This project implements early stage firmware backdoor for UEFI based firmware. It allows to execute arbitrary code written in C during Pre EFI Init (PEI) phase of Platform Initialization (PI). This backdoor might be useful for low level manipulations with the target platform configuration when the most of the platform configuration registers are not locked yet.
PEI backdoor project includes:
+ PeiBackdoor.py – Python program that allows to infect raw flash images or individual UEFI PEI drivers with the backdoor code.
+ PeiBackdoor_IA32.efi, PeiBackdoor_IA32.pdb – 32-bit PEI backdoor binary compiled with ACTIVE_PLATFORM = IA32.
+ PeiBackdoor_X64.efi, PeiBackdoor_X64.pdb – 64-bit PEI backdoor binary compiled with ACTIVE_PLATFORM = X64.
+ PeiBackdoor.inf – PEI backdoor project configuration for EDK2 build environment.
+ config.h – PEI backdoor build options.
+ payload.c – Put your own PEI stage code into this source file and call it from Payload() function.
+ src/ – Rest of the PEI backdoor code.
PeiBackdoor.py is using Capstone engine and pefile Python libraries, you need to install them with pip install capstone pefile command.
PeiBackdoor .py program to deploy PEI backdoor
Possible applied use cases:
* Edit values of REMAPBASE, REMAPLIMIT and other host controller registers during RAM initialization to perform UMA remap attack on Intel Management Engine RAM.
* Lock TSEGMB host controller register with the junk value to make System Management Mode code vulnerable to DMA attacks.
* Do other evil things that requires hijacking of early stage platform initialization code.
To build PeiBackdoor project you need to have a Windows machine with Visual Studio 2008 and EDK2 https://github.com/tianocore/edk2 source code.
Step by step instruction:
1. Run Visual Studio 2008 Command Prompt and cd to EDK2 directory.
2. Execute Edk2Setup.bat –pull command to configure build environment and download required binaries.
3. Execute git clone git://github.com/Cr4sh/PeiBackdoor.git command.
4. Edit Conf/target.txt file and set ACTIVE_PLATFORM property value to the OvmfPkg/OvmfPkgX64.dsc for 64-bit build or to the OvmfPkg/OvmfPkgIa32.dsc for 32-bit build. Also you need to set TARGET_ARCH property value to the X64 for 64-bit build or to the IA32 for 32-bit build.
5. Edit OvmfPkg/OvmfPkgX64.dsc and add PeiBackdoor/PeiBackdoor.inf path at the end of the [components] section.
6. cd PeiBackdoor && build
7. After compilation resulting PE image file will be created at Build/OvmfX64/DEBUG_VS2008x86/X64/PeiBackdoor/PeiBackdoor/OUTPUT/PeiBackdoor.efi for 64-bit build or at Build/OvmfX64/DEBUG_VS2008x86/IA32/PeiBackdoor/PeiBackdoor/OUTPUT/PeiBackdoor.efi for 32-bit build.
Running on real hardware
To run PeiBackdoor.efi on your physical machine you need to obtain image of existing PEI driver:
1. Dump motherboard firmware using hardware SPI programmer.
2. Open dumped flash image in UEFITool and extract PE/TE image of existing PEI driver that you want to infect with PEI backdoor:
pei-replace
..and itfect it using PeiBackdoor.py:
1. Infect extracted PE or TE image with SmmBackdoor_IA32.efi or SmmBackdoor_X64.efi depending on it’s architecture: python PeiBackdoor.py -d image.efi -o image_patched.efi -p PeiBackdoor_X64.efi
2.Use UEFITool to replace original PE image with image_patched.efi, save modified flash image into the file and write it to the motherboard ROM with programmer.
Usage and Download from git:
git clone https://github.com/Cr4sh/PeiBackdoor && cd PeiBackdoor python PeiBackdoor.py -f flash.bin -p PeiBackdoor_IA32.efi -o flash_patched.bin
Source: http://blog.cr4.sh/ | https://github.com/Cr4sh