$IDADIR\loaders directory, 108
Absolute Software, 280
ACM (Authenticated Code Module), 288, 299, 300, 340–342, 343, 344
ACRAM (Authenticated Code RAM), 288
Advanced Configuration and Power Interface (ACPI), 307
Advanced Encryption Standard (AES), 190, 197, 210, 211, 218
Advanced RISC Machine (ARM) architecture, 116
BMC implementation, 314
Cortex-A, 347
Cortex-M, 347
implementations, 347
processors, 348
root of trust key, 350
Trusted Boot Board (TBB), 346, 347
Advanced Technology Attachment (ATA), 262
Aeroflot, 14
afd.sys, 179
AIDS (computer virus), 208
Airbus, 314
Alureon family of malware, 4. See also TDL3
antivirus industry
evolution, 175
first-wave bootkits, reaction to, 133
Gapz (see Gapz)
hooks, antivirus (see hooking)
origins, 50
Apple, 286, 289, 308, 312, 365
Aptiocalypsis (INTEL-SA-00057), 263
ARM (Advanced RISC Machine) architecture. See Advanced RISC Machine (ARM) architecture
array of flash data (FDATAX) register, 372, 373, 374
ASCII, 218
Assist, 14
ATA (Advanced Technology Attachment), 262
Authenticated Code Module (ACM), 288, 299, 300, 340–342, 343, 344
Authenticated Code RAM (ACRAM), 288
Avatar, 10
base58 decoding algorithm, 218
BASE64, 190
Baseboard Management Controller (BMC), 288, 289, 313, 314–315
BaseNamedObjects, 182
Basic Input/Output System (BIOS). See also BIOS Guard
accessibility, 101
Authenticated Code Module (ACM), 288, 299, 300, 340–342, 343, 344
boot process, role in, 256
bootkit target, as, 58
bootkit, evolution of, 258
bootup, 50
bypassing, 365
Compatibility Support Mode, 215
complexity, 256
default behavior, early PCs, 50
DISK_ADDRESS_PACKET, 104
disk service, 101
entry point, 101
evolution, 52
extended read operations, 103
firmware implant, 291
infection methods, 265
installation, 289
interrupt handler, 87
boot process flow, 236
MBR code in, 238
malicious boot loader sectors, 103, 104
malware, history of, 256
BIOSkit, 257
Mebromi, 257
nonpersistent implant, 291
outdated, 292
persistent implant, 291
protection bits, 310
set-up, legacy processes, 59
set-up, Windows, 60
setup menu, 280
system initialization, 229
System Management Interrupt (SMI) handler (see System Management Interrupt (SMI) handler)
DEX driver, modifying, 269
Option ROM, modifying, 267–269
Update App, 305
Update Driver, 305
vulnerabilities, during updates, 296
vulnerabilities, post-exploitation, 290, 291
BCD (Boot Configuration Data). See Boot Configuration Data (BCD)
BDS (Boot Device Selection), 244
BIOS Guard, 253, 293, 297, 298
BIOSkit, 257
BIOS Lock Bit, 298
BIOS Lock Enabled (BLE), 263, 310
BIOS Parameter Block (BPB), 186–187, 188, 222
BIOSWE, 263
BIOS Write Enable, 263
BIOS Write Protection, 310
Bitcoin, used by ransomware, 209
Black Hat Asia, 272
BLE (BIOS Lock Enabled), 263
Blue Screen of Death (BSoD), 86–87
BMC (Baseboard Management Controller), 288, 289, 313, 314–315
Bochs emulator
bochsrc.bxrc, 117
bochssdbg.exe, 120
booting, 118
code interpretation, 116
configuration file, 121
disk image, infecting, 119–121
dynamic analysis, in context of, 120
environment, creating, 117–119
IDA Pro, combining with, 116, 118, 123–124
installing, 117
origins, 116
Boot Configuration Data (BCD)
execution flow, role in, 68
layout, 66
parameters, 64
reading, 88
store, 249
Boot Device Selection (BDS), 244
Authenticated Code Module (ACM), 288, 299, 300, 340–342, 343, 344
boot code, early, 288
boot flow, 339
boot policy manifest (BPM), 343–344
chain of trust, 344
integrity checking, 299
OEM root public key, 350
process root, 293
root of trust, 312
bootkits, 49
boot sector infectors (BSIs), 50, 51–52, 59
Brain virus, 51
components, 96
digital signature checks, bypassing, 52–53
ELAM, bypassing (see Early Launch Anti-Malware (ELAM) module)
Elk Cloner, 50
Gapz (see Gapz)
goal of, 55
Load Runner, 51
Master Boot Record (MBR) (see Master Boot Record (MBR))
