Persistent BIOS Infection

•Descargar como ODP, PDF•

2 recomendaciones•992 vistas

guest042636

Tecnología

“ The early bird catches the worm ” CORE SECURITY TECHNOLOGIES © 200 9 Anibal L. Sacco (Ssr Exploit writer) Alfredo A. Ortega (Ssr Exploit writer) Persistent BIOS Infection

Introduction ,[object Object],[object Object]

A little bit of history: Commonly used persistency methods: ,[object Object]

Kernel mode backdoor How can this be done more effectively?

Más contenido relacionado

La actualidad más candente

TUGAS MEMBUAT PRESENTASI TENTANG SPEC KOMPUTER DAN SMARTPHONEdede abdulah

Spec00315guesta6dbd5

Advanced Root Cause AnalysisEric Sloof

Analisis_avanzado_vmwarevirtualizacionTV

Highload осень 2012 лекция 2Technopark

Tr15 1332teknikito

ChangesYhorledy Cardenas

Exor epc 0036_Spec SheetElectromate

MotherboardCma Mohd

Ict - Motherboardaleeya91

La2 MotherboardCma Mohd

SCADA StrangeLove 2: We already knowqqlan

Network DocsSify Technologies

Aditech innodisk-flash disk technologyVilas Fulsundar

EMC Data Storage Systemswebmaster-ibremarketing

P4i45 gv r5rodanteg

Hardware Management ModuleAero Plane

La actualidad más candente (17)

TUGAS MEMBUAT PRESENTASI TENTANG SPEC KOMPUTER DAN SMARTPHONE

Spec00315

Advanced Root Cause Analysis

Analisis_avanzado_vmware

Highload осень 2012 лекция 2

Tr15 1332

Changes

Exor epc 0036_Spec Sheet

Motherboard

Ict - Motherboard

La2 Motherboard

SCADA StrangeLove 2: We already know

Network Docs

Aditech innodisk-flash disk technology

EMC Data Storage Systems

P4i45 gv r5

Hardware Management Module

Similar a Persistent BIOS Infection

Windows Debugging with WinDbgArno Huetter

Bootkits: past, present & futureAlex Matrosov

Troubleshooting Linux Kernel Modules And Device DriversSatpal Parmar

Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Jagadisha Maiya

2020-ntn-vsphere_performance_principles_bondzio.pdfPhmNgcTr3

BIOS, Linux and Firmware Test Suite in-betweenAlex Hung

Eclipse Edje: A Java API for MicrocontrollersMicroEJ

BMCArmor: A Hardware Protection Scheme for Bare-metal CloudsShinagawa Laboratory, The University of Tokyo

BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing BlueHat Security Conference

Dx diagRonnie Lingafelter

operating and configuring cisco a cisco IOS devicescooby_doo

Developing a Windows CE OAL.pptKundanSingh887495

Information Gathering 2Aero Plane

44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON

Cisco IOS shellcode: All-in-oneDefconRussia

bios.docxSUBIRKUMARPANDA1

Bootkits: Past, Present & Future - Virus BulletinESET

Linux kernel debugging(PDF format)yang firo

Linux kernel debugging(ODP format)yang firo

SiliconFailsafeForIoT_DoinJonny Doin

Similar a Persistent BIOS Infection (20)

Windows Debugging with WinDbg

Bootkits: past, present & future

Troubleshooting Linux Kernel Modules And Device Drivers

Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1

2020-ntn-vsphere_performance_principles_bondzio.pdf

BIOS, Linux and Firmware Test Suite in-between

Eclipse Edje: A Java API for Microcontrollers

BMCArmor: A Hardware Protection Scheme for Bare-metal Clouds

BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing

Dx diag

operating and configuring cisco a cisco IOS device

Developing a Windows CE OAL.ppt

Information Gathering 2

44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root

Cisco IOS shellcode: All-in-one

bios.docx

Bootkits: Past, Present & Future - Virus Bulletin

Linux kernel debugging(PDF format)

Linux kernel debugging(ODP format)

SiliconFailsafeForIoT_Doin

Último

Manulife - Insurer Transformation Award 2024The Digital Insurer

Automating Google Workspace (GWS) & more with Apps Scriptwesley chun

Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services

presentation ICT roal in 21st century educationjfdjdjcjdnsjd

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays

Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun

Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10

Corporate and higher education May webinar.pptxRustici Software

Architecting Cloud Native ApplicationsWSO2

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz

How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software

Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2

Persistent BIOS Infection

1. “ The early bird catches the worm ” CORE SECURITY TECHNOLOGIES © 200 9 Anibal L. Sacco (Ssr Exploit writer) Alfredo A. Ortega (Ssr Exploit writer) Persistent BIOS Infection

3. A bit of history

4. A better choice

5. What is the BIOS

6. BIOS Structure

7. How it works

8. Update/flashing process

9. A Simple way to patch BIOS

10. Where to patch

11. What can be done

12. Shellcodes

13. Virtual machine demo

14. Real hardware demo

15.

