View on GitHub

Windows Platform Binary Table




Criteria Value
Permissions Other1
Security context System
Persistence type Other
Code type EXE23
Launch type Automatic
Impact Non-destructive
OS Version All OS versions
Dependencies OS only
Toolset Own toolkit required


Hardware-based persistence.

  1. During the OS startup, smss.exe calls NtQuerySystemInformation() function with a SystemPlatformBinaryInformation (0x85) as a parameter.
  2. NtQuerySystemInformation() scans UEFI tables stored within hardware memory looking for a piece of data with properly constructed headers.
  3. If the correct pattern (“WPBT”, length, revision and a checksum) is found, the structure is passed to the smss.exe.
  4. smss.exe stores the piece of UEFI memory within a file called %systemroot%\system32\wpbbin.exe.
  5. smss.exe takes execution parameters (command line) from the same UEFI block.
  6. The wpbbin.exe is checked for integrity with IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY.
  7. The wpbbin.exe is executed.

The functionality may be disabled with the DisableWpbtExecution registry value set to 1 in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager (tip by @Harvesterify)

The functionality is not a typical persistence, as it does not rely only on configuration stored within Windows. As written above, the exploitation requires both: writing into UEFI tables AND digital signature meeting IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY requirements.




See also:


  1. File content is stored within UEFI tables. 

  2. wpbbin.exe is created on disk during boot process 

  3. The code must rely on ntdll.dll, without any Win32 API calls.