processor execution mode switch, handling of, 66
proofs of concept (PoCs), 53, 54
resurgence of, 233
Secure Boot (see Secure Boot)
technology, 12
Volume Boot Record (VBR) (see Volume Boot Record (VBR))
bootloaders, 335
fallback, 266
Petya, in (see Petya)
Satana, in (see Satana)
Unified Extensible Firmware Interface (UEFI), in (see Unified Extensible Firmware Interface (UEFI))
Gapz bootkit, use by, 189
real mode, 65
TDL4 infection, 87
Bootmgr partition, 62
boot process, Microsoft Windows, 57–58
BIOS, role of, 60
bootmgr, 64
BCD (Boot Configuration Data) boot variables, 66, 67
real mode vs. protected mode, 65
winload.exe, loading, 67
components, 60
configuration data, 64
Initial Program Loader (IPL), 62–64
legacy-based machines, 58
Master Boot Record (MBR), 60–61
code modification infections, 84–85 (see also TDL4)
Microsoft Windows drive layout, 62
preboot environment, 60
Volume Boot Record (VBR), 61–64
bootvid.dll, 67
botnet, Festi. See Festi rootkits
bot plug-in manager, 19
BotSpam.sys, 31
bot trackers, 137
BPB (BIOS Parameter Block), 186–187, 188, 222
BSoD (Blue Screen of Death), 86–87
Bulygin, Yuriy, 338
C&C (command and control) server. See command and control (C&C) server
C++ compiler, 237
Cache-as-RAM (CAR), 288
call conventions, modern OS, 101
Capsule Update, 242, 246, 274–275
Carberp trojan malware, 171
CDFS, 38
hooking, 173
CBC (cipher block chaining) mode, 194, 211
.cdata, 16
CDO (control device object), 38, 39
certificate authority (CA), 75–76
Certificate Table Data Directory, 322
Chipsec, 264, 303, 324, 367, 386–388, 390
callbacks, 77
information regarding, 78
initialization, 77
cipher block chaining (CBC) mode, 194, 211
clfs.dll, 67
click fraud, 207
CloseHandle, 11
CmRegisterCallbackEx, 36
Code Integrity, 248
code-patching, 195
command and control (C&C) server, 15
communication protocol, 22, 204
Festi botnets, role in, 15–16, 21, 26–27
IP address, 26
Olmasco, relationship between, 137
parser, 17
plug-ins, malicious, 31
ransomware, communication with, 211
TCP protocol, relationship between, 26
Command Prompt, 324
Compatibility Support Module (CSM), 234
Component Object Model (COM), 138
compute_checksum, 230
configuration information manager, 19
control device object (CDO), 38–39
Core Wars, 44
CreateFileX, 142
CreateModule, 20
CryptoLocker, 209
CTB-Locker, 209
Cubi2, 264
Cylinder Head Sector (CHS)-based addressing, 101
Czarny, Joffrey, 315
DDoS (distributed denial of service) botnets. See distributed denial of service (DDoS) botnets
debuggers
32-bit code, 126
64-bit code, 126
Bochs emulator, in (see Bochs emulator)
detection of, 5
GNU debugger (see GNU Debugger (GDB))
protocol, kernel debugger, 67
remote, 45
Rovnix, interface in, 161
serial, 88
stability, 124
Windows, in, 41
DebugMonitor, 227
Dediprog SF100 ISP Programmers, 375
DeleteModule, 20
DGA (domain name generation algorithm), 30
Diffie-Hellman key agreement algorithm, 218
digital rights management (DRM), 43
Direct Kernel Object Manipulation (DKOM), 36
direct memory access (DMA) attacks, 292
DiskNumber parameter, 213
disk service, 60
distributed denial of service (DDoS) botnets, 13–14
Assist, against, 14
Festi botnet (see Festi rootkits)
plug-ins, jobs of, 15
DLLs (dynamic-link libraries), 6, 87
DNS flooding, 32
DogmaMillions, 4
domain name generation algorithm (DGA), 30
dr0, 22
dr3, 22
DRAM (dynamic random access memory), 295
Driver Execution Environment (DXE), 244, 264, 265–266, 269
BIOS phase, 278
drivers, 300, 305–306, 320, 321
firmware implants, target of, 291
nonprivileged, 289
rkloader driver, 277
UEFI, in, 299
DriverObject field, 9
DRIVER_OBJECT modification, 357–359
DriverSection, 5
DRM (digital rights management), 43
Dropbox, 209
droppers, 134
debug information in, 226
defining, 15
description, 15
downloader, vs., 134
enhancements, in Carberp, 173–174
