Abstract

DURATION: 2 DAYS
CAPACITY: 12 pax

USD2299 (early bird)
USD3299 (normal)
Early bird registration rate ends on the 30th of September

Overview

This course is for people who want to learn more about the most privileged and least understood operating mode of x86 processors: System Management Mode (SMM). You will learn what it actually is, how to get there, and what an attacker can do once their code is executing in SMM.
Are there SMM rootkits in the wild? How feasible is it to create such a rootkit? Can a kernel mode antivirus or a hypervisor protect against attacks from SMM? Can an SMM rootkit be detected using memory forensics? Can you put an ultimate antivirus in SMM to fight SMM and kernel mode rootkits? We will cover these topics in great detail.
There will be many lab exercises to help you better understand the ideas and techniques. By the end of the course you will have a good understanding of SMM security principles, as well as hands-on experience with implementing and detecting SMM rootkits.
Who Should Attend

AV developers and forensic professionals who want to know more about firmware implants
BIOS developers wishing to secure the firmware
Anyone who is interested in understanding malware running in the most privileged operating mode

Key Learning Objectives

Understand how an attacker benefits from breaking into System Management Mode, what typical weak points in SMM security are, and how the firmware is supposed to be protected to prevent such attacks.
Learn the techniques that may be used by an SMM rootkit to control an underlying OS.

Prerequisite Knowledge

C system programming experience
Basic knowledge of x86 architecture
Experience with UEFI helps
Understanding x86-64 assembly also helps

Hardware / Software Requirements

A laptop with an Intel 64-bit i3 CPU or higher. Hardware virtualization support (VMX) is required; make sure it is enabled in the BIOS.
At least 4GB RAM
40GB free disk space
The ability to connect to a WiFi network
64-bit Ubuntu 16/18
Root access to your system

Agenda

Day 1

SMM overview

Understanding SMM: environment, capabilities
SMM security
UEFI support for SMM
Circumventing SMM security measures

Understanding SMM code

Setting up a development and testing environment for experimenting with SMM code
SMM dispatcher interface and internals
Gaining execution in SMM
Reading and analyzing SMRAM

Day 2

Writing a prototype

Hooking SMM dispatcher
Gaining periodic execution
Accessing OS memory
Modifying S3 boot script

Practical techniques

Injecting code into the OS
Monitoring OS events
SMM keylogger
Network communication

SMM rootkit detection