Hello list,
I found this project two days ago and I like it. While I am not a programming expert, I do have some interest in this project because I want to understand BIOS more in-depth. I am reading right now "BIOS Disassembly Ninjutsu Uncovered" and I am looking into BIOS modification to help the process of malware reverse engineering. By having a "side" access to the BIOS while the OS is running, I am wondering if I could have access to the RAM to allow some sort of low-level debugging that would be unnoticed. By side access, it could be like redirecting ACPI events to actually dump the content of the memory on a hard drive which is only seen by the BIOS, for instance, or having some sort of console connection straight on the BIOS (serial port?) to allow freezing the host when a specific part of the memory is being accessed (breakpoint on hardware level). Note that most of the malware is running on Windows, so I have to be able to use Windows as the OS.
I am very new to the BIOS world and I am far from being an expert on reverse engineering, so I hope that what I am saying is not just garbage but can actually be done with some coding effort. Do not hesitate to tell me your thoughts about this idea.
Anyway, glad to be a member of this list, and I hope to be helpful.
Kind regards,
--------------------------------------- Jean-François Agneessens
Jean-Francois Agneessens <jeanfrancois.agneessens <at> gmail.com> writes:
Hello list, I found this project two days ago and I like it.
I like it, too.
By side access, It could be like redirecting ACPI events to actually dump the content of the memory on a harddrive which is only seen by the BIOS for instance, or having some sort of console connection straight on the BIOS (serial port ?) to allow to freeze the host when a specific part of the memory is being accessed (breakpoint on hardware level).
I think you have some wrong assumptions (correct me if I am the wrong one).
* You do not need access to the BIOS for ACPI event handling. After booting, the BIOS is useless and Windows handles all events.
* You need neither access to the BIOS nor redirecting ACPI to freeze the host and do low-level debugging. Since you are using the word "host", I guess you are familiar with Debugging Tools for Windows?
Coreboot won't be of much help if you are investigating malware, but I hope you can still get some information from the words above.
yu ning
Well,
In a normal world you would use a debugger on the host, but because the malware creators are introducing more and more debugger detection techniques, obfuscation and so on, I was thinking of bypassing some of them by just placing access on the memory at a lower level.
Is it possible to have some devices uniquely accessible by the BIOS? Is it possible to get a side access to the BIOS while the OS is running (and I know that OSes are not using the BIOS anymore)? ACPI was just an example, but indeed I might be wrong by thinking of ACPI. David in his earlier post talked about SMM, which I had never heard about.
If you think of DRM BIOS, as said during the presentation at FOSDEM (found on YouTube), they can control the whole system independently of the OS. I kinda have the same goal, but with open source code and not for DRM purposes.
Thanks for your comments!
--------------------------------------- Jean-François Agneessens
Hello,
Maybe you should look at hardware-assisted virtualization, so that the debugger is on the host OS and can't (almost?) be circumvented by malware in the guest OS...
You can then imagine a solution where your host OS + debugger + etc. run with coreboot from a big flash.
I hope that this makes sense in the context...
Vincent,
What do you mean exactly by "hardware-assisted virtualization"? I prefer to stay away from virtualization because malware tends to implement techniques to detect if it is running on a VM.
thx --------------------------------------- Jean-François Agneessens