Gapz installation, use in, 177, 178–179, 180–181
manifest, 151
Satana, in (see Satana)
DualBIOS technology, 366
DXE (Driver Execution Environment). See Driver Execution Environment (DXE)
dynamic-link libraries (DLLs), 6, 87
dynamic random access memory (DRAM), 295
Eagle, Chris, 112
Early Launch Anti-Malware (ELAM) module, 69
boot-start drivers, classifying, 71
bypassing, by bootkits, 72
callback routines, 70
known bad driver, 71
known good driver, 71
ecc_cc_public key, 217
eEye, 53
EFI images, 298
EFI partition tables, 238
EFI system partition (ESP), 266
Electronic Code Book (ECB) mode, 168
Elk Cloner, 50
Elliptic Curve Cryptography (ECC), 209, 211
Embedded Controller (EC), 287, 298
Embedi, 313
emulators, 116
Bochs emulator (see Bochs emulator)
malware detection, 153
QEMU, 116
Endpoint Detection and Response (EDR) approach, 45
Equation Group, 262
event notification callbacks, 36–37
evil maid attacks, 291
EX_CALLBACK_FUNCTION, 70
FADDR (flash address) register, 370, 373
fallback bootloader, 266
FastIO, 40
FEK (file encryption key), 210
Festi rootkits
antidebugging techniques, 22
anti-virtual machine techniques, 20–21
architecture, 13
C&C protocol parser, 17
communications protocol, 19
initialization phase, 26
domain name generation algorithm (DGA), implementation of, 30
driver, 17
encrypted strings, 16
forensics software, bypassing, 27–28
memory manager, 17
Microsoft Windows x86 platform target, 15
network sockets, 17
object-oriented framework of, 17
origins, 14
popularity, 14
proxy services, 31
registry key, 25
rootkit distribution, 15
FFS (firmware filesystem), 384, 385–386
field-programmable fuse (FPF), 293, 300
file encryption key (FEK), 210
FILE_OBJECT, 23
images, parsing, 360
miniport storage driver, 354–355
DEVICE_OBJECT modification, 359
storage device stack layout, 355–356
usage, 362
finite state machine, 298
firewalls, Windows, 34
anomalies, detecting, 205
graphics card, 262
hard drive (HDD/SSD), 262
peripheral devices, for, 262
platform-specific nature of, 364
Power Management Unit (PMU), 287
rootkits, 320 (see also specific rootkits)
protecting against, 205
security issues, 205
system-to-system variations, 262
types, 262
UEFI, in (see Unified Extensible Firmware Interface (UEFI))
firmware filesystem (FFS), 384, 385–386
firmware implants, 256
Firmware Interface Table (FIT), 340, 342
firmware Trusted Platform Module (fTPM), 288
flash address (FADDR) register, 370, 373
forensics, firmware
analysis, BIOS firmware image, 365–366
emergence of, 364
limitations of, 364
FPF (field-programmable fuse), 293, 300
fsbg.efi module, 279
FT2232 SPI programmer, 375
GangstaBucks, 4
antimalware software, self-defense against, 194–196
C&C servers, communication with, 204, 206
command executor code, 200
complexity, 177
detection name, 179
algorithm, 180
modifying Shell_TrayWnd procedure, 184–185
functionality, 177–178, 186, 191–193, 199
hacker disassembler engine (HDE), 196
hooking, 190, 194–195, 202, 253
infection technique
BIOS parameter block, reviewing, 186–187
kernel-mode driver, malicious, loading, 189–190
VBR, infecting, 187, 188–189, 190
kernel-mode code, 178
name, origin of, 178
network architecture, 206
payload communication interface, 201–202, 204
pre-Vista operating systems, use on, 199
purpose, 189
security software checks, bypassing, 195
Win32/Gapz.A, 179
Win32/Gapz.B, 179
Gazet, Alexandre, 315
GDB. See GNU Debugger (GDB)
Gigabyte, 272
Gigabyte Brix platform, 272
Global Descriptor Table, 10, 162
global unique identifier (GUID), 235, 386. See also GUID Partition Table (GPT)
GNU Debugger (GDB), 116
protocol, 126
Google, 365
GpCode trojan, 208
graphics processing unit (GPU), 288
GUID Partition Table (GPT), 213
boot flow, 239
drive, parsing with SweetScape, 241
fields, 241
infecting, with Petya, 214–215
partitions, number of, 235–236
