stoned bootkit
play

Stoned Bootkit Peter Kleissner Table of Contents 1. Introduction - PowerPoint PPT Presentation

Feb 27, 2023 •326 likes •723 views

Stoned Bootkit Peter Kleissner Table of Contents 1. Introduction 1. About 2. Technical Overview 3. Windows Boot Environment 2. Stoned Architecture 1. Plugins 2. Boot Applications 3. Bootkit Installation & Usage 4. General

  1. Stoned Bootkit Peter Kleissner

  2. Table of Contents 1. Introduction 1. About 2. Technical Overview 3. Windows Boot Environment 2. Stoned Architecture 1. Plugins 2. Boot Applications 3. Bootkit Installation & Usage 4. General Considerations 2

  3. Who am I?  Independent Operating System Developer  Professional Software Engineer and Malware Analyst  Living in Wiener Neudorf, a suburb of Vienna (Austria) 3

  4. Introduction 4

  5. About  Bootkit = Rootkit + Boot Capability Introduced by Vipin and Nitin Kumar  Stoned is a new bootkit targeting Windows operating systems Main targets: Windows 2000 - Pwning all Windows versions Windows XP from the boot Windows Server 2003 - Being able to bypass code Windows Vista integrity verifications & Windows Server 2008 signed code checks Windows 7 RC TrueCrypt www.stoned-vienna.com 5

  6. Architecture Address Size Description 0000 440 Code Area 01B8 6 Microsoft Disk Signature 01BE 4*16 IBM Partition Table 01FE 2 Signature, 0AA55h 0200 - Stoned Kernel Modules - - Stoned Plugins 7A00 512 Backup of Original Bootloader 7C00 512 Configuration Area Master Boot Record File System „A memory resident bootkit up to the Windows kernel “ + Boot applications executed on startup + Drivers executed beside the Windows kernel 6

  7. Stoned Virus Your PC is now Stoned! (1987) Your PC is now Stoned! ..again (2010) Stoned is the name of a boot sector computer virus created in 1987, apparently in New Zealand. It was one of the very first viruses, and was, along with its many variants, very common and widespread in the early 1990s. http://en.wikipedia.org/wiki/Stoned_(computer_virus) Stoned was an OS independent boot sector infector. - Probably the first bootkit? - 416 bytes of size, small & effective! 7

  8. Windows Boot Process BIOS Master Boot Record Partition Bootloader ntldr / bootmgr OS Loader winload.exe NT kernel Ntldr = 16-bit stub + OS Loader (just binary appended) Windows Vista splits up ntldr into bootmgr , winload.exe and winresume.exe Windows XP Windows Vista Processor Environment ntldr bootmgr Real Mode OS Loader OS Loader Protected Mode - winload.exe Protected Mode NT kernel NT kernel Protected Mode + Paging 8

  9. Insecuring Windows Pwning Windows from the boot Stoned MBR Bootkit Real Mode Relocates the code to the end of memory (4 KB), hooks interrupt Interrupt 13h 13h and patches code integrity handler verification Bootkit Protected Patches image verification and Mode hooks NT kernel Windows boot Kernel Code NT kernel base address and file loading PsLoadedModuleList are used for routine resolving own imports Driver Code Loads, relocates, resolves, executes all drivers in the list Windows init PE Loader PE-image relocation & resolving system Subsystem Core functions for the Stoned Subsystem installed in Windows Payload Kernel drivers Payload Applications using the subsystem 9

  10. TrueCrypt Attack There are two possible scenarios: 1. Only the system partition is encrypted 2. Full hard disk is encrypted However, the master boor record always stays unencrypted. Hook! Call Windows I/O TrueCrypt (unencrypted request) Request Encryption (encrypted request) jmp 0000h:BACKh BIOS Disk Services A double forward for intercepting the encrypted and decrypted disk I/O. 10

  11. Previous Bootkits … 2006 2008 2010 Mebroot Stoned Bootkit BOOT KIT TPMkit Stoned BootRoot Vbootkit Vbootkit 2.0 1987 2005 2007 2009 Previous research bootkits at conferences: BootRoot Windows XP Black Hat USA 2005 Vbootkit Windows Vista Black Hat Europe 2007 Vbootkit 2.0 Windows 7 (x64) Hack In The Box Dubai 2009 11

