality in Windows security: as Microsoft hardens code execution paths through hypervisor-backed protections, attackers increasingly turn to data structure manipulation within legitimate APIs, a surface area far more challenging to defend.