Skip to content

Sharif-University-ESRLab/summer2024-uefi-smm-rootkit

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
 
 
 
 
 
 
 
 

Repository files navigation

image

Designing a rootkit in SMM

The project involves working with the System Management Mode (SMM) in UEFI firmware, which is a specialized mode in Intel processors used for low-level hardware control. In this project, the aim is to develop and implement an SMM rootkit. The project demonstrates how an SMM rootkit can be designed and implemented in UEFI, showcasing the security implications of such a rootkit by operating at a level higher than the operating system, making it difficult to detect or remove. The outcome includes implementing these features in a proof-of-concept rootkit and demonstrating the results.

Tools

In this section, you should mention the hardware or simulators utilized in your project.

  • Qemu
  • libvirt
  • virt-manager
  • docker (change your docker registery to arvan cloud: link

Implementation Details

the implementation details of this project are given to you in the following steps:

Setting Up the Environment

You can skip this part, if you use the firmware already built by cloning our repo and accessing the firmware through SMM-Rootkit/edk2/Build/OvmfX64/RELEASE_GCC5/FV.

Clone the Rootkit and EDK II repositories:

first we need to compile our SMM with the rootkit on it. We can use docker for this matter. Docker would give us an OS-level virtualization. since SMM support is depricated in the newer versions of EDK II, keep in mind to use version vUDK2018 of EDK II. Please note that you may need sudo permissions for running some of the following commands.

git clone [email protected]:jussihi/SMM-Rootkit.git
cd SMM-Rootkit
git clone [email protected]:tianocore/edk2.git
cd edk2
git checkout vUDK2018
cd ..

For using docker environment, you can start by entering the Docker environment:

./run_docker.sh

Build the BaseTools

Once inside the Docker environment, navigate to the edk2 directory and build the base tools necessary for compiling the firmware:

cd edk2
make -C BaseTools
source ./edksetup.sh
exit

After setting up the base tools, you need to copy the rootkit files into the EDK II project directory:

cp -r ../SMM-Rootkit/* edk2/

Making Some Minor changes in the code

Change Saving directory

Since writing directly to driver C is not possible for regular users, we need to change saving directory of smm.txt to something else. We changed the directory to C:/smm/smm.txt. keep in mind to create folder smm in drive C after creating the virtual machine.

Removing the part for restoring that IAT hook

Remove the part for restoring IAT hook as indicated in the following link

Final Compilation

Re-enter the Docker environment and proceed with the final compilation:

./run_docker.sh
cd edk2
source ./edksetup.sh
build -DSMM_REQUIRE

Locate the Compiled Firmware

After the build process completes, the firmware files will be located in the following directory:

edk2/Build/OvmfX64/RELEASE_GCC5/FV

Look for files starting with OVMF, which will include the compiled firmware that now contains the rootkit.

Create a Virtual Machine with the infected Firmware

In the next step, we need to create a virtual macine with the infected firmware we built in our previous step.

Move Compiled Firmware Files

Move the firmware files (OVMF_CODE.fd, OVMF_VARS.fd) to a directory accessible by QEMU or libvirt. /usr/share/OVMF/rootkit/ is used as an example.

Create a JSON Firmware Descriptor

Create a firmware descriptor file to map the firmware files. Create file /usr/share/qemu/firmware/60-ovmf-rootkit-x86_64.json with the following content:

{
    "description": "UEFI SMM rootkit OVMF firmware for x86_64",
    "interface-types": [
        "uefi"
    ],
    "mapping": {
        "device": "flash",
        "executable": {
            "filename": "/usr/share/OVMF/rootkit/OVMF_CODE.fd",
            "format": "raw"
        },
        "nvram-template": {
            "filename": "/usr/share/OVMF/rootkit/OVMF_VARS.fd",
            "format": "raw"
        }
    },
    "targets": [
        {
            "architecture": "x86_64",
            "machines": [
                "pc-i440fx-*",
                "pc-q35-*"
            ]
        }
    ],
    "features": [
        "acpi-s3",
        "amd-sev",
        "verbose-dynamic"
    ],
    "tags": [

    ]
}

Create and Configure the Virtual Machine:

