Jump to content
Nytro

BIOS Disassembly Ninjutsu Uncovered

By Nytro, in Tutoriale in engleza

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

BIOS Disassembly Ninjutsu Uncovered

Preface ________________________ 1
The Audience ___________________________ 2
The Organization 3
Software Tools Compatibility 4
Typographical Conventions 4
PART I: THE BASICS __________________________________________________ 5
Chapter 1: PC BIOS Technology ______________ 7
Preview ____________________________ 7
1.1. Motherboard 8105 _____________________ ,8
1.2. Expansion ROM 12
1.3. Other Firmware within the PC 13
1.4. Bus Protocols Fundamentals 14
1.4 .1. System -Wide Addressing 14
1.4.2. PC! Bus Protocol 16
1.4.3. Proprietary Intcrchipset Protocol Technology 23
VI Contents •
1.4.4. PCI Express Bus Protocoll _________________ 25
1.4.5. HyperTransport Bus Protocol _______________ 27
Chapter 2: Preliminary Reverse Code Engineering _________ 29
Preview -----____________________ 29
2.1. Binary Scanning _____ ________________ 30
2.2. Introducing IDA Pro 31
2.3. IDA Pro Scripting and Key Bindings 38
2.4. IDA Pro Plugin (Optional) 47
Chapter 3: BIOS-Related Software Development Preliminary _____ 61
Preview _________________________ 61
3.1. BIOS-Related Software Development with Pure Assembler _______ 62
3.2. BIOS-Related Software Development with ecc 67
PART II: MOTHERBOARD BIOS REVERSE ENGINEERING _______ 77
Chapter 4: Gelling Acquainted with the System _________ 79
Preview --_______________________ 79
4.1. Hardware Peculiarities ___________________ 80
4.1.1. System Address Mapping and BIOS Chip Addressing' ________ 80
4.1.2. Obscure Hardware Ports 96
4.1.3. Relocatablc Hardware Ports ________________ 99
4.1.4. Expansion ROM Handling;.. _______________ 101
Contents VII
$
4.2. BIOS Binary Structure ____________________ 101
4.3. Software Peculiarities 102
4.3.1. call Instruction Peculiarity 102
4.3.2. retn Instruction Peculiarity 103
4.3.3. Cache-as-RAM 108
4.4. BIO$ Disassembling with IDA Pro 112
Chapter 5: Implementation of Motherboard BIOS ________ 115
Preview _________________________ 115
5.1. Award BIOS ______________________ 116
5.1.1. Award BIOS File Structure 116
5. 1.2. Award Boot-Block Reverse Engineering _____________ 121
5.1.2.1. Boot-Block Helper Routine 122
5.1.2.2. Chipset Early Initialization Routine 123
5.1.2.3. Super 1/0 Chip Initialization Routine 124
5.1.2.4. Jump to CMOS Values and Memory Initialization 124
5.1.2.5. BBSS Search and Early Memory Test Routines 125
5.1.2.6. Boot Block Is Copied and Executed in RAM 126
5.1.2.7. System BIOS Decompression and its Entry Point 128
5.1.3. Award System BIOS Reverse Engineering 142
5.1.3.1. Entry Point from the "Boot Block in RAM" 142
5.1.3.2. POST Jump Table Execution 142
5.l.3.3. Decompression Block Relocation and awardext.rom Decompression _143
5.1.3.4. Extension Components Decompression ___________ 146
5.1.3.5. Exotic Intersegment Procedure Call 149
VIII Contents

5.2. AMI 8105 __ 160
5.2.1. AMI BIOS File Structure 161
5.2.2. AMI BIOS Tools 162
5.2.3. AMI Boot-Block Reverse Engineering __ 163
5.2.3.1. Boot-Block Jump Table 163
5.2.3.2. Decompression Block Relocation __ 165
5.2.3.3. Decompression Engine Initialization 168
5,2,3.4. BIOS Binary Relocation into RAM 170
5.2.3.5. POST Preparation 177
5.2.4. AMI System BIOS Reverse Engineering 182
Chapter 6: BIOS Modification __ 187
Preview __ 187
6.1. Tools of the Tmde __ 188
6,2. Code Injection __ 193
6.2.1. Locating the POST Jump Table 195
6.2.2. Finding a Dummy Procedure in the POST Jump Table 197
6.2.3. Assembling the Injected Code 197
6.2.4. Extracting the Genuine System BIOS 200
6.2.5. Looking for Padding Bytes 201
6.2.6. Injecting the Code 202
6.2.7. Modifying the POST Jump Table 202
6.2.8. Rebuilding the BIOS Binary 204
6.2.9. Flashing the Modified BIOS Binary 204
6.3. Other Modifications 205
Contents IX