  12. Stoned Architecture 12

  13. Master Boot Record Master Boot Record = first 63 sectors of hard disks; contains Partition Table and Bootloader Modularized Stoned MBR contains: Address Size Description 440 Code Area (Bootloader) 0000 6 Microsoft Disk Signature 01B8 Bootloader.sys 4*16 IBM Partition Table 01BE 2 Signature, 0AA55h 01FE 2 KB System Loader System Loader.sys 0200 1 KB Textmode User Interface Textmode TUI.sys 0A00 8 KB Disk System Disk System.sys 0E00 2 KB Load Application Programming 2E00 API [RM].sys Interface for Real Mode 512 Rescue Module Rescue Module.sys 3600 8 KB Free space (former User 3800 Interface and Hibernation File [Embedded Boot Application] Attack) 1.5 KB Crypto Module Crypto Module.sys 5800 5E00 1 KB Boot Module Boot Module.sys 4 KB Pwn Windows Windows.sys 6200 2 KB Free Space 7200 512 Original Bootloader Backup Sector 61 512 Configuration Area / TrueCrypt volume-header information Sector 62 13

  14. Stoned Modules Management Modules: Bootloader System Loader Plugin Manager API providing modules: API [RM] Boot Module Crypto Module Disk System Locking Module Rescue Module Textmode UI User Interface Boot applications use the API provided by the modules. They are independent from each other (this is also why the Windows pwning module can be injected into TrueCrypt’s MBR). 14

  15. Windows XP Boot Microsoft's Master NTFS Partition BIOS Boot Record Bootloader ntldr (uses ntdetect.com) NT kernel Ntldr contains a 16-bit stub and a 32 bit PE Image (= OS Loader) This concept has not been changed in Windows until Windows Vista Hooking & Patching (simplified): Interrupt 13h hooked  Ntldr hooked for calling 32-bit code and patching  the code integrity verification Patching the NT kernel  Executing payloads (driver)  15

  16. Windows Vista Boot Microsoft's Master NTFS Partition BIOS Boot Record Bootloader NT kernel bootmgr winload.exe HAL Boot drivers (also allows to execute ntldr for multi-boot systems) winresume.exe hiberfil.sys Hooking & Patching (simplified): Interrupt 13h hooked  Bootmgr hooked to call 32-bit code  Patching winload.exe code integrity verifications  Patching the NT kernel  16

  17. Boot Media  Currently only IBM-conform legacy boot supported  In future EFI (Extensible Firmware Interface) support All common drives supported: Floppy, CD, DVD, Blu-ray, USB flash drives, removable media, hard drives, network boot Media independent. 17

  18. Plugins 18

  19. About Plugins Extending the core functionality by static bootkit attacks User Interface CO 2 -Plugin PE Infector File Parsers Hibernation File Pagefile Boot Password Music Melody! Attack Injector Crack Persistent BIOS AntiWPA ...and much more under development Infector May be out sourced to the file system. User data stored in CMOS memory? 19

  20. Hibernation File Attack - Predecessor of Stoned - Static attack of bootkit - Structures were revealed with BH USA 2008 „Windows Hibernation File for Fun and Profit” 20

  21. CO 2 Plugin Save The Environment!  Example Plugin  Throttling CPU speed down to 80%  Normal user should not take any notice but our earth does :)  Using the Advanced Configuration Programming Interface 21

  22. Boot Applications 22

  23. Example: Sinowal Extractor Using Stoned Bootkit to execute Sinowal and then extract the unpacked kernel driver  Tracing the memory by hooking the exports for ExAllocatePool() and ExFreePool() using the installed Stoned Subsystem Writing it out to disk for further analysis  New Anti-Malware technology? (Unpacked Sinowal kernel driver, here you see commands & domain name generation strings) 23

  24. Bootkit Installation 24

  25. Installation Guide 1. Backup original MBR 2. Overwrite Master Boot Record 3. Extract Files Problem: Raw sector access is required Windows XP Administrator rights Windows Vista Elevated Administrator rights But every problem has its solution … 25

