WHISKYCON

SMM Rootkits

Instructor

Alex Tereshkin

Alex Tereshkin is an experienced reverse engineer and an expert in UEFI security, the Windows® kernel and hardware virtualization, specializing in rootkit technology and kernel exploitation. He has been involved in BIOS and SMM security research since 2008. He has done significant work in the field of virtualization-based malware and Windows® kernel security. He is a co-author of several courses taught at major security conferences. Alex holds the Russian equivalent of a Master's degree in Applied Mathematics, and also the Russian equivalent of a PhD in Information Security from Southern Federal University.

Training Dates

26 - 29 March 2016

Description

This course is for people who want to learn more about the most privileged and mysterious operating mode of x86 processors: System Management Mode. You will learn what it actually is, how to get there and what an attacker can do once their code is executing in SMM. Are there SMM rootkits in the wild? How feasible is it to create such a rootkit? Can a kernel-mode antivirus or a hypervisor protect against attacks from SMM? Can an SMM rootkit be detected using memory forensics? Can you put an ultimate antivirus in SMM to fight SMM and kernel-mode rootkits? We will cover these topics in detail.

There will be many lab exercises to help you better understand the ideas and techniques. By the end of the course you will have a good understanding of SMM security principles. You will also have hands-on experience with implementing and detecting SMM rootkits.

Topics

Day 1

  • SMM overview
    • Understanding SMM: environment, capabilities
    • SMM security
    • UEFI support for SMM
    • Circumventing SMM security measures

Day 2

  • Understanding SMM code
    • Setting up a development and testing environment for experimenting with SMM code
    • SMM dispatcher interface and internals
    • Gaining execution in SMM
    • Reading and analysing SMRAM

Day 3

  • Writing a prototype
    • Hooking SMM dispatcher
    • Gaining periodic execution
    • Accessing OS memory
    • Modifying S3 boot script

Day 4

  • Practical techniques
    • Injecting code to OS
    • Monitoring OS events
    • SMM keylogger
    • Network communication
  • SMM rootkit detection

Course Requirements

Student Requirements

  • C system programming experience
  • Basic knowledge of x86 architecture
  • Experience with UEFI is an advantage
  • Understanding x86-64 assembly is an advantage

Software Requirements

  • Either 64-bit Ubuntu 16 or 64-bit Windows installed
  • In case you choose Windows: VMware Workstation 12 or VMware Workstation Player 12 installed, with a valid license
  • Administrator / root access in your system
  • Free version of IDA

Hardware Requirements

  • A laptop with an Intel 64-bit i3 CPU or higher. Hardware virtualization support (VMX) is required. Make sure it is enabled in the BIOS.
  • At least 4GB RAM
  • 30GB free disk space
  • The ability to connect to a WiFi network