Malicious code in x86/x64 firmware can potentially reside in many places. One of them is the PCI expansion ROM. In the past, the small amount of memory available during PCI expansion ROM execution acted as a hindrance to malicious code: the limited space for code and data limited the tasks that such code could carry out. However, this article explains how a malicious PCI expansion ROM might exploit a little-known BIOS memory management interface to break through the memory "barrier," thus creating a potentially more complex threat. The discussion in this article is limited to PCI expansion ROMs conforming to the PCI firmware revision 3.1 specification.

This newly "discovered" larger memory footprint enables a malware creator to place (at least) a simple file system infector inside the PCI expansion ROM (a compressed one). During PCI expansion ROM execution, the compressed file system infector could obtain the memory it requires through memory allocation with the PMM functions, provided that the BIOS implements PMM, which is most likely the case in the last 3 to 5 years. Another issue is that a malware creator might abuse the "permanent" memory allocated for the PCI expansion ROM through the pmmAllocate() function by using the permanent memory flag during the call to pmmAllocate(). Additionally, a rogue but simple network "interceptor" code might be possible given the jump in the memory footprint, and if the interceptor hides in the "permanent" memory, it could be troublesome.

View here: http://resources.infosecinstitute.com/pci-expansion-rom/ to read the full article and walkthrough at InfoSec Institute.
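For defenders reviewing option ROM dumps, the following triage sketch is an added example, not code from the article: it parses the first image of an expansion ROM, verifies the legacy checksum, and reports whether the image contains the `$PMM` signature that ROM code has to search for before it can call PMM services. The header offsets follow the PCI expansion ROM layout as understood here, the function names and sample image are constructed for illustration, and a hit is only a triage signal because legitimate ROMs also use PMM.

```python
import struct

PMM_SIG = b"$PMM"  # signature of the BIOS PMM structure that ROM code searches for

def build_sample_rom(uses_pmm: bool) -> bytes:
    """Constructed 512-byte legacy x86 image for this demo, not a real ROM."""
    rom = bytearray(512)
    rom[0:2] = b"\x55\xaa"                               # expansion ROM signature
    rom[2] = 1                                           # size in 512-byte units
    struct.pack_into("<H", rom, 0x18, 0x40)              # pointer to PCI data structure
    rom[0x40:0x44] = b"PCIR"
    struct.pack_into("<HH", rom, 0x44, 0x1234, 0x5678)   # constructed vendor/device IDs
    struct.pack_into("<H", rom, 0x50, 1)                 # image length, 512-byte units
    rom[0x54], rom[0x55] = 0x00, 0x80                    # x86 code type, last image
    if uses_pmm:
        rom[0x100:0x104] = PMM_SIG                       # as an immediate in lookup code
    rom[-1] = (-sum(rom[:-1])) & 0xFF                    # make the byte sum zero
    return bytes(rom)

def audit_rom(image: bytes) -> dict:
    """Parse the first image of an expansion ROM dump and report triage facts."""
    if len(image) < 0x1A or image[0:2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA expansion ROM signature")
    (pcir,) = struct.unpack_from("<H", image, 0x18)
    if pcir + 0x16 > len(image) or image[pcir:pcir + 4] != b"PCIR":
        raise ValueError("PCI data structure not found")
    vendor, device = struct.unpack_from("<HH", image, pcir + 4)
    (units,) = struct.unpack_from("<H", image, pcir + 0x10)
    declared = units * 512
    body = image[:declared]
    return {
        "vendor_id": vendor,
        "device_id": device,
        "code_type": image[pcir + 0x14],
        "last_image": bool(image[pcir + 0x15] & 0x80),
        "truncated": len(body) < declared,
        "checksum_ok": len(body) == declared and (sum(body) & 0xFF) == 0,
        "references_pmm": PMM_SIG in body,
    }

if __name__ == "__main__":
    for flag in (True, False):
        print(flag, audit_rom(build_sample_rom(flag)))
```

Comparing the reported fields against a known-good dump of the same vendor and device ID is what makes a `references_pmm` change or a checksum failure meaningful.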