eEye BootRoot
Results 1 to 4 of 4

Thread: eEye BootRoot

  1. #1
    Senior Member
    Join Date
    Jun 2003
    Posts
    188

    eEye BootRoot

    eEye BootRoot is a project presented at Black Hat USA 2005 by Derek Soeder and Ryan Permeh of eEye Digital Security. The goal was to explore *and* *implement* technology that custom boot sector code could use to subvert the Windows NT-family kernel as it loads. To our knowledge, such technology had not previously been publicly demonstrated.

    eEye BootRootKit is a manifestation of this technology -- a removable-media boot sector that situates itself to regain execution later, as Windows is loading, and then seamlessly continues the boot sequence from hard drive 0. The basic concept employed is to hook INT 13h and "virtually patch" the Windows OS loader as it's read from disk, then leverage this patch to hook into NDIS.SYS after it has been loaded into memory and validated.

    The hook function's purpose is simple: scan all incoming Ethernet frames for a signature in a specific location, and execute code (with kernel privileges) from any matching frame. The RSoD2 demo gives a very simple display of this capability, by patching NTOSKRNL.EXE in memory and causing a "red screen of death" kernel crash. Try sending the packet to a closed UDP port on a firewalled machine running BootRootKit, or use the broadcast address!
    Links

    1. Homepage - http://www.eeye.com/html/resources/d...her/index.html
    2. Download - http://www.eeye.com/html/resources/d...yebootroot.zip

    Here's a screenshot of the RSOD

  2. #2
    Interesting.....I was wondering when the root kit would be able to take one step further along the evolutionary ladder

  3. #3
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Combine that with FuzenOps custom page fault handlers for cloaking memory and you got a doozy.


    -Maestr0
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  4. #4
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,053
    :::Shivers:::

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •