Persistent Bios Infection
1. "The early bird catches the worm". CORE SECURITY TECHNOLOGIES © 2009. Anibal L. Sacco (Ssr Exploit writer), Alfredo A. Ortega (Ssr Exploit writer). Persistent BIOS Infection

3. A bit of history

4. A better choice

5. What is the BIOS

6. BIOS structure

7. How it works

8. Update/flashing process

9. A simple way to patch BIOS

10. Where to patch

11. What can be done

12. Shellcodes

13. Virtual machine demo

14. Real hardware demo

16. Rootkit(ish) behavior

17. OS independent

19. Kernel mode backdoor. How can this be done more effectively?

21. Stealth behavior

22. Generally forgotten by almost all antiviruses

23. OS independent (runs outside the OS context)

25. Boot firmware

26. Hardware initialization (RAM, North Bridge, etc.)

27. Size: 256 Kb and bigger

28. Commonly stored on EEPROM or flash memory

30. Each module has an 8 bit checksum

33. Module listing of the BIOS image:

+------------------------------------------------------------------------------+
| Class.Instance (Name)     Packed  --->  Expanded        Compression   Offset |
+------------------------------------------------------------------------------+
  B.03 ( BIOSCODE)    06DAF (28079) => 093F0 ( 37872)  LZINT ( 74%)   446DFh
  B.02 ( BIOSCODE)    05B87 (23431) => 087A4 ( 34724)  LZINT ( 67%)   4B4A9h
  B.01 ( BIOSCODE)    05A36 (23094) => 080E0 ( 32992)  LZINT ( 69%)   5104Bh
  C.00 ( UPDATE)      03010 (12304) => 03010 ( 12304)  NONE  (100%)   5CFDFh
  X.01 ( ROMEXEC)     01110 (04368) => 01110 (  4368)  NONE  (100%)   6000Ah
  T.00 ( TEMPLATE)    02476 (09334) => 055E0 ( 21984)  LZINT ( 42%)   63D78h
  S.00 ( STRINGS)     020AC (08364) => 047EA ( 18410)  LZINT ( 45%)   66209h
  E.00 ( SETUP)       03AE6 (15078) => 09058 ( 36952)  LZINT ( 40%)   682D0h
  M.00 ( MISER)       03095 (12437) => 046D0 ( 18128)  LZINT ( 68%)   6BDD1h
  L.01 ( LOGO)        01A23 (06691) => 246B2 (149170)  LZINT (  4%)   6EE81h
  L.00 ( LOGO)        00500 (01280) => 03752 ( 14162)  LZINT (  9%)   708BFh
  X.00 ( ROMEXEC)     06A6C (27244) => 06A6C ( 27244)  NONE  (100%)   70DDAh
  B.00 ( BIOSCODE)    001DD (00477) => 0D740 ( 55104)  LZINT (  0%)   77862h
  *.00 ( TCPA_*)      00004 (00004) => 00004 (   004)  NONE  (100%)   77A5Ah
  D.00 ( DISPLAY)     00AF1 (02801) => 00FE0 (  4064)  LZINT ( 68%)   77A79h
  G.00 ( DECOMPCODE)  006D6 (01750) => 006D6 (  1750)  NONE  (100%)   78585h
  A.01 ( ACPI)        0005B (00091) => 00074 (   116)  LZINT ( 78%)   78C76h
  A.00 ( ACPI)        012FE (04862) => 0437C ( 17276)  LZINT ( 28%)   78CECh
  B.00 ( BIOSCODE)    00BD0 (03024) => 00BD0 (  3024)  NONE  (100%)   7D6AAh

35. The Bootblock POST (Power On Self Test) initialization routine is executed.

36. The decompression routine is called and every module is executed.

37. Initializes PCI ROMs.

38. Loads the bootloader from the hard disk and executes it.

39. BIOS memory map

41. Vendors provide periodic updates to add new features and fix bugs. They also provide their own tools to flash from DOS, Windows, and even from ActiveX!

42. The BIOS update procedure depends on the South Bridge and the chip used.

43. The CoreBOOT project provides a generic BIOS flashing tool, flashrom, that supports most motherboard/chip combinations.

45. Any modification leads to an unbootable system.

48. 2) Patch and compensate

49. 3) Re-flash

51. INT 0x19: executed before booting

53. Located easily by pattern matching. Almost never changes. Called multiple times during boot.

55. Memory Manager (PMM)

56. Network access (PXE, Julien Vanegue technique)

58. 2) Code injection on Windows binaries

60. We use BIOS services for everything

61. Easy to debug: the BIOS execution environment can be emulated by running the code as a COM file over DOS

63. 3) Runs

64. Hook schema

68. Extensively used BIOS

69. Using the VGA ROM signature as ready-signal.

70. No debug allowed here; all was done by reverse engineering and later Int 10h (not even printf!)

71. The injector tool is a 100-line Python script!

73. PCI device placement (modems, VGA, Ethernet and RAID controllers)

74. The ultimate BIOS rootkit...

75. Thank you for your attention!