16. Rootkit(ish) behavior

17. OS independant

18.

19. Kernel mode backdoor How can this be done more effectively?

20.

21. Stealth behavior

22. Generally forgotten by almost all Antiviruses

23. OS Independant (Runs outside the OS context)‏

24.

25. Boot firmware

26. Hardware initialization (RAM, North Bridge, etc.)

27. Size: 256 Kb and bigger

28. C ommonly stored on EEPROM or flash memory

29.

30. Each module has an 8 bit checksum

31.

32.

33. +------------------------------------------------------------------------------+ | Class.Instance (Name) Packed ---> Expanded Compression Offset | +------------------------------------------------------------------------------+ B.03 ( BIOSCODE) 06DAF (28079) => 093F0 ( 37872) LZINT ( 74%) 446DFh B.02 ( BIOSCODE) 05B87 (23431) => 087A4 ( 34724) LZINT ( 67%) 4B4A9h B.01 ( BIOSCODE) 05A36 (23094) => 080E0 ( 32992) LZINT ( 69%) 5104Bh C.00 ( UPDATE) 03010 (12304) => 03010 ( 12304) NONE (100%) 5CFDFh X.01 ( ROMEXEC) 01110 (04368) => 01110 ( 4368) NONE (100%) 6000Ah T.00 ( TEMPLATE) 02476 (09334) => 055E0 ( 21984) LZINT ( 42%) 63D78h S.00 ( STRINGS) 020AC (08364) => 047EA ( 18410) LZINT ( 45%) 66209h E.00 ( SETUP) 03AE6 (15078) => 09058 ( 36952) LZINT ( 40%) 682D0h M.00 ( MISER) 03095 (12437) => 046D0 ( 18128) LZINT ( 68%) 6BDD1h L.01 ( LOGO) 01A23 (06691) => 246B2 (149170) LZINT ( 4%) 6EE81h L.00 ( LOGO) 00500 (01280) => 03752 ( 14162) LZINT ( 9%) 708BFh X.00 ( ROMEXEC) 06A6C (27244) => 06A6C ( 27244) NONE (100%) 70DDAh B.00 ( BIOSCODE) 001DD (00477) => 0D740 ( 55104) LZINT ( 0%) 77862h *.00 ( TCPA_*) 00004 (00004) => 00004 ( 004) NONE (100%) 77A5Ah D.00 ( DISPLAY) 00AF1 (02801) => 00FE0 ( 4064) LZINT ( 68%) 77A79h G.00 ( DECOMPCODE) 006D6 (01750) => 006D6 ( 1750) NONE (100%) 78585h A.01 ( ACPI) 0005B (00091) => 00074 ( 116) LZINT ( 78%) 78C76h A.00 ( ACPI) 012FE (04862) => 0437C ( 17276) LZINT ( 28%) 78CECh B.00 ( BIOSCODE) 00BD0 (03024) => 00BD0 ( 3024) NONE (100%) 7D6AAh

34.

35. The Bootblock POST (Power On Self Test) initialization routine is executed.

36. Decompression routine is called and every module is executed.

37. Initializes PCI ROMs.

38. Loads bootloader from hard-disk and executes it.

39. BIOS Memory Map

40.

41. Vendors provide perodic updates to add new features and fix bugs. They also provides it's own tools to flash from DOS, windows, and even from ActiveX!

42. BIOS update procedure depends on South-Bridge and chip used.

43. CoreBOOT project provides a generic BIOS flashing tool: flashrom, that supports most motherboard/chip combination.

44.

45. Any modification leads to an unbootable system.

46.

47.

48. 2) Patch and compensate

49. 3) Re-flash

50.

51. INT 0x19: Exected before booting

52.

53. Located easily by pattern matching Almost never change Called multiple times during boot

54.

55. Memory Manager (PMM)‏

56. network access (PXE, Julien Vanegue technique)‏

57.

58. 2) Code injection on windows binaries

59.

60. We use BIOS services for everything

61. Easy to debug: BIOS execution enviroment can be emulated running the code as a COM file over DOS

62.

63. 3) Runs

64. Hook schema

65.

66.

67.

68. Extensively used BIOS

69. Using the VGA ROM signature as ready-signal.

70. No debug allowed here, all was done by Reverse-Engineering and later, Int 10h (Not even printf!)

71. Injector tool is a 100-line python script!

72.

73. PCI device placement (Modems, VGA, Ethernet and RAID controllers)‏

74. The ultimate BIOS rootkit...

75. Thank you for your attention!

Persistent BIOS Infection

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (17)

Similar a Persistent BIOS Infection

Similar a Persistent BIOS Infection (20)

Último

Último (20)

Persistent BIOS Infection