TRAINING 3 – System Management Mode Rootkits

DURATION: 2 DAYS

CAPACITY: 12 pax


USD2299 (early bird)

USD3299 (normal)

Early bird registration rate ends on the 30th of September


Overview

This course is for people who want to learn more about the most privileged and mysterious operating mode of x86 processors: System Management Mode. You will learn what it actually is, how to get there, and what an attacker can do once their code is executing in SMM.

Are there SMM rootkits in the wild? How feasible is it to create such a rootkit? Can a kernel-mode antivirus or a hypervisor protect against attacks from SMM? Can an SMM rootkit be detected using memory forensics? Can you put an ultimate antivirus in SMM to fight SMM and kernel-mode rootkits? We will cover these topics in great detail.

There will be many lab exercises which will help you to better understand the ideas and techniques. By the end of the course you will have a good understanding of SMM security principles. You will also have hands-on experience with implementing and detecting SMM rootkits.

Who Should Attend

  • AV developers and forensic professionals who want to know more about
    firmware implants
  • BIOS developers wishing to secure the firmware
  • Anyone who is interested in understanding malware running in the most
    privileged operating mode

Key Learning Objectives

  • Understand how an attacker benefits from breaking into System Management Mode, what typical weak points in SMM security are, and how the firmware is supposed to be protected to prevent such attacks.
  • Learn the techniques that may be used by an SMM rootkit to control an underlying OS.

Prerequisite Knowledge

  • C system programming experience
  • Basic knowledge of x86 architecture
  • Experience with UEFI helps
  • Understanding x86-64 assembly also helps

Hardware / Software Requirements

  • A laptop with an Intel 64-bit i3 CPU or higher. Hardware virtualization support (VMX) is required. Make sure it is enabled in BIOS.
  • At least 4GB RAM
  • 40GB free disk space
  • The ability to connect to a WiFi network
  • 64-bit Ubuntu 16/18
  • Root access to your system

Agenda

Day 1

  1. SMM overview
    1. Understanding SMM: environment, capabilities
    2. SMM security
    3. UEFI support for SMM
    4. Circumventing SMM security measures
  2. Understanding SMM code
    1. Setting up a development and testing environment for experimenting with SMM code
    2. SMM dispatcher interface and internals
    3. Gaining execution in SMM
    4. Reading and analyzing SMRAM

Day 2

  1. Writing a prototype
    1. Hooking SMM dispatcher
    2. Gaining periodic execution
    3. Accessing OS memory
    4. Modifying S3 boot script
  2. Practical techniques
    1. Injecting code to OS
    2. Monitoring OS events
    3. SMM keylogger
    4. Network communication
  3. SMM rootkit detection

Location:

Date: November 25, 2018

Time: 9:00 am - 6:00 pm

Alexander Tereshkin