System Management Mode Rootkit Innovation

System Management Mode (SMM) is an often-overlooked operating state featured on Intel processors since the 80386. It was created to simplify debugging of system code (whether operating system or firmware), which had previously been debugged using an In-Circuit Emulator (ICE). SMM allows select software to run completely independently of the running operating system and was intended both for debugging and for running advanced power management software. This ability to operate outside the operating system's control and security monitoring has been the focus of rootkit research by Clear Hat Consulting. By operating a rootkit from within SMM, the software will be undetectable by scanners and does not even require modifying any core files. While operating within SMM, code can browse through the processing state tables in order to read or write any desired location within the running, albeit suspended, operating system. A to the host it resides in while allowing an external hacker complete, stealthy access to the compromised host.

