{"id":13798107,"url":"https://github.com/Cr4sh/SmmBackdoor","last_synced_at":"2025-05-13T05:31:37.455Z","repository":{"id":1967037,"uuid":"38600240","full_name":"Cr4sh/SmmBackdoor","owner":"Cr4sh","description":"First open source and publicly available System Management Mode backdoor for UEFI based platforms. Good as general purpose playground for various SMM experiments.","archived":false,"fork":false,"pushed_at":"2023-10-09T20:38:16.000Z","size":264,"stargazers_count":592,"open_issues_count":0,"forks_count":164,"subscribers_count":46,"default_branch":"master","last_synced_at":"2025-04-04T17:11:09.218Z","etag":null,"topics":["backdoor","boot","firmware","intel","malware","smm","uefi"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Cr4sh.png","metadata":{"files":{"readme":"README.TXT","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.TXT","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2015-07-06T05:58:08.000Z","updated_at":"2025-03-30T04:06:53.000Z","dependencies_parsed_at":"2022-08-09T03:30:13.627Z","dependency_job_id":"4e29ebd2-fc18-493e-977a-96d58462d0d4","html_url":"https://github.com/Cr4sh/SmmBackdoor","commit_stats":{"total_commits":8,"total_committers":1,"mean_commits":8.0,"dds":0.0,"last_synced_commit":"ef2423a2dd6508327063de84c47193b88033becc"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cr4sh%2FSmmBackdoor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cr4sh%2FSmmBackdoor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cr4sh%2FSmmBackdoor/releases","manifests_url":"
https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cr4sh%2FSmmBackdoor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Cr4sh","download_url":"https://codeload.github.com/Cr4sh/SmmBackdoor/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253883111,"owners_count":21978610,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["backdoor","boot","firmware","intel","malware","smm","uefi"],"created_at":"2024-08-04T00:00:39.101Z","updated_at":"2025-05-13T05:31:37.045Z","avatar_url":"https://github.com/Cr4sh.png","language":"C","readme":"\n  SMM backdoor for UEFI based platforms\n\n*****************************************************************\n\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n\n  This is a legacy, abandoned project. For the current version of the \n  backdoor, check the SMM Backdoor Next Gen project page and its \n  documentation:\n\n  https://github.com/Cr4sh/SmmBackdoorNg\n\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n\nFor more information about this project please read the following article:\n\nhttp://blog.cr4.sh/2015/07/building-reliable-smm-backdoor-for-uefi.html\n\n\nRepository contents:\n\n  * SmmBackdoor.py -- Python program that can infect the PE image of a UEFI DXE driver with backdoor code, communicate with the installed backdoor to read SMRAM and do some other useful things.\n\n  * SmmBackdoor/ -- source code of the UEFI part that runs in System Management Mode.\n\n  * SmmBackdoor.efi, SmmBackdoor.pdb -- UEFI part binary and its 
debug symbols.\n\n  * smm_call/ -- proof of concept Linux program that interacts with the installed backdoor to get root privileges for its process.\n \n\nTo build the SmmBackdoor project you need a Windows machine with Visual Studio 2008 and the EDK2 source code (https://github.com/tianocore/edk2).\n\nStep-by-step instructions:\n\n  1. Copy the SmmBackdoor subdirectory to the EDK2 source code directory.\n\n  2. Edit the Conf/target.txt file and set the ACTIVE_PLATFORM property value to OvmfPkg/OvmfPkgX64.dsc.\n\n  3. Edit OvmfPkg/OvmfPkgX64.dsc and add the following lines at the end of the file:\n\n    #\n    # 3-rd party drivers\n    #\n    SmmBackdoor/SmmBackdoor.inf {\n      \u003cLibraryClasses\u003e\n        DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf\n        MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf\n    }\n\n  4. Run the Visual Studio 2008 Command Prompt and cd to the EDK2 directory.\n\n  5. Execute Edk2Setup.bat --pull to configure the build environment and download required binaries.\n\n  6. cd SmmBackdoor \u0026\u0026 build\n\n  7. After compilation, the resulting PE image file will be created at Build/OvmfX64/DEBUG_VS2008x86/X64/SmmBackdoor/SmmBackdoor/OUTPUT/SmmBackdoor.efi\n\n\nTo run SmmBackdoor.efi as an infector payload, using the Intel DQ77KB motherboard as an example:\n\n  1. Dump the motherboard firmware using a hardware SPI programmer.\n\n  2. Open the dumped flash image in UEFITool.\n\n  3. Extract the PE image of the FFS file with GUID = 26A2481E-4424-46A2-9943-CC4039EAD8F8 and save it to the extracted.bin file.\n\n  4. Infect the extracted image with SmmBackdoor.efi using SmmBackdoor.py:\n\n    $ python SmmBackdoor.py --infect extracted.bin --output infected.bin --payload SmmBackdoor.efi\n\n  5. In UEFITool replace the original PE image with infected.bin.\n\n  6. 
Save the modified flash image to a file and write it to the motherboard ROM with the programmer.\n\nThe backdoor also has debug output capabilities that allow you to see DXE phase debug messages on the screen and receive runtime phase debug messages over the COM port.\n\n\nTo use SmmBackdoor.py you need to install the pefile Python library (https://pypi.python.org/pypi/pefile) and the CHIPSEC framework (https://github.com/chipsec/chipsec) including Python bindings. \n\nSupported commands:\n\n  * SmmBackdoor.py --infect \u003csource_path\u003e --output \u003cdest_path\u003e --payload \u003cpayload_path\u003e - Infect the PE image of a DXE driver with the specified backdoor code.\n\n  * SmmBackdoor.py --test - Check for backdoor presence and print status information from the BACKDOOR_INFO structure.\n\n  * SmmBackdoor.py --dump-smram - Dump all available SMRAM regions into files.\n\n  * SmmBackdoor.py --read-phys \u003caddress\u003e - Print a hexadecimal dump of the physical memory page at the given address.\n\n  * SmmBackdoor.py --read-virt \u003caddress\u003e - Print a hexadecimal dump of the virtual memory page at the given address.\n\n  * SmmBackdoor.py --timer-enable - Enable the periodic timer SMI that is required for smm_call (by default it's enabled).\n\n  * SmmBackdoor.py --timer-disable - Disable the periodic timer SMI.\n\n\nsmm_call usage:\n\n  * smm_call \u003ccode\u003e [\u003carg_1\u003e [\u003carg_2\u003e]] - Send the specified control code and arguments to the SMM backdoor.\n\n  * smm_call --privesc - Ask the backdoor to give root privileges to the caller process and run a command shell.\n\n\nPlease note that this code was tested only with the Intel DQ77KB motherboard. 
You may try to run it on any other UEFI compatible hardware, but some of the backdoor features might not work.\n\n\nWritten by:\nDmytro Oleksiuk (aka Cr4sh)\n\ncr4sh0@gmail.com\nhttp://blog.cr4.sh\n\n","funding_links":[],"categories":["Bootkits :bomb:"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCr4sh%2FSmmBackdoor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FCr4sh%2FSmmBackdoor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCr4sh%2FSmmBackdoor/lists"}