September 22nd, 2005, 04:01 AM
eEye BootRoot is a project presented at Black Hat USA 2005 by Derek Soeder and Ryan Permeh of eEye Digital Security. The goal was to explore *and* *implement* technology that custom boot sector code could use to subvert the Windows NT-family kernel as it loads. To our knowledge, such technology had not previously been publicly demonstrated.
eEye BootRootKit is a manifestation of this technology -- a removable-media boot sector that situates itself to regain execution later, as Windows is loading, and then seamlessly continues the boot sequence from hard drive 0. The basic concept employed is to hook INT 13h and "virtually patch" the Windows OS loader as it's read from disk, then leverage this patch to hook into NDIS.SYS after it has been loaded into memory and validated.
The hook function's purpose is simple: scan all incoming Ethernet frames for a signature in a specific location, and execute code (with kernel privileges) from any matching frame. The RSoD2 demo gives a very simple display of this capability, by patching NTOSKRNL.EXE in memory and causing a "red screen of death" kernel crash. Try sending the packet to a closed UDP port on a firewalled machine running BootRootKit, or use the broadcast address!
1. Homepage - http://www.eeye.com/html/resources/d...her/index.html
2. Download - http://www.eeye.com/html/resources/d...yebootroot.zip
Here's a screenshot of the RSOD
September 23rd, 2005, 03:33 AM
Interesting.....I was wondering when the root kit would be able to take one step further along the evolutionary ladder
September 23rd, 2005, 02:54 PM
Combine that with FuzenOps custom page fault handlers for cloaking memory and you got a doozy.
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
September 23rd, 2005, 04:23 PM