Firmware Level Rootkit

@jaghasi (Active Member, joined 15 years ago, 6 posts), topic starter:

Hi,

I am conducting research on forensic analysis of firmware level rootkits. Since the rootkits are implemented at the hardware level it is difficult to detect. There is a brand new rootkit which the author claims uses a zero day vulnerability in win32k.sys. https://github.com/Cr4sh/WindowsRegistryRootkit#readme

Can anyone please share with me how to identify the existence of firmware level rootkits on victim computers?

Thank you


Passmark (@passmark, Reputable Member, joined 14 years ago, 376 posts):

Broadly speaking there are two cases.

Case 1
The firmware came from the manufacturer with the backdoor included.
In this case you could step through the code line by line and check it.
You could also monitor for strange behaviour, e.g. unexpected network connections.
But most of the time neither option is practical.

Case 2
Someone has updated the original firmware with a new 'bad' version. In this case there is the possibility to compare the code back to the original, which makes it much easier to locate something that shouldn't be there.

I have no idea why you are referencing a bug in Win32k.sys as an example of a firmware rootkit however. Maybe you are confused as to what firmware actually is?

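The comparison Passmark describes for case 2, as an added example that is not part of either post: a dumped firmware image is checked against a known-good reference image (assumed to come from a trusted vendor download whose signature was verified), and the script reports which byte ranges differ so disassembly can focus on them instead of stepping through the whole image. The images below are constructed sample data, not real firmware.

```python
import hashlib


def firmware_diff(reference: bytes, sample: bytes) -> dict:
    """Compare a dumped firmware image against a known-good reference.

    Returns the SHA-256 of both images, the size difference, and a list of
    (offset, length) regions where the bytes differ. Appended or missing
    trailing bytes (a common sign of an injected module) are reported as
    one final region so a size mismatch is never silently ignored.
    """
    regions = []
    common = min(len(reference), len(sample))
    start = None
    for i in range(common):
        if reference[i] != sample[i]:
            if start is None:
                start = i          # beginning of a differing run
        elif start is not None:
            regions.append((start, i - start))
            start = None
    if start is not None:          # run continues to the end of the overlap
        regions.append((start, common - start))
    if len(sample) != len(reference):
        regions.append((common, abs(len(sample) - len(reference))))
    return {
        "reference_sha256": hashlib.sha256(reference).hexdigest(),
        "sample_sha256": hashlib.sha256(sample).hexdigest(),
        "size_delta": len(sample) - len(reference),
        "modified_regions": regions,
        "identical": not regions,
    }


# Constructed sample data: a 1 KiB "vendor" image and a tampered copy with
# four patched bytes at 0x100 and eight bytes appended at the end.
REFERENCE_IMAGE = bytes(range(256)) * 4
_tampered = bytearray(REFERENCE_IMAGE)
_tampered[0x100:0x104] = b"\xde\xad\xbe\xef"
_tampered += b"\x90" * 8
SAMPLE_IMAGE = bytes(_tampered)

if __name__ == "__main__":
    result = firmware_diff(REFERENCE_IMAGE, SAMPLE_IMAGE)
    print("reference:", result["reference_sha256"])
    print("sample:   ", result["sample_sha256"])
    print("size delta:", result["size_delta"], "bytes")
    for offset, length in result["modified_regions"]:
        print(f"modified region at 0x{offset:06x}, {length} bytes")
```

In practice the reference must be the exact vendor release matching the device's model and version, or every legitimate build difference shows up as a modified region.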