1 / 26

MBR rootkit

MBR rootkit. 노용환 FSK security Co.,Ltd . somma@fsksec.co.kr. MBR rootkit ? Bootkit ?.

keziah
Download Presentation

MBR rootkit

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. MBR rootkit 노용환 FSK security Co.,Ltd. somma@fsksec.co.kr

  2. MBR rootkit ? Bootkit ?

  3. A bootkit is a rootkit that is able to load from a master boot record and persist in memory all the way through the transition to protected mode and the startup of the OS. It's a very interesting type of rootkit. Robert Hensing about bootkits 1987 Stoned, first master boot record (bootkit) virus 1990 Form, common boot sector virus in the early 1990s August 1, 2005 eEyepublishes BootRoot & SysRQ2, presented at BH USA 2005 March 29, 2007 Vbootkitwas presented at Black Hat Europe 2007 October 30,2007 Mebrootbootkit appears in the wild November 2008 Hibernation File Attack was developed, attacking Windows files April 2009 Mebrootis updated to work with Windows Vista (non-public info) May 2009 Kon-Boot is released, a tool to bypass Windows logon March 4, 2009 Vbootkit2.0 attacks Windows 7 64-bit and goes open source - The Rise of MBR Rootkits & Bootkits in the Wild by Peter Kleissner

  4. Bootstrapping

  5. 전원 ON MainBoard::POST (Power On Self Test) 각장치들에 전원공급은 문제 없나? 메모리는 정상적으로 붙어있는가? 메인보드에 연결된 장치들을 초기화 바이오스(BIOS) 호출 MainBoard::장치 초기화 BIOS::MBR 로딩 설정된 부팅장치(hdd, floppy, cdrom, etc.) 에서 MBR (Master Boot Record) 를 검색 MBR 을 찾지 못하면 에러처리 메모리의 0x7c00 주소에 찾은 MBR 512 byte 를 로드하고 실행 MBR (Master Boot Record) 16 비트 리얼모드 코드와 디스크의 파티션 정보 512 byte 511, 512 바이트에는 0x55, 0xAA 의 시그너쳐

  6. http://tinyurl.com/4akp4fu

  7. 초 간단 부트로더 제작

  8. ORG 0 BITS 16 CPU 486 jmp 0x07c0:bootsector_entry welcome db 'welcome to CODEGATE 2011 training course!!',13,10,0 bootsector_entry: mov ax, 0x07c0 mov ds, ax ; clear screen mov ax, 0x0003 int 0x10 ; write message movsi, welcome write_msg: lodsb ; load byte at ds:si into al or al,al ; test if character is 0 (end) jzdone mov ah,0eh ; put character mov bx,0007 ; attribute int 0x10 ; call BIOS jmpwrite_msg done: nop hlt ; hmm... what's next ??? times 510-($-$$) db 0 dw 0AA55h ; MBR signature

  9. 다좋습니다 :-) 그런데 내 윈도우는 언제 부팅되나요?

  10. 0x7c00 영역에 Windows 의 MBR 이 로드 되어야 부팅이 되는데… 0x7c00 에는 우리의 부트로더가 위치해 있다!!! 사용 가능한 영역에 실행할 코드를 로드하고, 0x7C00 영역에 원래의 MBR 코드를 로드 하고 제어권을 넘기면?

  11. Boot stage #2 Boot stage #1 Original MBR 0x7C00 Boot stage #1 - BIO 가 0x7C00 에 로드하고 제어권이 넘어온 상태 - boot stage #2 를 사용가능한 메모리영역에 로드하고 제어권 이동 Boot stage #2 - HDD 에서 MBR 영역을 읽어서 0x7C00 에 로드 (마치 BIOS 처럼) - Original MBR 로 제어권 이동 Original MBR - 정상 부팅 !!

  12. Windows boot process

  13. By Stoned Bootkit by Peter Kleissner at Black Hat USA 2009 presentation

  14. Bootkit technique

  15. Bootkit 코드를 - 어떻게 안전하게 메모리에 상주시킬 것인가 ? - 만일 OS 가 메모리를 덮어쓰지는 않을까?

  16. BIOS 인터럽트 후킹 - 별로 특별할 것도 없다!!!!

  17. Runtime code generating…?? - 실행시점에 덮어쓸 주소를 계산해서 동적으로 후킹

  18. BIOS Make our rootkit Resident INT 12h trick Install BIOS interrupt hook Patch ntldr (16 bit real mode) Patch NT Kernel (32 bit protected mode)

  19. Implement how to… 빌드 환경 설정 및 이미지 생성 부트 섹터 / 부트 로더 코드 리뷰 실행 환경 설정 디버깅 환경 설정

  20. Attack windows logon

  21. http://tinyurl.com/4gbc6p2

  22. 1: kd> u msv1_0!MsvpPasswordValidate L3 msv1_0!MsvpPasswordValidate: 77f197d3 8bff movedi,edi 77f197d5 55 push ebp 77f197d6 8bec movebp,esp 1: kd> eb msv1_0!MsvpPasswordValidate b0 01 c2 0c 00 1: kd> u msv1_0!MsvpPasswordValidate L3 msv1_0!MsvpPasswordValidate: 77f197d3 b001 mov al,1 77f197d5 c20c00 ret 0Ch 77f197d8 83ec50 sub esp,50h Bypassing your testbox's login password by bugcheck(2006) at rootkit.com

  23. Q & A 감사합니다.

More Related