(This page updates periodically, last edit: Oct 2023)
In this blog I'm writing some articles about studying and exploitation of various low level stuff including operating systems, bootloaders, hypervisors and, of course, platform firmware. Also, here you can find many of my old materials written in Russian moved from other places. I've been around for the last two decades or so, currently I'm mostly active on Twitter and GitHub and writing more code instead of long and boring texts.
I was first independent researcher who get paid by Intel for reporting a few industry-wide high severity platform firmware vulnerabilities.
Also, I developed, demonstrated and released (as large set of various tools) novel low level attack technique called pre-boot DMA attack. This attack is targeting pre-boot environment of UEFI DXE phase of the platform firmware init rather than runtime phase and operating system itself. It allows malicious PCI Express device to execute arbitrary code at relatively early init stages of the platform when IOMMU and other security features of operating system are not initialized yet. Pre-boot DMA attacks allows to bypass various security features of platform firmware like UEFI secure boot or Intel Boot Guard along with IOMMU memory protection of operating system.
One time, using the same DMA attack setup mentioned above, I found really cool way to gain arbitrary System Management Mode (SMM) code execution from malicious PCI Express device connected to the target system, this vulnerability was recognised by Intel as high severity but still remains unfixed in many computers with Intel chips.
Once I broke Apple FileVault with my fancy DMA attack setup for PCI Express and did accidental full disclosure on Twitter. Using this vulnerability it was possible to extract (or modify on the fly) FileVault protected data with malicious Thunderbolt device connected to the locked Apple machine.
Another time I bought some new hardware for my home server and found a bunch of remotely exploitable vulnerabilities in Baseboard Management Controller (BMC) firmware from AMI that can lead to the compromise of the host operating system on good half of all servers and server motherboards made by Intel.
By the way, not so while ago I released a really nice set of tools for Hyper-V and Secure Kernel introspection on Windows 10 machines with enabled Virtualization-based security (VBS) features including Device Guard, Credential Guard, Hypervisor-protected Code Integrity and other things. It was first publicly available tools to load arbitrary unsigned code into the running Secure Kernel, bypass HVCI and load unsigned code into the any Hyper-V partition, load unsigned 3-rd party trustlests into the Isolated User Mode (IUM) and get full debug access to system trustlets including protected process of Credential Guard. Also, described Hyper-V and Secure Kernel tools has full integration with DMA attacks toolkit described above which makes their deployment and use even more cool.
My research along with hard work of many other people defined modern landscape of x86 machines platform security. For example, as result of this now you can buy a typical "wintel" computer with platform firmware that has some sort of pre-boot DMA attacks protection and also some implementation of Intel TXT support aka Dynamic Root of Trust Measurement (DRTM) which might become really good and secure some day.
I like reverse engineering, especially automated one, and know thing or two about program analysis. However, most of the time I just staring at the code and graphs using obsolete pirated version of IDA Pro.
Most (if not all) of my work you can find in this blog and GitHub account was done for hobby on non-commercial basis. I don't like people who stealing my texts or code without mention of original source, but since I don't have effective means to prohibit that − feel free to use everything in any form for any purpose you want Ⓐ.