  1. Launch virt-manager
sudo virt-manager
  1. Start the creation of a new virtual machine and select "Local install media" for the installation method.
  2. Choose the installation media. for this project we used Windows 10 22H2 Build 19045 version 64-bit Interprise edition. You can download the iso from this link. keep in mind that downloading any other version or edition of windows would cause problem in the following steps. image
  3. Allocate the necessary CPU and memory resources
  4. check "customize configuration before install"
    • Set the chipset to Q35
    • Select Firmware to OVMF_CODE_4M.fd (this is not the infected firmware. we first need to install windows before changing our firmware to infected firmware)
  5. We select Begin Installation at the top left corner.
  6. Now you must start Installing windows.
  7. After Installing windows, turn of your virtual machine and navigate to edit->prefernces' in virt-managerand selectenable XML editing` in the general section.
  8. after applying your changes, navigate to details of your virual machine and view its XML version.
  9. change the loader from the default OVMF to your infected firmware
  <os>
    <type arch="x86_64" machine="pc-q35-6.2">hvm</type>
    <loader readonly="yes" type="pflash">/usr/share/OVMF/rootkit2/OVMF_CODE.fd</loader>
    <nvram>/var/lib/libvirt/qemu/nvram/win10-3_VARS.fd</nvram>
    <boot dev="hd"/>
  </os>

Now your Virtual Machine would be ready for testing.

Running the Sample Program

Program Description:

  • The sample program provided is a simple C++ application designed to interact with the rootkit you have integrated into the firmware. The program repeatedly calls the GetCurrentProcessId function in a loop and outputs the result.

Code Example:

  • Below is the sample C++ code provided in the document:
    #include <iostream>
    #include <string>
    #include <Windows.h>
    
    int main() {
        std::string a;
        while (std::cin >> a) {
            std::cout << "Process id is: " << GetCurrentProcessId() << std::endl;
        }
    }

since we don't have visual studio already installed on our virtual machine. we need to use another machine for the following steps, or we can install visual studio on the machine.

Setting Up the Development Environment:

  • You will need to use Visual Studio to compile this sample program. Ensure that the Desktop Development with C++ workload is installed.

Compiling the Program:

  • Open the project file windows_x64_umd_iat.sln in Visual Studio.
  • Configure the project to use the Multi-threaded Debug runtime library:
    1. Right-click on the project in Visual Studio and select Properties.
    2. Navigate to C/C++ -> Code Generation.
    3. Set the Runtime Library option to Multi-threaded Debug (/MTd).

Building the Executable:

  • Build the solution by selecting Build Solution from the Build menu in Visual Studio.
  • The compiled executable will be generated in the output directory specified in the project settings.

Running the Program on the Virtual Machine:

  • Transfer the compiled executable (.exe) to the virtual machine running the infected firmware. You can use any file transfer method, such as using a simple HTTP file server.
  • Rename the executable to smm_rootkit.exe to ensure it matches the name expected by the rootkit.
  • Execute the program on the VM to interact with the rootkit.

How to Run

After following the steps described above, you now have a virtual machine with the infected firmware on it. Once you have placed the smm_target.exe file on your virtual machine, the next steps involve running the program, monitoring its interaction with the rootkit, and verifying that the rootkit is functioning as intended. Here’s how you can proceed:

Running smm_target.exe on the Virtual Machine

Launch the Virtual Machine:

  • Start your virtual machine (VM) with the infected firmware using your virtualization software (e.g., QEMU, Virt-Manager).
  • Ensure that the VM is configured to use the modified firmware that contains the rootkit.

Transfer the Executable:

  • If you haven't already done so, transfer the smm_target.exe file to the VM. This can be done using various methods like an HTTP file server, SCP, or a shared folder, depending on your setup.

Execute the Program:

  • On the VM, navigate to the directory where smm_target.exe is located and run the executable:
  • The program will start executing and repeatedly call the GetCurrentProcessId function, which should be intercepted by the rootkit.

Monitoring and Verifying Rootkit Activity

Monitor the Serial Console:

  • The rootkit is designed to log its activity or provide output through a serial console. To observe this output, connect to the VM's serial console:
    virsh console win10
  • Watch for any messages or logs to indicate the rootkit status.

Check for Log Files:

  • the rootkit would create a log file smm.txt in a C:/smm/smm.txt.
  • Navigate to the directory in your VM’s file explorer or use the command line to check if the log file is present.
  • Review the contents of the log file to confirm that the rootkit has successfully intercepted the function calls made by smm_target.exe.

Results

Screenshot from 2024-09-02 23-51-32 Screenshot from 2024-09-02 23-52-19 Screenshot from 2024-09-02 23-52-45 As you can see in the screenshots provided, in the serial we can see that after IAT hooking is done, the file smm.txt is created in the path provided to our rootkit.

Related Links

Some links related to your project come here.

Authors

Authors and their github link come here.

Special Thanks to Hirbod Behnam

About

hardware-lab-sharif-university-of-technology-summer2024-hwlab_template created by GitHub Classroom

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C 72.7%
  • Python 16.1%
  • Makefile 3.0%
  • Assembly 2.9%
  • SWIG 1.8%
  • Rich Text Format 1.1%
  • Other 2.4%