Professional Documents
Culture Documents
COMPROMISING
12
DEFCON 2018 - USA
ROOTKITS: RING 0
kd> dt _KTHREAD
16
DEFCON 2018 - USA
ROOTKITS: RING 0
• Alternatively, this IRP could be passed down to the
layered driver by using function such as
IoCallDriver( ).
Device Stack
D
Y IO_STACK_LOCATION
N
IO_STACK_LOCATION
A
M IO_STACK_LOCATION
I ..............
C
DEFCON 2018 - USA 19
ROOTKITS: RING 0
20
DEFCON 2018 - USA
ROOTKITS: RING 0
22
23
DEFCON 2018 - USA
DEFCON 2018 - USA
ROOTKITS: RING 0
24
25
26
27
28
34
DEFCON 2018 - USA
ROOTKITS: RING 0
• As it is done by AVs, malwares also hook functions such as
ZwCreate( ) for intercepting all opened requests sent to devices.
35
DEFCON 2018 - USA
ROOTKITS: RING 0
• Malwares continue allocating (usually RWX, although on Windows 8+ it
could specify NonPagePoolNX) and marking their pages by using
ExAllocatePoolWithTag( ) function (and other at same family
ExAllocatePool*). Fortunately, it can be easily found by using memory
analysis:
37
38
40
DEFCON 2018 - USA
ADVANCED MALWARES
• MBR rootkits: Petya and TLD4 (both in bootstrap code), Omasco
BIOS_PARAMETER
__BLOCK_NTFS
Eventually,
analyzing and
debugging the
MBR/VBR (loaded
as binary module)
is unavoidable,
but it’s not so difficult
as it seems.
Furthermore, we
never know when
an advanced malware
or a ransomwares
(TDL4 and Petya) will
attack us.
43
DEFCON 2018 - USA
ADVANCED MALWARES
• MBR modifications (partition table or MBR code) and VBR+IPL
modifications (BPB or IPL code) have been used as an effective way
to bypass the KCS.
• As injecting code into the Windows kernel has turned out to be a bit
more complicated, to modern malwares are used to bypassing the
44
DEFCON 2018 - USA
ADVANCED MALWARES
45
DEFCON 2018 - USA
ADVANCED MALWARES
Read its configuration from
BPB + VBR code + strings + 0xAA55 Boot Configuration Data (BCD)
Kdcom.dll
Classifies modules as
Winload.exe good, bad and unknown.
ci.dll Additionally, it decides
Bootkits could attack it
whether load a module or
before loading the
not according to the policy.
kernel and ELAM. HAL.dll
46
DEFCON 2018 - USA
ADVANCED MALWARES
• Malwares infect the bootmgr, which switches the processor
execution from real mode to protected mode, and use the int 13h
interrupt to access the disk drive, patch modules and load
malicious drivers.
48
DEFCON 2018 - USA
ADVANCED MALWARES
• SMM basics:
• Interesting place to hide malwares because is protected from OS
and hypervisors.
49
DEFCON 2018 - USA
ADVANCED MALWARES
51
DEFCON 2018 - USA
ALEXANDRE BORGES - MALWARE AND SECURITY RESEARCHER
ADVANCED MALWARES
The Windows uses the
UEFI to load the Hypervisor
and Secure Kernel.
HARDWARE TSL
Boot Guard
Hypervisor
SEC
malwares Windows Boot Loader
OS Secure
and Boot
exploits PEI Kernel drivers
attack Acts on drivers
IBB
here ELAM that are executed
DXE UEFI Secure before Windows
Boot being loaded and
3rd party drivers initialized.
ME: has full access to the DRAM, invisible at same time, is always working
(even then the system is shutdown) and has access to network interface.
Conclusion: a nightmare.
53
DEFCON 2018 - USA
ADVANCED MALWARES
• Intel Boot Guard (controlled by ME), introduced by Intel, is
used to validate the boot process through flashing a public
key associated to BIOS signature into FPFs (Field
BIOS Guard allows that only trusted modules (by ACM) be able to
modify the SPI flash memory and protect us against rookit implants.
56
DEFCON 2018 - USA
ADVANCED MALWARES
• Secure Boot:
59
DEFCON 2018 - USA
ADVANCED MALWARES
• Without ensuring the UEFI image integrity, a rookit could load
another UEFI image without being noticed.
61
DEFCON 2018 - USA
ADVANCED MALWARES
• These SMM Protections flags that can be used to enable or
disable any WSMT feature.
• FIXED_COMM_BUFFERS: it guarantees that any input/output
62
DEFCON 2018 - USA
ADVANCED MALWARES
• chipsec_util.py spi dump spi.bin
• chipsec_uti.py decode spi.bin
ADVANCED MALWARES
ADVANCED MALWARES
chipsec_main.py -m common.bios_smi
65
DEFCON 2018 - USA
ADVANCED MALWARES
• The BIOS_CNTL register contains:
70
DEFCON 2018 - USA
ADVANCED MALWARES
71
DEFCON 2018 - USA
CONCLUSION
• Most security professionals have been facing problems to
understand how to analyze malicious drivers because the
theory is huge and not easy.
LinkedIn:
http://www.linkedin.com/in/aleborges