  26. Raw Sector Access  Solution 1: 75% of the users have full admin privileges However, outside the enterprise and the Parental Controls case, most machines (75%) have a single account with full admin privileges. According to Ben Fathi, Windows 7 User Account Control Engineer  Solution 2: Ask the system for elevated rights at runtime using ShellExecute() or request it via a manifest If the user clicks “no” terrorize the user and ask again, e.g. start the elevated process until the user clicks “yes” 26

  27. Elevated Administrator Rights  Method 1: Application Manifest <requestedPrivileges> <requestedExecutionLevel level=“ asInvoker “ uiAccess =“true”/> </requestedPrivileges> Application manifest (can be embedded into the application as resource) /MANIFESTUAC:”level= asInvoker ” Visual Studio linker option to generate and include such a manifest Level to be “ asInvoker ”, “ highestAvailable ” or “ requireAdministrator ”  Method 2: ShellExecute() at runtime HINSTANCE ShellExecute( HWND hwnd, LPCTSTR lpOperation = “ runas ”, (…) ); 27

  28. MBR is still writable  CreateFile (“ \\.\PhysicalDrive0 ”, …)  Direct driver usage, IOCTLs  Also works with Windows Vista and Server 2008: A file system can write to a volume handle only if the following conditions are true: Condition 1 : The sectors that are being written to are boot sectors. Condition 2 : The sectors that are being written to reside outside the file system space. According to the Microsoft Knowledgebase article #92448 “Changes to the file system and to the storage stack to restrict direct disk access and direct volume access in Windows Vista and in Windows Server 2008”  63 Sectors (31.5 KB size, sectors 0-62) 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Expressing experience: Not necessarily stoned, but beautiful Chris Kennedy and Malte

Expressing experience: Not necessarily stoned, but beautiful Chris Kennedy and Malte

Expressing experience: Not necessarily stoned, but beautiful Expressing experience: Not necessarily stoned, but beautiful Chris Kennedy and Malte Willer University of Chicago University of Connecticut Annual Logic

1.1k views • 75 slides
Stoned dj vu again Peter Kleissner, Michael Eisendle Agenda Introduction to bootkits

Stoned dj vu again Peter Kleissner, Michael Eisendle Agenda Introduction to bootkits

Stoned dj vu again Peter Kleissner, Michael Eisendle Agenda Introduction to bootkits The new features Remote Surveillance Software Live Demo TPMkit Who we are Peter Kleissner: - Independent Operating System Developer - 1 year at

843 views • 23 slides
I Boot when U-Boot @bernardomr (MIA) @_evict 1 / 44 Agenda 1. Introduction 2. The target device

I Boot when U-Boot @bernardomr (MIA) @_evict 1 / 44 Agenda 1. Introduction 2. The target device

I Boot when U-Boot @bernardomr (MIA) @_evict 1 / 44 Agenda 1. Introduction 2. The target device 3. The bootkit 4. Defending / Detecting 2 / 44 Introduction Vincent Works at KPN REDteam Likes Linux and low-level stu Located in Amsterdam

792 views • 44 slides
A lynch mob, making disciples, and appointing elders Acts 14:19-23 But Jews came from Antioch

A lynch mob, making disciples, and appointing elders Acts 14:19-23 But Jews came from Antioch

A lynch mob, making disciples, and appointing elders Acts 14:19-23 But Jews came from Antioch and Iconium, and having persuaded the crowds, they stoned Paul and dragged him out of the city, supposing that he was dead. But when the disciples

610 views • 50 slides
Position-Independent Code Analysis Problem Aleksandr Matrosov Eugene Rodionov @matrosov

Position-Independent Code Analysis Problem Aleksandr Matrosov Eugene Rodionov @matrosov

Reconstructing Gapz: Position-Independent Code Analysis Problem Aleksandr Matrosov Eugene Rodionov @matrosov @vxradius Outline of The Presentation Gapz: dropper exploprer.exe code injection trick Gapz: bootkit Classification

1.2k views • 89 slides
Tapestry Workshop The University of Virginia July 15, 2009 And kinesthetic computer science

Tapestry Workshop The University of Virginia July 15, 2009 And kinesthetic computer science

Tapestry Workshop The University of Virginia July 15, 2009 And kinesthetic computer science activities Lynn Lambert Christopher Newport University Newport News, Virginia Author: Tim Bell (not pictured: Ian Witten and Mike Fellows) Tapestry

