Re: [ntdev] Blocking particular process from getting terminated

You also get the same effect when you boot off of a USB key or a mounted ISO or VHD or any other way that your BIOS found and loaded (unmodified) boot code from media you control independently of the existing OS. The key piece of trust is the BIOS loading the code unmodified. After that, it is too late to change the signed code that checks its own signature.

Depending on the system, the BIOS may be stored in a way that is modifiable from software, or it may not. Ironically, high-end systems with enterprise features like upgradeable firmware and inelegant platform management are more susceptible to this kind of attack.

As far as I am aware, no malware bothers attempting this, as it both requires intimate knowledge of the BIOS update mechanism and the underlying HW platform, and limits the scope of the attack to a specific line of HW - something that might be fine if you want to attack centrifuges used for dubious purposes in an unstable dictatorship, but a limiting factor for general purpose malware.

Sent from Surface Pro

From: Maxim S. Shatskih
Sent: Monday, October 20, 2014 5:53 PM
To: Windows System Software Devs Interest List

And I suppose the formatter and the entire software path that executes it
(BIOS, media loader etc) needs to reside on an unalterable certified medium
too. How often does that happen?

Windows setup CD is enough, it cannot be altered and everything is digitally signed on it.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com


NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
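The point made above, that every later signature check is only as good as the firmware that loaded the code doing the checking, is easier to see in a small model. The following is an added example, not code from the ntdev thread: each boot stage pins the digest of the next and refuses to jump to it on a mismatch. SHA-256 digests stand in for the signed manifests a real loader checks, the image contents are constructed placeholders, and the "rubber stamp" verifier stands in for a tampered stage that still reports success.

```python
"""Toy chain-of-trust model (added illustration, not from the thread).

Stage 0 is the firmware. Nothing verifies it; whether it is honest depends
only on how it got into flash. Every later stage is verified by the stage
before it, so a replaced firmware can pin an attacker's loader, which pins
an attacker's kernel, and every check along the way still "passes".
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from typing import Callable, Optional


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Constructed sample images; these stand in for real binaries.
GOOD_FIRMWARE = b"vendor UEFI 1.0"
GOOD_LOADER = b"bootmgr 1.0"
GOOD_KERNEL = b"ntoskrnl 1.0"
EVIL_FIRMWARE = b"vendor UEFI 1.0 + reflashed by attacker"
EVIL_LOADER = b"bootmgr 1.0 + patched signature check"
EVIL_KERNEL = b"ntoskrnl 1.0 + rootkit"

# What an independent auditor (not the booting machine) would accept.
KNOWN_GOOD = {sha256(GOOD_FIRMWARE), sha256(GOOD_LOADER), sha256(GOOD_KERNEL)}

Verifier = Callable[[Optional[str], bytes], bool]


def honest_check(pinned: Optional[str], image: bytes) -> bool:
    """An unmodified stage: accept the next image only if it matches the pin."""
    return pinned is not None and sha256(image) == pinned


def rubber_stamp(pinned: Optional[str], image: bytes) -> bool:
    """A tampered stage: report success regardless of what comes next."""
    return True


@dataclass
class Stage:
    name: str
    image: bytes
    verify: Verifier
    pinned_next: Optional[str] = None  # digest this stage accepts for the next one


@dataclass
class BootResult:
    booted: bool
    halted_at: Optional[str]
    executed: list[str] = field(default_factory=list)       # stages that ran
    untrusted_ran: list[str] = field(default_factory=list)  # ran but not known-good


def boot(chain: list[Stage]) -> BootResult:
    """Walk the chain; stage i decides whether stage i+1 gets to run."""
    result = BootResult(booted=False, halted_at=None)
    for i, stage in enumerate(chain):
        result.executed.append(stage.name)
        if sha256(stage.image) not in KNOWN_GOOD:
            result.untrusted_ran.append(stage.name)
        if i + 1 == len(chain):
            result.booted = True
            return result
        nxt = chain[i + 1]
        if not stage.verify(stage.pinned_next, nxt.image):
            result.halted_at = nxt.name  # refused before it executed
            return result
    return result


def scenario_clean_media() -> BootResult:
    """Honest firmware loads unmodified setup media: everything verifies."""
    return boot([
        Stage("firmware", GOOD_FIRMWARE, honest_check, sha256(GOOD_LOADER)),
        Stage("loader", GOOD_LOADER, honest_check, sha256(GOOD_KERNEL)),
        Stage("kernel", GOOD_KERNEL, honest_check),
    ])


def scenario_tampered_disk() -> BootResult:
    """Honest firmware, attacker replaced the on-disk loader: halts before it runs."""
    return boot([
        Stage("firmware", GOOD_FIRMWARE, honest_check, sha256(GOOD_LOADER)),
        Stage("loader", EVIL_LOADER, rubber_stamp, sha256(EVIL_KERNEL)),
        Stage("kernel", EVIL_KERNEL, honest_check),
    ])


def scenario_tampered_firmware() -> BootResult:
    """Firmware reflashed: it pins the attacker's loader, so the attacker's
    chain verifies itself all the way down and the implant runs."""
    return boot([
        Stage("firmware", EVIL_FIRMWARE, rubber_stamp, sha256(EVIL_LOADER)),
        Stage("loader", EVIL_LOADER, honest_check, sha256(EVIL_KERNEL)),
        Stage("kernel", EVIL_KERNEL, honest_check),
    ])


if __name__ == "__main__":
    for name, fn in [("clean media", scenario_clean_media),
                     ("tampered disk", scenario_tampered_disk),
                     ("tampered firmware", scenario_tampered_firmware)]:
        print(f"{name:18s} -> {fn()}")
```

The third scenario is the one the post is warning about: from inside the booted system every check reports success, and only an out-of-band comparison against known-good digests (the `KNOWN_GOOD` set here, a write-protected reference or a separate machine in practice) reveals that untrusted code ran.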

Martin who?

Sent from Surface Pro

From: xxxxx@hotmail.com
Sent: Tuesday, October 21, 2014 1:14 AM
To: Windows System Software Devs Interest List

As far as I am aware, no malware bothers about attempting this as both requires intimate knowledge
of the BIOS update mechanism, the underlying HW platform, and limits the scope of the attack
to a specific line of HW

Well, Martin, there are quite a few things that you are unaware of, which does not necessarily imply that they do not exist, right? Therefore, “I am unaware of XYZ” is not really an argument - after all, Mr. Kyler does not seem to be aware even of the fact that all OEM computers that he buys are more than likely to be produced in China…

Our story here is more or less the same - the very first thing that gets into my head in the context of this topic is the article that I read not so long ago about China-produced PCs. According to this article, a large proportion of PCs that are produced in China get their firmware compromised before even leaving the factory gates - indeed, attackers know the precise details of the BIOS of their targets and attack particular production lines. This firmware does not have to do anything malicious on its own - instead, it may act just as a back-door for various “general purpose malware titles”, i.e. provide them with a sort of “installation API”.
Then this computer gets exported to the US. Mr. O’Brian buys it at his local Walmart and remains blissfully unaware of the possibilities of firmware-level attacks, exactly the same way Mr. Kyler remains blissfully unaware of the origins of his PC…

Anton Bassov
