Uncategorized

VBoxHardenedLoader

[…]What we will target:
– DMI Information;
– IDE/AHCI devices (harddisks, cd-rom’s);
– ACPI OEM Information;
– Ethernet Adapter MAC address;
– PXE Boot data;
– ACPI DSDT (Differentiated System Description Table);
– ACPI SSDT (Secondary System Descriptor Table);
– VGA Video BIOS data;
– BIOS data;
– VM splashscreen (optional, just for nice looking).
[…]

https://github.com/hfiref0x/VBoxHardenedLoader

http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3478

It requires Visual Studio and only targets Microsoft Windows. No Linux, FreeBSD, Mac OS X support. 😦

Somewhat related, there are also these 2 projects:

https://firmwaresecurity.com/2016/02/07/uefi-virtualbox-tutorial/

https://firmwaresecurity.com/2015/12/24/virtualbox-hardened-loader/

Standard
Uncategorized

Windows UEFI development course

WinInsider — probably via Alex Ionescu — has a UEFI development course available.  Alex is the author of VisualUEFI, which hides the non-Visual Studio’isms of EDK-II development. Alex, along with others at Wininternals, is also one of the current authors of the “Windows Internals”  book from Microsoft Press, now a 2-volume 6th edition set, originally called “Inside Windows NT”, written by Helen Custer.

Windows UEFI Development (3 Days or 5 Days)

In this course, one can expect to learn the internals of the Unified Extensible Firmware Interface inside and out, from the high-level concepts and overview of its functionality, down to the low-level development of actual UEFI applications, drivers, and services. The seminar will go over the history of UEFI’s development, from its original “Intel Boot Initiative” days to today’s SecureBoot facilities (and controversies), discuss the core UEFI data structures that form the basis of the environment, describe the different internal boot phases of the UEFI Runtime, and go in detail over the main UEFI protocols and their semantics. The course will also cover how UEFI leverages several Microsoft technologies, such as Authenticode and the Portable Executable (PE) format. Finishing off the lecture section will be a deep dive on how Windows 8 and later take advantage of UEFI to support booting off GPT disks, implementing SecureBoot, and speeding up the boot experience. Windows user-mode and kernel-mode APIs that interact with UEFI, as well as internal kernel data structures and capabilities in the UEFI HAL will also be shown off. Alongside the lecture period, attendees will get their hands dirty with bare-to-the-metal UEFI development using Visual Studio, as well as learning how to setup the UEFI SDK (EDK) to work alongside Microsoft’s development tools. Participants will get the chance to build their own UEFI applications, drivers, and runtime services, as well as learn how to debug and test their work in the OVMF environment alongside QEMU, without requiring actual UEFI hardware. The course will also show how to develop and build SecureBoot-compatible binaries. Finally, attendees will discover the Windows-specific Boot Application Runtime Environment, how to build compatible applications, and how to leverage the environment from both a UEFI and PCAT perspective. Attendees will then write both offensive and defensive UEFI code that hooks and/or protects the Windows Boot Loader.

UEFI Course Outline:
* Introduction to UEFI
* UEFI Architecture
* UEFI Protocols & Services
* Windows and UEFI
* Windows Boot Application Environment
* Windows Boot Loader Internals
* EDK and Visual Studio Development
* Windows & UEFI Interfacing

Topics:
* UEFI Protocols: UEFI Device Handles, UEFI Text and Graphics, UEFI Local and Remote I/O, UEFI USB & PCI, UEFI File System, Custom Protocols
* UEFI Services: UEFI Boot Services & Runtime Services, UEFI System Table, ACPI & UEFI, Custom Services
* UEFI Architecture: Measured Boot & Secure Boot, UEFI Stages & Layers (SEC, PEI, DXE), GPT Partitioning, Types of UEFI Binaries
* Windows & UEFI: Calling UEFI Services, Accessing UEFI Variables, Windows Boot Library and UEFI, BCD and UEFI, HAL and UEFI
* Windows Boot Environment: PCAT and UEFI Portability, Core Data Structures, Entrypoint and Callbacks,  Building a Windows Boot Application
* Windows Boot Loader: Boot Stages, Boot Loader Functionality, Security Services (BitLocker and more), Boot Structures, Handoff to Kernel
* UEFI Development: Obtaining and Installing the EDK, Setting up Visual Studio with the EDK, EDK Hello World, Interfacing with EDK Libraries, Obtaining and Installing OVMF
* Offensive UEFI: Hooking UEFI Services and Protocols, Windows Boot Environment Hooks, Persistence with UEFI
* Defensive UEFI: Checking for Boot Loader Integrity, Detecting UEFI Hooks and Bootkits

http://www.windows-internals.com/?page_id=1673

http://www.alex-ionescu.com/

https://twitter.com/aionescu

Standard
Uncategorized

Intel MPX support for Microsoft Visual Studio 2015

From the Microsoft Visual Studio blog, there’s a new post mentioning that VS2015.update1 has a new “Experimental” support of Microsoft MPX (Memory Protection Extensions).

This post is about Intel® Memory Protection Extensions (Intel MPX) support in Microsoft Visual Studio* 2015; content provided by Gautham Beeraka, George Kuan, and Juan Rodriguez from Intel Corporation. Update 1 for Visual Studio 2015 was announced on November 30, 2015. This update includes experimental compiler and debugger support for Intel MPX.  Intel MPX can check all pointer reads and writes to ensure they remain within their declared memory bounds.  This technology can detect buffer overflows and stop program execution at runtime, averting possible system compromises. It enables C/C++ code to make use of the new MPX instruction set and registers introduced in the 6th Generation Intel® Core™ Processors (“MPX-enabled platform”). The Microsoft Visual C++ Compiler* and linker can now generate checks automatically, a capability enabled by specifying a command line option. This blog explains how you can use automatic MPX code generation and debug MPX-enabled binaries.  For more details on Intel MPX, please see the Intel MPX Technology web page. […]

http://blogs.msdn.com/b/vcblog/archive/2016/01/20/visual-studio-2015-update-1-new-experimental-feature-mpx.aspx

Standard
Uncategorized

Debugging Tools for Windows 10

It looks like Microsoft has updated Windbg for Windows 10, one of the new features is support of Visual Studio’s NatVis expression model:

 dx (Display NatVis Expression) – Describes the new dx debugger command, which displays object information using the NatVis extension model and LINQ support.
New commands that work with the NatVis visualization files in the debugger environment.

    .nvlist (NatVis List)
    .nvload (NatVis Load)
    .nvunload (NatVis Unload)
    .nvunloadall (NatVis Unload All)

https://msdn.microsoft.com/en-us/library/windows/hardware/mt219728%28v=vs.85%29.aspx

Standard
Uncategorized

Bromium Labs on Microsoft Control Flow Guard

Rafal Wojtczuk has a new entry on the Bromium Labs blog, on Microsoft’s Control Flow Guard security feature, and evading it.

http://labs.bromium.com/2015/09/28/an-interesting-detail-about-control-flow-guard/

http://blogs.msdn.com/b/vcblog/archive/2014/12/08/visual-studio-2015-preview-work-in-progress-security-feature.aspx

Standard