596 views • 48 slides
WHO? Sten Spans Schuberg Philis @sspans (github, etc) CUSTOMER TOPIC Going from 100 to 10000

WHO? Sten Spans Schuberg Philis @sspans (github, etc) CUSTOMER TOPIC Going from 100 to 10000

CUSTOMER WHO? Sten Spans Schuberg Philis @sspans (github, etc) CUSTOMER TOPIC Going from 100 to 10000 systems Orchestrating a Zone Not Google-scale CUSTOMER WHY? New Zone Rethink principles Automate Comments on Centos7/KVM Conceptual

594 views • 35 slides
Msica : I Wanna be Loved by You Cantora : Helen Kane

Msica : I Wanna be Loved by You Cantora : Helen Kane

Msica : I Wanna be Loved by You Cantora : Helen Kane

735 views • 47 slides
Rust In It for the Long Haul Carol (Nichols || Goulding) @carols10cents is.gd/rustLH Online

Rust In It for the Long Haul Carol (Nichols || Goulding) @carols10cents is.gd/rustLH Online

Rust In It for the Long Haul Carol (Nichols || Goulding) @carols10cents is.gd/rustLH Online Print Manning liveVideo Integer 32 Rust Core Team (yep, Im biased) Plan Railroad industry C Rust What the software

1.66k views • 140 slides
Project 1: Bootloader COS 318 Fall 2015 Project 1:

Project 1: Bootloader COS 318 Fall 2015 Project 1:

Project 1: Bootloader COS 318 Fall 2015 Project 1: Schedule Design Review - Monday, 9/28 - 10-min Ime slots from 1:30pm-6:20pm - Write funcIons

731 views • 27 slides
Secure Boot mistakes Jasper van Woudenberg (Job de Haas) jasper@riscure.com @jzvw 1 Secure

Secure Boot mistakes Jasper van Woudenberg (Job de Haas) jasper@riscure.com @jzvw 1 Secure

Top 10 Secure Boot mistakes Jasper van Woudenberg (Job de Haas) jasper@riscure.com @jzvw 1 Secure Boot Theory Internal boot ROM 1 st stage boot loader N th stage Verify signature Optional decrypt boot loader OS / Application 2

517 views • 25 slides
Verified Boot and Free Software: Reconciling Freedom and Security Paul Kocialkowski

Verified Boot and Free Software: Reconciling Freedom and Security Paul Kocialkowski

Verified Boot and Free Software: Reconciling Freedom and Security Paul Kocialkowski contact@paulk.fr Monday July 4 th 2016 Introducing Verified Boot and Related Issues Introducing Verified Boot and Related Issues Bootup Process BIOS History

947 views • 39 slides
Why open source firmware is important Jessie Frazelle - @jessfraz Points of View 1. Security

Why open source firmware is important Jessie Frazelle - @jessfraz Points of View 1. Security

Why open source firmware is important Jessie Frazelle - @jessfraz Points of View 1. Security 2. Usability 3. Visibility First Point of View: Security... Software Software Operating System Kernel Firmware Hardware Software Software

783 views • 62 slides
SE SECU CURE BO BOOT F FOR F FPGAS HE HEADS HA HARDWARE E AND EM EMBED EDDED ED DESIG

SE SECU CURE BO BOOT F FOR F FPGAS HE HEADS HA HARDWARE E AND EM EMBED EDDED ED DESIG

SE SECU CURE BO BOOT F FOR F FPGAS HE HEADS HA HARDWARE E AND EM EMBED EDDED ED DESIG IGN AND SECURIT ITY LAB Lab Director Fareena Saqib, Assistant Professor Email: fsaqib@uncc.edu Office: EPIC 2164 Phone: 704-687-8098 Wh Why

556 views • 20 slides
Fundraising and Finance November 6, 2019 CAMPAIGN FINANCE COMPLIANCE DISCLAIMER Presentation

Fundraising and Finance November 6, 2019 CAMPAIGN FINANCE COMPLIANCE DISCLAIMER Presentation

Campaign Boot Camp: Fundraising and Finance November 6, 2019 CAMPAIGN FINANCE COMPLIANCE DISCLAIMER Presentation is for educational purposes only and designed for candidates who plan to raise or spend $2,000 or more on their election

