[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Windows Platform Binary Table (WPBT) - BIOS PE backdoor
- To: "Kevin Beaumont" <kevin.beaumont@xxxxxxxxx>
- Subject: Re: Windows Platform Binary Table (WPBT) - BIOS PE backdoor
- From: "Stefan Kanthak" <stefan.kanthak@xxxxxxxx>
- Date: Wed, 12 Aug 2015 19:33:43 +0200
"Kevin Beaumont" <kevin.beaumont@xxxxxxxxx> wrote:
[...]
> Microsoft documented a feature in Windows 8 and above called Windows
> Platform Binary Table.
Cf. <http://www.acpi.info/links.htm> where WPBT is linked to
<http://go.microsoft.com/fwlink/p/?LinkId=234840> alias
<https://msdn.microsoft.com/en-US/library/windows/hardware/dn550976>
> Up until two days ago, this was a single Word
> document not referenced elsewhere on Google:
>
>
http://webcache.googleusercontent.com/search?q=cache:H-SSYRAB0usJ:download.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/windows-platform-binary-table.docx+&cd=1&hl=en&ct=clnk&gl=us
>
> This feature allows a BIOS to deliver the payload of an executable,
> which is run in memory, silently, each time a system is booted. The
> executable code is run under under Session Manager context (i.e.
> SYSTEM).
This sort of feature is NOT new: with Windows 2003 Microsoft introduced
the loading of "virtual OEM device drivers" during Windows setup, see
<https://support.microsoft.com/en-us/kb/896453>
AFAIK at least HP and Dell used this method to deploy [F6] drivers
embedded in their BIOS.
[...]
stay tuned
Stefan Kanthak