Contact information
E-mail: cr4sh0@gmail.com [see PGP key below]
Twitter, Mastodon and GitHub
d_olex at Keybase
Other links
Here you can find an information about some of my public projects and activities for the long period of time. All this information is provided with no warranties: I'm not your tech support and not responsible for your bricked hardware:
- PCI Express DIY Hacking Toolkit − Started as FPGA design and tools for DMA attacks for Xilinx SP605 development board, now this repository is also home of Hyper-V Backdoor and Boot Backdoor. Probably, one of my largest and most interesting public projects, check readme for links and detailed info [GitHub]
- Xilinx Zynq DMA Attack Tools − FPGA design and tools for DMA attacks for development boards based on Xilinx Zynq chips. This design is compatible with all of the host software that was made for PCI Express DIY Hacking Toolkit project [GitHub]
- Pico DMA − Autonomous pre-boot DMA attack hardware implant for M.2 slot based on PicoEVB development board, can be used to deloy my Hyper-V Backdoor, Boot Backdoor or SMM Backdoor Next Gen. This design is compatible with all of the host software that was made for PCI Express DIY Hacking Toolkit project [GitHub]
- ThinkPwn − Started as arbitrary System Management Mode code execution exploit for Lenovo ThinkPad model line, ended as exploit for industry-wide 0day vulnerability in machines of many vendors [GitHub]
- Aptiocalypsis − Another cool arbitrary System Management Mode code execution exploit for industry-wide 0day vulnerability in AMI Aptio based firmwares that I found [GitHub]
- SMM Backdoor − First open source and publicly available System Management Mode backdoor for UEFI based platforms. Good as general purpose playground for various SMM experiments [GitHub]
- SMM Backdoor Next Gen − Updated version of System Management Mode backdoor for UEFI based platforms heavily inspired by previous one, has many new features and deployment options, including INTEL-SA-00144 vulnerability exploit and integration with Hyper-V Backdoor [GitHub]
- Firmware Exploitation Tool and Library − Library and tools for development of System Management Mode exploits for Windows targets. Project includes examples of exploits for 0day and 1day vulnerabilities in firmware of various Lenovo machines. Also, this project provides DSE bypass techniques that allows to exploit this vulnerabilities even on Hypervisor-Protected Code Integrity (HVCI) enabled machines [GitHub]
- PEI Backdoor − First open source and publicly available Pre-EFI Initialization (PEI) phase backdoor for UEFI based platforms. Good as general purpose playground for various experiments at earliest possible boot stages when most part of the platform components and features was not initialized yet [GitHub]
- Micro Backdoor − C2 tool for Windows targets with easy customizeable code base and small footprint. It wasn't designed as replacement for your favourite post-exploitation tools but rather as really minimalistic thing with all of the basic features in less than 5000 lines of code [GitHub]
- Kernel Forge − A library to develop kernel level Windows payloads for post HVCI era when Hyper-V security features of modern platforms prevents you from executing of any unsigned kernel code at all [GitHub]
- OpenREIL − Open source library that implements translator and tools for REIL: reverse engineering intermediate language [GitHub, archived]
- IOCTL Fuzzer − Windows tool for reverse engineering and hunting vulnerabilities in Windows kernel drivers, it also can monitor & log IOCTL requests you're interested in [GitHub, archived]
- Windows Registry Rootkit − My old rootkit that stores its body in registry values and gaining kernel mode code execution at early boot by exploiting 0day vulnerability in win32k.sys function that parses malicious data read from registry [GitHub, archived]
- A while ago a did some work related to reverse engineering of and hardware attacks on iPhone including Lightning devices emulation, NAND and baseband firmware research, DMA attacks and stuff. At this moment I'm not working in this direction anymore since all low hanging fruits been taken and such kind of research is very resources consuming overall.
- I also was co-founder and long time member of one of the first hackerspace on post-soviet space: Neuron. It was located in the center of Moscow from 2011 to 2020 but unfortunately it was closed at the beginning of the pandemics.
- Once with my colleague Andrey Rassokhin we gained control over the largest botnet in the world of that time: TDSS. We wrote detailed article about this operation (EN, RU, internet archive)
- Some of my old articles are also available at nobunkum.ru (EN, internet archive) / nobunkum.ru/ru (RU, internet archive): technical e-zine on guns, germs, and steel of the digital age. There's also some of my even older technical articles that can be found over the internet, for example the one about finding Windows kernel drivers vulnerabilities, but most of them are quite lame and don't worth to be mentioned
- Long time ago I was a member of Hell Knights Crew: Russian hacking team of early 00's with strong interest in reverse engineering, malware and vulnerabilities. It's all been gone, but most likely you will able to find proper archives
- Really long time ago I had... well, a typical cool hax0r kid homepage of mid 2000's with some of my code archives and sort of a blog. Looks good enough for cemetery monument of post-soviet underground hacking culture that days
In addition to mentioned projects you can find many other interesting stuff on my GitHub page. During some time in the past I did many private projects related to intrusion security and post-exploitation but unfortunately I can't share any details about the cool stuff I used there. Some of my work that been made for projects of that period later was used during APT attacks you probably heard or read about: fortunately or not, I have nothing to do with that attacks and threat actors.