984 views • 71 slides
Experiences booting one million virtual machines (and a few tools we developed) Ron Minnich Don

Experiences booting one million virtual machines (and a few tools we developed) Ron Minnich Don

Experiences booting one million virtual machines (and a few tools we developed) Ron Minnich Don Rudish 08961 - Scalable Computing R &amp; D Eurosys 2010 Minnich, Rudish, Gentile, Armstrong, Wylie, Pedretti, Thompson Experiences booting one

692 views • 38 slides
Prak%kum The Bioinforma%cs Lab Week 1: Installing a Linux

Prak%kum The Bioinforma%cs Lab Week 1: Installing a Linux

Prak%kum The Bioinforma%cs Lab Week 1: Installing a Linux OS Stefan Seemayer Boot CD prepara%on Can boot from USB s%ck (on most

68 views • 6 slides
TrustOTP: Transforming Smartphones into Secure One-Time Password

TrustOTP: Transforming Smartphones into Secure One-Time Password

TrustOTP: Transforming Smartphones into Secure One-Time Password Tokens He Sun, Kun Sun, Yuewu Wang, and Jiwu Jing Presented by Fengwei

474 views • 26 slides
Linux Boot Camp Jenna MacCarley, Peter Pearson, Shashank Goyal 9/19/2015 Carnegie Mellon

Linux Boot Camp Jenna MacCarley, Peter Pearson, Shashank Goyal 9/19/2015 Carnegie Mellon

Carnegie Mellon Linux Boot Camp Jenna MacCarley, Peter Pearson, Shashank Goyal 9/19/2015 Carnegie Mellon Connecting SSH Windows users: PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html) Mac/Linux users: Use ssh

703 views • 27 slides
HYDRA: HYbrid Design for Remote Attestation (Using a Formally Verified Microkernel) Karim

HYDRA: HYbrid Design for Remote Attestation (Using a Formally Verified Microkernel) Karim

HYDRA: HYbrid Design for Remote Attestation (Using a Formally Verified Microkernel) Karim Eldefrawy , Norrathep Rattanavipanon, Gene Tsudik HRL Labs UC Irvine UC Irvine (Currently at SRI) July 18, 2017 karim.eldefrawy@sri.com IoT/CPS/ES 2

1.07k views • 41 slides
Redundant Booting with U-Boot Welcome to the Redundancy Theater Playhouse Thomas Rini 1 2

Redundant Booting with U-Boot Welcome to the Redundancy Theater Playhouse Thomas Rini 1 2

Redundant Booting with U-Boot Welcome to the Redundancy Theater Playhouse Thomas Rini 1 2 Overview Historically how redundancy has been developed and implemented What we have today And have had for a while What we hope to have

428 views • 10 slides
BI BIOS S an and d Se Secu cure e Bo Boot t Attacks acks Unc ncover ered ed Advanced

BI BIOS S an and d Se Secu cure e Bo Boot t Attacks acks Unc ncover ered ed Advanced

BI BIOS S an and d Se Secu cure e Bo Boot t Attacks acks Unc ncover ered ed Advanced Threat Research, Intel Security John Loucaides (presenting) In n The he Be Begi ginnin nning Was as The he Leg egacy acy BI BIOS.. S..

1.27k views • 100 slides
HOST Secure Boot I ECE 525 Secure Boot Introduction Embedded system security can be partitioned

HOST Secure Boot I ECE 525 Secure Boot Introduction Embedded system security can be partitioned

HOST Secure Boot I ECE 525 Secure Boot Introduction Embedded system security can be partitioned into two categories: Security issues associated with the design Security issues associated with the system and application data once the

1.13k views • 25 slides
Class Structure Last time: Fast Learning, Exploration/Exploitation Part 1 This Time: Fast

Class Structure Last time: Fast Learning, Exploration/Exploitation Part 1 This Time: Fast

Lecture 12: Fast Reinforcement Learning Part II 2 Emma Brunskill CS234 Reinforcement Learning. Winter 2018 2 With many slides from or derived from David Silver, Worked Examples New Lecture 12: Fast Reinforcement Learning Part II 3 Emma Brunskill

1.04k views • 70 slides

More recommend