SBIR-STTR Award

Utilizing Hardware Features for Covert Loading and Execution of Software
Award last edited on: 10/10/2008

Sponsored Program: SBIR
Awarding Agency: DOD : OSD
Total Award Amount: $99,906
Award Phase: 1
Solicitation Topic Code: OSD08-IA2
Principal Investigator: Rico Valdez

Company Information

Cyber Defense Agency LLC

3601 43rd Street South
Wisconsin Rapids, WI 54494
Location: Multiple
Congr. District: 03
County: Wood

Phase I

Contract Number: ----------
Start Date: ----    Completed: ----
Phase I year: 2008
Phase I Amount: $99,906

Current methods for the covert loading and execution of software typically operate at ring zero or are hypervisor based. Detecting the presence of hidden processes is a cat-and-mouse game when using traditional kernel-based techniques, and timing analysis and other methods have demonstrated the ability to detect the presence of a hypervisor as well. Modern hardware platforms provide opportunities to execute code completely outside of the context of the operating system. Some of the challenges of covertly executing code on the hardware resources, outside the context of the operating system, involve interfacing with the overlying OS and finding ways to meaningfully interact with it. To fully explore the possibilities of covert loading and execution of software, we must further investigate the approaches for leveraging the hardware resources of a system to execute code covertly. This research looks at BIOS modifications, peripheral cards, and System Management Mode (SMM), as well as an investigation into the capabilities introduced with the Extensible Firmware Interface (EFI), and the possibilities for covert code execution using this emerging architecture.

Keywords:
Rootkits, Stealth Software, BIOS, SMM, EFI, Covert Processing, Software Protection, Hidden Execution

Phase II

Contract Number: ----------
Start Date: ----    Completed: ----
Phase II year: ----
Phase II Amount: ----