partitions, sizes, 236
support, checking for on Windows, 240
hacker disassembler engine (HDE), 196
hardware abstraction layer (HAL)
abstractions, 250
interfaces, 388
library, 246
module, 246
wrappers, 245
hardware sequencing flash control (HSFC) register, 370–371, 373
hardware sequencing flash status (HSFS) register, 370–371
Hardware Validated Boot (HVB), 350
HBA (host-based architecture), 9
Heasman, John, 267
HECI (Host-Embedded Controller Interface), 312
Hex-Rays, 136, 249. See also IDA Pro
hooking
benign, 43
Carberp trojan malware, 173
defining, 7
detecting, 196
Gapz, in (see Gapz)
manipulating object data, 41
placement, hook, 8
recovery of hooks by rootkits, 43
TDL3 technique (see TDL3)
ZwEnumerateKey, 25
host-based architecture (HBA), 9
Host-Embedded Controller Interface (HECI), 312
Host Intrusion Prevention Systems (HIPS), 34, 36, 177
Endpoint Detection and Response (EDR) approach, 45
HSFC (hardware sequencing flash control) register, 370–371, 373
HSFS (hardware sequencing flash status) register, 370–371
HTTP flooding, 32
HTTP protocol, 204
HTTP proxy, 207
HVB (Hardware Validated Boot), 350
Hypervisor-Enforced Code Integrity (HVCI), 81
Hyper-V virtual machine manager, 130, 250
IAT (Import Address Table), 20, 197, 200
IDAPathFinder, 249
IDA Pro, 95
BIOS disk service, analyzing
accessibility, 101
DISK_ADDRESS_PACKET, 104
entry point, 101
extended read operations, 103
malicious boot loader sectors, reading, 103–104
MBR drive parameters, 102
MBR partition table analysis, 104–106
Bochs emulator, combining with, 116, 118, 123–124
database, 98
decryption, 153
defaults, 97
Gapz, use with, 180
GDB debugger, combining with, 126–130
MBR, analyzing
drive parameters, 102
MBR drive parameters, 102
MBR partition table analysis, 104–106
MBR loader, writing a custom, 108–109
loader.hpp, 109
partition table, importing, 111
memory allocation, 127
scripting engine, 99
VBR analysis techniques
kernel-mode drivers, analyzing, 108
malicious boot loaders, analyzing, 107–108
VM, attachment to, 127
IDT (Interrupt Descriptor Table), 10, 162
Import Address Table (IAT), 20, 197, 200
Initialize, 18
Initial Program Loader (IPL), 62
decryption, 152–153, 156, 159, 160
Rovnix, creation of code modification, 151–152, 159, 235
Input/Output Control (IOCTL) code, 10
input/output request packet (IRP). See I/O request packet (IRP)
instruction set architecture (ISA), 288
INT 13h. See interrupt 13th handler (INT 13h)
integrated graphics processing unit (iGPU), 288
Integrated Sensor Hub (ISH), 287
200 Series, 367
Active Management Technology (AMT), 288, 313–314
Advanced Threat Research (ATR) group, 275
Baseboard Management Controller (BMC), 288, 289, 313, 314–315
Boot Guard (see Boot Guard)
Embedded Controller (EC), 287, 298
GBE, 380
gigabit network, 287
Integrated Sensor Hub (ISH), 287
Intel Management Engine (ME), 263, 286–289, 311
code attacks, 312
firmware, 380
SPI flash, relationship between, 369
Intel Product Assurance and Security (IPAS), 264
Intel PSIRT, 289
Intel Security Center of Excellence, 264
Internet of Things, 263
interrupt 13th handler (INT 13h)
accessing, 101
bootmgr, use by, 66
disk operations, interface for, 87
entry point, 101
executing, 104
extended read operation parameter, 103
hooking, 87, 90, 91, 160, 163, 189
Satana, use by, 229
tampering with, 60
Interrupt Descriptor Table (IDT), 10, 162
Invisible Things Lab, 311
IoAttachDeviceToDeviceStack, 24
IOCTL (Input/Output Control) code, 10
I/O driver, 24
IoGetRelatedDeviceObject, 24
IoInitSystem, 190
IoRegisterShutdownNotification, 25
I/O request packet (IRP), 8, 24, 25, 40
Bochs emulator, use in, 120
Festi, role in, 28
malware, bypassing defensive tools, role in, 85
processing, 28
IPAS (Intel Product Assurance and Security), 264
IPL (Initial Program Loader). See Initial Program Loader (IPL)
