Simple Windows 24H2 bootkit made for my bachelor's thesis. The main goal of this project was to learn and experiment with threats affecting the UEFI environment. It should not be considered a serious piece of malware and will probably trigger any properly configured EDR or antivirus (except Windows Defender, of course). More information will be added soon.

The bootkit runs through the following stages:
- Decrypt the driver (simple XOR)
- Disable Secure Boot by hooking EFI_SECURITY2_ARCH_PROTOCOL
- Install a runtime driver (main bootkit logic)
- Start Windows initialization
The runtime driver hooks winload and ntoskrnl to insert a driver into kernel memory:

- LoadImage --> intercept bootmgfw.efi (Windows Boot Manager)
- ImgStartBootApplication --> intercept winload.efi (Windows boot loader)
- BlImgAllocateBuffer --> allocate kernel memory
- OslFwpKernelSetupPhase1 --> get the kernel base address and map the driver into kernel memory
- VirtualAddressChangeEvent --> translate physical addresses and set the ntoskrnl.exe hook
- Phase1Initialization --> start the injected driver
The injected driver is a basic UDP client used to show that kernel access was obtained:

- Limited to ntoskrnl imports
- Uses WSK (Winsock Kernel) for network communication
- Sends the kernel base address and the current thread address every few seconds