Rootkit in Network adapters, is it possible?

Imagine a phantasmagoria: your network interface card (or CPU, or graphics card) is living a separate, schizophrenic life of its own. And it has teamed up with the rest of your computer's innards against you. Perhaps it is a machine uprising, started by hackers or, say, by the hardware manufacturers? Let's fantasize!


Let's start with the fact that every network packet arriving from the depths of the network, before it reaches your browser or any other network application, is processed first by your network card and only then by the operating system kernel. Now suppose that such a packet carried some instructions that would immediately subjugate the whole machine. There would be no need to write exploits or hunt for vulnerabilities in order to plant malicious code: just send a packet to any open port. And that is it: you are no longer the owner of your own computer. The makers of antivirus software and proactive protection systems can cry crocodile tears; they would be of no help at all.
Let's go!

Let me say one thing right away: there are real examples on the net (see for yourself!) of a web server and an SSH service running purely on the resources of a graphics card or a network card. Yes, using the resources (memory and microprocessor) of those very cards (proof links: alchemistowl.org/arrigo/Papers/Arrigo-Triulzi-PACSEC08-Project-Maux-II.pdf and radioradar.net/news/electronics_news/avr_crumb644_net.html). If you still do not understand what this is about, I repeat: you need neither the OS nor the kernel; all you need is the network card's microprocessor, which handles the packets arriving from the network and sends something back. Imagine a mini-Apache that runs on the machine itself but outside the kernel's control, because the network card, a piece of hardware hanging somewhere on the PCI bus, is beyond the reach of any OS kernel.





Scary, but these are still just the first flowers, my dear friend. In general, understand that the makers of some important pieces of hardware in your computer, whether the network card or the video card, keep all the hidden features of their products a deep secret. Just remember the undocumented features of the operating system. Or of the processor. Or of any piece of hardware full of capabilities that are kept secret from us programmers.
We climb inside

Now imagine an exploit that lives not in the OS but, say, in that same network card. Only the hardware developers themselves could put that into practice, so let's put ourselves in their shoes and see whether full control over the hardware in your computer is achievable or not. We will look at this interesting subject from the perspective of a systems programmer and try to answer the question of how deep the rabbit hole goes: how deeply one can get into the bowels of the operating system. Fighting rootkits that reside in the firmware of a piece of hardware in your computer probably still makes no sense today. But tinkering in the guts of the kernel and hardware, as you will now see, reveals a lot of interesting details.
[Figure: schematic of network packet handling along the path NIC <===> PCI]


The usual way of intercepting network traffic in today's firewalls comes down to installing TDI and NDIS filters and hooking important NDIS functions such as, say, NdisRegisterProtocol. There are two approaches to intercepting network traffic. The first is to install, say, a TDI filter or an NDIS intermediate (IM) driver and live in peace. However, this approach does not cover the network adapter's miniport, which is a kind of outpost guarding what lies beyond it: the resources of the network card and the network itself.

Hooking the key functions in the NDIS_MINIPORT_BLOCK structure can give your little creation confident control over, or modification of, network traffic, if it were not for one "but": getting a pointer to NDIS_MINIPORT_BLOCK is oh so hard! One of the most common ways to obtain a pointer to the miniport is to register your own network protocol in the kernel by calling NdisRegisterProtocol, but firewalls in turn hook this very function to cut off all such attempts.



What to do, then?

It seems that a modern rootkit is left with few ways to control the network, although in this situation few people remember the magic word PCI. Since the network card "sits" on the PCI bus, it interfaces with (read: exchanges data with) the operating system kernel using the resources that the PCI bus allocates to it.


Physically, a network interface card consists of two blocks: the PHY block and the MAC block. The first is responsible for directly "digesting" the signals from the RJ45 cable into a set of bytes that are handed to the MAC block for further processing. That block is the really interesting one, because it is the one that interacts with the network card driver (the miniport). It has one or two central processors, EEPROM memory, its own SRAM memory and a set of registers through which the network card "device" is controlled. The EEPROM usually holds information about the manufacturer, the MAC address of the NIC and the firmware image. The layout of any particular EEPROM is undocumented and depends only on the imagination of the network card's developers. The SRAM holds a copy of the firmware, the structures of network packets and temporary buffers for incoming and outgoing packets. The registers, in turn, allow finer control over the network card and its operation. How many there are and what each one is used for again depends on the developers' imagination, which is why most of them have an undocumented format.

The main question of this article: is it possible to access the EEPROM, SRAM or registers? The answer is yes, it is possible, and we will do it through the PCI interface. The PCI bus supports a data transfer method called "linear burst". This method assumes that a block of data is read (or written) "in one piece", that is, the address is incremented automatically to the next byte, which is a natural way of raising the data rate by reducing the amount of address information transmitted. The PCI bus is the turtle on which stand the elephants holding up the "Earth" of the Plug and Play (PnP) architecture. The PCI bus defines three types of resources: two ranges ("memory range" and "I/O range", as Microsoft calls them) and the configuration space.


For more details on the PCI bus, read the remarkable book "PCI Bus Demystified" by Doug Abbott; you can find it on the disk that comes with the magazine.

It is the PCI bus, thanks to its own "basic" features, that will let us access all the resources not just of the network card but of any other device sitting on the PCI bus. And so we, being of sound mind and not entirely sober memory :), without touching the layers of the network stack such as TDI or NDIS, where the firewalls stand guard, go straight for the network card's throat. And nothing will stop us: all that is needed is to load a driver into the system.

To communicate with devices on the PCI bus, the OS uses an I/O mechanism based on mapping regions of memory (memory-mapped I/O). Such a region most often has a size of 64 kilobytes: the first 32 kilobytes are used to map the device's registers, and the second 32 kilobytes form a "window" through which the network card's SRAM can be read and written. Altogether, this is more than enough to gain control over any device present on the PCI bus.

Listing all the devices on the PCI bus


    ULONG              BusNumber, DeviceNumber, Length;
    PCI_SLOT_NUMBER    SlotNumber;
    PCI_COMMON_CONFIG  PciConfig;
    PPCI_COMMON_CONFIG ConfigInfo   = &PciConfig;
    BOOLEAN            AdapterFound = FALSE, MoreBuses = TRUE;

    for (BusNumber = 0; !AdapterFound && MoreBuses; BusNumber++)
    {
        for (DeviceNumber = 0;
             !AdapterFound && DeviceNumber < PCI_MAX_DEVICES;
             DeviceNumber++)
        {
            SlotNumber.u.bits.Reserved       = 0;
            SlotNumber.u.bits.DeviceNumber   = DeviceNumber;
            SlotNumber.u.bits.FunctionNumber = 0;

            /* Read the configuration space header of bus:device.0 */
            Length = HalGetBusData(PCIConfiguration,
                                   BusNumber,
                                   SlotNumber.u.AsULONG,
                                   ConfigInfo,
                                   sizeof(PCI_COMMON_CONFIG));

            if (Length == 0) {          /* this bus does not exist: enumeration is over */
                MoreBuses = FALSE;
                break;
            }
            if (Length == 2 || ConfigInfo->VendorID == PCI_INVALID_VENDORID)
                continue;               /* empty slot */

            /* ConfigInfo now holds VendorID, DeviceID, BaseClass and the BARs of this device */
        }
    }
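To make the data that loop fetches concrete, here is an added example in C (it is not code from the original article): a parser for the standard PCI configuration header that flags network-class devices and decodes each BAR into the memory or I/O range the text describes, which is what a defender needs to inventory the bus and compare it against a known-good baseline. The sample header, its vendor and device IDs and its addresses are constructed, not taken from a real card.

```c
#include <stdint.h>
#include <string.h>
/* Field offsets and constants of the standard (type 0) PCI configuration header. */
enum { PCI_OFF_VENDOR = 0x00, PCI_OFF_CLASS = 0x0B, PCI_OFF_HDRTYPE = 0x0E, PCI_OFF_BAR0 = 0x10,
       PCI_BAR_COUNT = 6, PCI_CLASS_NETWORK = 0x02, PCI_INVALID_VENDOR = 0xFFFF };

typedef struct { int is_io, is_64bit, prefetchable; uint64_t base; } pci_bar_t;
typedef struct {
    uint16_t  vendor, device;
    uint8_t   class_code;
    int       is_network;           /* base class 0x02 = network controller */
    int       nbars;
    pci_bar_t bar[PCI_BAR_COUNT];   /* decoded memory / I/O ranges */
} pci_device_t;
static uint32_t rd32(const uint8_t *c, int o) {    /* config space is little-endian */
    return (uint32_t)c[o] | (uint32_t)c[o+1] << 8 | (uint32_t)c[o+2] << 16 | (uint32_t)c[o+3] << 24;
}

/* Decode a header as HalGetBusData(PCIConfiguration, ...) returns it.
 * Returns 0 for an empty slot (vendor 0xFFFF) or a header that is not type 0. */
int pci_parse_header(const uint8_t *cfg, pci_device_t *dev)
{
    memset(dev, 0, sizeof *dev);
    dev->vendor = (uint16_t)rd32(cfg, PCI_OFF_VENDOR);
    dev->device = (uint16_t)(rd32(cfg, PCI_OFF_VENDOR) >> 16);
    if (dev->vendor == PCI_INVALID_VENDOR || (cfg[PCI_OFF_HDRTYPE] & 0x7F) != 0) return 0;
    dev->class_code = cfg[PCI_OFF_CLASS];
    dev->is_network = (dev->class_code == PCI_CLASS_NETWORK);
    for (int i = 0; i < PCI_BAR_COUNT; i++) {
        uint32_t raw = rd32(cfg, PCI_OFF_BAR0 + 4 * i);
        if (raw == 0) continue;                         /* BAR not implemented */
        pci_bar_t *b = &dev->bar[dev->nbars++];
        if (raw & 1) { b->is_io = 1; b->base = raw & ~3u; continue; }  /* bit 0 = 1: I/O range */
        b->is_64bit     = ((raw >> 1) & 3) == 2;        /* bit 0 = 0: memory range */
        b->prefetchable = (raw >> 3) & 1;
        b->base         = raw & ~0xFu;
        if (b->is_64bit && i + 1 < PCI_BAR_COUNT)       /* upper 32 bits occupy the next BAR slot */
            b->base |= (uint64_t)rd32(cfg, PCI_OFF_BAR0 + 4 * ++i) << 32;
    }
    return 1;
}
/* Constructed sample (not a real device): vendor 0x1234, device 0x5678, network class,
 * BAR0 = memory window at 0xF7C00000, BAR1 = I/O range at 0xE000. */
const uint8_t SAMPLE_NIC_CONFIG[64] = {
    [PCI_OFF_VENDOR]   = 0x34, 0x12, 0x78, 0x56,
    [PCI_OFF_CLASS]    = PCI_CLASS_NETWORK,
    [PCI_OFF_BAR0]     = 0x00, 0x00, 0xC0, 0xF7,   /* 0xF7C00000, flag bits clear */
    [PCI_OFF_BAR0 + 4] = 0x01, 0xE0, 0x00, 0x00,   /* 0xE001: bit 0 set marks I/O */
};
```

Feed the buffer that HalGetBusData fills for each slot to pci_parse_header and record vendor, device, class and BAR bases per bus:device; a device or BAR that is not in yesterday's inventory is the first thing to investigate.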


Only a little remains: to understand, in the sense of reverse-engineering, the network card's EEPROM, since in our case the EEPROM is everything. What should be kept in mind? First, the EEPROM holds non-volatile data. Second, this data is readable and writable through the network card's register set. Third, remember that almost no network card manufacturer documents its EEPROM format. What do we know about the EEPROM? Most often it contains a loader header, metadata, the network card "device" configuration, information about the network card such as its MAC address and, most importantly, a set of firmware images: the bootloader code, the default firmware, PXE (Preboot Execution Environment, the thing that lets a computer "boot over a network interface") and much else besides.

Now to answer the question of how the firmware is loaded from the EEPROM into memory. Quite simply: you need to reset the network card and quickly stop its CPU! Of course, this has to be done with software that supports emulation of the physical device :). The result? It turns out that every time the network card is powered on (or the PCI bus is reset):


a. The processor initializes the EEPROM and loads the bootloader and the firmware (pardon the tautology) from the EEPROM.

b. The boot firmware executes: it configures the network card's core, setting the clocks, power consumption and so on, then loads the "second stage" firmware, which is the main, default image of the network card, and then configures everything else, the MAC address and the card's other network features.



That, in principle, is all you need to know about the boot image and the network card. Finally, the answer to the question that has probably been spinning in your mind for a while: is it possible to make a rootkit capable of infecting a network card or a graphics card? The short answer is yes, it is possible, but very, very difficult. Although such a rootkit would be quite dangerous and tenacious, it could live only on a specific model of network card from one manufacturer. To develop such a kit one would have to dump the firmware, reverse-engineer it, understand how the registers work ...

And then write one's own firmware to replace the original. That is extremely difficult, though entirely feasible. If you look carefully, there are real examples of small programs on the net that make a network card live a double life. Although, again, these are only PoCs tied to a specific model of network card.

And what about controlling network cards without installing a rootkit? A little easier! There is no universal method that would bend all network cards at once. There are a great many manufacturers, and writing a program that would control every network card is unrealistic. For this, as you have realized, you need to know the specific characteristics of a specific network card: as many developers as there are, that many different formats of EEPROM, registers and, of course, firmware. You also need a good understanding of the principles of the PCI bus and of the operating system.
