• 1: Home
• 2: Presentations
  • 2.1: Hibernation File Attack
  • 2.2: Stoned Bootkit
  • 2.3: The Rise of MBR Rootkits & Bootkits in the Wild
  • 2.4: Stoned déjà vu - again
• 3: Trainings
  • 3.3: Hibernation File Attack - Reino de España
• 4: Articles
  • 4.1: Polymorphic Encryption Methods
  • 4.2: Writing a Boot Scan Engine
  • 4.3: The Magic of Bootkits
  • 4.4: Analysis of Sinowal
  • 4.5: Advanced Analysis of Sinowal
  • 4.6: Microsofts Rich Header
  • 4.7: Analysis of Conficker
  • 4.8: CIPAV
  • 4.9: Windows Exception Handling
  • 4.10: Pagefile Attack
  • 4.11: Software Watermarking
  • 4.12: Analysis of Stoned
  • 4.13: The Old New Thing About Development
  • 4.14: AntiWPA
  • 4.15: Kon-Boot
  • 4.16: Compiling Shellcode
  • 4.17: Elevated rights, process token and security identifier
  • 4.18: Abusing the TrueCrypt driver
  • 4.19: Nothing new: Msvcrt.dll
  • 4.21: Identifying Source Code
  • 4.22: Analysis of Mebratix
  • 4.23: Popsomp Hills
• 5: Projects
  • 5.1: DiskEdit
  • 5.2: Forensic Deletion Software
    • 5.2.1: Additional Deletion Methods
    • 5.2.2: Visual C++ Source Code
  • 5.3: Forensic Lockdown Software
  • 5.5: Information System
  • 5.6: QuickView
  • 5.7: Smart Boot Manager
  • 5.8: USB View
  • 5.9: Windows 3.1 Emulation
  • 5.10: Windows Boot System
  • 5.11: AV Tracker
  • 5.12: EIPTN
• 6: Services
  • 6.1: Boot-US work
  • 6.2: TeraByte Unlimited work
  • 6.3: EPIGUS work
• 8: Research
  • 8.1: Ascrimez Kit
  • 8.2: Analysing the PDF Exploit
  • 8.3: ZeuS
  • 8.4: infobox.ru: Botnet
  • 8.5: Operating System Development
  • 8.6: 4 million email addresses
• 9: About
  • 9.1: Links
  • 9.3: Peter Kleissner
  • 9.4: Last Modified Pages
  • 9.5: Meeting Points
  • 9.6: Live Search
  • 9.7: Terms of Use
  • 9.8: Contact

Kon-Boot

Kon-Boot is a software to bypass Linux and Windows logon. It uses a kind of bootkit technology to bypass the logon so you do not need to enter any password. However, due to missing payload, Kon-Boot is not a full qualified bootkit. There is no technical information about Kon-Boot available from the author, so I am publishing Kon-Boot now as open source under the European Union Public License (EUPL). Take it, use it. Enjoy reading!

Peter Kleissner, Software Guru & Anti-Software Stealing Researcher

Overview

Kon-B00t is distributed as floppy image. Please take a look on its sector occupation:

  Sector 0    0000h:7C00h   1 sector        Boot Sector.asm     Boot Sector (loads other code, initialization)
  Sector 1    9XXXh:0000h   9 sectors                           Linux & Windows logon bypassing code
  Sector 10   41 KB:FC00h   2 sectors       (not included)      palette data (VGA)
  Sector 12   41 KB:0000h   126 sectors     (not included)      raw picture data (VGA)
  Sector 137  0000h:2C00h   2 sectors       VGA Code.asm        VGA code (displays picture etc.)

http://pastebin.ca/1507709 Boot Sector.asm
http://pastebin.ca/1507666 VGA Code.asm

Reversing the boot sector

I downloaded the floppy version (FD0-konboot-v1.1-2in1.img) because it makes it easier to extract the bootloader and any further sectors or files of Kon-B00t. Using a simple hex-editor I can extract the boot sector and store it as Boot Sector.bin. For generating the disassembly I use the Netwide disassembler with following options:

C:\Company Folders\Stoned-Project\Kon-Boot>ndisasm -a -b 16 -p intel "Boot Sector.bin" > "Boot Sector.asm"

http://pastebin.ca/1507709
http://pastebin.ca/1507666