The SMM Rootkit Revisited: Fun with USB
暂无分享,去创建一个
System Management Mode (SMM) in x86 has enabled a new class of malware with incredible power to control physical hardware that is virtually impossible to detect by the host operating system. Previous SMM root kits have only scratched the surface by modifying kernel data structures and trapping on I/O registers to implement PS/2 key loggers. In this paper, we present new SMM-based malware that hijacks Universal Serial Bus (USB) host controllers to intercept USB events. This enables SMM root kits to control USB devices directly without ever permitting the OS kernel to receive USB-related hardware interrupts. Using this approach, we created a proof-of-concept USB key logger that is also more difficult to detect than prior SMM-based key loggers that are triggered on OS actions like port I/O. We also propose additional extensions to this technique and methods to prevent and mitigate such attacks.
[1] Cliff Changchun Zou,et al. SMM rootkits: a new breed of OS independent malware , 2008, SecureComm.
[2] Duflot,et al. Using CPU System Management Mode to Circumvent Operating System Security Functions , 2022 .
[3] Cliff Changchun Zou,et al. A chipset level network backdoor: bypassing host-based firewall & IDS , 2009, ASIACCS '09.