Multi-processing Permits Bypass of Security Software
Matousec has recently shaken up the security software industry with a paper and demonstration showing how to bypass (or kill) security products using nothing more than user-mode code. Called KHOBE, the program turns a vulnerability theorized back in the ‘90s into a working attack by exploiting a race condition in the arguments that pass through kernel-mode hooks on the NT native API, the system call layer beneath Win32. SSDT hooking replaces entries in the System Service Descriptor Table, the kernel’s table of system call handlers, with pointers to the hooking driver’s own functions, so that driver runs “in the middle” between an application calling the API and the real service code being executed. It’s a technique used for both good (anti-virus) and evil (rootkits). The attack is a time-of-check-to-time-of-use (TOCTTOU) race: the argument structures live in the calling process’s own memory, and a second thread of that process, running in parallel on another core, rewrites them after the hook has inspected them but before the real service reads them. In essence, innocuous arguments are passed in the API call; the hook intercepts the call, checks the arguments and approves them; and before the hook forwards the call to the native API, the concurrent thread switches the arguments back into their malicious form, which is what the real service then acts on. The window between check and use is narrow, so the attacker simply repeats the call and the switch until one attempt lands. As for which security products are vulnerable to KHOBE, “the researchers said that the only reason that they found exploits in only 34 products was that they only had time to test 34 products.”
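The race described above, reduced to a runnable model in C. This is an added example, not Matousec’s KHOBE code nor any product’s hook: the argument struct, `policy_allows`, `real_nt_service` and the hook functions are invented stand-ins for a native service, its SSDT hook and the product’s policy, and the preemption window is modelled as a callback rather than a real second thread so the outcome is reproducible. The vulnerable hook checks the caller’s buffer and then hands that same buffer on; the hardened hook copies the arguments out of user memory once and only ever looks at the copy.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for the argument block a process hands to a native service
 * (think of the access mask of an NtOpenProcess call). It lives in the
 * calling process's user-mode memory, which is the whole point: another
 * thread of that process can rewrite it at any moment. Hypothetical layout. */
typedef struct {
    char     target[32];   /* what the call acts on */
    uint32_t access;       /* requested access mask */
} syscall_args_t;

#define ACCESS_BENIGN    0x0001u
#define ACCESS_DANGEROUS 0x0100u

/* Stand-in for the real native service behind the SSDT entry.
 * It records what it was actually asked to do so we can inspect it. */
static syscall_args_t g_last_real_call;

static int real_nt_service(const syscall_args_t *args) {
    g_last_real_call = *args;
    return 0;
}

/* The security product's policy: no dangerous access to "protected". */
static bool policy_allows(const syscall_args_t *a) {
    bool protected_target = strcmp(a->target, "protected") == 0;
    return !(protected_target && (a->access & ACCESS_DANGEROUS));
}

/* The preemption window. In the real attack this is where the attacker's
 * second thread (ideally on another core) runs; here it is a callback so
 * the race outcome is deterministic and testable. */
typedef void (*preempt_fn)(syscall_args_t *user_args);

/* Vulnerable hook: validates the caller's buffer in place, then hands the
 * very same buffer to the real service. Check and use read user memory twice. */
static int hooked_service_vulnerable(syscall_args_t *user_args, preempt_fn preempt) {
    if (!policy_allows(user_args))          /* time of check */
        return -1;
    if (preempt)
        preempt(user_args);                 /* attacker's thread gets scheduled */
    return real_nt_service(user_args);      /* time of use: re-reads user memory */
}

/* Hardened hook: copy the arguments out of user memory exactly once, then
 * check and use that private copy. Rewriting the caller's buffer afterwards
 * changes nothing the hook or the real service will look at. */
static int hooked_service_hardened(syscall_args_t *user_args, preempt_fn preempt) {
    syscall_args_t captured = *user_args;   /* single copy-in */
    if (!policy_allows(&captured))
        return -1;
    if (preempt)
        preempt(user_args);                 /* too late: user_args is never read again */
    return real_nt_service(&captured);
}

/* Attacker's concurrent thread: flip the argument to its malicious value. */
static void attacker_switch(syscall_args_t *user_args) {
    user_args->access = ACCESS_DANGEROUS;
}

/* One attack attempt against a given hook. Returns true if the real service
 * ended up performing the dangerous operation on the protected target. */
static bool attack_succeeds(int (*hook)(syscall_args_t *, preempt_fn)) {
    syscall_args_t args;
    memset(&g_last_real_call, 0, sizeof g_last_real_call);
    memset(&args, 0, sizeof args);
    strcpy(args.target, "protected");
    args.access = ACCESS_BENIGN;            /* innocuous at time of check */
    int rc = hook(&args, attacker_switch);
    return rc == 0 &&
           strcmp(g_last_real_call.target, "protected") == 0 &&
           (g_last_real_call.access & ACCESS_DANGEROUS) != 0;
}

/* Sanity check without a race: a plainly malicious call must be refused. */
static bool direct_attempt_blocked(int (*hook)(syscall_args_t *, preempt_fn)) {
    syscall_args_t args;
    memset(&args, 0, sizeof args);
    strcpy(args.target, "protected");
    args.access = ACCESS_DANGEROUS;
    return hook(&args, NULL) == -1;
}

int main(void) {
    printf("vulnerable hook, direct malicious call blocked: %s\n",
           direct_attempt_blocked(hooked_service_vulnerable) ? "yes" : "no");
    printf("vulnerable hook, argument-switch race succeeds:  %s\n",
           attack_succeeds(hooked_service_vulnerable) ? "yes" : "no");
    printf("hardened hook,   argument-switch race succeeds:  %s\n",
           attack_succeeds(hooked_service_hardened) ? "yes" : "no");
    return 0;
}
```

Both hooks refuse a plainly malicious call; only the vulnerable one lets the switched arguments through. In a real kernel the copy-in is not the whole fix: the hook must read user memory defensively (it can be unmapped or change under it), and native services called on behalf of a user-mode caller probe their pointer arguments and reject kernel addresses, so a hooking driver cannot simply forward a kernel-resident copy to the original service. That is a large part of why this class of bug is awkward for third-party hooks to fix properly.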
TOCTTOU by Anonymous
http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use
(too lazy to login btw)