Bootlicker – A Generic UEFI Bootkit Used to Achieve Initial Usermode Execution

Posted on


bootlicker is a legacy, extensible UEFI firmware rootkit targeting vmware hypervisor virtual machines. It is designed to achieve initial code execution within the context of the windows kernel, regardless of security settings configured.


bootlicker takes its design from the legacy CosmicStrain, MoonBounce, and ESPECTRE rootkits to achive arbitrary code excution without triggering patchguard or other related security mechanisms.

After initial insertion into a UEFI driver firmware using the the injection utility, the shellcodes EfiMain achieves execution as the host starts up, and inserts a hook into the UEFI firmware’s ExitBootServices routine. The ExitBootServices routine will then, on execution, find the source caller of the function, and if it matches WinLoad.EFI, attempts to find the unexported winload.efi!OslArchTransferToKernel routine, which will allow us to attack the booting kernel before it achieves its initial execution.

Once OslArchTransferToKernel executes, it will search for the ACPI.SYS driver, find the .rsrc PE section, and inject a small stager shellcode entrypoint called DrvMain to copy over a larger payload that will act as our kernel implant.


Entirely based upon d_olex / cr4sh’s DmaBackdoorBoot


This code is apart of a larger project I’ve been working on that on / off in between burnout, like most of the concepts I’ve produced over the years under various aliases, will never see the light of day. Some of the code comments I’ve been to lazy to strip out that refer to unrelated functiaonlity, despite it being previously present. Do not expect this to work out of the box, some slight modifications are certainly necessary.


Gravatar Image
Budak korporat yang hobi nulis. Pengguna Kali Linux sebagai daily driver. Kadang nonton anime di waktu luang.

Leave a Reply

Your email address will not be published. Required fields are marked *