Vbootkit: Compromising Windows Vista Security
@ :: worthy ::     Apr 04 2007, 04:05 (UTC+0)
vipinkumar writes:

We have recently been researching Vista. Meanwhile, our research for fun led us to some important findings. Vista is still vulnerable to unsigned code execution. vbootkit is the name we have chosen (V stands for Vista, and boot kit is just a term we coined for a kit which lets you doctor the boot process). The vbootkit concept presents how to insert arbitrary code into RC1 and RC2, thus effectively bypassing the famous Vista policy of allowing only digitally signed code to be loaded into the kernel. The presented attack works using custom boot sectors. Custom boot sectors are modified boot sectors which hook the booting process of the system and thus gain control of the system. Meanwhile, the OS continues to boot and goes on with normal execution.

We have been scheduled to demonstrate the concept at

1) the HITB Conference Dubai and

2) Black Hat Europe 2007.


http://www.blackhat.com/html/bh-europe-07/bh-eu-07-schedule.html

http://conference.hitb.org/hitbsecconf2007dubai/


We are also talking about shell-codes for Vista.

Some of the shellcodes which might be plugged into vbootkit are:

1) Privilege escalation shellcode (automagically raising any process to SYSTEM privileges)

2) Modify the registry so as to start the telnet server automatically, huh

3) Disable other protections

4) Hiding processes, and so on.


Since vbootkit becomes part of the kernel itself, it can basically do anything that the kernel can do.


Nitin Kumar, Vipin Kumar


(c) www.rootkit.com / http://www.rootkit.com/
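The post explains that the attack lives in a modified boot sector that hooks the boot process before the kernel's signature policy is active. From a defender's side, the corresponding check is to parse the 512-byte MBR and compare its boot-code region against a known-good baseline, since the partition table may legitimately change while the boot code should not. The following script is an added example written for this page; it is not code from the vbootkit authors or from rootkit.com. The sample MBR bytes, the `build_sample_mbr` helper and the baseline digest are constructed here for illustration; on a real system the 512 bytes would be read from the disk device and the baseline recorded at install time.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: boot loader code
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"       # bytes 510..511


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR for the demo: given boot code, one NTFS partition, valid signature."""
    boot = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    # Entry: status 0x80 (bootable), CHS start, type 0x07 (NTFS), CHS end, LBA start, sector count.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 1000000)
    table = entry + b"\x00" * 48  # remaining three entries unused
    return boot + table + SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR image into boot code, partition entries and signature validity."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        entry = mbr[off:off + 16]
        ptype = entry[4]
        if ptype == 0:
            continue  # empty slot
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        partitions.append({
            "bootable": entry[0] == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sector_count": sector_count,
        })
    return {
        "boot_code": mbr[:BOOT_CODE_SIZE],
        "partitions": partitions,
        "signature_ok": mbr[510:512] == SIGNATURE,
    }


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of only the boot-code region, so partition-table edits don't trip the check."""
    return hashlib.sha256(parse_mbr(mbr)["boot_code"]).hexdigest()


def verify_boot_code(mbr: bytes, baseline_digest: str) -> bool:
    """True when the signature is valid and the boot code matches the recorded baseline."""
    parsed = parse_mbr(mbr)
    if not parsed["signature_ok"]:
        return False
    return hashlib.sha256(parsed["boot_code"]).hexdigest() == baseline_digest


if __name__ == "__main__":
    # Constructed stand-in for a known-good boot loader; a real baseline would be taken at install time.
    known_good = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
    baseline = boot_code_digest(known_good)
    print("baseline ok:", verify_boot_code(known_good, baseline))
    modified = bytearray(known_good)
    modified[0] ^= 0xFF  # simulate a patched first instruction
    print("modified ok:", verify_boot_code(bytes(modified), baseline))
```

Because the digest covers only bytes 0 to 445, a legitimate repartitioning does not raise an alert, while any change to the executable part of the sector does. The check has to be run from a trusted environment (for example, offline against the raw disk) since code that already controls the boot path can also lie about the sector contents it shows a running system.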