0xbekoo/Silence-of-Naunet

GitHub: 0xbekoo/Silence-of-Naunet

A research project that hooks the UEFI SetVariable service and pairs it with a Windows kernel driver to demonstrate how data can be stored covertly in NVRAM-backed runtime memory without ever being persisted to disk or firmware storage.

Stars: 0 | Forks: 0

# Silence of Naunet

## The Goddess Naunet

In ancient Egyptian mythology, **Naunet** is the personification of the primordial waters—the infinite, formless abyss from which all creation emerged. She is the feminine counterpart of **Nun**, the god of the chaotic waters of creation, and together they form the basis of Egyptian cosmogony.

## Overview

Silence of Naunet is a research project demonstrating **UEFI Runtime Services hooking** via NVRAM variable interception. The name is inspired by the goddess of the primordial waters, reflecting the project's purpose: to reach into the silent depths of the system's firmware and intercept data as it flows through the chaotic waters of the UEFI runtime services.

The project consists of two components:

1. **SilenceOfNaunet** - An EFI driver that hooks the `SetVariable()` UEFI Runtime Service
2. **Rootkit** - A Windows kernel driver that writes test payload data to UEFI NVRAM

### What This Project Demonstrates

- How to intercept firmware variable writes by hooking the `SetVariable()` service in the UEFI Runtime Services Table
- When a specific NVRAM variable (defined by a custom GUID and name pair) is written, the hooked function captures the payload data and stores it in a hidden memory buffer
- The intercepted data never reaches persistent storage—it remains hidden in runtime memory, like treasures submerged in Naunet's depths

## How It Works

### SilenceOfNaunet (EFI Driver)

The EFI driver performs the following operations:

1. **Hook Installation**: Intercepts `SetVariable()` in the EFI Runtime Services Table by replacing the function pointer in the service table
2. **Hidden Buffer Allocation**: Allocates a hidden buffer in runtime services memory to store intercepted payloads
3. **Variable Interception**: When any variable matching the target GUID/Name pair is written via `SetVariable()`, the driver captures the payload data instead of allowing it to persist in NVRAM
4. **Debug Output**: Displays a hex dump of intercepted payloads via DEBUG() messages

### Rootkit (Windows Kernel Driver)

A minimal Windows kernel driver that writes test data to UEFI NVRAM using `ExSetFirmwareEnvironmentVariable()`. This driver is used to trigger the interception mechanism when the system boots.

## Project Structure

```
Silence-of-Naunet/
├── SilenceOfNaunet/              # EFI Driver
│   ├── SilenceOfNaunet.c         # Main driver implementation
│   ├── SilenceOfNaunet.h         # Public header
│   ├── SilenceOfNaunet.inf       # INF file for build
├── Rootkit/                      # Windows Kernel Driver
│   └── Rootkit/
│       ├── main.c                # Driver entry point
│       └── Rootkit.inf           # INF file for build
└── README.md
```

## Configuration

To change the target variable that gets intercepted, modify the following values in the source files:

**SilenceOfNaunet/SilenceOfNaunet.c:**

```c
CHAR16 *NvramName = L"TestData";
STATIC EFI_GUID mTestDataGuid = { 0xa1b2c3d4, 0x1234, 0x5678, {0x9a, 0xbc, 0xde, 0xf1, 0x23, 0x45, 0x67, 0x89} };
```

**Rootkit/Rootkit/main.c:**

```c
#define SN_VAR_NAME L"TestData"
GUID VendorGuid = { 0xa1b2c3d4, 0x1234, 0x5678, {0x9a, 0xbc, 0xde, 0xf1, 0x23, 0x45, 0x67, 0x89} };
```

The GUID and name pair must match in both files, since the EFI driver only captures writes to that exact variable.

## Testing

Using QEMU + OVMF for testing (see [my blog](https://0xbekoo.github.io/docs/uefi-dev/debugging-ovmf-with-gdb/) for debug setup):

```
bekoo@UbuntuOS:~/qemu-ovmf$ cat debug.log | grep "Silence"
...
Loading driver at 0x0007FAAC000 EntryPoint=0x0007FAAE351 SilenceOfNaunet.efi
[SilenceOfNaunet] OnVirtualAddressChange triggered
[SilenceOfNaunet] HiddenBuffer virtual: 0xFFFFF80763C49000
[SilenceOfNaunet] SetVariable virtual: 0xFFFFF80763DDEED5
[SilenceOfNaunet] TestData intercepted! 4 bytes -> HiddenBuffer (0xFFFFF80763C49000)
[SilenceOfNaunet] Payload Content (Hex Dump):
[SilenceOfNaunet] DE AD BE EF
```

## Technical Details

### Hook Mechanism

The driver hooks `SetVariable()` by:

1. Disabling CPU write protection (CR0.WP bit)
2. Replacing the function pointer in `gRT->SetVariable`
3. Re-enabling write protection
4. Recalculating the `gRT` CRC32 so the table header checksum still validates

## License

See LICENSE file for details.
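The last step of the hook mechanism is the one worth dwelling on from the defender's side: the EFI table header carries a CRC32 over the whole table, but once a hook recalculates it, the checksum validates again, so a CRC check alone never reveals a replaced service pointer. What does reveal it is that a separately loaded runtime driver is placed in its own image allocation, so its entry points fall outside the address range of the firmware module that legitimately implements the variable services. The example below is added for this page and is not part of the Silence-of-Naunet project; it models a stripped-down Runtime Services table (only the three variable-service slots, with the real layout defined in the UEFI specification), implements the same CRC-32 the `CalculateCrc32()` service uses, and contrasts the header checksum with a baseline range check. The `TrustedRange`, the table addresses and the "foreign" address are constructed sample values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified mirror of EFI_TABLE_HEADER; the authoritative
 * definition is in the UEFI specification / EDK II headers. */
typedef struct {
    uint64_t Signature;
    uint32_t Revision;
    uint32_t HeaderSize;   /* size in bytes of the entire table, header included */
    uint32_t CRC32;        /* CRC-32 of the whole table with this field zeroed */
    uint32_t Reserved;
} EfiTableHeader;

/* Only the variable services are modelled; the real table has more slots. */
typedef struct {
    EfiTableHeader Hdr;
    uint64_t GetVariable;
    uint64_t GetNextVariableName;
    uint64_t SetVariable;
} RuntimeServices;

/* Address range of the firmware image expected to implement the variable
 * services, e.g. recorded from a known-good boot (constructed baseline). */
typedef struct {
    uint64_t Start;
    uint64_t Length;
} TrustedRange;

/* Standard CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320), the same
 * algorithm UEFI's CalculateCrc32() uses for table header checksums. */
uint32_t efi_crc32(const void *data, size_t len) {
    const uint8_t *p = (const uint8_t *)data;
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* CRC over the table with the CRC32 field treated as zero, as the spec requires. */
uint32_t table_crc(const RuntimeServices *rt) {
    RuntimeServices copy = *rt;
    copy.Hdr.CRC32 = 0;
    return efi_crc32(&copy, sizeof copy);
}

int header_crc_valid(const RuntimeServices *rt) {
    return table_crc(rt) == rt->Hdr.CRC32;
}

/* What any well-formed table writer (firmware or a hook) does after editing. */
void update_header_crc(RuntimeServices *rt) {
    rt->Hdr.CRC32 = table_crc(rt);
}

/* Build a table whose three service pointers all live inside one image. */
RuntimeServices make_sample_table(uint64_t image_base) {
    RuntimeServices rt = {0};
    rt.Hdr.Signature  = 0x56524553544e5552ull;   /* "RUNTSERV" */
    rt.Hdr.Revision   = 0x00020046u;             /* UEFI 2.70 style revision */
    rt.Hdr.HeaderSize = (uint32_t)sizeof rt;
    rt.GetVariable         = image_base + 0x100;
    rt.GetNextVariableName = image_base + 0x200;
    rt.SetVariable         = image_base + 0x300;
    update_header_crc(&rt);
    return rt;
}

/* Count service pointers that fall outside the trusted image range. This is the
 * signal a CRC check cannot give once the hook has recomputed the checksum. */
int count_foreign_pointers(const RuntimeServices *rt, const TrustedRange *r) {
    const uint64_t slots[] = { rt->GetVariable, rt->GetNextVariableName, rt->SetVariable };
    int count = 0;
    for (size_t i = 0; i < sizeof slots / sizeof slots[0]; i++)
        if (slots[i] < r->Start || slots[i] >= r->Start + r->Length)
            count++;
    return count;
}

int main(void) {
    TrustedRange range = { 0x7FB00000ull, 0x40000ull };     /* constructed */
    RuntimeServices rt = make_sample_table(0x7FB01000ull);  /* constructed */
    printf("baseline: crc valid=%d foreign=%d\n",
           header_crc_valid(&rt), count_foreign_pointers(&rt, &range));

    rt.SetVariable = 0x7FAAE351ull;   /* constructed address in another image */
    printf("after swap, before re-CRC: crc valid=%d\n", header_crc_valid(&rt));
    update_header_crc(&rt);
    printf("after re-CRC: crc valid=%d foreign=%d\n",
           header_crc_valid(&rt), count_foreign_pointers(&rt, &range));
    return 0;
}
```

Run as-is, the program prints that the checksum validates both before and after the pointer swap once the CRC is recomputed, while the range check moves from 0 to 1 foreign pointer; in a real check the trusted range comes from the memory map or loaded-image records of a known-good boot rather than from a constant.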
Tags: EFI driver, GUID variables, hooking, NVRAM, Rootkit, SetVariable, TPM, UEFI, Zeek, in-memory hiding, kernel driver, firmware backdoor, firmware security, firmware vulnerabilities, subdomain enumeration, security testing, client-side encryption, persistent storage, offensive security, data interception, system security, network protocols, authentication enforcement, runtime services, covert storage