DE MYSTERIIS DOM JOBSIVS Mac EFI Rootkits - Reverse ...

More documents

Recommendations

Info

<strong>DE</strong>MO‣ Evil maid using USB‣ Boot from USB flash drive‣ Shim.efi loads malicious driver‣ Driver registers for ExitBootServices()‣ Shim.efi finds real bootloader via NVRAM‣ Executes bootloader‣ Driver gets called back by ExitBootServices() and patchesthe kernelDe Mysteriis Dom Jobsivs - Black Hat USA2012
<strong>DE</strong>MO‣ Evil maid using Thunderbolt‣ Connect Apple Thunderbolt to Gigabit Ethernet Adapter‣ Boot machine‣ Driver is loaded from adapter‣ ... same as beforeDe Mysteriis Dom Jobsivs - Black Hat USA2012
Page 1 and 2:
DE MYSTERIIS DOM JOBSIVS:MAC EFI RO
Page 3 and 4:
AGENDA‣ Things I will talk aboutI
Page 5 and 6: INTRODUCTIONI WANT A COOL BOOT SCRE
Page 8 and 9: II. EFI FUNDAMENTALSDe Mysteriis Do
Page 10 and 11: EFI ARCHITECTUREPUTTING THE “SUCK
Page 12 and 13: EFI ARCHITECTURE‣ Tables - pointe
Page 14 and 15: EFI ARCHITECTURE‣ Some telling ex
Page 16 and 17: III. DOING BAD THINGS WITHEFIDe Mys
Page 18 and 19: DOING BAD THINGS WITH EFIATTACKING
Page 24 and 25: ATTACKING THE KERNEL‣ Patch the k
Page 26 and 27: ATTACKING THE KERNELStart of kernel
Page 28 and 29: ATTACKING THE KERNELPATCHING THE KE
Page 31 and 32: ATTACKING THE KERNEL‣ What’s ou
Page 33 and 34: ATTACKING THE KERNEL‣ Preparing o
Page 35 and 36: ATTACKING THE KERNELOTHER HALF-ASSE
Page 37 and 38: ‣ In ascending order of awesome
Page 39 and 40: PERSISTENCEEFI SYSTEM PARTITION‣
Page 41 and 42: PERSISTENCEPCI DEVICE EXPANSION ROM
Page 43 and 44: PERSISTENCEFIRMWARE FLASH‣ Apple
Page 46 and 47: PERSISTENCEFIRMWARE FLASH‣ Manipu
Page 48 and 49: V. EVIL MAID ATTACKSDe Mysteriis Do
Page 50 and 51: EVIL MAID ATTACKSWHAT CAN WE DO WIT
Page 52 and 53: EVIL MAID ATTACKSIT’S MY JOB TO K
Page 54 and 55: EVIL MAID ATTACKSTHUNDERBOLT TO GIG
Page 58 and 59: DEMODe Mysteriis Dom Jobsivs - Blac
Page 60 and 61: IN CASE MY DEMO BROKEHERE’S SOME
Page 62 and 63: DEFENCEEFI FIRMWARE PASSWORD?‣ Ha
Page 64 and 65: DEFENCEUEFI SECURE BOOT‣ Issues
Page 66 and 67: REFERENCES‣ UEFI Spec‣ http://w
show all

DE MYSTERIIS DOM JOBSIVS Mac EFI Rootkits - Reverse ...

Create successful ePaper yourself

Delete template?

Save as template?