Channel: Sysinternals Forums

Malware : Gpu based paravirtualization rootkit, all os vulne

Author: dlux
Subject: Gpu based paravirtualization rootkit, all os vulne
Posted: 10 February 2013 at 11:43am

I was able to dump the BIOS in Linux with flashrom -r
Also in Linux, using dd in sysfs (/sys), I dumped the GPU and LSI roms again.
In their respective sysfs dirs the GPU rom file was listed as 512k but only dumped 58k, with the same exact hash as the other one. The LSI RAID rom dumped to 75k in Linux vs 25k with the other tool in Windows. The sysfs dir for LSI showed that rom as being 128k. It would appear that those roms had an EOF that dd ran into and quit. I was not able to use any dd parameters to get the whole thing. We know for a fact there are other objects embedded in the GPU rom after 58k, as they can be seen in the ASCII dump. In the system AMI BIOS I found what looked to be some mods with the strings MINITDLL.pdb and CSI_INITDLL.pdb. I also saw 4 PEs with the header `MZ` / "This program cannot be run in DOS mode". Not known if these are standard or not.
I need to know if there are any commands I can run in Linux to dump the whole rom files in /sys and to go past any EOF. It is also not known in what mode these dumps in dd were made, i.e. kernel/driver mapped memory or direct device IO. The reason this is important is that I have witnessed the malware protecting certain objects, namely the file BCD. When I copied BCD in either Windows or Linux I was always returned the PREVIOUS version of the file and NOT the version listed. I knew this because I suspected it and noted the time stamps for the test across boots.
Here are the newest dumps:

uploads/45310/Linux_DD_sysfs_flashrom_bin_dumps.part1.rar
uploads/45310/Linux_DD_sysfs_flashrom_bin_dumps.part2.rar
uploads/45310/Linux_DD_sysfs_flashrom_bin_dumps.part3.rar
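The "EOF" described above can be reconciled with the 512k sysfs size by walking the PCI expansion ROM image chain: each image starts with 0x55AA and points to a PCIR block carrying its length and a last-image flag, and Linux's drivers/pci/rom.c performs this same walk to decide how much of the ROM BAR to return through sysfs, so the dump stops at the end of the declared chain rather than at an arbitrary cut. The following is an added example, not code from the post, run over a constructed two-image ROM padded to a 512k BAR (the 0x1234:0x5678 IDs and image sizes are made up).

```python
import struct

ROM_SIGNATURE = b"\x55\xAA"  # first two bytes of every PCI expansion ROM image
CODE_TYPES = {0: "x86 BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}

def walk_option_rom(blob: bytes):
    """List (offset, length, code_type, vendor, device) for each image in the chain,
    stopping at the last-image flag, a bad signature or the end of the buffer."""
    images, off = [], 0
    while off + 0x1A <= len(blob) and blob[off:off + 2] == ROM_SIGNATURE:
        pcir = off + struct.unpack_from("<H", blob, off + 0x18)[0]  # pointer to PCIR
        if pcir + 0x18 > len(blob) or blob[pcir:pcir + 4] != b"PCIR":
            break
        vendor, device = struct.unpack_from("<HH", blob, pcir + 4)
        length = struct.unpack_from("<H", blob, pcir + 0x10)[0] * 512  # 512-byte units
        code_type, indicator = struct.unpack_from("<BB", blob, pcir + 0x14)
        if length == 0:  # a zero-length image would loop forever; treat as corrupt
            break
        images.append((off, length, CODE_TYPES.get(code_type, f"type {code_type}"), vendor, device))
        if indicator & 0x80:  # bit 7 set: last image, nothing after it is part of the ROM
            break
        off += length
    return images

def chain_length(blob: bytes) -> int:
    """Bytes from ROM start to the end of the declared image chain (what the kernel exposes)."""
    images = walk_option_rom(blob)
    return images[-1][0] + images[-1][1] if images else 0

def make_image(length, code_type, last, vendor=0x1234, device=0x5678):
    # Constructed image: 0x55AA header, PCIR block at 0x1C, body zero-padded to length.
    hdr = bytearray(0x1C)
    hdr[0:2] = ROM_SIGNATURE
    struct.pack_into("<H", hdr, 0x18, 0x1C)
    pcir = bytearray(0x18)
    pcir[0:4] = b"PCIR"
    struct.pack_into("<HH", pcir, 4, vendor, device)
    struct.pack_into("<H", pcir, 0x10, length // 512)
    struct.pack_into("<BB", pcir, 0x14, code_type, 0x80 if last else 0)
    return bytes(hdr + pcir).ljust(length, b"\0")

# Constructed sample: legacy BIOS image, then an EFI image, then the unused rest of a 512k BAR as 0xFF.
SAMPLE_BAR_SIZE = 512 * 1024
SAMPLE_ROM = (make_image(0x8000, 0, False) + make_image(0x6000, 3, True)).ljust(SAMPLE_BAR_SIZE, b"\xFF")

if __name__ == "__main__":
    for off, length, kind, ven, dev in walk_option_rom(SAMPLE_ROM):
        print(f"image @0x{off:06x} len 0x{length:05x} {kind} {ven:04x}:{dev:04x}")
    print(f"chain ends at byte {chain_length(SAMPLE_ROM)} of {len(SAMPLE_ROM)}")
```

Run `walk_option_rom(open("rom", "rb").read())` over a real sysfs or flashrom dump to list the images it actually contains; anything beyond the reported chain end lies outside the declared image chain and will not appear in a sysfs read.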