Open Source and information security mailing list archives
Date: Wed, 12 Aug 2015 19:33:43 +0200
From: "Stefan Kanthak" <>
To: "Kevin Beaumont" <>
Cc: <>
Subject: Re: Windows Platform Binary Table (WPBT) - BIOS PE backdoor

"Kevin Beaumont" <> wrote:


> Microsoft documented a feature in Windows 8 and above called Windows
> Platform Binary Table.

Cf. <> where WPBT is linked to
<> alias

> Up until two days ago, this was a single Word
> document not referenced elsewhere on Google:
> This feature allows a BIOS to deliver the payload of an executable,
> which is run in memory, silently, each time a system is booted.  The
> executable code is run under Session Manager context (i.e.

This sort of feature is NOT new: with Windows 2003 Microsoft introduced
the loading of "virtual OEM device drivers" during Windows setup, see

AFAIK at least HP and Dell used this method to deploy [F6] drivers
embedded in their BIOS.


stay tuned
Stefan Kanthak
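
A defender-side check for the table discussed in this thread, added here as an example and not part of either poster's message: it decodes a raw WPBT ACPI table and reports the size, physical address and command-line arguments of the binary that firmware hands to Windows. The field layout is assumed to follow Microsoft's published WPBT document; `parse_wpbt` and `build_sample` are names chosen for this example, and the sample table is constructed.

```python
import os
import struct

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI table header
WPBT_FIELDS = struct.Struct("<IQBBH")          # WPBT fields that follow the header
MIN_LEN = ACPI_HEADER.size + WPBT_FIELDS.size

def parse_wpbt(blob: bytes) -> dict:
    """Decode a raw WPBT table and report what firmware asks Windows to run."""
    if len(blob) < MIN_LEN:
        raise ValueError("too short to be a WPBT table")
    sig, length, _rev, _sum, oem_id, oem_table, *_ = ACPI_HEADER.unpack_from(blob)
    if sig != b"WPBT":
        raise ValueError("signature is %r, not WPBT" % sig)
    if not MIN_LEN <= length <= len(blob):
        raise ValueError("header length field is inconsistent with the data")
    size, addr, layout, ctype, arg_len = WPBT_FIELDS.unpack_from(blob, ACPI_HEADER.size)
    args = blob[MIN_LEN:MIN_LEN + arg_len].decode("utf-16-le", "replace")
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip("\0 "),
        "oem_table_id": oem_table.decode("ascii", "replace").strip("\0 "),
        "checksum_ok": sum(blob[:length]) % 256 == 0,  # all table bytes sum to 0 mod 256
        "binary_size": size,          # size of the handed-off image in bytes
        "binary_phys_addr": addr,     # physical address of the image
        "content_layout": layout,
        "content_type": ctype,
        "arguments": args.rstrip("\0"),
    }

def build_sample(args: str = "--constructed-arg") -> bytes:
    """Build a constructed WPBT table (all values invented) for offline testing."""
    arg_bytes = args.encode("utf-16-le")
    header = ACPI_HEADER.pack(b"WPBT", MIN_LEN + len(arg_bytes), 1, 0,
                              b"SAMPLE", b"CONSTRCT", 1, b"TEST", 1)
    raw = bytearray(header + WPBT_FIELDS.pack(0x20000, 0x7F000000, 1, 1, len(arg_bytes))
                    + arg_bytes)
    raw[9] = (-sum(raw)) % 256        # checksum byte sits at offset 9 of the header
    return bytes(raw)

if __name__ == "__main__":
    path = "/sys/firmware/acpi/tables/WPBT"   # Linux exposes ACPI tables here (root only)
    if os.path.exists(path):
        with open(path, "rb") as fh:
            print(parse_wpbt(fh.read()))
    else:
        print("no WPBT table exposed by firmware; constructed sample instead:")
        print(parse_wpbt(build_sample()))
```
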
