UEFI
Criteria | Value |
---|---|
Permissions | Other1 |
Security context | System |
Persistence type | Other |
Code type | EXE23 |
Launch type | Automatic |
Impact | Non-destructive |
OS Version | All OS versions |
Dependencies | OS only |
Toolset | Own toolkit required |
Hardware-based persistence.
- During the OS startup,
smss.exe
callsNtQuerySystemInformation()
function with aSystemPlatformBinaryInformation
(0x85) as a parameter. - NtQuerySystemInformation() scans UEFI tables stored within hardware memory looking for a piece of data with properly constructed headers.
- If the correct pattern ("
WPBT
", length, revision and a checksum) is found, the structure is passed to thesmss.exe
. smss.exe
stores the piece of UEFI memory within a file called%systemroot%\system32\wpbbin.exe
.smss.exe
takes execution parameters (command line) from the same UEFI block.- The
wpbbin.exe
is checked for integrity withIMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
. - The
wpbbin.exe
is executed.
The functionality may be disabled with the DisableWpbtExecution
registry value set to 1
in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
(tip by @Harvesterify)
The functionality is not a typical persistence, as it does not rely only on configuration stored within Windows. As written above, the exploitation requires both: writing into UEFI tables AND digital signature meeting IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
requirements.
- http://download.microsoft.com/download/8/a/2/8a2fb72d-9b96-4e2d-a559-4a27cf905a80/windows-platform-binary-table.docx
- https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
- https://github.com/tandasat/WPBT-Builder