IP network protocols, 170
IRP_MJ_DIRECTORY_CONTROL, 25
IRP_MJ_INTERNAL_CONTROL, 10
ISA (instruction set architecture), 288
ISH (Integrated Sensor Hub), 287
jmp instructions, 153, 156–158
Kallenberg, Corey, 264, 307, 338
KdDebuggerEnabled, 22
KEK (key exchange key), 329, 337
kernel integrity, Microsoft Windows, 3
kernel rootkits, stealth mission of, 7
Kernel-Mode Code Signing Policy, 7, 12
bootkits, effectiveness against, 51, 52–53, 64, 73
bypassing, 133
ci.dll module (see ci.dll)
effectiveness, 270
integrity checks, 73
legacy code integrity weakness, 74–76
rootkit development, impact on, 255, 319
kernel-mode drivers
configuration information, 16
DriverUnload, 203
duties of, 15
kernel-mode modules, 190, 195, 196
kernel-mode programming, 13–14
kernel, system. See system kernel
key exchange key (KEK), 329, 337
key manifest (KM), 344
KLDR_DATA_TABLE_ENTRY, 5
known bad driver, 71
known good driver, 71
Lambert, John, 36
language-theoretic security, 105
LBA (logical block address), 11, 101–102, 240, 241
legacy-based machines, boot process, 58
legacy code, integrity weakness, 74–76
LegbaCore researchers, 314
Lenovo Thinkpad T540p, 324, 330, 375–376
linking, 7–8. See also hooking
loader.hpp, 109
Load Runner, 51
local privilege escalation (LPE), 178–179, 224
logical block address (LBA), 11, 101–102, 240, 241
LoJack. See Computrace
LOJAX, 297
Macronix MX25L6473E, 379
Management Engine (ME). See Intel Management Engine (ME)
Master Boot Record (MBR), 58
bootloaders, 212
decrypting, 99
modification by infecting bootkit, 98–99
overwriting, with Shamoon, 210
partition tables, 90–91, 104–105, 109, 111, 138–139, 151, 235, 239
Protective, 239
unmodified, 152
master file table (MFT), 209, 212, 216
Matrosov, Alex, 272, 275, 289, 300, 306
mbedtls library, 216
mbr.mbr, 120
MD5, 190
ME (Management Engine). See Intel Management Engine (ME)
Mebromi, 257
Mebroot, 53
memory protection bits, 263, 264
Microsoft. See also Windows, Microsoft
digital signature checks, 52
event notification methods, 36
kernel debugger, 45
Miller, Charlie, 262
miniport storage driver, 354, 355, 359
ModR/M, 196
MSI Cubi2, 264
Necurs rootkit, 76
.NET metadata directory, 7
Network Address Translation (NAT), 33
Network Driver Interface Specification (NDIS), 53, 170–171, 204
NIST 800-147, 293
NIST 800-147B, 293
Nmap, 22
nonvolatile random access memory (NVRAM) variable, 236, 239, 242, 244, 246, 281, 323, 388, 390
npf.sys, 21
NTFS, 38, 92, 187, 209, 221, 223
NTFS parser, 277
ntldr bootloader, 64
ntop, 22
NULL device, 204
NuMega SoftIce, 44
Ob* functions, 41
OBJECT_HEADER struct, 41
OBJECT_TYPE struct, 41
ObReferenceObjectByHandle, 23
ObReferenceObjectByName, 30
Oleksiuk, Dmytro, 310
Olmarik family of malware, 4. See also TDL3
bot trackers, countermeasures, 137
hard drive access, monitoring, 353
integrity verification, 143
interception methods, 40
MBR partition table modification, 235
partition table infection, 133
PPI distribution, 134
rootkit functionality
filesystem, maintaining, 141–142
hooking hard drive, 141
payload injection, 141
sandbox analysis, bypassing, 137
OpenProcedure, 42
OpenSSL, 326
Open Systems Interconnection (OSI), 206
original equipment manufacturers (OEMs), 323–324
partition tables
MBR, as part of (see Master Boot Record (MBR))
Olmasco, infection by, 139, 140
Windows, 138
Pay-Per-Install (PPI), 4
PCH (Platform Controller Hub), 288, 365
PCI configuration space, 367
PCIe devices, 288
PE (Portable Executable). See Portable Executable (PE)
Perigaud, Fabien, 314
Permeh, Ryan, 53
Petya, 209
administrator privileges, acquiring, 212
bootloader components, 210, 212, 214, 215–216, 219–220, 223
complexity, 225
cryptographic functionality, 216
functionality, 225
GPT partition tables, parsing, 221–222
hard drive, infecting
infection methods, 212
master file table, encrypting
decrypting, 224
