“ The early bird catches the worm ” CORE SECURITY TECHNOLOGIES © 200 9 Anibal L. Sacco (Ssr Exploit writer) Alfredo A. Ort...
Agenda <ul><li>Introduction
A bit of history
A better choice
What is the BIOS
BIOS Structure
How it works
Update/flashing process
A Simple way to patch BIOS
Where to patch
What can be done
Shellcodes
Virtual machine demo
Real hardware demo </li></ul>
Introduction <ul><li>Practical approach to generic & reliable BIOS code injection </li></ul><ul><li>True Persistency
Rootkit(ish) behavior
OS independant </li></ul>
A little bit of history: Commonly used persistency methods: <ul><li>User mode backdoor
Kernel mode backdoor </li></ul>How can this be done more effectively?
Upcoming SlideShare
Loading in...5
×

Persistent Bios Infection

1,426

Published on

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,426
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
21
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Persistent Bios Infection

  1. 1. “ The early bird catches the worm ” CORE SECURITY TECHNOLOGIES © 200 9 Anibal L. Sacco (Ssr Exploit writer) Alfredo A. Ortega (Ssr Exploit writer) Persistent BIOS Infection
  2. 2. Agenda <ul><li>Introduction
  3. 3. A bit of history
  4. 4. A better choice
  5. 5. What is the BIOS
  6. 6. BIOS Structure
  7. 7. How it works
  8. 8. Update/flashing process
  9. 9. A Simple way to patch BIOS
  10. 10. Where to patch
  11. 11. What can be done
  12. 12. Shellcodes
  13. 13. Virtual machine demo
  14. 14. Real hardware demo </li></ul>
  15. 15. Introduction <ul><li>Practical approach to generic & reliable BIOS code injection </li></ul><ul><li>True Persistency
  16. 16. Rootkit(ish) behavior
  17. 17. OS independant </li></ul>
  18. 18. A little bit of history: Commonly used persistency methods: <ul><li>User mode backdoor
  19. 19. Kernel mode backdoor </li></ul>How can this be done more effectively?
  20. 20. BIOS Level backdoor: <ul><li>Takes control before any other software
  21. 21. Stealth behavior
  22. 22. Generally forgotten by almost all Antiviruses
  23. 23. OS Independant (Runs outside the OS context)‏ </li></ul>
  24. 24. What is the BIOS? <ul><li>BIOS stands for Basic Input Output System
  25. 25. Boot firmware
  26. 26. Hardware initialization (RAM, North Bridge, etc.)
  27. 27. Size: 256 Kb and bigger
  28. 28. C ommonly stored on EEPROM or flash memory </li></ul>
  29. 29. BIOS Structure <ul><li>It is composed of various LZH compressed modules
  30. 30. Each module has an 8 bit checksum
  31. 31. There are some uncompressed modules: </li><ul><li>Bootblock: In charge of the POST, and emergency boot
  32. 32. Decompression routine: decompresses the rest of the modules </li></ul><li>Various checksum checks. </li></ul>
  33. 33. +------------------------------------------------------------------------------+ | Class.Instance (Name) Packed ---> Expanded Compression Offset | +------------------------------------------------------------------------------+ B.03 ( BIOSCODE) 06DAF (28079) => 093F0 ( 37872) LZINT ( 74%) 446DFh B.02 ( BIOSCODE) 05B87 (23431) => 087A4 ( 34724) LZINT ( 67%) 4B4A9h B.01 ( BIOSCODE) 05A36 (23094) => 080E0 ( 32992) LZINT ( 69%) 5104Bh C.00 ( UPDATE) 03010 (12304) => 03010 ( 12304) NONE (100%) 5CFDFh X.01 ( ROMEXEC) 01110 (04368) => 01110 ( 4368) NONE (100%) 6000Ah T.00 ( TEMPLATE) 02476 (09334) => 055E0 ( 21984) LZINT ( 42%) 63D78h S.00 ( STRINGS) 020AC (08364) => 047EA ( 18410) LZINT ( 45%) 66209h E.00 ( SETUP) 03AE6 (15078) => 09058 ( 36952) LZINT ( 40%) 682D0h M.00 ( MISER) 03095 (12437) => 046D0 ( 18128) LZINT ( 68%) 6BDD1h L.01 ( LOGO) 01A23 (06691) => 246B2 (149170) LZINT ( 4%) 6EE81h L.00 ( LOGO) 00500 (01280) => 03752 ( 14162) LZINT ( 9%) 708BFh X.00 ( ROMEXEC) 06A6C (27244) => 06A6C ( 27244) NONE (100%) 70DDAh B.00 ( BIOSCODE) 001DD (00477) => 0D740 ( 55104) LZINT ( 0%) 77862h *.00 ( TCPA_*) 00004 (00004) => 00004 ( 004) NONE (100%) 77A5Ah D.00 ( DISPLAY) 00AF1 (02801) => 00FE0 ( 4064) LZINT ( 68%) 77A79h G.00 ( DECOMPCODE) 006D6 (01750) => 006D6 ( 1750) NONE (100%) 78585h A.01 ( ACPI) 0005B (00091) => 00074 ( 116) LZINT ( 78%) 78C76h A.00 ( ACPI) 012FE (04862) => 0437C ( 17276) LZINT ( 28%) 78CECh B.00 ( BIOSCODE) 00BD0 (03024) => 00BD0 ( 3024) NONE (100%) 7D6AAh
