BIOS Disassembly Ninjutsu Uncovered (Uncovered series)

Language: English

Pages: 450

ISBN: 1931769605

Format: PDF / Kindle (mobi) / ePub

Explaining security vulnerabilities, possible exploitation scenarios, and prevention in a systematic manner, this guide to BIOS exploitation describes the reverse-engineering techniques used to gather information from BIOS and expansion ROMs. SMBIOS/DMI exploitation techniques—including BIOS rootkits and computer defense—and the exploitation of embedded x86 BIOS are also covered.











5.2.3.4. BIOS Binary Relocation into RAM
POST Preparation
5.2.4. AMI System BIOS Reverse Engineering
Chapter 6: BIOS Modification
Preview
6.1. Tools of the Trade
6.2. Code Injection
6.2.1. Locating the POST Jump Table
6.2.2. Finding a Dummy Procedure in the POST Jump Table
6.2.3. Assembling the Injected Code
6.2.4. Extracting the Genuine System BIOS
6.2.5. Looking for Padding Bytes
6.2.6.

• system DRAM or in the BIOS ROM chip, depending on the southbridge and northbridge register setting at the time the BIOS code is executed.

Table 4.3. BIOS ROM Chip Address Mapping

| Physical Address | Also Known As | Used by BIOS of | Address Aliasing Note |
| 000F_0000h-000F_FFFFh | F_seg/F_segment | 1 Mb, 2 Mb, and 4 Mb | Alias to FFFF_0000h-FFFF_FFFFh in all chipsets just after power-up |
| 000E_0000h-000E_FFFFh | E_seg/E_segment | 1 Mb, 2 Mb, and 4 Mb | Alias to FFFE_0000h-FFFE_FFFFh in some chipsets just |

Chapter 5: Implementation of Motherboard BIOS

been decompressed, out of the entire compressed component in the BIOS binary. And you know that the decompression block is located at segment 1000h in RAM. However, I show later that this decompression engine will be relocated elsewhere and segment 1000h will be used by awardext.rom.

Footnote: This image of the BIOS binary is already copied to RAM at 30_0000h-37_FFFFh.

Listing 5.16. POST Jump Table Execution

See this listing on the CD supplied

component to RAM.

• If the input parameter for Decompress_Component in the di register has its MSB set and the value in di is not equal to F0h, the target segment for the decompression is not the default target segment for the extension components, i.e., not segment 4000h.
• If the input parameter for Decompress_Component in the di register has its MSB set and the value in di is equal to F0h, the target offset for the decompression is not the default target offset for the extension components,

Fig. 1.7. PCI configuration space registers for a non-PCI-to-PCI bridge device

Part I: The Basics

The PCI configuration space in x86 architecture is mapped into the processor I/O address space. The I/O port addresses 0xCF8-0xCFB act as the configuration address port and I/O ports 0xCFC-0xCFF act as the configuration data port. These ports are used to configure the corresponding
