Persistent BIOS Infection
"The early bird catches the worm"
CORE SECURITY TECHNOLOGIES © 2009
Anibal L. Sacco (Ssr Exploit writer), Alfredo A. Ortega (Ssr Exploit writer)
Persistent BIOS Infection

A bit of history
A better choice
What is the BIOS
BIOS structure
How it works
Update/flashing process
A simple way to patch BIOS
Where to patch
What can be done
Shellcodes
Virtual machine demo
Real hardware demo

Rootkit(ish) behavior
OS independent

Kernel mode backdoor
How can this be done more effectively?

Stealth behavior
Generally forgotten by almost all antiviruses
OS independent (runs outside the OS context)

Boot firmware
Hardware initialization (RAM, North Bridge, etc.)
Size: 256 Kb and bigger
Commonly stored on EEPROM or flash memory

Each module has an 8-bit checksum

+--------------------------------------------------------------------------+
| Class.Instance (Name)  Packed         --->  Expanded      Compression  Offset |
+--------------------------------------------------------------------------+
  B.03 (BIOSCODE)    06DAF (28079) => 093F0 ( 37872)  LZINT ( 74%)  446DFh
  B.02 (BIOSCODE)    05B87 (23431) => 087A4 ( 34724)  LZINT ( 67%)  4B4A9h
  B.01 (BIOSCODE)    05A36 (23094) => 080E0 ( 32992)  LZINT ( 69%)  5104Bh
  C.00 (UPDATE)      03010 (12304) => 03010 ( 12304)  NONE  (100%)  5CFDFh
  X.01 (ROMEXEC)     01110 (04368) => 01110 (  4368)  NONE  (100%)  6000Ah
  T.00 (TEMPLATE)    02476 (09334) => 055E0 ( 21984)  LZINT ( 42%)  63D78h
  S.00 (STRINGS)     020AC (08364) => 047EA ( 18410)  LZINT ( 45%)  66209h
  E.00 (SETUP)       03AE6 (15078) => 09058 ( 36952)  LZINT ( 40%)  682D0h
  M.00 (MISER)       03095 (12437) => 046D0 ( 18128)  LZINT ( 68%)  6BDD1h
  L.01 (LOGO)        01A23 (06691) => 246B2 (149170)  LZINT (  4%)  6EE81h
  L.00 (LOGO)        00500 (01280) => 03752 ( 14162)  LZINT (  9%)  708BFh
  X.00 (ROMEXEC)     06A6C (27244) => 06A6C ( 27244)  NONE  (100%)  70DDAh
  B.00 (BIOSCODE)    001DD (00477) => 0D740 ( 55104)  LZINT (  0%)  77862h
  *.00 (TCPA_*)      00004 (00004) => 00004 (   004)  NONE  (100%)  77A5Ah
  D.00 (DISPLAY)     00AF1 (02801) => 00FE0 (  4064)  LZINT ( 68%)  77A79h
  G.00 (DECOMPCODE)  006D6 (01750) => 006D6 (  1750)  NONE  (100%)  78585h
  A.01 (ACPI)        0005B (00091) => 00074 (   116)  LZINT ( 78%)  78C76h
  A.00 (ACPI)        012FE (04862) => 0437C ( 17276)  LZINT ( 28%)  78CECh
  B.00 (BIOSCODE)    00BD0 (03024) => 00BD0 (  3024)  NONE  (100%)  7D6AAh

The Bootblock POST (Power On Self Test) initialization routine is executed.
The decompression routine is called and every module is executed.
Initializes PCI ROMs.
Loads the bootloader from the hard disk and executes it.

BIOS Memory Map

Vendors provide periodic updates to add new features and fix bugs. They also provide their own tools to flash from DOS, Windows, and even from ActiveX!
The BIOS update procedure depends on the South Bridge and the chip used.
The CoreBOOT project provides a generic BIOS flashing tool, flashrom, that supports most motherboard/chip combinations.

Any modification leads to an unbootable system.

2) Patch and compensate
3) Re-flash

INT 0x19: Executed before booting

Located easily by pattern matching
Almost never changes
Called multiple times during boot

Memory Manager (PMM)
Network access (PXE, Julien Vanegue technique)

2) Code injection on Windows binaries

We use BIOS services for everything
Easy to debug: the BIOS execution environment can be emulated by running the code as a COM file over DOS

3) Runs
Hook schema

Extensively used BIOS
Using the VGA ROM signature as ready-signal.
No debug allowed here; all was done by reverse engineering and later, Int 10h (not even printf!)
The injector tool is a 100-line Python script!

PCI device placement (modems, VGA, Ethernet and RAID controllers)
The ultimate BIOS rootkit...
Thank you for your attention!