Practical Firmware Implants and Bootkits

2 DAY 16 CPE HOUR TRAINING: FEBRUARY 2022 * WEEK 2: FEB 19-25

Mickey Shkatov and Jesse Michael

Abstract

In recent years, as firmware-based attacks have become more and more frequent, there is a growing need to understand the motivation, capabilities and complexities of such attacks. How do they work? How hard is it to create an implant? What are the attacker's considerations and thoughts when creating firmware implants?

“Practical Firmware Implants and Bootkits” is a crash course in UEFI development for security practitioners in which we will spend most of our time working hands-on to understand how system firmware works, basic development and coding, firmware implantation strategies, attack and defense tactics and more.

Hands-on labs will help you learn about and better understand:

  • Hardware and UEFI boot process
  • The UEFI EDK build environment
  • How to build your own UEFI BIOS and test it
  • EFI Shell application development
  • DXE Driver development
  • Debugging and troubleshooting your code
  • UEFI implant benefits and caveats
  • How to build and deploy your own UEFI implant
  • How to create and deploy your own bootkit

Who should take this course

This course is designed for those who have a basic understanding of C/C++ and who would like to start exploring the world of UEFI and BIOS security.

Key Learning Objectives

When you finish this class you will

  • Have a solid foundation to build on when it comes to UEFI and BIOS.
  • Know and understand how to build a firmware implant and the challenges involved.
  • Know and understand how to build a bootloader rootkit and the challenges involved.
  • Have a foundation of how to search and detect firmware implants.

High-Level Course Outline

Part 1

  • Background and overview of UEFI and Boot process
  • Hands-On: Development and debug environment
  • Driver and Application development
  • Hands-On: Hello world exercise
  • Firmware image structure and tools
  • Hands-On: Integrating your driver into the firmware image

Part 2

  • Firmware implant and payloads, background and techniques
  • Hands-On: building custom implant and payload of your choice
  • Secure boot bypasses and bootloader rootkits
  • Hands-On: building a custom WPBT payload for Windows
  • Overview and summary

Student Prerequisites

  • Basic programming experience
  • (Plus) Experience using VMware

System Prerequisites:

  • A modern computer capable of running x86-64 virtual machines.
  • Minimum 16GB of RAM
  • 60GB of free storage space
  • VMware Workstation Player 16 (Free) or Pro (Requires license)
  • (OPTIONAL) Be able to boot from USB 3.1 Type A storage device