disks, finding, 220
EncryptionStatus, 220
metadata, 225
MBR infection, 230
ransom message, displaying, 224
ransom URLs, generating, 219
Satana, compared to, 230
ZIP archives, 209
Platform Controller Hub (PCH), 288, 365
plug-ins
distributed denial of service (DDoS) botnets, role in, 15–16
downloads from C&C servers, 17–19
Festi manager, 17
functions, 15
polymorphism, 156
Portable Executable (PE)
images, 322
position-independent code, 190
POSIX, 95
Power Loader, 186
Power Management Unit (PMU), 287
Power-On Self-Test (POST), 59
PPI (Pay-Per-Install), 4
proof of concept (PoC), 53–54, 272, 307
_ProtoHandler routine, 22
pshed.dll, 67
PsSetLoadImageNotifyRoutine, 37
public key certificates, 323
Python, 27
Bochs emulator, use with, 120
decrypting MBR, 99
IPL, writing onto disk image, 120
MBR code, script to decrypt, 99
MBR code, writing onto disk image, 120
MBR loaders, 109
VBR code, writing onto disk image, 120
QEMU emulator, 116
bootkit functionality, 208, 209
C&C servers, communicating with, 211
Petya (see Petya)
ransom message, displaying, 224, 229
Satana (see Satana)
types of, 208
UEFI (see Unified Extensible Firmware Interface (UEFI))
RC5 cipher, 210
RC6 cipher, 168
RDPdoor, 171
ReadFile, 11
ReadFileX, 142
read protections (RP), 295
Reaper, 50
Release, 18
reset, 229
return-oriented programming (ROP), 184
Reveton, 208
Rivest ciphers, 136, 168, 190, 210
Rivest, Ron, 168
Robshaw, Matt, 168
Root Complex Base Address (RCBA), 368
Root Complex Register Block (RCRB), 368
rootkits. See also TDL3; TDL4
Aeroflot crime case, 14
detecting, 43
evolving nature of, 35
Festi rootkit (see Festi rootkits)
BIOS update process, exploiting, 272–274
Capsule Update, use of, 274–275
SMM privilege escalation, using, 271–272
interception methods
object dispatcher, intercepting, 41–43
system calls, intercepting, 37–38
system events, intercepting, 36–37
kernel-mode attacks, 269
LOJAX, 297
neutralizing, 43
object data, altering/manipulating, 41
pointers, 42
purpose, 35
Sony, 43
trends, 12
root of trust, 79, 293, 297–299, 311–312, 331
ROP (return-oriented programming), 184
Rovnix bootkit, 10, 83, 91–92, 106, 115
basic blocks, 153
boot process, interference with, 160
Carberp trojan malware (see Carberp trojan malware)
communication channels, hidden, 169–171
complexity, 175
create-process handler, 165
encryption, 168
hard drive access, monitoring, 353
interception methods, 40
Interrupt Descriptor Table, abuse of, 161–162
IPL infection, 154, 159, 162, 174–175, 235
kernel-mode driver, 163–164, 169, 174
memory allocation, 162
origins, 147
payload module, injecting, 164–166
self-defense mechanisms, stealth, 166–167
symbolic link, 168
system registry key, 152
VBR target, 145
Virtual File Allocation Table (VFAT) filesystem, 168
RSA encryption, 211
S3 Boot Script, 205, 298, 306–307
dispatch code, 309
script vulnerability, 311
sleep state, 307
suspend-resume cycle, 307
weaknesses, exploiting, 307–310
Satana
bootloader components, 210
interrupt 13th handler (INT 13h), use of, 229
MBR decryptor code, 227
Petya, compared to, 230
ransom message display, 229
recovery from, 231
TEMP folder, executing copy of, 226
sciport.sys, 195
SCSI disk devices, 38
SEC (security) phase, UEFI, 243
Second Level Address Translation (SLAT), 80
SecSmiFlash, 306
Secure Boot, 51, 53, 59, 130, 261
attacking
overview, 335
bootkit threats, as defense against, 319–320
bypassing, 79, 290, 293, 299, 337
chain of trust, 298
Compatibility Support Module (CSM), incompatibility, 234
creation, 234
disabling, 299
enabled, 66
finite state machine, 298
firmware rootkit implants, bypassing by, 270
initialization, 248
integrity checks, 75
origins, 293
OS Secure Boot, 320
Platform Secure Boot, 320
signature verification algorithm, 327
SMM-based attacks, 293
Unified Extensible Firmware Interface (UEFI), 320
boot sequence, 321
