Derek Soeder is a Software Engineer and after-hours researcher at eEye Digital Security. In addition to participating in the ongoing development of eEye's Retina Network Security Scanner product, Derek has also produced a number of internal technologies and is responsible for the discovery of multiple serious security vulnerabilities. His main areas of interest include operating system internals and machine code-level manipulation.
Ryan Permeh is a Senior Software Engineer at eEye Digital Security. He focuses mainly on the Retina and SecureIIS product lines. He has worked in the porting of nmap and libnet to Windows, as well as helping with disassembly and reverse engineering, and exploitation efforts within the eEye research team.
eEye BootRoot
This presentation will cover the eEye BootRoot project, an exploration of technology that boot sector code can use to subvert the Windows NT-family kernel and retain the potential for execution, even after Windows startup—a topic made apropos by the recent emergence of Windows rootkits into mainstream awareness. We will provide some brief but technical background on the Windows startup process, then discuss BootRoot and related technology, including a little-known stealth technique for low-level disk access. Finally, we will demonstrate the proof-of-concept BootRootKit, loaded from a variety of bootable media.
Derek Soeder, Ryan Permeh. Black Hat Briefings
eEye BootRoot:
A Basis for Bootstrap-Based Windows Kernel Code
Derek Soeder, Software Engineer
Ryan Permeh, Senior Software Engineer
Introduction
• Explores the capabilities of custom boot sector code on
NT-family Windows
– What can it do? Anything – it’s privileged code on the CPU
– The trick is keeping control while allowing the OS to function
• Overview
– BIOS boot process and Windows startup
– eEye BootRoot: how it works, capabilities and shortcomings
– Demo: eEye BootRootKit backdoor
• Required Knowledge
– x86 real and protected modes, some Windows kernel
digital self defense
Booting Up
BIOS Handoff to Bootstrap Code
Booting Up – Summary
• BIOS transfers execution to code from some other medium
– Disk drive (fixed or removable)
– CD-ROM
– Network boot
• Windows startup from a hard drive installation
– Hard drive Master Boot Record
– Windows bootstrap loader
– NTLDR
– OSLOADER.EXE
– NTDETECT.COM
– NTOSKRNL.EXE, HAL.DLL, boot drivers
Booting Up – Disk Drive
• BIOS loads first sector of drive (200h bytes) at 0000h:7C00h
– Executes in real mode
– SS:SP < 0000h:0400h, DS = 0040h (BIOS data area)
• For hard drives, the first sector is the Master Boot Record
– Copies itself to 0000h:0600h
– Locates a bootable partition in the partition table
– Executes the first sector of the boot partition at 0000h:7C00h
• Partition boot sector is always part of the operating system
– Loads and executes the next boot stage of the OS
Booting Up – MBR Partition Table
Source: NTFS.com, Hard Drive Partition - Partition Table. http://www.ntfs.com/partition-table.htm

Master Boot Record Layout (200h bytes; partition table at 01BEh, signature 55h AAh at 01FEh)
0000 xx xx xx xx xx xx xx xx-xx xx xx xx xx xx xx xx
0010 xx xx xx xx xx xx xx xx-xx xx xx xx xx xx xx xx
...
01B0 xx xx xx xx xx xx xx xx-xx xx xx xx xx xx BI SH
01C0 SS SC ID EH ES EC L0 L1-L2 L3 S0 S1 S2 S3 BI SH
01D0 SS SC ID EH ES EC L0 L1-L2 L3 S0 S1 S2 S3 BI SH
01E0 SS SC ID EH ES EC L0 L1-L2 L3 S0 S1 S2 S3 BI SH
01F0 SS SC ID EH ES EC L0 L1-L2 L3 S0 S1 S2 S3 55 AA
Partition 1 (offset 01BEh)
Partition 2 (offset 01CEh)
Partition 3 (offset 01DEh)
Partition 4 (offset 01EEh)
Legend: BI = Boot Indicator, SH/SS/SC = Starting Head/Sector/Cylinder, ID = System ID, EH/ES/EC = Ending Head/Sector/Cylinder, L0..L3 = linear sector number (little-endian DWORD), S0..S3 = size in sectors (little-endian DWORD)

Partition Table Entry Format (10h bytes)
+00 BYTE Boot Indicator
-- bit 7: partition bootable
+01 BYTE Starting Head
+02 BYTE Starting Sector / Cylinder
-- bits 5..0: sector
-- bits 7..6: cylinder (bits 9..8)
+03 BYTE Starting Cylinder (bits 7..0)
+04 BYTE System ID (volume type)
+05 BYTE Ending Head
+06 BYTE Ending Sector / Cylinder
-- bits 5..0: sector
-- bits 7..6: cylinder (bits 9..8)
+07 BYTE Ending Cylinder (bits 7..0)
+08 DWORD Linear sector number of partition
+0C DWORD Size in sectors of partition
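The following is an added example, not code from the eEye BootRoot slides: a C parser for the 512-byte MBR layout above. It does what the MBR's own 16-bit code does after copying itself to 0000h:0600h: verify the 55h AAh signature, walk the four 10h-byte entries at 01BEh, unpack the CHS fields, and pick the first entry whose boot indicator has bit 7 set. The sample MBR (one bootable NTFS partition at LBA 63) is constructed inside the block and is not taken from any real disk.

```c
/*
 * Added example, not code from the eEye BootRoot slides: parse a 512-byte
 * Master Boot Record as laid out in the partition-table slide. The sample
 * MBR is constructed here, not read from a real disk.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBR_SIZE        0x200
#define PART_TABLE_OFF  0x1BE
#define PART_ENTRY_SIZE 0x10
#define MBR_SIG_OFF     0x1FE
#define BOOT_INDICATOR  0x80   /* bit 7 of entry byte +00 */

struct chs { uint16_t cylinder; uint8_t head; uint8_t sector; };

struct part_entry {
    uint8_t    boot_indicator;  /* +00 */
    struct chs start;           /* +01 head, +02 sector/cyl hi, +03 cyl lo */
    uint8_t    system_id;       /* +04 volume type */
    struct chs end;             /* +05..+07, same packing as start */
    uint32_t   lba_start;       /* +08 linear sector number, little-endian */
    uint32_t   sector_count;    /* +0C size in sectors, little-endian */
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unpack the 3-byte CHS field: bits 5..0 of the middle byte are the sector,
 * bits 7..6 are cylinder bits 9..8, and the last byte is cylinder bits 7..0. */
static struct chs decode_chs(const uint8_t *p)
{
    struct chs c;
    c.head     = p[0];
    c.sector   = p[1] & 0x3F;
    c.cylinder = (uint16_t)(((p[1] & 0xC0) << 2) | p[2]);
    return c;
}

/* Fill out[0..3] from the MBR image. Returns 0, or -1 if the 55AAh signature
 * at 01FEh is missing, in which case the BIOS would not run the sector. */
int parse_mbr(const uint8_t *mbr, struct part_entry out[4])
{
    if (mbr[MBR_SIG_OFF] != 0x55 || mbr[MBR_SIG_OFF + 1] != 0xAA)
        return -1;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + PART_TABLE_OFF + i * PART_ENTRY_SIZE;
        out[i].boot_indicator = e[0];
        out[i].start          = decode_chs(e + 1);
        out[i].system_id      = e[4];
        out[i].end            = decode_chs(e + 5);
        out[i].lba_start      = rd32le(e + 8);
        out[i].sector_count   = rd32le(e + 12);
    }
    return 0;
}

/* Index of the first entry flagged bootable, or -1 when none is (the standard
 * MBR then reports an error instead of chaining to a partition boot sector). */
int find_boot_partition(const struct part_entry p[4])
{
    for (int i = 0; i < 4; i++)
        if (p[i].boot_indicator & BOOT_INDICATOR)
            return i;
    return -1;
}

/* Constructed sample: one bootable NTFS (system ID 07h) partition starting
 * at LBA 63, the usual first-track offset of a CHS-aligned disk. */
void build_sample_mbr(uint8_t mbr[MBR_SIZE])
{
    static const uint8_t entry[PART_ENTRY_SIZE] = {
        0x80,                   /* boot indicator: bootable */
        0x01, 0x01, 0x00,       /* start CHS: head 1, sector 1, cylinder 0 */
        0x07,                   /* system ID: NTFS/HPFS */
        0xFE, 0xFF, 0xFF,       /* end CHS: head 254, sector 63, cylinder 1023 */
        0x3F, 0x00, 0x00, 0x00, /* linear start sector = 63 */
        0x41, 0xB0, 0x01, 0x00  /* size = 0001B041h sectors */
    };
    memset(mbr, 0, MBR_SIZE);
    memcpy(mbr + PART_TABLE_OFF, entry, sizeof entry);
    mbr[MBR_SIG_OFF]     = 0x55;
    mbr[MBR_SIG_OFF + 1] = 0xAA;
}

int main(void)
{
    uint8_t mbr[MBR_SIZE];
    struct part_entry parts[4];

    build_sample_mbr(mbr);
    if (parse_mbr(mbr, parts) != 0) {
        puts("not a valid MBR: signature 55AAh missing");
        return 1;
    }
    int b = find_boot_partition(parts);
    if (b < 0) {
        puts("no bootable partition");
        return 1;
    }
    printf("boot partition %d: type %02Xh, LBA %u, %u sectors, end CHS %u/%u/%u\n",
           b + 1, parts[b].system_id, parts[b].lba_start, parts[b].sector_count,
           parts[b].end.cylinder, parts[b].end.head, parts[b].end.sector);
    return 0;
}
```

The same walk over the table is what custom MBR code such as BootRoot must reproduce if it wants to chain to the real partition boot sector after doing its own work: the real MBR's behaviour is only "first entry with bit 7 set", so a replacement MBR that picks the same entry stays invisible at this stage.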
Booting Up – CD-ROM
• Differences from disks and diskettes
– Sector size is 800h bytes (2KB)
– Data format is more complicated (ECMA-119 / ISO 9660)
– Bootable CD format dictated by “El Torito” Specification
• Boot sector (only first 200h bytes) loads at 07C0h:0000h
– Executes in real mode
– SS:SP = 0000h:0400h, DS = 0040h (BIOS data area)
• Additional disc contents are accessed via INT 13h
– Boot catalog entry indicates “emulation mode” (floppy or HD)
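The following is an added example, not code from the eEye BootRoot slides: a C decoder for the first two 20h-byte entries of an El Torito boot catalog, the validation entry and the initial/default entry. The default entry is where the BIOS reads the emulation mode mentioned above, the load segment (0 in the catalog means the default 07C0h), how many 200h-byte virtual sectors to load, and which 800h-byte disc sector holds the boot image. The 40h-byte catalog is constructed inside the block and is not read from a real disc; the field offsets follow the El Torito 1.0 specification cited in the references.

```c
/*
 * Added example, not code from the eEye BootRoot slides: decode an El Torito
 * validation entry and initial/default entry. Catalog bytes are constructed
 * here, not read from a real disc.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ET_ENTRY_SIZE   0x20
#define ET_HEADER_ID    0x01
#define ET_BOOTABLE     0x88
#define ET_DEFAULT_SEG  0x07C0   /* used when the catalog's load segment is 0 */

/* Boot media type, bits 3..0 of byte +01 of the initial/default entry. */
enum et_media {
    ET_NO_EMULATION = 0,  /* raw boot code, loaded as-is; no drive emulation */
    ET_FLOPPY_1_2M  = 1,
    ET_FLOPPY_1_44M = 2,
    ET_FLOPPY_2_88M = 3,
    ET_HARD_DISK    = 4   /* image begins with an MBR, emulated as drive 80h */
};

struct et_default_entry {
    int      bootable;      /* +00 == 88h */
    uint8_t  media_type;    /* +01, see enum et_media */
    uint16_t load_segment;  /* +02 word; 0 in the catalog becomes 07C0h */
    uint8_t  system_type;   /* +04, partition type byte from the image's MBR */
    uint16_t sector_count;  /* +06 word, count of 200h-byte virtual sectors */
    uint32_t load_rba;      /* +08 dword, 800h-byte disc sector of the image */
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p) { return rd16le(p) | ((uint32_t)rd16le(p + 2) << 16); }
static void wr16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xFF); p[1] = (uint8_t)(v >> 8); }

/* Validation entry: header ID 01h, platform ID at +01 (00h = 80x86), 24-byte
 * ID string at +04, a checksum word at +1C chosen so that all sixteen words
 * sum to zero, and key bytes 55h AAh at +1E. Returns 0 when valid. */
int et_check_validation(const uint8_t *ve)
{
    if (ve[0] != ET_HEADER_ID)                return -1;
    if (ve[0x1E] != 0x55 || ve[0x1F] != 0xAA) return -2;
    uint16_t sum = 0;
    for (int i = 0; i < ET_ENTRY_SIZE; i += 2)
        sum = (uint16_t)(sum + rd16le(ve + i));
    return sum == 0 ? 0 : -3;
}

/* Decode the initial/default entry. Returns 0 if it is marked bootable. */
int et_parse_default(const uint8_t *de, struct et_default_entry *out)
{
    out->bootable     = (de[0] == ET_BOOTABLE);
    out->media_type   = de[1] & 0x0F;
    out->load_segment = rd16le(de + 2);
    if (out->load_segment == 0)
        out->load_segment = ET_DEFAULT_SEG;
    out->system_type  = de[4];
    out->sector_count = rd16le(de + 6);
    out->load_rba     = rd32le(de + 8);
    return out->bootable ? 0 : -1;
}

/* Linear address at which the boot image lands: load_segment:0000h. */
uint32_t et_load_linear(const struct et_default_entry *e)
{
    return (uint32_t)e->load_segment << 4;
}

/* Constructed 40h-byte catalog: an 80x86 validation entry followed by a
 * no-emulation default entry that loads 4 virtual sectors from disc
 * sector 20 to the default segment 07C0h. */
void build_sample_catalog(uint8_t cat[2 * ET_ENTRY_SIZE])
{
    uint8_t *ve = cat, *de = cat + ET_ENTRY_SIZE;
    memset(cat, 0, 2 * ET_ENTRY_SIZE);

    ve[0] = ET_HEADER_ID;
    ve[1] = 0x00;                          /* platform ID: 80x86 */
    memcpy(ve + 4, "sample catalog", 14);  /* ID string, zero padded */
    ve[0x1E] = 0x55; ve[0x1F] = 0xAA;
    uint16_t sum = 0;
    for (int i = 0; i < ET_ENTRY_SIZE; i += 2)
        if (i != 0x1C) sum = (uint16_t)(sum + rd16le(ve + i));
    wr16le(ve + 0x1C, (uint16_t)(0x10000u - sum));   /* makes the words sum to 0 */

    de[0] = ET_BOOTABLE;
    de[1] = ET_NO_EMULATION;
    wr16le(de + 2, 0x0000);  /* load segment 0: BIOS uses 07C0h */
    de[4] = 0x00;            /* system type: unused without HD emulation */
    wr16le(de + 6, 4);       /* sector count: 4 x 200h bytes */
    de[8] = 20;              /* load RBA = 20, little-endian dword */
}

int main(void)
{
    uint8_t cat[2 * ET_ENTRY_SIZE];
    struct et_default_entry e;

    build_sample_catalog(cat);
    if (et_check_validation(cat) != 0) { puts("bad validation entry"); return 1; }
    if (et_parse_default(cat + ET_ENTRY_SIZE, &e) != 0) { puts("default entry not bootable"); return 1; }
    printf("media type %u: load %u x 200h bytes from RBA %u to %04Xh:0000h (linear %05Xh)\n",
           e.media_type, e.sector_count, e.load_rba, e.load_segment, et_load_linear(&e));
    return 0;
}
```

The difference between emulation modes matters for anything BootRoot-like that boots from CD: with hard-disk emulation the image carries its own MBR and is reachable through INT 13h as drive 80h, whereas in no-emulation mode the BIOS simply drops `sector_count` virtual sectors at `load_segment:0000h` and jumps there, so the loaded code must fetch the rest of the disc itself.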
Booting Up – Bootable CD Layout (1)
Source: ECMA-119, Volume and File Structure of CDROM for Information Interchange.

References
ECMA. Standard ECMA-119: Volume and File Structure of CDROM for Information Interchange. http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-119.pdf
Intel Corporation. Preboot Execution Environment (PXE) Specification, Version 2.1. ftp://download.intel.com/labs/manage/wfm/download/pxespec.pdf
Kaze <[email protected]>. "FATdoc#1.txt: Lire le Fat via les Ports" (Reading the FAT via the ports). http://fat.lyua.org/frm/data/fatdoc1.txt
[email protected]. "Multiple WinXP kernel vulns can give user mode programs kernel mode privileges." http://lists.grok.org.uk/pipermail/full-disclosure/2004-February/017545.html
Russinovich, Mark. "Inside the Boot Process, Part 1." http://www.windowsitpro.com/Article/ArticleID/3952/3952.html
Stevens, Curtis E., and Stan Merkin. "El Torito" Bootable CD-ROM Format Specification, Version 1.0. http://www.phoenix.com/NR/rdonlyres/98D3219C-9CC9-4DF5-B496-A286D893E36A/0/specscdrom.pdf