Coder Social home page Coder Social logo

grabaccess's Introduction

GrabAccess

Bookit / Windows Login Password and Bitlocker Bypass Tool


English | 中文

With physical access to the target device, GrabAccess can:

  1. Bypass the Windows login password to execute commands with System privileges, reset Windows account passwords, etc.
  2. Implant a specified program and add it to startup (this can bypass Bitlocker, but requires the victim to log in)
  3. Survive operating system reinstallations or hard drive replacement, by modifying the UEFI firmware of motherboard (Bootkit)

Quick Start

The basic function of GrabAccess is to bypass the Windows login password.

  1. Prepare a USB drive formatted in either FAT16 or FAT32.

  2. Download GrabAccess_Release.zip and extract it to the root directory of the USB drive.

    1

  3. Plug the USB drive into the target computer. Reboot and enter the BIOS menu upon startup. Select the USB drive as boot option (disable Security Boot if it's enabled).

    2

  4. A CMD window and an account management interface will appear upon Windows startup, granting the ability to execute commands with System privileges without the need for login credentials.

    3

  5. Press ALT+F4 to close the CMD window, and Windows will return to the login screen.

Automated Implantation (Bypassing Bitlocker)

GrabAccess can automatically implant a specified program and add it to the startup items.

For this feature, you need to bundle GrabAccess with the program you wish to implanted:

  1. Download GrabAccess_Release.zip and extract it to the root directory of the USB drive.

  2. Name the program you wish to implanted as payload.exe and place it in the root directory of the USB drive.

  3. Execute build.bat to bundle everything together.

    4

  4. Plug the USB drive into the target computer and boot from the USB drive (as previously described).

  5. Once Windows boots up, the deployed application will be execute.

    5

This implantation process can bypass Bitlocker's system disk encryption.

When the system is booted from GrabAccess, it loads into the system memory. The USB drive can be removed at this point, but you should remain at the Bitlocker password entry screen, waiting for the victim to return and enter the password. After Bitlocker is unlocked, the specified program will be written to the disk.

Note that before this point, since GrabAccess is only in memory, it will be lost if the computer is rebooted or powered off.

Implementing Bootkit via Motherboard UEFI Firmware Modification

GrabAccess can be integrated into a computer's motherboard UEFI firmware, ensuring a hardware-level persistence (Bootkit).

Each time the Windows boots, GrabAccess re-implants the specified program. This process remains effective even after reinstallation of the operating system or replacement of the hard disk. Removal of this implant requires reflashing the motherboard's firmware or replacing the motherboard.

Warning: The following procedure may damage your motherboard! Proceed only if you have sufficient knowledge of UEFI firmware. AT YOUR OWN RISK!!!!

The process involves four main steps:

  1. Bundle GrabAccess with the specified program.
  2. Extracting the motherboard's UEFI firmware.
  3. Inserting GrabAccessDXE into the UEFI firmware.
  4. Reflashing the modified firmware back onto the motherboard.

Steps 2 and 4 vary significantly across different motherboard models. While some can be flashed via software, others require a hardware programmer due to built-in verifications.

Due to these variations, the specifics are not discussed here, it is advised to search online for the procedure relevant to your specific motherboard model.

To package GrabAccess with the intended program, follow the previously outlined steps: rename the program to payload.exe, place it in the GrabAccess root directory, and run build.bat. This results in a file named native.exe, which will be used in the subsequent steps.

After extracting the motherboard UEFI firmware, use UEFITool to open it. Press Ctrl+F, select Text, and search for pcibus. Double-click on the first result in the subsequent list.

6

Right-click on the pcibus entry and choose Insert before. Then select GrabAccessDXE.ffs from the UEFI_FSS folder in the downloaded GrabAccess_Release.zip.

7

After inserting GrabAccessDXE, right-click on it, choose Insert before, and add native.ffs from the UEFI_FSS folder. The list should appear as follows:

8

Open native.ffs (identified by its GUID 2136252F-5F7C-486D-B89F-545EC42AD45C). Right-click on the Raw section, select Replace body, and replace it with the native.exe file which is previously created.

9

Lastly, save the modified firmware by selecting Save image file from the File menu.

This firmware is now embedded with a Bootkit and ready to be flashed back onto the motherboard. If done correctly, native.exe will be written and executed with each boot of Windows.

If the process fails, consider these steps:

  1. Turn off Security Boot and CSM in the UEFI settings, ensuring the OS boots in UEFI mode.
  2. Insert pcddxe.ffs from the UEFI_FSS folder into the firmware (as previously described). Note that this module may conflict with others, potentially preventing booting. This step is advised only if using a programmer!

Supported Operating Systems

GrabAccess only supports Windows operating systems under UEFI, and is currently only supports x64 systems.

Tested on Windows 10 (1803, 22H2) and Windows 11 (23H2), including using TPM, online accounts, and PIN codes. However, it does not support bypassing Security Boot.

Going deeper

Windows Platform Binary Table

Unlike Kon-boot, which tampers with the Windows kernel, GrabAccess is based on a legitimate backdoor in Windows: WPBT (Windows Platform Binary Table).

Manufacturers typically use WPBT to integrate driver management and anti-theft software into their computers. Similar to a Bootkit virus, once a WPBT entry exists in the motherboard, the designated program will automatically installed on Windows system during boot-up, regardless of system reinstalls or hard drive changes.

WPBT was intended to be implemented by manufacturers into the UEFI firmware of the motherboard. However, attackers can exploit this mechanism by injecting a WPBT entry during the UEFI boot process, without needing to modify the motherboard firmware.

Components of GrabAccess

GrabAccess consists of two components:

  1. UEFI Application: In the source code as Stage1-UEFI, this is used to write WPBT entries into the ACPI table in the UEFI environment.
  2. Windows Native Application: In the source code as Stage2-NativeNT, this is used to deploying the payload and setting up startup items.

Functions of the Native Application

The application loaded by WPBT is not a standard Win32 program, but a Windows Native Application. It executes during the Windows Native NT phase, which occurs before user login. However, the APIs provided by Windows to Native NT phase are fewer than those available to Win32 programs.

In the source code, Stage2-NativeNT is tasked with writing out the final Payload (the specified program bundled by the user) to C:\\Windows\\System32\\GrabAccess.exe, and adding a startup item under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GrabAccess.

If there is no Payload at its end, it hijacks Logonui.exe through IFEO, displaying cmd.exe and netplwiz.exe during Windows login.

Credits

  1. Windows Platform Binary Table (WPBT)
  2. WPBT-Builder
  3. Windows Native App by Fox

grabaccess's People

Contributors

push3ax avatar

Stargazers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

Watchers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

grabaccess's Issues

Bypass secure boot

RT
MSI 最近漏的那批 secure boot 签名密钥应该可以骗过 TPM 直接启动?(假设默认 pcrs 策略)

Bitlocker not able to unlock without Secure Boot

Hi,

most of the time bitlocker will check if secure boot is activated.
When it is disabled, bitlocker will not unlock without the recovery key.
Might want to clarify that the attacks here are not bypassing bitlocker when that feature is present.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.