Slides from ZeroNights FastTrack section. Bypassing patchguard on Windows 8.
Makes extensive use of the Zydis disassembler library for fast runtime instruction decoding. This supports more robust analysis than is possible with signature matching, which often needs changes with each new OS update.
Works passively: the driver does not load or start the Windows boot manager. Instead it acts on a load of bootmgfw. If a non-Windows OS is booted, the driver will automatically unload itself. Supports four-stage patching for when bootmgfw. Graceful recovery: in case of patch failure, the driver will display error information and prompt to continue booting or to reboot by pressing ESC.
This is true even up to the final kernel patch stage, because the last patch stage happens before ExitBootServices is called, so boot services are still available to report the failure; once ExitBootServices has been called, no boot services remain to tell the user that something went wrong. Debuggable: can output messages to a kernel debugger and to the screen (buffered) during the kernel patching stage, and to a serial port or unbuffered to the screen during the boot manager and boot loader patching stages. If the driver is compiled with PDB debug information, the debug symbols can be loaded at any point after HAL initialization by specifying the virtual DXE driver base and debugging it as you would a regular NT driver.
The loader uses the SetVariable hook method by default, because some anti-cheat and anti-virus programs do not distinguish between cheats or malware and self-signed drivers in general, and target the UPGDSED fix. Allows Secure Boot to work with Windows 7 (not a joke!). Windows 7 itself is oblivious to Secure Boot, as it does not support it, or officially even booting without CSM.
Wiki entry on how to get this to work here. Using the EFI partition has the advantage of not requiring a second boot disk, but this method is more complex to set up.
It is advised to try one of the methods below first, and read the instructions in issue 2 if you want to install EfiGuard on the EFI partition. EfiGuard requires EDK2 to build.
This will produce EfiGuardDxe. Only after this approach proved successful, with no modifications to code needed in over a year of Windows updates, did UEFI come into the picture as a way to further improve capabilities and ease of use.
The initial incarnation of EfiGuard as a bootkit was an attempt to get dude's UEFI-Bootkit to work with recent versions of Windows 10, because it had become dated and, like UPGDSED, no longer worked on the latest versions, a problem often caused by version-sensitive pattern scans.
While I did eventually get this to work, I was unsatisfied with the result, mostly due to the choice of hooking OslArchTransferToKernel, which as noted above executes in protected mode and after ExitBootServices has been called.
Apart from this, I was not satisfied with only being able to patch some versions of Windows 10; I wanted the bootkit to work on every EFI-compatible version of Windows x64 released to date.
Because of this, I rewrote the bootkit from scratch with the following aims: A big picture overview of the final EfiGuard boot flow is shown in the diagram above.
EfiGuard is licensed under the GPLv3.