bootlicker: generic UEFI bootkit used to achieve initial usermode execution

bootlicker

bootlicker is a legacy, extensible UEFI firmware rootkit targeting vmware hypervisor virtual machines. It is designed to achieve initial code execution within the context of the windows kernel, regardless of the security settings configured.

Architecture

bootlicker takes its design from the legacy CosmicStrain, MoonBounce, and ESPECTRE rootkits to achieve arbitrary code execution without triggering patch guard or other related security mechanisms.

After initial insertion into a UEFI driver firmware using the injection utility, the shellcodes EfiMain achieves execution as the host starts up, and inserts a hook into the UEFI firmware’s ExitBootServices routine. The ExitBootServices routine will then, on execution, find the source caller of the function, and if it matches WinLoad.EFI, attempts to find the unexported winload.efi!OslArchTransferToKernel routine, which will allow us to attack the booting kernel before it achieves its initial execution.

Once OslArchTransferToKernel executes, it will search for the ACPI.SYS driver, find the .rsrc PE section, and inject a small stager shellcode entrypoint called DrvMain to copy over a larger payload that will act as our kernel implant.

Resources

Entirely based upon d_olex / cr4sh’s DmaBackdoorBoot

Download