While this BIOS image is bundled into the vmware-vmx.exe application, it is also possible to use it separately, without the need to modify into the vmware executable after each change. The following image shows what this looks like in Resource Hacker: In other versions this may be different, but the key thing to look for is the resource file that is 512kb in size. There are a number of different binary resources bundled into this application, and the BIOS is stored in resource ID 6006 (at least in VMware 7). In Windows, this can be done by opening the vmware-vmx.exe executable with any resource extractor, such as Resource Hacker. The first step which is required is to extract the BIOS from VMware itself. Ok, enough background, onto the actually doing it! After getting everything going successfully in VMware, work was done to port the VMware BIOS modifications to other similar BIOS’s, and will be described in the second half of this write-up. In their paper on Persistent BIOS Infection, Sacco and Ortega detail how they discovered that VMware contains a BIOS rom as well as a GDB server which can be used for debugging applications starting from the BIOS itself. The first stage for completing this project was to set up a test and development environment where BIOS modifications could be made and debugged.
#Phoenix bios editor tutorial code#
Despite the comments and suggestions that this bootkit code could be moved into the BIOS for execution, there has not yet been any examples of such code made public. This similarity led a number of bootkit developers to remark that it should be possible to perform this type of attack directly from the BIOS instead of loading from the MBR. This type of rootkit was termed a “Bootkit”, and similar to a BIOS based rootkit it aims to load itself before the OS is loaded. Unlike BIOS based rootkits, developments in this area have progressed rapidly, which has led to a number of different master boot record (MBR) based rootkits being developed and released. In 2009 there was research done into a similar area of security, which is boot sector based rootkits. My ultimate goal was to create some sort of BIOS based rootkit which could easily be deployed.
My first goal was to reproduce the findings made by Core Security in 2009, and then my second task was to investigate how I could extend their findings. Make sure you check it out ApproachĬurrently there is a very limited amount of sample code available for the creation of BIOS rootkits, with the only publicly available code being released along with the initial BIOS rootkit demonstration in March of 2009 (as far as I’m aware).
Please take your time and visit their page and support the researchers. Many TnX and all the credit goes to them. This reasearch is published for purely educational purposes and it is a work of.
0 kommentar(er)
