By design, a processor will begin functioning by executing a program stored in memory chips. For example, a PC executes the BIOS when booted. Hardware systems vary widely, but they all share a common fact: somewhere, somehow, bootstrap code must be activated. This bootstrap code is sometimes called firmware; it is always non-volatile (that is, it does not get erased when the system is shut down). If you don't know where to start, go to the boot code.
Because firmware is essential to system operation, a rootkit should not remove existing firmware features. Instead, a rootkit should add new features to the existing code (see Figure 8-1). This can be simple if you reverse-engineer the firmware in a program like IDA-Pro and find a suitable place to patch the execution path. The size of firmware memory is restricted, so if a rootkit is not small enough to fit in the limited amount of unused space, it may need to overwrite some existing firmware code. In that case, you hope to find features that are never used, or data sections that can be overwritten.
Figure 8-1. A rootkit adds new features to existing firmware.
Placing the rootkit into firmware requires writing to the memory chips. (For a PC, the most obvious place to modify is the BIOS.) This can be done with an external device, or with on-board software. An external device requires physical access to the target. The software approach requires a loader program and is most commonly applicable to PCs. A software exploit or Trojan can be used to deliver the loader program, which can then alter the firmware.
If the target device is a router or an embedded system, a loader program may be difficult to use. Many hardware devices are not designed to run third-party software and don't have mechanisms for starting multiple processes. Sometimes the best you can hope for is a firmware-upgrade feature that allows code to be uploaded.
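The defender's counterpart to the technique described above is a baseline comparison of the firmware image: a modification that lives in previously unused (erased-flash padding) space, plus a small patch to the execution path that branches into it, shows up as exactly two changed regions, one of them in bytes that used to be fill. The following is an added example, not code from the book, that diffs a stored baseline image against the current dump, reports each changed region and whether it occupied unused space, and measures the largest unused run (the space a rootkit would need). The two images, the fill-byte values and the byte offsets are constructed for the example.

```python
"""Compare a firmware image against a known-good baseline (added example).

The sample images below are constructed: a 32-byte "code" region, 32 bytes
of 0xFF erased-flash padding, and a 16-byte "data" region. The CURRENT
image patches two code bytes and fills part of the padding, the pattern
described in the text (a rootkit added into unused space plus a hook).
"""
import hashlib
from dataclasses import dataclass

# Bytes that normally indicate unused flash (erased = 0xFF, or zero fill).
FILL_BYTES = (0xFF, 0x00)


@dataclass
class Region:
    start: int        # first differing offset
    end: int          # one past the last differing offset
    was_unused: bool  # True if the baseline held only fill bytes here


def sha256_hex(image: bytes) -> str:
    """Whole-image hash; the first, cheapest integrity check."""
    return hashlib.sha256(image).hexdigest()


def changed_regions(baseline: bytes, current: bytes) -> list:
    """Return contiguous byte ranges where current differs from baseline."""
    if len(baseline) != len(current):
        raise ValueError(f"image sizes differ: {len(baseline)} vs {len(current)}")
    regions, start = [], None
    for i, (a, b) in enumerate(zip(baseline, current)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append(_region(baseline, start, i))
            start = None
    if start is not None:
        regions.append(_region(baseline, start, len(baseline)))
    return regions


def _region(baseline: bytes, start: int, end: int) -> Region:
    chunk = baseline[start:end]
    return Region(start, end, all(x in FILL_BYTES for x in chunk))


def largest_unused_run(image: bytes) -> tuple:
    """(offset, length) of the longest run of fill bytes in the image."""
    best_start, best_len, run_start = 0, 0, None
    for i, x in enumerate(image + b"\x01"):   # sentinel closes a trailing run
        if x in FILL_BYTES:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    return best_start, best_len


# --- constructed sample images -------------------------------------------
CODE = b"\x55\xAA" + bytes(range(1, 31))   # 32 bytes standing in for code
PAD = b"\xFF" * 32                         # 32 bytes of erased flash
DATA = b"DATA" * 4                         # 16 bytes standing in for data
BASELINE = CODE + PAD + DATA

_cur = bytearray(BASELINE)
_cur[2:4] = b"\xEB\x26"                    # constructed: hook patched into code
_cur[40:56] = b"\xDE\xAD" * 8              # constructed: new code in padding
CURRENT = bytes(_cur)


def report(baseline: bytes, current: bytes) -> str:
    lines = [f"baseline sha256: {sha256_hex(baseline)}",
             f"current  sha256: {sha256_hex(current)}"]
    for r in changed_regions(baseline, current):
        where = "previously UNUSED space" if r.was_unused else "existing code/data"
        lines.append(f"changed 0x{r.start:04x}-0x{r.end:04x} ({r.end - r.start} bytes) in {where}")
    off, length = largest_unused_run(current)
    lines.append(f"largest unused run now: {length} bytes at 0x{off:04x}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BASELINE, CURRENT))
```

Run against a real device, the baseline would be a vendor image or a dump taken at commissioning time; the size check at the top of `changed_regions` matters because a dump of a different flash size than the baseline is itself a finding, not something to silently truncate.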