in the realm of the reckless
the cautious mind is the crown
https://github.com/3itch ( twitter ):
CHECKM8 - intel txt's tboot integrity checking bypass
patching verify_integrity() function to return true
using coreboot shim
ICEKIT - AMD x86_64 cache persistence + cache-as-ram
cache way locking using CAT for L3
https://github.com/3intermute ( discord ):
RAMIEL - uefi diskless persistence + OVMF secureboot bypass
persisting inside pci oprom ( because disk persistence is unreliable )
clearing XROMBAR, and setting pci=norom kernel flag to ensure oprom mapping
doesn't happen, and guid splitting for future reassembly.
HvICE - hypervisor-enforced patch protection for the linux kernel with
xen + libvmi, libvmi KASLR offset spoofer
hypervisor-enforced patch protection by setting the kernel's .text and .rodata
section ranges (_text, _etext & __start_rodata, __end_rodata)
as non-writable in the guest EPT.
HvICE then monitors for writes. if a write occurs, it triggers an EPT write violation.
the VM then gets paused and the unauthorized write is taken care of.
--------------------------
submissions are welcome !!