While popular during the "bootkit" craze more than a decade ago, boot-time persistence has once again quieted down, thanks in part to the rise of various security technologies that Microsoft and vendors have been pushing out. With UEFI, the bar is much higher to gain a foothold, especially with technologies such as Secure Boot, Measured Boot and Boot Guard.
Additionally, even successful boot-time persistence techniques now have a great deal of trouble migrating into the kernel's execution state, as Patchguard received numerous improvements in recent versions specifically targeting "floating code" persistence in the kernel. Hooks, callbacks, as well as mere periodic execution of malicious Ring 0 code is now significantly harder to achieve in Windows 10 than ever before.
In one direction, some attackers have migrated directly into the "negative" rings of hypervisors and SMM/ME code, which allow for implants to execute without Windows' knowledge. But such implementations become hardware-specific and hard to scale, versus being able to leverage (and hide in) the vast myriad of Windows kernel facilities.
In this talk, we'll review some specific mitigations Microsoft has built against boot-time persistence, as well as various little-acknowledged Patchguard behaviors that make this even harder. Then, we'll discuss new ways to jump from firmware to kernel without triggering the usual alarms and affecting TPM-measured data structures, secretive side-channels that can be established between firmware-persistent code and user/kernel Windows code, tricks to hide from traditional forensic/memory dump technologies, and interesting techniques to achieve periodic execution of free-floating code without Patchguard's watchful eye.
Keep in mind this session assumes Ring 0 code execution has already been achieved and/or physical access granted, and is meant to help defenders understand potential ways insiders and other deeply resourceful actors can burrow into the system. If you believe getting Ring 0 is the only goal that matters, this session is probably not for you.
Alex Ionescu is the Chief Architect at CrowdStrike, Inc. Alex is a world-class security architect and consultant expert in low-level system software, kernel development, security training, and reverse engineering. He is coauthor of the last two editions of the Windows Internals series, along with Mark Russinovich and David Solomon. His work has led to the fixing of many critical kernel vulnerabilities, as well as over a few dozen non-security bugs.
Previously, Alex was the lead kernel developer for ReactOS, an open source Windows clone written from scratch, for which he wrote most of the Windows NT-based subsystems. During his studies in Computer Science, Alex worked at Apple on the iOS kernel, boot loader, and drivers on the original core platform team behind the iPhone, iPad and AppleTV. Alex is also the founder of Winsider Seminars & Solutions Inc., a company that specializes in low- level system software, reverse engineering and security trainings for various institutions. In the last three years, he has also contributed to patches and development in two major commercially used operating system kernels.