code integrity checks, 326
dbr database, 328
dbt database, 328
executable authentication with digital signatures, 322–323
key exchange key (KEK), 329, 337
relationship between, 78–79, 234, 253
root of trust, 331
time-based authentication, 328
variables, 302
verification, 79
security (SEC) phase, UEFI, 243
SELinux, 75
Serial Peripheral Interface (SPI) bus, 365
SetFilePointer, 226
Shamoon, 210
Sheldor, 171
Shlej, Nikolaj, 274
SIB, 196
Sidney, Ray, 168
signature certificates, 322
Skrenta, Rick, 50
Skylake CPU, 253
SLAT (Second Level Address Translation), 80
SMBus, 287
SMC (System Management Controller), 289
SMI (System Management Interrupt). See System Management Interrupt (SMI)
SMM. See System Management Mode (SMM)
SMM BIOS Write Protection, 263
SMM BIOS Write Protection Bit, 297
SMM_BWP, 263
Snort, 22
Socket Secure (SOCKS), 34
Soeder, Derek, 53
SoftIce, 44
Software Publisher Certificate (SPC), 73
SOIC-8 clip, 378
Sony rootkit, 43
South Bridge, 365
SPI (Serial Peripheral Interface) bus, 365
SPI Base Address Register (SPIBAR), 368–369
SPI flash, 242, 244–245, 263, 265, 269, 271, 312
chipsets, stored on, 366
firmware image stored on, 366
firmware located on, 369
forensic analysis of, 365
FT2232 Mini Module, use with, 375
layout, 381
modifying contents, 335
read/write access, 287
registers (see SPI registers)
SPI registers, 369
array of flash data (FDATAX) register, 372–374
flash address (FADDR) register, 370, 373
hardware sequencing flash control (HSFC) register, 370–371, 373
hardware sequencing flash status (HSFS) register, 370–371
spoolsvc.exe, 182
SSDT (System Service Descriptor Table), 10, 25, 43
static analysis
conventional approaches, 108
IDA Pro use (see IDA Pro)
MBR, relationship between, 99
signatures, static, 89
Volume Boot Record (VBR) (see Volume Boot Record (VBR))
Structure window, 382
Stuxnet, 85
supply chain attacks, compromised, 291
firmware attacks, relationship between, 364–365
problems, potential, 292
SweetScape, 241
symbolic link, 168
system kernel
integrity, 43
System Management Controller (SMC), 289
System Management Interrupt (SMI) handler, 257, 258, 271, 296
parameters, 303
validation of addresses/pointers, 305
vulnerabilities, 304
System Management Mode (SMM), 258
BIOS Write Protection Bit, 297
data, receiving, 303
design feature, 301
functionality, 294
initializing, 244
introduction, 244
privilege escalation, 290
SPI Flash, relationship between, 294
SPI Protected Ranges, relationship between, 264
SystemRoot, 23
System Service Descriptor Table (SSDT), 10, 25, 43
tag-value-term scheme, 27
TBB (Trusted Boot Board), 346–347
TCP flooding, 32
TCP/IP network stack, 190
TCP/IP protocol stack, 204
tcpip.sys driver, 30
TCP network protocols, 170
TCP stream, 18
TDL4, hooking, 87
TDL3
bootkit technology, 12
boot process infection, 84
distribution, 4
driver objects, malicious, 9
evolution of, 55
file table, 11
hard drive access, monitoring, 353
infection mechanism, 3
I/O requests, maintaining and handling, 11–12
origins, 4
piggybacking on Windows interfaces, 12
read/write intercepts, 8
reliability, 11
.rsrc section, 5
TDL4, compared to, 4
TDL4
boot code modifications, 235
bypassing security during boot, 86–88
code integrity checks, disabling, 88–89
interception methods, 40
introduction of, 7
MBR code modification, 84, 188
MBR partition table modification, 90
origins, 4
TDL3, compared to, 4
TDSS family of malware, 4. See also TDL3
Tereshkin, Alexander, 311
Terse Executable (TE) images, 322
ThinkPwn (LEN-8324), 263
Thunderbolt Ethernet adapter, 267–268
Time Stamping Authority (TSA) service, 327
Titan, 365
TOCTOU (time of check to time of use), 74
TorrentLocker, 211
Transport Driver Interface, 170
trojans, 173
bootkit persistence methods, 207
Carberp trojan malware (see Carberp trojan malware)
GpCode trojan, 208
outbreak of, 231
