Vista 'Boot kit' bypasses Vista Code Signing Protection

Written by Editor
Wednesday, 04 April 2007 11:33

Two Indian security researchers, Nitin and Vipin Kumar from NV labs, have developed a program called VBootkit that launches from a CD and boots Vista, making "on the fly" changes in memory and in files as they are read. The boot kit exploits the fact that Vista's boot process assumes everything that ran before it was clean, which allows VBootkit to load itself into memory before Vista starts and hook Interrupt 13, which is used by Vista to read sectors from the hard disk. It is a situation quite reminiscent of the DOS boot sector viruses of old.

The idea is that as soon as the NT boot sector loads Bootmgr.exe, VBootkit patches the security checks that ensure its integrity and copies itself into an unused area of memory. A similar attack is then performed when Winload.exe and NTOSKrnl.exe are loaded at a later stage of the boot process, so that the boot kit is running in the background by the time the system has finished booting. At no point are Vista's new security mechanisms, which are designed to prevent unsigned code from being executed with kernel privileges, triggered.

The researchers demonstrated the boot kit running against Windows Vista RC2; however, Nitin and Vipin Kumar have said that the techniques used to bypass Vista's code signing mechanism will work with the release version of Windows Vista. The only thing that has stopped them from porting their VBootkit software is the cost of doing so: each new Vista build requires debugging the boot process again to determine which memory areas and checksums need to be patched, because they differ with every build.

You can see more of Nitin and Vipin Kumar's research here on their blog. They have released some proof-of-concept source code for their boot kit research on their blog, targeting Windows 2000/XP and 2003. They do not appear to have released the VBootkit code as yet.
Last Updated (Wednesday, 04 April 2007 11:38)