PART III: EXPANSION ROM 209
Chapter 7: PCI Expansion ROM Software Development 211
Preview 211
7.1. PnP BIOS and Expansion ROM Architecture 212
7.1.1. PnP BIOS Architecture 212
7.1.2. "Abusing" PnP BIOS for Expansion ROM Development 212
7.1.3. POST and PCI Expansion ROM Initialization 213
7.1.4. PCI Expansion XROMBAR 213
7.1.5. PCI Expansion ROM 214
7.1.5.1. PCI Expansion ROM Contents 215
7.1.5.2. PC-Compatible Expansion ROMs 218
7.1.6. PCI PnP Expansion ROM Structure 221
7.2. PCI Expansion ROM Peculiarities 222
7.3. Implementation Sample 224
7.3.1. Hardware Testbed 224
7.3.2. Software Development Tool 225
7.3.3. Expansion ROM Source Code 225
7.3.3.1. Core PCI PnP Expansion ROM Source Code 226
7.3.3.2. PCI PnP Expansion ROM Checksum Utility Source Code 227
7.3.4. Building the Sample 227
7.3.5. Testing the Sample 229
7.3.6. Potential Bug and Its Workaround 230
X Contents
$
Chapter 8: PCI Expansion ROM Reverse Engineering _______ 233
Preview -------____________________ 233
8.1. Binary Architecture' ____________________ 234
8.2. Disassembling the Main Code __________________ 236
8.2.1. Disassembling Realtek 8139 Expansion ROM __________ 236
8.2.2. Disassembling Gigabyte GV -NX76T2S6D-RH
GeForce 7600 GT Expansion ROM ______________ 241
8.2.3. A Note on Expansion ROM Code-Injection Possibility _______ 244
PART IV: BIOS NINIUTSU ________________ 245
Chapter 9: Accessing BIOS within the Operating System ______ 247
Preview ___________________________ 247
9.1. General Access Method ____________________ 248
9.2. Accessing Motherboard BIOS Contents in Linux ___________ 249
9.2.1. Introduction to j1ash_n_burn 2S 1
9.2.2. Internals ofj1ash_n_burn 255
9.3. Accessing Motherboard BIOS Contents in Windows 261
9.3.1. Kernel -Mode Device Driver of bios_probe' ____________ 263
9.3.2. User-Mode Application of bios_probe 278
9.3.2.1. The Main Application 278
9.3.2 .2. The PCI Library 292
9.4. Accessing PCl Expansion ROM Contents in Linux __________ 297
Contents XI
$
9.5. Accessing PCI Expansion ROM Contents in Windows 301
9.5.1. The RTL8139 Address-Mapping Method 301
9.5.2. The Atme] AT29C512 Access Method 305
9.5.3. Implementing the Methods in Source Code 305
9.5.4. Testing the Software 316
Chapter 10: Low-Level Remote Server Management 321
Preview 321
10.1. DMI 'nd 5MBIOS 322
10.2. Remote Server Management Code Implementation 334
Chapter 11: BIOS Security Measures 341
Preview 341
11.1. Password Protection 342
11.1.1. Invalidating the CMOS Checksum 343
11.1.2. Reading the BIOS Password from BDA 348
11.1.3 The Downsides - An Attacker's Point of View 357
11.2. BIOS Component Integrity Checks 357
11.2.1. Award BIOS Component Integrity Checks 358
11.2.2. AMI BIOS Component Integrity Checks 361
11.3. Remote Server Management Security Measures 363
11.4. Hardware-Based Security Measures 364
XII Contents •
Chapter 12: BIOS Rootkit Engineering _____________ 375
Preview ___________________________ 375
12.1. Looking Back through BIOS Exploitation History __________ 376
12.2. Hijacking the System BIOS 391
12.2.1. Hijacking Award BIOS 4.51PG Interrupt Handlers 395
12.2.2. Hijacking Award BIOS 6.00PG Interrupt Handlers ________ 40S
12.2.3. Extending the Technique to a BIOS from Other Vendors ______ 413
12.3. PCI Expansion ROM Rootkit Development Scenario _________ 414
12.3.1. PCI Expansion ROM Detour Patching ____________ 416
12.3.2. Multi-lmage PC! Expansion ROM 418
12.3.3. PCI Expansion ROM Peculiarity in Network Cards 420
Chapter 13: BIOS Defense Techniques _____________ 421
Preview ___________________________ 421
13.1. Prevention Methods _______________ _____ 422
13.1.1. Hardware-Based Security Measures _ _____________ 422
13.1.2. Virtual Machine Defense 426
13.1.2. WBEM Security in Relation to the BIOS RooLkit 427
13.1.3. Defense against PCI Expansion ROM Rootkit Attacks 429
13.1.4. Miscellaneous BIOS-Related Defense Methods 430
13.2. Recognizing Compromised Systems, _______________ 440
13.2.1. Recognizing a Compromised Motherboard BIOS 440
13.2.2. Recognizing a Compromised PCI Expansion ROM 442
13.3. Healing Compromised Systems 443
Contents XIII
PART V: OTHER APPLICATIONS OF 8105 TECHOLOGY 445
Chapter 14: Embedded x86 8105 Technology 447
Preview
447
14.1. Embedded x86 BIOS Architecture 448
14.2. Embedded x86 BIOS Implementation Samples 451
14.2.1. TV Set-Top Box 451
14.2.2. Network Appliance 466
14.2.3. Kiosk 471
14.3. Embedded x86 BIOS Exploitation 473
Chapter 15: What's Next? 475
Preview 475
15.1. Future of BIOS Technology 476
15.1.1. Unified Extensible Firmware Interface 476
15.1.2. BIOS Vendors Road Map 481
15.2. Ubiquitous Computing and Development in BIOS 486
15.3. Future of BIOS-Related Security Threats 487
The CD-ROM Description 489
Index 491

Download:

http://www.handgrep.se/repository/ebooks/Security/Reversing/BIOS-Disassembly-Ninjutsu-Uncovered.pdf

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...