Everyone Gets a Rootkit

Now that I have your attention with that clickbait headline?…

There’s been a recent flurry of articles about a longstanding Microsoft Windows capability called “Windows Platform Binary Table” (WPBT).

Introduced with Windows 8, here’s an excerpt of Microsoft’s description ( docx):

This paper describes a mechanism for a platform, via the boot firmware, to publish a binary to Windows for execution. The mechanism leverages a boot firmware component to publish a binary in physical memory described to Windows using a fixed ACPI table.

“via the boot firmware” is the significant part.

Microsoft goes on:

The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a “clean” configuration. WPBT allows the Windows image on disk to be modified at boot time.

Yikes!

Remember my advice to “Reload Windows on Your New PCs?” That might not be enough.

Principally, WPBT is there for hardware manufacturers to install their own firmware drivers before Windows loads.

But remember Murphy’s Law: If anything can go wrong, it will.

As far back as 2015 there have been vulnerabilities related to WPBT. Here’s (archive.is) Lenovo’s story.

This popped up again this week in a report (archive.is) from eclypsium.

How-To Geek has the process (archive.is) on how to check your PC:

… open the C:\Windows\system32 directory and look for a file named wpbbin.exe.?… If it’s not present, your PC manufacturer hasn’t used WPBT to automatically run software on your PC.

My ThinkPad and Asus desktop were clean.

YMMV

Originally published at https://blog.benmoore.info.