Bootkit revisited presented at SSTIC 2014

by Samuel Chevet

Summary: The first proof-of-concept bootkit was presented at BlackHat 2005 by Derek Soeder. It was a simple Master Boot Record (MBR) infector used to authenticate to a machine without knowing the password. In 2007, malware authors decided to use this technique on Windows x64 platforms to bypass the driver signature enforcement mechanism. Since 2005 several projects have emerged, but the techniques used to reproduce this kind of attack have remained the same: placing hooks and using byte signatures to patch the binary in memory. This article describes a new technique that is not based on the older, known projects. The technique presented allows us to control the boot process of every version of Windows, with or without a disk encryption system, because we make no change to the startup code in memory. It should be noted that this solution does not work with Secure Boot or an equivalent mechanism. The techniques described in this article rely on features offered by the processor, namely v8086 mode, hardware breakpoints, and the privilege isolation technique that VMware used for virtualization in the 2000s. The interest of this technique is that no memory signature and no hook is necessary. We provide an example in the form of a bootable ISO image on a USB key that loads any unsigned driver.