Huh, never really thought I'd get this far.
As mentioned before, the talk will be recorded so you can watch me flop live or online on November 16 @ 7:30 pm UTC called "The Complete Idiots Guide To UEFI Bootkits"
Since secrets are boring here's how it works:
Change protections, write changes, restore protections, fork the parent, kill the child. The parent will set the shared status back to normal, but "Shared original" for regions that aren't written to will stand out.
Blame forking not me
In reality, you can still inject unsigned code into a process (doesn't matter what) and also not have to perform any memory obfuscation/stack spoofing, without having to "touch the disk" as a lot of people put it.
I consider my experiment a success.
Or, building the chain differently: Here's another PoC. I call it GrimReaper. I originally planned more, but truthfully became bored as I wish to move on to other things.
Uses special/normal APCs to build and queue properly without NtContinue.
Finally got Cr4sh's project working for DMA using a Spartan-6 board I picked up off eBay for a hundred bucks. Gonna tie it into the UEFI experiments I've been working on.
"Ghost": A poorly designed client/server architecture example. I will not support it. The user interface example is shown below. There's a race condition or two, lel.
Milestone 2 complete: Basic prototype capable of dispatching requests/responses and handling input via a Packer/Parser format.
Finalizing it, then working on the rootkit portion again, this time.
I call it Great Value ® Cobalt Strike. Don't sue me.
After several hours of screaming into the void I finally achieved my dreams and got it to work on a cold boot.
I think I've had enough for the rest of the year; this is mentally fucking exhausting.
You can set up a piece of shellcode to more or less run outside of a CFG page using a simple jump. It's an initial step; fixing up a proper 'ROP' chain to be sufficient and capturing the return values I'll leave to the reader, not too difficult.
Love elastic's work, one of the best.
Success against an ASUS Z590-A Prime AMI-based firmware. There is a race condition between when the bug is exploitable and when it is not; with the SP605 Rev E I can win the race successfully by doing a full cold boot, and the first attempt tends to succeed.
Test: Locked at a UEFI setup screen prior to OS start to disable VBS/HVCI/SL with IOMMU + ASUS's "Pre-Boot IOMMU". Host configured with BitLocker and TPM 2.0 once it boots: no issues, and the OS boots without the protections except Kernel DMA until I wipe the DMAR flags. SP605 Rev E WIP.
Furthermore, it builds its call frames to match those of a normal return for the ROPs themselves. If you want to manipulate your primary thread stack, well, have fun with NT_TIB. You can achieve this by using context manipulation + manipulating NT_TIB as shown in:
@artem_i_baranov
The BlackLotus sources aren't the actual BlackLotus code. It's a ripped piece of source from my GitHub thrown together with a random other piece of code, non-functioning.
@Octoberfest73
I'll keep that in mind. I used to but found few people read it.
Nonetheless, I will keep that in mind and see about that if I choose to continue this work.
@shubakki
Well done. I'll be happy to answer my design notes of why I chose some of the stuff mentioned in your post if you'd like
Unrelated, I'll provide you an easy win to make your chain somewhat simpler to build:
Works! Developing the individual teamserver messages that are broadcast (info, good, error) and cleaning up the client connect/disconnect code before reworking the listener/agent/agent display.
With his project(s) as a reference, even a cursory understanding should be sufficient to construct a Hyper-V compatible bootkit that can successfully transition into the 'guest' if Hyper-V is compatible, and verify it's enabled if not / perform the normal hooking process.
@C5pider
Was messing with this a few weeks ago. I personally had issues with constexpr, switched to GNU C++23 and was able to get guaranteed string to array & hashes. Not sure of your results.
@GabrielLandau
Honestly, I don't see the attack surface going away lol. The number of machines I can break IOMMU on with a small race (a lot of firmware I've encountered hilariously initialized PCIe prior to initializing IOMMU) to get DMA is still quite extensive and likely will never change.
@modexpblog
@kyleavery_
@mrgretzky
I leveraged this fact for SMB pipes to obfuscate during R/W & connect operations. Works great on arbitrary "objects".
Not much progress. I spent way too long fucking around with Qt Designer, hated the way it exported, so built it by hand. Got input validation working as well (grey out the generation until all input is validated).
On today's episode of "I'm fucked": will this laptop crash or reach full CPU usage with 65+ agents with no delay spraying the ever-living fuck out of an asyncio ICMP listener infinitely in a loop? Since I'm still tweeting, I'd say it's doing well?