Petya (see Petya)
Satana (see Satana)
Shamoon, 210
Trojan.Win32.EquationDrug.c, 262
Trusted Boot Board (TBB), 346–347
Trusted Platform Module Platform Configuration Registers (TPM PCRs), 338, 339, 344
TSA (Time Stamping Authority) service, 327
UDP flooding, 32
Unified Extensible Firmware Interface (UEFI), 58
BMC, use of, 288
boot configuration data, 247–248
Boot Device Selection (BDS), 244
bootkit development, impact on, 255–256
boot process, 235–236, 265–266, 335
Boot Services, 250
complexity, 235
defining, 234
development, 234
digital signatures, 322
Driver Execution Environment (DXE), 244
execution environment, establishing, 245–246
Exit Boot Services, 250
firmware, 237, 242–243, 245, 265–266, 269, 276
forensics (see forensics, firmware)
implementations, 322
legacy BIOS, vs., 236, 237, 243
memory protection bits, 263, 264
open source, 234
Option ROM (see Option ROM)
OS bootloader, 242
partitioning scheme, 242
platform initialization, 242
Pre-EFI Initialization (PEI) phase, 243
protocol initializations, 279
ransomware, 273
rootkits, 244
Computrace/LoJack (see Computrace)
Vector-EDK (see Vector-EDK)
runtime services, 249
Secure Boot (see Secure Boot)
security (SEC) phase, 243
SPI flash (see SPI flash)
System Management Mode, 244
UEFITool (see UEFITool)
vulnerabilities, 234–235, 263–265, 269, 308
Windows Boot Manager, accessing, 245
unique identifiers (UIDs), 4, 134
Update App, 305
Update Driver, 305
Uroburos family of malware, 75
User Account Control (UAC), 151, 179
Vbootkit, 53
VBR (Volume Boot Record). See Volume Boot Record (VBR)
VDO (volume device object), 39
Vilaca, Pedro, 307
VirtualBox driver, 75
Virtual File Allocation Table (VFAT) filesystem, 168
Virtual File System (VFS), 8
virtualization-based security (VBS), 289
virtual machine manager (VMM), 130
Virtual Secure Mode (VSM), 80–81, 250, 252, 255
VirusTotal, 5
VMware, 20
debugging case example
IPL polymorphic decryptor, dissecting the, 156–159
memory allocation, 156
decryption, 153
GDB debugger, use with, 124–126
Player version, 125
Professional version, 125
VMware Workstation, 116
GDB, combining with IDA, 126–130
malicious bootstrap, debugging, 130
Volume Boot Record (VBR), 61, 62–64
Bochs emulator, use with, 120
bootkits, role in, 96
HiddenSectors, use of, 187
infection techniques, 83, 105–106
Parameter Block, 106
unmodified, 152
volume device object (VDO), 39
Vrublevsky, Pavel, 14
War Games, 44
Win32/Gapz.A, 179. See also Gapz
Win32/Gapz.B, 179. See also Gapz
Win32/Gapz.C, 178. See also Gapz
Win32/Redmys, 186
WinDbg, 45
Windows Boot Loader, 242, 245, 248–249, 250, 252
Windows Boot Manager, 242, 245, 247–249, 266
Windows Driver Kit (WDK), 9
Windows Management Instrumentation (WMI), 137–138
Windows Object Manager, 182
Windows packet capture library, 21, 22
Windows Task Scheduler, 85
Windows, Microsoft
boot process (see boot process, Microsoft Windows)
bximage, use with, 118
debuggers, 41
GPT support, checking for, 240
kernel integrity, 3
kernel patch protection (see PatchGuard)
Kernel-Mode Code Signing Policy (see Kernel-Mode Code Signing Policy)
kernel-mode drivers, 37
operating systems
64-bit editions, 10, 12, 25, 34, 84, 126
boot process (see boot process, Microsoft Windows)
debugging with, 126
rootkits piggybacking on, 12
system registry, 37
version 10, 272
Second Level Address Translation (SLAT), 80
virtualization-based security, 79–81
version 8, defensive changes, 77–78
version 95, 256
version 98, 256
x86 platform, as target for Festi botnets, 15
winload.exe, 64, 79, 87, 163, 189
boot start drivers, 67
OS boot, control of, 67
WinPE mode, 75
Wireshark, 22
WMI (Windows Management Instrumentation), 137–138
writedr, 22
WriteIntoTcpStream, 18
write protections (WP), 295
x86 processors, 302
Yin, Yiqun Lisa, 168
Zhou, Zhitao, 257
ZwCreateFile, 28
ZwEnumerateKey, 25