Professional Documents
Culture Documents
Ryan Permeh
2
Introduction
• Overview
– BIOS boot process and Windows startup
– eEye BootRoot: how it works, capabilities and shortcomings
– Demo: eEye BootRootKit backdoor
• Required Knowledge
– x86 real and protected modes, some Windows kernel
4
Booting Up – Summary
• For hard drives, the first sector is the Master Boot Record
– Copies itself to 0000h:0600h
– Locates a bootable partition in the partition table
– Executes the first sector of the boot partition at 0000h:7C00h
6
Booting Up – MBR Partition Table
Master Boot Record Layout Partition Table Entry Format
0000 xx xx xx xx xx xx xx xx-xx xx xx xx xx xx xx xx +00 BYTE Boot Indicator
0010 xx xx xx xx xx xx xx xx-xx xx xx xx xx xx xx xx -- bit 7: partition bootable
...
+01 BYTE Starting Head
01B0 xx xx xx xx xx xx xx xx-xx xx xx xx xx xx BI SH
01C0 SS SC ID EH ES EC L0 L1-L2 L3 S0 S1 S2 S3 BI SH +02 BYTE Starting Sector / Cylinder
01D0 SS SC ID EH ES EC L0 L1-L2 L3 S0 S1 S2 S3 BI SH
-- bits 5..0: sector
01E0 SS SC ID EH ES EC L0 L1-L2 L3 S0 S1 S2 S3 BI SH
01F0 SS SC ID EH ES EC L0 L1-L2 L3 S0 S1 S2 S3 55 AA
-- bits 7..6: cylinder (bits 9..8)
+03 BYTE Starting Cylinder (bits 7..0)
+04 BYTE System ID (volume type)
Partition 1 (offset 01BEh)
+05 BYTE Ending Head
Partition 2 (offset 01CEh) +06 BYTE Ending Sector / Cylinder
-- bits 5..0: sector
Partition 3 (offset 01DEh)
-- bits 7..6: cylinder (bits 9..8)
Partition 4 (offset 01EEh) +07 BYTE Ending Cylinder (bits 7..0)
+08 DWORD Linear sector number of partition
+0C DWORD Size in sectors of partition
8
Booting Up – Bootable CD Layout (1)
0000 8000 BYTE Volume Descriptor Type = 1
(unused) 8001 [5] Standard Identifier = "CD001"
8006 BYTE Volume Descriptor Version = 1
8050 DWORD Volume Space Size (sectors) = 15h
8054 DWORD Volume Space Size (big-endian)
8000
8078 WORD Volume Set Size = 1
Primary Volume
807A WORD Volume Set Size (big-endian)
8800 807C WORD Volume Sequence Number = 1
Boot Record Volume 807E WORD Volume Sequence Number (big-endian)
8080 WORD Logical Block Size = 0800h
9000
Set Terminator Volume 8082 WORD Logical Block Size (big-endian)
809C [22h] Directory Record for Root Directory
9800 809C BYTE Length of Directory Record = 1
Boot Catalog 80B5 BYTE File Flags = 02h (Directory)
A000 80B8 WORD Volume Sequence Number = 1
Boot Code 80BA WORD Volume Sequence Number (big-endian)
80BB BYTE Length of File Identifier = 1
A800 80BC [1] File Identifier = {0}
Source: ECMA-119: Volume and File Structure of CDROM for Information Interchange.
http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-119.pdf
9000
Set Terminator Volume
A800
Source: ECMA-119: Volume and File Structure of CDROM for Information Interchange.
http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-119.pdf
10
Booting Up – Bootable CD Layout (3)
0000
(unused)
8000
Primary Volume
9800 [20h] Validation Entry
8800 9800 BYTE Header ID = 1
Boot Record Volume 9801 BYTE Platform ID = 0
981C WORD Checksum = 55AAh
9000
981E WORD Key = AA55h
Set Terminator Volume
9820 [20h] Initial/Default Entry
9800 9820 BYTE Boot Indicator = 88h
Boot Catalog 9821 BYTE Boot Media Type = 2 (1.44MB floppy)
9822 WORD Load Segment = 0
A000
Boot Code 9824 BYTE System Type = 0
9826 WORD Sector Count (virtual sectors) = 1
A800 9828 DWORD Load RBA (sector) = 14h
Source: ECMA-119: Volume and File Structure of CDROM for Information Interchange.
