eEye BootRoot is a project presented at Black Hat USA 2005 by Derek Soeder and Ryan Permeh of eEye Digital Security. The goal was to explore *and implement* technology that custom boot sector code could use to subvert the Windows NT-family kernel as it loads. To our knowledge, such technology had not previously been publicly demonstrated.

eEye BootRootKit is a manifestation of this technology -- a removable-media boot sector that situates itself to regain execution later, as Windows is loading, and then seamlessly continues the boot sequence from hard drive 0. The basic concept employed is to hook INT 13h and "virtually patch" the Windows OS loader as it's read from disk, then leverage this patch to hook into NDIS.SYS after it has been loaded into memory and validated.

The hook function's purpose is simple: scan all incoming Ethernet frames for a signature in a specific location, and execute code (with kernel privileges) from any matching frame. The RSoD2 demo gives a very simple display of this capability, by patching NTOSKRNL.EXE in memory and causing a "red screen of death" kernel crash. Try sending the packet to a closed UDP port on a firewalled machine running BootRootKit, or use the broadcast address!
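The defensive point in the two paragraphs above is that nothing on hard drive 0 is modified: the OS loader and NDIS.SYS are altered only in memory, after they have been read through the INT 13h hook. A file-hash check of the disk therefore passes, while a measurement of the code that actually executes (the boot-stage hash chain that a TPM-backed measured boot records) does not. The following Python simulation is an added example, not eEye's code and not part of the Black Hat material; the stage images are constructed byte strings, and `extend`, `measure_boot`, `attest` and the simplified PCR model are assumptions made for illustration.

```python
import hashlib

# Constructed stand-in images for the boot stages of hard drive 0 (not real boot code).
DISK_IMAGES = {
    "hd0_boot_sector": b"constructed HD0 boot sector image",
    "os_loader":       b"constructed Windows OS loader image",
    "ndis.sys":        b"constructed NDIS.SYS image",
}
NORMAL_BOOT_ORDER = ["hd0_boot_sector", "os_loader", "ndis.sys"]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, image: bytes) -> bytes:
    """Simplified TPM-style PCR extend: new = H(old || H(image)).

    The value depends on every stage measured so far and on their order,
    so an inserted stage or an altered image changes the final result."""
    return sha256(pcr + sha256(image))


def measure_boot(loaded_images):
    """Measure each stage's bytes as they are actually handed to the CPU, in execution order."""
    pcr = bytes(32)
    for image in loaded_images:
        pcr = extend(pcr, image)
    return pcr


def clean_boot():
    """The stages a normal HD0 boot loads, byte-identical to what is on disk."""
    return [DISK_IMAGES[name] for name in NORMAL_BOOT_ORDER]


def bootroot_style_boot(disk_images):
    """Simulation (assumed model) of the boot described on the page: a removable-media
    sector runs first, the OS loader is patched in memory as it is read through the
    INT 13h hook, and that patch in turn hooks NDIS.SYS after it loads. Nothing on the
    hard drive is modified."""
    removable_sector = b"constructed removable-media boot sector"
    patched_loader = disk_images["os_loader"] + b" [in-memory patch]"
    patched_ndis = disk_images["ndis.sys"] + b" [in-memory hook]"
    return [removable_sector, disk_images["hd0_boot_sector"], patched_loader, patched_ndis]


def disk_hash_check(disk_images, baseline):
    """File-integrity style check on the on-disk images; returns the names that differ."""
    return sorted(name for name, digest in baseline.items()
                  if sha256(disk_images[name]) != digest)


DISK_BASELINE = {name: sha256(image) for name, image in DISK_IMAGES.items()}
KNOWN_GOOD_PCR = measure_boot(clean_boot())


def attest(loaded_images) -> bool:
    """True only if the measured boot chain equals the known-good value."""
    return measure_boot(loaded_images) == KNOWN_GOOD_PCR


if __name__ == "__main__":
    print("clean boot attests:", attest(clean_boot()))
    print("disk hashes after BootRoot-style boot:",
          disk_hash_check(DISK_IMAGES, DISK_BASELINE) or "all match")
    print("BootRoot-style boot attests:", attest(bootroot_style_boot(DISK_IMAGES)))
```

Running the script prints that the clean boot attests, that every on-disk hash still matches after the simulated BootRoot-style boot, and that the measured chain of that boot does not attest. The measurement catches it for two independent reasons: the removable-media sector is an extra stage measured before it runs, and the loader and NDIS.SYS bytes that reach memory differ from the baseline images. The model assumes the measuring component runs before the first boot sector and cannot itself be hooked; that assumption is what a hardware root of trust provides and what a pure file-hash check lacks.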
Links

1. Homepage - http://www.eeye.com/html/resources/d...her/index.html
2. Download - http://www.eeye.com/html/resources/d...yebootroot.zip

Here's a screenshot of the RSOD