
Stoned Bootkit: Technical Write-Up for Black Hat

For internal use only.

   1. Why my bootkit is unique
   2. Attacking the Windows Startup
   2.1 Interrupt 13h
   2.2 Windows XP boot file signatures (excerpt)
   2.3 Windows Vista boot file signatures (excerpt)
   2.4 Execution Flow
   3. Attacking TrueCrypt
   4. History of Stoned

Peter Kleissner


1. Why my bootkit is unique

It is the first bootkit that
  - attacks Windows XP, Server 2003, Windows Vista and Windows 7 with one MBR
  - attacks TrueCrypt full volume encryption
  - has integrated FAT and NTFS drivers, in the MBR
  - has an integrated structure for plugins and boot applications (for future development)

BootRoot is a dedicated attack on Windows XP only, vbootkit on Windows Vista only, and vbootkit 2.0 on Windows 7 64-bit only. Each of them attacks a single OS because the Windows startup differs substantially between versions. Bootkits are generally nothing new; even the Stoned.A virus hooked interrupt 13h and monitored the accessed sectors.


2. Attacking the Windows Startup

2.1 Interrupt 13h

Interrupt 13h must be hooked in order to monitor and patch the initial Windows startup file, ntldr (Windows XP) or bootmgr (Windows Vista). The hooked handler checks for the functions "Read" and "Extended Read", forwards them to the BIOS (the original int 13h handler) and then checks the buffer contents for the signatures.

2.2 Windows XP boot file signatures (excerpt):

    - 83 C4 02 E9 00 00 E9 FD FF
      Used in:      Bootkit Real Mode
      Applies to:   Ntldr (1C81h, 1C9Ch)
      Action:       4 instructions are patched to bypass code integrity verification

    - 8B F0 85 F6 74 21/22 80 3D
      Used in:      Bootkit Real Mode
      Applies to:   OS Loader (ntldr+26B9Fh)
      Action:       5 instructions are patched to jump to the protected mode code

    - C7 46 34 00 40 ...  A1
      Used in:      Bootkit Protected Mode
      Applies to:   OS Loader (ntldr+19A44h)
      Action:       information is extracted to get ntoskrnl image base address

    - 6A 4B/19 6A 19/4B /?? ?? ?? ?? 89/ ??/ ??/ ??/ ??/ ??/ ??/ E8
      Used in:      Bootkit Protected Mode
      Applies to:   Ntoskrnl (ntoskrnl+1CE87E0h)

    - E8 ?? ?? ?? ?? 84 C0
      Used in:      Bootkit Protected Mode
      Applies to:   Ntoskrnl (ntoskrnl+1CE87F8h)
      Action:       ntoskrnl is patched to jump to the Kernel Code

2.3 Windows Vista boot file signatures (excerpt):

    - 8A 46 ?? 98 3D 00 00 75 03 E9 03 00 E9 35 00
      Used in:      Bootkit Real Mode.asm:159
      Applies to:   bootmgr:06F2h
      Action:       hooks the code to call the protected mode part

    - 3B ?? 58 74 ?? C7
      Used in:      Bootkit Protected Mode.asm:190
      Applies to:   winload.exe (+2024Fh or +212A0h, differs with OS version)
      Action:       hooks the Windows image load function (later used to hook ntoskrnl)

    - 8B F0 85 F6 ?? ?? and value 0C0000098h
      Used in:      Bootkit Protected Mode.asm:222
      Applies to:   winload.exe
      Action:       handles "ntoskrnl.exe missing or corrupt (Error 0xC0000098)": STATUS_FILE_INVALID is replaced by STATUS_SUCCESS (0)

Note that these are only the main signatures used for hooking the Windows boot process.
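The signatures in 2.2 and 2.3 use a small notation (exact byte, "??" wildcard, "21/22" alternative). The following parser and matcher is an added example, not code from Stoned or this write-up; it lets an analyst check an offline copy or memory dump of a boot file for the documented byte patterns, so a pattern that no longer matches where a given build should have it is a prompt to look for in-memory patching. The sample buffer is constructed and not real ntldr bytes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* One token of the write-up's notation: "8B" exact, "??" any byte, "21/22" either byte. */
typedef struct { int any; int nalt; uint8_t alt[2]; } sig_tok;

/* Parse "8B F0 85 F6 74 21/22 80 3D" into at most 32 tokens; returns count or -1. */
int parse_sig(const char *text, sig_tok *out)
{
    char buf[256]; int n = 0;
    strncpy(buf, text, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    for (char *t = strtok(buf, " "); t; t = strtok(NULL, " ")) {
        if (n == 32) return -1;
        sig_tok *s = &out[n++];
        s->nalt = 0;
        if ((s->any = !strcmp(t, "??"))) continue;
        for (char *a = t; a && s->nalt < 2; ) {          /* "XX" or "XX/YY" */
            char *slash = strchr(a, '/');
            if (slash) *slash = '\0';
            if (strlen(a) != 2 || strspn(a, "0123456789abcdefABCDEF") != 2) return -1;
            s->alt[s->nalt++] = (uint8_t)strtoul(a, NULL, 16);
            a = slash ? slash + 1 : NULL;
        }
    }
    return n;
}
static int tok_match(const sig_tok *s, uint8_t b)
{
    return s->any || s->alt[0] == b || (s->nalt == 2 && s->alt[1] == b);
}
/* Offset of the first match of `sig` in buf[0..len), or -1 if absent or malformed. */
long find_sig(const char *sig, const uint8_t *buf, size_t len)
{
    sig_tok tok[32];
    int n = parse_sig(sig, tok);
    if (n <= 0) return -1;
    for (size_t off = 0; off + (size_t)n <= len; off++) {
        int i = 0;
        while (i < n && tok_match(&tok[i], buf[off + i])) i++;
        if (i == n) return (long)off;
    }
    return -1;
}

/* Constructed stand-in for a boot-file fragment (not real ntldr bytes); the two XP patterns from 2.2 sit at offsets 2 and 13. */
const uint8_t sample_fragment[] = {
    0x90, 0x90, 0x83, 0xC4, 0x02, 0xE9, 0x00, 0x00, 0xE9, 0xFD, 0xFF,
    0x33, 0xC0, 0x8B, 0xF0, 0x85, 0xF6, 0x74, 0x22, 0x80, 0x3D, 0xC3 };
const size_t sample_len = sizeof sample_fragment;
```

Because the offsets differ between builds (compare the two winload.exe offsets in 2.3), match by pattern over the whole image rather than by a fixed offset.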

2.4 Execution Flow

BIOS => Bootloader => Original Bootloader => ntldr   => OSLOADER                => ntoskrnl     Windows XP
BIOS => Bootloader => Original Bootloader => bootmgr => OSLOADER => winload.exe => ntoskrnl     Windows Vista

1. The bootloader in the MBR is loaded by the BIOS (at 7C00h)
2. The MBR (Stoned) relocates itself to the end of real mode memory
3. The interrupt 13h handler is hooked and points to the relocated code at the end of memory
4. ntldr or bootmgr (depending on the OS) is hooked so that the bootkit gets called and can patch the code integrity verification
5. OSLOADER and winload.exe are hooked to obtain information about the ntoskrnl.exe image (location, size, etc.)
6. The kernel code is copied to the end of the ntoskrnl image (at a 2 KB aligned address) and ntoskrnl is hooked so that the kernel code gets called
7. The driver code is relocated to driver-allocated memory and executed
8. The driver code reads the kernel driver file (POC) from the file system and executes it

The boot mechanisms of XP and Vista generally differ (in files and signatures), but it is still possible to handle both in one MBR, which is what Stoned does.
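Steps 2 and 3 above (and section 2.1) describe the one thing every such bootkit leaves visible in real mode: the int 13h vector no longer points at BIOS ROM but at code relocated into conventional RAM. As an added example that is not part of this write-up, the check below reads the int 13h entry from a snapshot of the interrupt vector table and flags a handler living below 0xA0000. It assumes a classic PC memory map (conventional RAM ends at 0xA0000, BIOS and option ROMs sit at 0xC0000-0xFFFFF) and uses constructed vectors; a disk encryption loader such as TrueCrypt's also hooks int 13h in RAM, so a hit is a reason to inspect the resident code, not proof of a bootkit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed PC memory map: conventional RAM ends at 0xA0000; the BIOS and option
 * ROMs that legitimately own int 13h live at 0xC0000-0xFFFFF. */
#define CONV_MEM_TOP 0xA0000u
#define IVT_BYTES    1024

/* Linear address of the far pointer stored in IVT slot `vec` (offset:segment). */
uint32_t ivt_vector_linear(const uint8_t *ivt, unsigned vec)
{
    const uint8_t *e = ivt + vec * 4;
    uint16_t off = (uint16_t)(e[0] | (e[1] << 8));
    uint16_t seg = (uint16_t)(e[2] | (e[3] << 8));
    return ((uint32_t)seg << 4) + off;
}

/* Heuristic verdict on an IVT snapshot: 1 if int 13h points into conventional
 * RAM (something resident has hooked it), 0 if it points at ROM space. */
int int13_points_into_ram(const uint8_t *ivt)
{
    return ivt_vector_linear(ivt, 0x13) < CONV_MEM_TOP;
}

/* Build a constructed 1 KB IVT in which only int 13h is set, to seg:off. */
void make_ivt(uint8_t *ivt, uint16_t seg, uint16_t off)
{
    memset(ivt, 0, IVT_BYTES);
    uint8_t *e = ivt + 0x13 * 4;
    e[0] = off & 0xFF; e[1] = off >> 8; e[2] = seg & 0xFF; e[3] = seg >> 8;
}

/* Convenience: verdict for a given int 13h vector without handing around buffers. */
int int13_hooked_verdict(uint16_t seg, uint16_t off)
{
    uint8_t ivt[IVT_BYTES];
    make_ivt(ivt, seg, off);
    return int13_points_into_ram(ivt);
}

int main(void)
{
    /* Constructed vectors: a BIOS ROM handler, and code relocated to the top
     * 4 KB of conventional memory as in step 2 of the execution flow. */
    printf("F000:E3FE -> hooked? %d\n", int13_hooked_verdict(0xF000, 0xE3FE));
    printf("9F00:0000 -> hooked? %d\n", int13_hooked_verdict(0x9F00, 0x0000));
    return 0;
}
```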

I have split it up into "parts" (= source code files, stages):

; Bootkit Real Mode           Relocates code to end of memory (4 KB)
;                             Hooks Interrupt 13h
;                             Patches ntldr code integrity verification
;                             Hooks OSLOADER (XP)
;                             Hooks bootmgr (Vista)
; Bootkit Protected Mode      Hooks OSLOADER (Vista)
;                             Patches winload.exe ntoskrnl image verification (Vista)
;                             Hooks ntoskrnl
;                             Relocates the code to ntoskrnl image
; Kernel Code                 Gets ntoskrnl base and PsLoadedModuleList, resolves own imports
;                             Loads, relocates, resolves, executes all drivers in the list
; PE Loader                   Responsible for relocating and resolving
; Subsystem                   The Stoned subsystem installed into Windows


3. Attacking TrueCrypt

The interesting thing about the TrueCrypt attack is that no part of TrueCrypt is patched or hooked. The trick is a double forward of the interrupt 13h execution, so Stoned sees both the encrypted and the decrypted sector operations. The interrupt 13h flow looks like this:

; Windows request -> modified by Stoned Bootkit -> TrueCrypt Encryption -> (double forward here) -> Interrupt 13h of BIOS

Note that to bypass TrueCrypt the original TrueCrypt MBR must also be spoofed. The TrueCrypt bypassing code is just 100 lines long :). Furthermore, sector 62 must be preserved for TrueCrypt: it contains the volume header information which the TrueCrypt driver requires in protected mode to mount the file system.


4. History of Stoned

In the past I did several projects which led to Stoned:

2005  ToasterOS (= operating system totally written in assembly language)
      www.ToasterOS.net

2007  Windows Boot System (= Boot Management Solution)
      http://web17.webbpro.de/index.php?page=windows-boot-system

2008  Forensic Lockdown Software
      http://web17.webbpro.de/index.php?page=forensic-lockdown-software

2009  Hibernation File Attack
      http://web17.webbpro.de/index.php?page=hibernation-file-attack

2009  Stoned Bootkit
      stoned-vienna.com

The source code base is the Hibernation File Attack, software residing in the master boot record that injects code into the Windows hibernation file. All the source code of the projects above originates from ToasterOS, the operating system I developed.