  34. 34. How it works <ul><li>The first instruction executed by the CPU is a 16 byte opcode located at F000:FFF0
  35. 35. The Bootblock POST (Power On Self Test) initialization routine is executed.
  36. 36. Decompression routine is called and every module is executed.
  37. 37. Initializes PCI ROMs.
  38. 38. Loads bootloader from hard-disk and executes it. </li></ul>
  39. 39. BIOS Memory Map
  40. 40. Code BIOS Update/flashing process <ul><li>BIOS is upgradeable.
  41. 41. Vendors provide perodic updates to add new features and fix bugs. They also provides it's own tools to flash from DOS, windows, and even from ActiveX!
  42. 42. BIOS update procedure depends on South-Bridge and chip used.
  43. 43. CoreBOOT project provides a generic BIOS flashing tool: flashrom, that supports most motherboard/chip combination. </li></ul>
  44. 44. A Simple way to patch BIOS <ul><li>BIOS contains several checksums
  45. 45. Any modification leads to an unbootable system.
  46. 46. We used two techniques: </li><ul><li>1) Use a BIOS building tool (Pinczakko's method)‏
  47. 47. 2) Patch and compensate the 8-bit checksum </li></ul><li>Three easy steps: </li><ul><li>1) Dump BIOS using flashrom
  48. 48. 2) Patch and compensate
  49. 49. 3) Re-flash </li></ul></ul>
  50. 50. Where to patch <ul><li>Anywhere is valid: </li><ul><li>f000:fff0: First instruction executed.
  51. 51. INT 0x19: Exected before booting
  52. 52. Insert a ROM module: Executing during POST </li></ul><li>The most practical place: Decompressor </li><ul><li>It's uncompressed!
  53. 53. Located easily by pattern matching </li></ul></ul>Almost never change Called multiple times during boot
  54. 54. What can be done <ul><li>Depends. What resources are available from BIOS? </li><ul><li>Standarized Hard Disk access (Int 13h)‏
  55. 55. Memory Manager (PMM)‏
  56. 56. network access (PXE, Julien Vanegue technique)‏
  57. 57. Modem and other hardware (Needs a driver)‏ </li></ul><li>Our choice was to modify hard-disk content: </li><ul><li>1) Modify shadow file on unix
  58. 58. 2) Code injection on windows binaries </li></ul></ul>
  59. 59. Shellcodes <ul><li>Shellcodes are all in 16 bit
  60. 60. We use BIOS services for everything
  61. 61. Easy to debug: BIOS execution enviroment can be emulated running the code as a COM file over DOS
  62. 62. Pseudocode: </li><ul><li>1) Checks ready-signal </li></ul><li>2) Checks for services inicialization
  63. 63. 3) Runs </li></ul>
  64. 64. Hook schema
  65. 65. Virtual machine demo <ul><li>Virtual machines also have a BIOS! </li></ul>In VMWARE, It's embedded as a section of the main VM process, shared on all Vms. Also can be specified on the VMX file for each VM. Is a phoenix BIOS. Very easy to develop because of the embedded GDB server. Using Interrupt Vector Table as ready-signal <ul><li>Two attacks: </li><ul><li>OpenBSD shadow file
  66. 66. Windows code injection </li></ul><li>This method will infect multiple virtual machines. </li></ul>
  67. 67. Real hardware demo <ul><li>We infected an Phoenix-Award BIOS
  68. 68. Extensively used BIOS
  69. 69. Using the VGA ROM signature as ready-signal.
  70. 70. No debug allowed here, all was done by Reverse-Engineering and later, Int 10h (Not even printf!)
  71. 71. Injector tool is a 100-line python script! </li></ul>
  72. 72. Future research <ul><li>Virtualized Rootkit
  73. 73. PCI device placement (Modems, VGA, Ethernet and RAID controllers)‏
  74. 74. The ultimate BIOS rootkit...
  75. 75. Thank you for your attention! </li></ul>
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×