DE MYSTERIIS DOM JOBSIVS Mac EFI Rootkits - Reverse ...

More documents

Recommendations

Info

‣ Hardware-specific, but it’s always therePERSISTENCE‣ Can modify everything‣ SEC, PEI, DXE, BDS, custom drivers, whatever‣ Can be written to from the OS‣ flashrom‣ So awesome. 11/10 A++++ would buy again.FIRMWARE FLASHDe Mysteriis Dom Jobsivs - Black Hat USA2012
PERSISTENCEFIRMWARE FLASH‣ Apple’s firmware updates‣ Firmware updates are copied to ESP‣ Written to flash on reboot‣ Older machines use EFI Firmware Volumes (.fd files)‣ Volume is blessed with EfiUpdaterApp.efi‣ Writes to flash via SPI from EFI environment‣ Newer machines use EFI Capsules (.scap files)‣ EFI capsule mailbox stuff? (see the spec)De Mysteriis Dom Jobsivs - Black Hat USA2012
Page 1 and 2: DE MYSTERIIS DOM JOBSIVS:MAC EFI RO
Page 3 and 4: AGENDA‣ Things I will talk aboutI
Page 5 and 6: INTRODUCTIONI WANT A COOL BOOT SCRE
Page 8 and 9: II. EFI FUNDAMENTALSDe Mysteriis Do
Page 10 and 11: EFI ARCHITECTUREPUTTING THE “SUCK
Page 12 and 13: EFI ARCHITECTURE‣ Tables - pointe
Page 14 and 15: EFI ARCHITECTURE‣ Some telling ex
Page 16 and 17: III. DOING BAD THINGS WITHEFIDe Mys
Page 18 and 19: DOING BAD THINGS WITH EFIATTACKING
Page 24 and 25: ATTACKING THE KERNEL‣ Patch the k
Page 26 and 27: ATTACKING THE KERNELStart of kernel
Page 28 and 29: ATTACKING THE KERNELPATCHING THE KE
Page 31 and 32: ATTACKING THE KERNEL‣ What’s ou
Page 33 and 34: ATTACKING THE KERNEL‣ Preparing o
Page 35 and 36: ATTACKING THE KERNELOTHER HALF-ASSE
Page 37 and 38: ‣ In ascending order of awesome
Page 39 and 40: PERSISTENCEEFI SYSTEM PARTITION‣
Page 41: PERSISTENCEPCI DEVICE EXPANSION ROM
Page 46 and 47: PERSISTENCEFIRMWARE FLASH‣ Manipu
Page 48 and 49: V. EVIL MAID ATTACKSDe Mysteriis Do
Page 50 and 51: EVIL MAID ATTACKSWHAT CAN WE DO WIT
Page 52 and 53: EVIL MAID ATTACKSIT’S MY JOB TO K
Page 54 and 55: EVIL MAID ATTACKSTHUNDERBOLT TO GIG
Page 56 and 57: DEMO‣ Evil maid using USB‣ Boot
Page 58 and 59: DEMODe Mysteriis Dom Jobsivs - Blac
Page 60 and 61: IN CASE MY DEMO BROKEHERE’S SOME
Page 62 and 63: DEFENCEEFI FIRMWARE PASSWORD?‣ Ha
Page 64 and 65: DEFENCEUEFI SECURE BOOT‣ Issues
Page 66 and 67: REFERENCES‣ UEFI Spec‣ http://w

DE MYSTERIIS DOM JOBSIVS Mac EFI Rootkits - Reverse ...

Create successful ePaper yourself

Delete template?

Save as template?