http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-119.pdf
12
Booting Up – Network Boot Traffic Example
14
Windows Startup – Boot Loader
16
Windows Startup – NTLDR GDT
18
Windows Startup – OSLOADER.EXE (2)
20
Windows Startup – Phase 0 Initialization
• NTOSKRNL.EXE!KiSystemStartup
– HAL.DLL!HalInitializeProcessor
– KiInitializeKernel
• KiInitSystem (initializes _KeServiceDescriptorTable and _KeServiceDescriptorTableShadow)
• KeInitializeProcess (_KiIdleProcess), KeInitializeThread (P0BootThread)
• ExpInitializeExecutive
– HAL.DLL!HalInitSystem
– ExInitSystem
– MmInitSystem (0)
– ObInitSystem
– SeInitSystem
– PsInitSystem (creates _PsInitialSystemProcess and Phase1Initialization thread)
– PpInitSystem
• NTOSKRNL.EXE!Phase1Initialization
– HAL.DLL!HalInitSystem – MmInitSystem (2) (makes executive pageable)
– PoInitSystem (0) – PoInitSystem (1)
– ObInitSystem – PsInitSystem (locates certain NTDLL exports)
– ExInitSystem
– KeInitSystem
– SeInitSystem
– MmInitSystem (1)
– CmInitSystem
– FsRtlInitSystem
– PpInitSystem
– LpcInitSystem
– ExInitSystemPhase2
– IoInitSystem (IopInitializeSystemDrivers runs boot drivers, PsLocateSystemDll loads NTDLL.DLL)
22
eEye BootRoot
• Advantages
– Our code is privileged – real mode is “ring 0”
– We can control all subsequent code execution
• Disadvantages
– No part of the operating system is loaded yet
– We need the system to function normally, except with a few
of our own “adjustments”
– OS startup will bring about dramatic machine state changes
24
eEye BootRoot – Playing Field
26
eEye BootRoot – Our Solution
28
eEye BootRoot – System Memory Map Example
System memory map generated using INT 15h/AX=E820h on a VMWare 4.5 system with 128MB RAM.
30
eEye BootRootKit – Overview
• Features
– Works on Windows 2000 and later
– Fits into 512 bytes!
32
eEye BootRootKit – OSLOADER Patch
34
eEye BootRootKit – OSLOADER Module List
Format of loaded module list nodes used by OSLOADER and based at [[_BlLoaderBlock]+0].
Structure is identical to that used by NTOSKRNL in PsLoadedModuleList.
36
eEye BootRootKit – Hooking NDIS (2)
• Hook ethFilterDprIndicateReceivePacket
– Store a relative JMP at function entry point, or two bytes
afterward if first instruction is “MOV EDI, EDI”
– Assume overwritten instructions will always be:
PUSH EBP / MOV EBP, ESP / SUB ESP, imm (exact value is irrelevant, we just subtract a lot)
38
Demonstration
• From a CD-RW
40
Bonus Material!
42
IOPL Technique – Overview
44
IOPL Technique – Local Kernel Backdoor?
ECMA. Standard ECMA-119: Volume and File Structure of CDROM for Information Interchange. http://www.ecma-
international.org/publications/files/ECMA-ST/Ecma-119.pdf
randnut@hotmail.com. “Multiple WinXP kernel vulns can give user mode programs kernel mode privileges.”
http://lists.grok.org.uk/pipermail/full-disclosure/2004-February/017545.html
Stevens, Curtis E., and Stan Merkin. “El Torito” Bootable CD-ROM Format Specification, Version 1.0.
http://www.phoenix.com/NR/rdonlyres/98D3219C-9CC9-4DF5-B496-
A286D893E36A/0/specscdrom.pdf
46
Questions?