My PGP key
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.13
mQGiBEosHP4RBACusXfXOj7FE8WRwvbo57sv0inGq3c0e7WUQA0ClvXFP/rsGWmo
vHXrdfEB8CDglE+ivCaoQOYu2MIw1tghhq3HDKouOuZmUkPkjO8L88i6fSiYBVAI
B6fzbh2EzMsvSHp6Y8qPyQaE/ViiO4j0Qxj34J9AB84KbQ1OTxrkfOmUYwCgkT7w
CTLyIgQJFlIpVOrqShCtyM8D/1Pk1BPOoLpAhGKF6bKu/QKxWA0AmB1mJtqoNzEq
sYBtoqgDmbdyN00j5lqDEQflZfixXWspEvN3IZqYeNspwaMA577OGnX1O/x7EYfs
vpNsDLJBlmUrSDht1VdT6arGgLWNBVGfbeUmpZBbFffvzfh7zFbu8dwhFNZ8y9Zu
AY3LBACXTf6o43mSm4jCZAsMdMD5sux5CBzkEFvBF7kQ4jJe+kgFeEsiAAcqVzly
zXJI+6/eHrGXeZPv5F82E000tn0wunj+Tjstwk1jfUC/dVvL9wx2b0A+kH1Ns3mo
JWt6NSmPpWVlSqFj35vefmQ5BA05zLN4qp4bYumJ+WJFdTALlbQZRG1pdHJ5IDxj
cjRzaDBAZ21haWwuY29tPohgBBMRAgAgBQJKLBz+AhsDBgsJCAcDAgQVAggDBBYC
AwECHgECF4AACgkQdXLuVmCTKcMH6ACdEzlKRktqzEzHkis6aN97QPmY2YEAn2V6
4YhXJtCN85NqcWCrJlnVrJJsiHQEExECADQCGwMGCwkIBwMCBBUCCAMEFgIDAQIe
AQIXgAUCTr3fyhMYaHR0cDovL3BncC5taXQuZWR1AAoJEHVy7lZgkynDnCEAn28M
l/3H0R1artS94ELXGI5dcD7/AJ0Vbx9nPtQoHGTwAchnlAQV8QNnf7QcRG1pdHJ5
IDxkbWl0cnlAZXNhZ2VsYWIuY29tPohiBBMRAgAiBQJOvd6eAhsDBgsJCAcDAgYV
CAIJCgsEFgIDAQIeAQIXgAAKCRB1cu5WYJMpw0a3AJ9yP4Lc0soZP6JFqXDgkOMb
fSdaQwCfUg5h/2rkquyxOx5ab3UyZHQ3SfaIdgQTEQIANgIbAwYLCQgHAwIGFQgC
CQoLBBYCAwECHgECF4AFAk6938oTGGh0dHA6Ly9wZ3AubWl0LmVkdQAKCRB1cu5W
YJMpw+5KAJ9ww0e/lYh9QGmeDgRAV/3kIT+XcACdG87O5Utf/fMVJQknryL/3wNI
8v65Ag0ESiwc/hAIANt/RS3oDnsNUmwLoefuXrbONbh+S0CdyCYqAuWLLroZt+mQ
Wp0OAQNycRO7N+f0kNNMVrMIX/kCS20PKW5fOyDWOC82XfwYaw4onu8bq0WzCBHK
i7wpbURrh/OWECqTD1DORHPlE9TFRIVpyp8VvU5A3VrHT1ZNXDb/8yRoATHwgMLU
fimTAL9UwCZASZbZ8A4PZUdeDo9NZ2GxKPv5JGXXL4xOhlRoV9ByBiSnMg7zPE0o
KczTBKkG69ST90DLqC0ba7tjsVpZI9ZaZmLrCIjiAQY1Xri/qmNhpJ5MREpCsB2p
vNJb9i1QekVUK1fJCcezcI4XYXSwoctDEYUOo9cABA0H/jo2nbS/HH8KBb3ka0M5
YyCziVIyS6EAbTFaAKYftmdcPNbx8XKUyH+RhGFFmFvxf+DqGQJfYISV7hQkI00b
wJb8ZToafC24BARMFiqbhUjb9fgxSKBxV6VKz6xfEgsKoTWjERaeR8EMf35dG+i+
ruo2iYIy3pgGloIMNK2jQhdpI4rSE8CliDlJARNLudRHWzDbzTzHFzLTPxproGCC
hc81IvYTguZrPlp+O2EZ2b6eP/xYygTAYOHilkoz0NYv6vDilBykBjhkPVFAWCkX
sWpY561Usqz3tU958YeUs85Y3xBqLyUI15CQtp79CENSDG+1RwibkrvdbiG9Ni17
e9KISQQYEQIACQUCSiwc/gIbDAAKCRB1cu5WYJMpw2rNAJ4iMD301RqZBwcyF7J7
bOW1qNa3HQCfaaPbABf8usWfrOrtx0m2/+MFhsU=
=FUPF
-----END PGP PUBLIC KEY BLOCK-----