This paper will build upon the author’s previous research presented in February 2006 that explored a way of persisting a rootkit in the system BIOS via the Advanced Configuration and Power Interface (ACPI).
This paper will discuss means of persisting a rootkit on a PCI device containing a flashable expansion ROM. Although previous research has been done in this area, the practicalities of implementing such an attack have not been discussed in detail, and there is very little information on how to detect and prevent such attacks on systems that don’t have a Trusted Platform Module.