Evil Core Bootkit - Pwning Multiprocessor Systems

Wolfgang Ettlinger
Stefan Viehböck

Type of lecture: lecture
Language: EN
Held on 2011-06-18 16:30:00 (length: 50 min)
Location: Area 1

Unlike conventional bootkits, our approach initializes a secondary CPU core which runs our code and has read/write access to physical memory while the operating system boots on the first core. No interrupt hooking is needed to manipulate code. To prevent the operating system from finding or using any application processor (secondary core), the 'Evil Core' controls the boot process by modifying code and data used by the operating system (e.g. bootmgr.exe, winload.exe). After the operating system has booted, the 'Evil Core' still has access to physical memory. By finding binary patterns or strings and replacing them, the secondary core can insert new code into kernel- and user-space applications.
Our proof of concept supports Windows XP as well as Windows 7 (64 bit). It allows bypassing user authentication and opening a SYSTEM shell. Moreover, on Windows 7 it allows evading Kernel Patch Protection (KPP, PatchGuard) and disabling Code Integrity (CI) protection.
It is possible to interact with the 'Evil Core' (through memory) using a Windows application. With this application it is also possible to print the TrueCrypt pre-boot authentication password recorded during the boot process.
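A defender's check suggested by the approach above, added here as an example and not part of the talk or its proof of concept: the number of processors the OS actually uses can be compared with the processor entries firmware publishes in the ACPI MADT ('APIC' table); a shortfall is one indicator that application processors were withheld from the OS at boot. The function names, the `/sys` path and the sample table are assumptions constructed for this example.

```python
import struct, sys

MADT_HDR = 36   # ACPI SDT header; 4-byte local APIC address + 4-byte flags follow

def count_firmware_cpus(madt: bytes) -> int:
    """Count Local APIC (type 0) and Local x2APIC (type 9) entries whose Enabled bit is set."""
    if len(madt) < MADT_HDR + 8 or madt[:4] != b"APIC":
        raise ValueError("not a MADT")
    end = min(struct.unpack_from("<I", madt, 4)[0], len(madt))
    off, n = MADT_HDR + 8, 0
    while off + 2 <= end:
        etype, elen = madt[off], madt[off + 1]
        if elen < 2 or off + elen > end:   # fail loudly rather than under-count
            raise ValueError("malformed MADT entry at offset %d" % off)
        if etype == 0 and elen >= 8:       # uid(1) apic_id(1) flags(4); bit 0 = Enabled
            n += struct.unpack_from("<I", madt, off + 4)[0] & 1
        elif etype == 9 and elen >= 16:    # rsvd(2) x2apic_id(4) flags(4) uid(4)
            n += struct.unpack_from("<I", madt, off + 8)[0] & 1
        off += elen
    return n

def read_madt() -> bytes:
    """Fetch the MADT the running OS exposes (Windows: GetSystemFirmwareTable)."""
    if sys.platform == "win32":
        import ctypes
        k32 = ctypes.windll.kernel32
        prov = int.from_bytes(b"ACPI", "big")    # 'ACPI' multi-char constant
        tid = int.from_bytes(b"APIC", "little")  # table signature as a DWORD
        size = k32.GetSystemFirmwareTable(prov, tid, None, 0)
        buf = ctypes.create_string_buffer(size)
        k32.GetSystemFirmwareTable(prov, tid, buf, size)
        return buf.raw
    with open("/sys/firmware/acpi/tables/APIC", "rb") as f:  # Linux sysfs (assumed path)
        return f.read()

def assess(firmware_cpus: int, os_cpus: int) -> str:
    """A shortfall is a triage lead, not proof: BCD numproc/onecpu limits also hide CPUs."""
    if os_cpus < firmware_cpus:
        return "MISMATCH: firmware enables %d, OS uses %d" % (firmware_cpus, os_cpus)
    return "ok: OS uses all %d firmware-enabled processors" % firmware_cpus

def build_sample_madt() -> bytes:
    """Constructed test table (not from a real machine): 3 enabled + 1 disabled Local APIC, 1 enabled x2APIC."""
    ents = b"".join(struct.pack("<BBBBI", 0, 8, u, 2 * u, f)
                    for u, f in [(0, 1), (1, 1), (2, 1), (3, 0)])
    ents += struct.pack("<BBHIII", 9, 16, 0, 0x100, 1, 4)
    body = struct.pack("<II", 0xFEE00000, 1) + ents
    hdr = b"APIC" + struct.pack("<IBB6s8sI4sI", MADT_HDR + len(body), 3, 0,
                                b"TEST  ", b"CONSTRUC", 1, b"EDIT", 1)
    return hdr + body   # checksum byte left 0; the parser does not validate it
```

On a live system, `assess(count_firmware_cpus(read_madt()), os.cpu_count())` runs the comparison; because legitimate boot options that cap the processor count trigger it too, a mismatch is a reason to verify the boot configuration and boot-chain integrity rather than proof of compromise.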

Wolfgang Ettlinger and Stefan Viehböck are students at the University of Applied Sciences Hagenberg - Secure Information Systems.

Attached files: All slides in pdf format, plus the demo