Blog
Uncategorized
2

MalwareTech SBK – A Bootkit Capable of Surviving Reformat

Since i got into firmware hacking, I’ve been working on a little project behind the scenes: A hard disk firmware based rootkit which allows malware to survive an operating system re-install or full disk format. Unfortunately I can’t post a proof of concept for many reasons (people have even contacted …

Read More
Uncategorized
14

Hard Disk Firmware Hacking (Final)

Core 2, I choose you. Less than 5 minutes after posting the last article, i discovered the final piece of my puzzle: a second CPU core. I was looking through my OpenOCD configuration when I realized it had a single tap definition hardcoded, so i decided to comment it out …

Read More
Uncategorized

Hard Disk Firmware Hacking (Part 5)

“Discovery requires experimentation” This weekend I made a pretty big breakthrough which lead to me making a few smaller breakthroughs and ultimately negating most of my previous research. I’ve also learned that “not reinventing the wheel” isn’t always the best option, especially when it comes to trusting other people’s research. …

Read More
Uncategorized
7

Hard Disk Firmware Hacking (Part 4)

It seems that the bootstrap code is just scattered around various memory addresses and there’s no simple way to dump all of it, so i decided to just dump a chunk of memory from 0x00000000 and look for any reference to addresses outside of that chunk (allowing me to build …

Read More
Uncategorized
1

Hard Disk Firmware Hacking (Part 3)

Before we get started with part 3, I have a few updates regarding part 1 & 2. I’ve found that the reset pad on the JTAG header is not actually a system reset (SRST) but a TAP reset (TRST), which isn’t very useful for debugging. Here is the updated layout …

Read More
Uncategorized
1

Hard Disk Firmware Hacking (Part 1)

I’ve not been doing much in the windows malware world for a while now, because quite frankly I’ve run out of ideas and I’m totally bored. Recently I decided to take the jump into electronics / hardware hacking and people have suggested I post some of that here. A couple …

Read More
Uncategorized

Hard Disk Firmware Hacking (Part 2)

Now that everything is ready to be connected, power up the hard drive an run openocd with the following command: openocd -f interface/<your interface here>.cfg -f target/test.cfg test.cfg should be the configuration for the CPU used by your hard disk controller, for most marvell CPUs this config should work. I’m …

Read More
Uncategorized
2

Intercepting all System Calls by Hooking KiFastSystemCall

Usually I don’t post things like this, but because KiFastSystemCall hooking only works on x86 systems and doesn’t work on Windows 8 or above, it no longer has much use in malware. There are also multiple public implementations for this method, just not very elegant, which I hope to correct. …

Read More
Uncategorized
6

Code Mutation (Polymorphism)

Before we start it’s probably best to explain some things: Signature – A pattern of bytes used by an antivirus to identify malicious executables, this could be a string, parts of a function, or a hash. Crypting – This is the most common way of evading antivirus detections, it works …

Read More
Uncategorized
4

Bootkit Disk Forensics – Part 3

Getting Original Pointers XP is a little more complicated than newer systems due to the use of a single driver for both port and miniport; however, getting the original pointers is fairly straight forward depending on how you do it. IRP_MJ_SCSI & DriverStartIo – Method 1 (Windows XP) A common …

Read More