Re: Windows Platform Binary Table (WPBT) - BIOS PE backdoor

["Stefan Kanthak" <stefan.kanthak () nexgo de>]

"Kevin Beaumont" <kevin.beaumont () gmail com> wrote:

[...]

> Microsoft documented a feature in Windows 8 and above called Windows
> Platform Binary Table.

Cf. <http://www.acpi.info/links.htm> where WPBT is linked to
<http://go.microsoft.com/fwlink/p/?LinkId=234840> alias
<https://msdn.microsoft.com/en-US/library/windows/hardware/dn550976>

> Up until two days ago, this was a single Word
> document not referenced elsewhere on Google:
http://webcache.googleusercontent.com/search?q=cache:H-SSYRAB0usJ:download.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/windows-platform-binary-table.docx+&cd=1&hl=en&ct=clnk&gl=us
> This feature allows a BIOS to deliver the payload of an executable,
> which is run in memory, silently, each time a system is booted.  The
> executable code is run under under Session Manager context (i.e.
> SYSTEM).

This sort of feature is NOT new: with Windows 2003 Microsoft introduced
the loading of "virtual OEM device drivers" during Windows setup, see
<https://support.microsoft.com/en-us/kb/896453>

AFAIK at least HP and Dell used this method to deploy [F6] drivers
embedded in their BIOS.

[...]

stay tuned
Stefan Kanthak