
The method subverts core Windows kernel defenses, giving advanced threats a reliable persistence and evasion channel, and forces defenders to rethink endpoint protection strategies.
The Windows kernel has long relied on PatchGuard and Hypervisor‑Protected Code Integrity (HVCI) to safeguard critical data structures from tampering. As Microsoft hardened the code‑execution path, attackers shifted focus to the kernel’s writable data, seeking timing windows where legitimate APIs can be abused. By registering a PsSetCreateProcessNotifyRoutineEx callback, threat actors can intervene milliseconds before the PspProcessDelete routine validates the ActiveProcessLinks list, repairing any malicious modifications and allowing the process to terminate cleanly without raising a bugcheck. This approach demonstrates how deep knowledge of Windows internals can turn defensive mechanisms into stealth tools.
From a technical perspective, the technique leverages the fact that the callback receives a pointer to the terminating process’s EPROCESS object. By restoring the doubly linked LIST_ENTRY structures (the ActiveProcessLinks forward and backward pointers) inside the callback, the rootkit ensures the kernel sees a consistent process list at the moment PspProcessDelete validates it, while the process stays unlinked, and therefore invisible to Task Manager, Process Hacker, and many endpoint detection solutions, for the rest of its lifetime. Because the method modifies only writable kernel data through documented, signed APIs, it falls outside the scope of HVCI’s code‑page protections, which guard executable pages rather than data, and it needs no hypervisor manipulation. The requirement for kernel‑mode code—often achieved through a signed driver or a compromised legitimate driver—means the technique remains limited to sophisticated actors, but its potential impact on advanced persistent threats and anti‑cheat evasion is significant.
Mitigating this class of attacks demands a shift from pure code‑integrity checks to behavioral monitoring. Organizations should enforce strict driver signing policies, audit driver load events, and deploy tools that can detect anomalous process‑termination callbacks or unexpected modifications to EPROCESS structures. Additionally, integrating real‑time analytics that flag timing anomalies during process shutdown can provide early warning of exploitation. As Windows continues to reinforce code‑execution barriers, defenders must broaden their focus to include data‑structure integrity and API‑level abuse, ensuring a more resilient security posture against evolving kernel‑level threats.
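The driver‑load auditing recommended above is the one control in this list that a defender can implement with logs already available on most endpoints. The following is an added example, not code from the article: it triages Sysmon Event ID 6 (DriverLoad) records, assuming Sysmon’s field names (ImageLoaded, Hashes, Signed, Signature, SignatureStatus), and flags a load when the driver is unsigned, its signature is not valid, its signer is not on the organization’s allowlist, it loads from outside the system drivers directory, or its hash is on a blocklist of known‑abusable drivers. The allowlist, blocklist entries, hashes and event records are all constructed for the example. The flat `Key: Value|Key: Value` line format is a stand‑in for whatever your SIEM exports; only `parse_sysmon_driverload` depends on it.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for driver-load auditing.

Added example (not from the article). Assumes Sysmon-style field names
(ImageLoaded, Hashes, Signed, Signature, SignatureStatus). The allowlist,
blocklist and sample events below are constructed for illustration.
"""
from dataclasses import dataclass
import re

# Signers the organization has vetted. Hypothetical allowlist for the example.
ALLOWED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# SHA256 of drivers known to be abusable even though they are validly signed
# (the "compromised legitimate driver" case). Constructed placeholder value.
BLOCKED_SHA256 = {"d" * 64}

# Kernel drivers normally live under the system drivers directory; a load from
# ProgramData, a user profile or a temp directory deserves a closer look.
EXPECTED_DIR = re.compile(r"^c:\\windows\\system32\\drivers\\", re.IGNORECASE)


@dataclass
class Finding:
    image: str
    sha256: str
    reasons: tuple


def parse_sysmon_driverload(line):
    """Parse one constructed 'Key: Value|Key: Value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")  # split at the first colon only
        fields[key.strip()] = value.strip()
    return fields


def sha256_of(hashes_field):
    """Extract the SHA256 digest from Sysmon's 'ALGO=digest,ALGO=digest' field."""
    for item in hashes_field.split(","):
        algo, _, digest = item.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return ""


def audit_driver_load(event, allowed_signers=ALLOWED_SIGNERS, blocked=BLOCKED_SHA256):
    """Return a Finding for a suspicious driver load, or None if it looks benign."""
    reasons = []
    signed = event.get("Signed", "false").lower() == "true"
    status = event.get("SignatureStatus", "")
    signer = event.get("Signature", "")
    if not signed:
        reasons.append("unsigned")
    elif status != "Valid":
        reasons.append("signature not valid: " + (status or "?"))
    elif signer not in allowed_signers:
        reasons.append("signer not on allowlist: " + (signer or "?"))

    image = event.get("ImageLoaded", "")
    if not EXPECTED_DIR.match(image):
        reasons.append("unexpected load path")

    digest = sha256_of(event.get("Hashes", ""))
    if digest in blocked:
        reasons.append("hash on blocklist")

    if not reasons:
        return None
    return Finding(image=image, sha256=digest, reasons=tuple(reasons))


def audit_driver_loads(lines, allowed_signers=ALLOWED_SIGNERS, blocked=BLOCKED_SHA256):
    """Run the audit over an iterable of raw records; keep only the findings."""
    findings = []
    for line in lines:
        finding = audit_driver_load(parse_sysmon_driverload(line), allowed_signers, blocked)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records; paths, signers and hashes are not real drivers.
SAMPLE_EVENTS = [
    r"ImageLoaded: C:\Windows\System32\drivers\tcpip.sys|Hashes: SHA256=" + "a" * 64
    + "|Signed: true|Signature: Microsoft Windows|SignatureStatus: Valid",
    r"ImageLoaded: C:\ProgramData\updater\netfilt.sys|Hashes: SHA256=" + "b" * 64
    + "|Signed: true|Signature: Example Vendor Ltd|SignatureStatus: Valid",
    r"ImageLoaded: C:\Windows\System32\drivers\oldvendor.sys|Hashes: SHA256=" + "c" * 64
    + "|Signed: true|Signature: Old Vendor Inc|SignatureStatus: Expired",
    r"ImageLoaded: C:\Windows\System32\drivers\legit.sys|Hashes: SHA256=" + "d" * 64
    + "|Signed: true|Signature: Microsoft Windows|SignatureStatus: Valid",
]

if __name__ == "__main__":
    for f in audit_driver_loads(SAMPLE_EVENTS):
        print(f.image, "->", "; ".join(f.reasons))
```

The check order matters: a validly signed driver from a vetted signer in the expected directory passes every policy test, so the blocklist lookup is what catches the bring‑your‑own‑vulnerable‑driver case the article alludes to. Treat the allowlist as a starting point and review, rather than silently accept, any signer added to it.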