Under the hood - isbootsecure.exe

coffeeprogrammer

Well-known member
Jul 19, 2021
I had some extra time, so I decided to see if I could help myself understand some of how the new isbootsecure works. I used the command line utility dumpbin like this:

dumpbin isbootsecure.exe /imports

I think the imports are just telling what libraries are being imported from Windows.

This is the output:

Microsoft (R) COFF/PE Dumper Version 14.16.27051.0
Copyright (C) Microsoft Corporation. All rights reserved.


Dump of file isbootsecure.exe

File Type: EXECUTABLE IMAGE

Section contains the following imports:

USER32.dll
402078 Import Address Table
4027A4 Import Name Table
0 time date stamp
0 Index of first forwarder reference

309 wvsprintfA
307 wsprintfA

KERNEL32.dll
40202C Import Address Table
402758 Import Name Table
0 time date stamp
0 Index of first forwarder reference

1F6 GetModuleHandleA
211 GetNumberOfConsoleInputEvents
220 GetProcAddress
23B GetStdHandle
1E6 GetLastError
28C GlobalFree
4B5 lstrlenA
35D ReadConsoleInputA
3C1 SetConsoleTitleA
48D WriteFile
1DA GetFirmwareEnvironmentVariableA
1A9 GetCurrentProcess
16F GetCommandLineA
110 FileTimeToSystemTime
104 ExitProcess
78 CreateFileA
43 CloseHandle
285 GlobalAlloc

ADVAPI32.dll
402000 Import Address Table
40272C Import Name Table
0 time date stamp
0 Index of first forwarder reference

190 LookupPrivilegeValueA
1F1 OpenProcessToken
1E AdjustTokenPrivileges

CRYPT32.dll
402010 Import Address Table
40273C Import Name Table
0 time date stamp
0 Index of first forwarder reference

E2 CryptVerifyMessageSignature
1C CertCreateCertificateContext
3F CertFreeCertificateContext
52 CertNameToStrA

CRYPTUI.dll
402024 Import Address Table
402750 Import Name Table
0 time date stamp
0 Index of first forwarder reference

11 CryptUIDlgViewContext

Summary

1000 .data
1000 .rdata
1000 .rsrc
1000 .text
Just judging by the output, my guess is that the GetFirmwareEnvironmentVariableA function is the one doing some of the important work. I tried opening the file with Steve Miller's Dependency Walker, but it was like it was locking up.
 
I guess a follow-up question would be, if a person wanted to write an OS with its own bootloader, but did not want to sign that bootloader, would they have to turn off Secure Boot for UEFI? I think when Secure Boot was new there were some unhappy people because Microsoft was largely responsible for what boot keys were placed in firmware, meaning they could block Linux distros from Secure Boot if they wanted to. For utilities like Image for Linux or SR, I think they would either need to get those signed or not use Secure Boot. I am wondering what file is actually loaded by UEFI on a Windows installation. Is it on drive C:\?
 
So with SN985, Steve's point is always where security problems can occur. I think the point of SN985 is that if a firmware that allows bad keys is in place then a user might be infected without being noticed. I have been pretty clear that I will never rely on Microsoft or their services to secure my own PCs in my house. That said, just because you have a bad firmware, you could just be aware of it and that it could be a problem. It's like having a car where you can unlock the doors with a key fob; that signal can be cloned and could be a problem. I am aware of that with my car and I am not going to do anything about it. That is basically what I am doing when I am disabling updates. In future news sources, including SN, I am interested in whether these Secure Boot firmwares with bad keys have been used to load undesirable code into systems.
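The post guesses that GetFirmwareEnvironmentVariableA is doing the important work; that API reads UEFI variables, and the Secure Boot databases (db, dbx) are stored as a chain of EFI_SIGNATURE_LIST structures. The Python below is an added example, not code from isbootsecure or GRC: it parses that format into the certificate fingerprints and image hashes a firmware trusts, using a constructed sample database; read_efivar assumes a Linux system with efivarfs mounted.

```python
import hashlib, struct, uuid

# Signature-type GUIDs and the db/dbx vendor GUID, as defined in the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3e-4596-a3bc-dad00e67656f"
LIST_HEADER = struct.Struct("<16sIII")  # SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize

def parse_signature_lists(data):
    """Return [(sig_type, owner, signature_bytes)] for every entry in a db/dbx-style variable."""
    entries, off = [], 0
    while off + LIST_HEADER.size <= len(data):
        raw_type, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(data, off)
        end = off + list_size
        if list_size < LIST_HEADER.size or end > len(data) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos = off + LIST_HEADER.size + hdr_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA: SignatureOwner GUID + SignatureData
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((uuid.UUID(bytes_le=raw_type), owner, bytes(data[pos + 16:pos + sig_size])))
            pos += sig_size
        off = end
    return entries

def describe(entries):
    # One line per entry: SHA-256 fingerprint of a DER cert, or the raw image hash, for comparison with vendor lists.
    return [f"{'x509-fingerprint' if t == EFI_CERT_X509_GUID else 'image-hash'} "
            f"{hashlib.sha256(s).hexdigest() if t == EFI_CERT_X509_GUID else s.hex()} owner={o}"
            for t, o, s in entries]

def read_efivar(name, vendor=EFI_IMAGE_SECURITY_DATABASE_GUID):
    # Linux efivarfs exposes each variable as a file; the first 4 bytes are the attribute mask (assumed mounted).
    with open(f"/sys/firmware/efi/efivars/{name}-{vendor}", "rb") as f:
        return f.read()[4:]

def build_list(sig_type, owner, sigs):
    # Construct one EFI_SIGNATURE_LIST with an empty per-list header (used only for the offline sample below).
    sig_size = 16 + len(sigs[0])
    head = LIST_HEADER.pack(sig_type.bytes_le, LIST_HEADER.size + sig_size * len(sigs), 0, sig_size)
    return head + b"".join(owner.bytes_le + s for s in sigs)

# Constructed sample db: two image hashes, then a list holding one fake certificate blob (not real DER).
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-00000000c0de")  # made-up owner GUID
SAMPLE_DB = (build_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [hashlib.sha256(b"image-a").digest(),
                                                             hashlib.sha256(b"image-b").digest()])
             + build_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"not a real DER certificate"]))

if __name__ == "__main__":
    print("\n".join(describe(parse_signature_lists(SAMPLE_DB))))
```

On a Linux UEFI machine, replacing SAMPLE_DB with read_efivar("db") (or "dbx") lists what the firmware actually trusts or forbids.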