DE MYSTERIIS DOM JOBSIVS Mac EFI Rootkits - Reverse ...

More documents

Recommendations

Info

ATTACKING THE KERNELStart of kernel image is at 0xffffff8000200000WHERE IS IT?$ otool -l /mach_kernel/mach_kernel:Load command 0cmd LC_SEGMENT_64cmdsize 472First kernel segment VM load addrsegname __TEXTvmaddr 0xffffff8000200000vmsize 0x000000000052e000gdb$ x/x 0xffffff80002000000xffffff8000200000:! 0xfeedfacfMach-O header magic number (64-bit)De Mysteriis Dom Jobsivs - Black Hat USA2012
ATTACKING THE KERNELPATCHING THE KERNEL‣ We know the kernel is at 0xffffff8000200000‣ EFI uses a flat 32-bit memory model without paging‣ In 32-bit mode its at 0x00200000‣ What do we do?‣ Inject a payload somewhere‣ Patch a kernel function and point it at the payload‣ Trampoline payload to load bigger second stage?‣ From an EFI variable‣ From previously-allocated Runtime Services memory‣ Over the networkDe Mysteriis Dom Jobsivs - Black Hat USA2012
Page 1 and 2: DE MYSTERIIS DOM JOBSIVS:MAC EFI RO
Page 3 and 4: AGENDA‣ Things I will talk aboutI
Page 5 and 6: INTRODUCTIONI WANT A COOL BOOT SCRE
Page 8 and 9: II. EFI FUNDAMENTALSDe Mysteriis Do
Page 10 and 11: EFI ARCHITECTUREPUTTING THE “SUCK
Page 12 and 13: EFI ARCHITECTURE‣ Tables - pointe
Page 14 and 15: EFI ARCHITECTURE‣ Some telling ex
Page 16 and 17: III. DOING BAD THINGS WITHEFIDe Mys
Page 18 and 19: DOING BAD THINGS WITH EFIATTACKING
Page 24 and 25: ATTACKING THE KERNEL‣ Patch the k
Page 28 and 29: ATTACKING THE KERNELPATCHING THE KE
Page 31 and 32: ATTACKING THE KERNEL‣ What’s ou
Page 33 and 34: ATTACKING THE KERNEL‣ Preparing o
Page 35 and 36: ATTACKING THE KERNELOTHER HALF-ASSE
Page 37 and 38: ‣ In ascending order of awesome
Page 39 and 40: PERSISTENCEEFI SYSTEM PARTITION‣
Page 41 and 42: PERSISTENCEPCI DEVICE EXPANSION ROM
Page 43 and 44: PERSISTENCEFIRMWARE FLASH‣ Apple
Page 46 and 47: PERSISTENCEFIRMWARE FLASH‣ Manipu
Page 48 and 49: V. EVIL MAID ATTACKSDe Mysteriis Do
Page 50 and 51: EVIL MAID ATTACKSWHAT CAN WE DO WIT
Page 52 and 53: EVIL MAID ATTACKSIT’S MY JOB TO K
Page 54 and 55: EVIL MAID ATTACKSTHUNDERBOLT TO GIG
Page 56 and 57: DEMO‣ Evil maid using USB‣ Boot
Page 58 and 59: DEMODe Mysteriis Dom Jobsivs - Blac
Page 60 and 61: IN CASE MY DEMO BROKEHERE’S SOME
Page 62 and 63: DEFENCEEFI FIRMWARE PASSWORD?‣ Ha
Page 64 and 65: DEFENCEUEFI SECURE BOOT‣ Issues
Page 66 and 67: REFERENCES‣ UEFI Spec‣ http://w

DE MYSTERIIS DOM JOBSIVS Mac EFI Rootkits - Reverse ...

Create successful ePaper yourself

Delete template?

Save as template?