DE MYSTERIIS DOM JOBSIVS Mac EFI Rootkits - Reverse ...

More documents

Recommendations

Info

DOING BAD THINGS WITH <strong>EFI</strong>ATTACKING WHOLE-DISK ENCRYPTION‣ Boot process with FileVault‣ Platform firmware inits‣ Loads bootloader from “recovery” partition‣ Bootloader prompts user for passphrase‣ Uses passphrase to unlock disk‣ Execute kernelDe Mysteriis Dom Jobsivs - Black Hat USA2012
DOING BAD THINGS WITH <strong>EFI</strong>ATTACKING WHOLE-DISK ENCRYPTION‣ Stealing the user’s passphrase‣ Keystroke logger!‣ Hook the Simple Text Input protocol‣ Specifically, the instance installed by the bootloader‣ Replace pointer to ReadKeyStroke() with our function‣ Every time a key is pressed, we get called‣ Record keystroke, call real ReadKeyStroke()De Mysteriis Dom Jobsivs - Black Hat USA2012
Page 1 and 2: DE MYSTERIIS DOM JOBSIVS:MAC EFI RO
Page 3 and 4: AGENDA‣ Things I will talk aboutI
Page 5 and 6: INTRODUCTIONI WANT A COOL BOOT SCRE
Page 8 and 9: II. EFI FUNDAMENTALSDe Mysteriis Do
Page 10 and 11: EFI ARCHITECTUREPUTTING THE “SUCK
Page 12 and 13: EFI ARCHITECTURE‣ Tables - pointe
Page 14 and 15: EFI ARCHITECTURE‣ Some telling ex
Page 16 and 17: III. DOING BAD THINGS WITHEFIDe Mys
Page 18 and 19: DOING BAD THINGS WITH EFIATTACKING
Page 22 and 23: DOING BAD THINGS WITH EFIATTACKING
Page 24 and 25: ATTACKING THE KERNEL‣ Patch the k
Page 26 and 27: ATTACKING THE KERNELStart of kernel
Page 28 and 29: ATTACKING THE KERNELPATCHING THE KE
Page 31 and 32: ATTACKING THE KERNEL‣ What’s ou
Page 33 and 34: ATTACKING THE KERNEL‣ Preparing o
Page 35 and 36: ATTACKING THE KERNELOTHER HALF-ASSE
Page 37 and 38: ‣ In ascending order of awesome
Page 39 and 40: PERSISTENCEEFI SYSTEM PARTITION‣
Page 41 and 42: PERSISTENCEPCI DEVICE EXPANSION ROM
Page 43 and 44: PERSISTENCEFIRMWARE FLASH‣ Apple
Page 46 and 47: PERSISTENCEFIRMWARE FLASH‣ Manipu
Page 48 and 49: V. EVIL MAID ATTACKSDe Mysteriis Do
Page 50 and 51: EVIL MAID ATTACKSWHAT CAN WE DO WIT
Page 52 and 53: EVIL MAID ATTACKSIT’S MY JOB TO K
Page 54 and 55: EVIL MAID ATTACKSTHUNDERBOLT TO GIG
Page 56 and 57: DEMO‣ Evil maid using USB‣ Boot
Page 58 and 59: DEMODe Mysteriis Dom Jobsivs - Blac
Page 60 and 61: IN CASE MY DEMO BROKEHERE’S SOME
Page 62 and 63: DEFENCEEFI FIRMWARE PASSWORD?‣ Ha
Page 64 and 65: DEFENCEUEFI SECURE BOOT‣ Issues
Page 66 and 67: REFERENCES‣ UEFI Spec‣ http://w

DE MYSTERIIS DOM JOBSIVS Mac EFI Rootkits - Reverse ...

Create successful ePaper yourself

Delete template?

Save as template?