{"id":13578863,"url":"https://github.com/memN0ps/redlotus-rs","last_synced_at":"2025-04-05T19:33:59.355Z","repository":{"id":158532475,"uuid":"626230659","full_name":"memN0ps/redlotus-rs","owner":"memN0ps","description":"Rusty Bootkit - Windows UEFI Bootkit in Rust (Codename: RedLotus)","archived":true,"fork":false,"pushed_at":"2023-09-12T07:23:15.000Z","size":3025,"stargazers_count":526,"open_issues_count":0,"forks_count":64,"subscribers_count":10,"default_branch":"master","last_synced_at":"2025-04-04T18:52:12.839Z","etag":null,"topics":["bootkit","ring-2","rust","uefi","windows"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/memN0ps.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2023-04-11T03:53:15.000Z","updated_at":"2025-03-27T08:23:11.000Z","dependencies_parsed_at":null,"dependency_job_id":"d5b99226-2e5e-4145-a85e-00304a7451d0","html_url":"https://github.com/memN0ps/redlotus-rs","commit_stats":null,"previous_names":["memn0ps/redlotus-rs"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/memN0ps%2Fredlotus-rs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/memN0ps%2Fredlotus-rs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/memN0ps%2Fredlotus-rs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/memN0ps%2Fredlotus-rs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/memN0ps","download_url":"https://c
odeload.github.com/memN0ps/redlotus-rs/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247393095,"owners_count":20931804,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bootkit","ring-2","rust","uefi","windows"],"created_at":"2024-08-01T15:01:34.440Z","updated_at":"2025-04-05T19:33:57.688Z","avatar_url":"https://github.com/memN0ps.png","language":"Rust","funding_links":[],"categories":["Rust","Projects"],"sub_categories":[],"readme":"# Windows UEFI Bootkit in Rust (Codename: RedLotus)\n\nIntroducing a Windows UEFI Bootkit in Rust designed to facilitate the manual mapping of a driver manual mapper before the kernel (`ntoskrnl.exe`) is loaded, effectively bypassing `Driver Signature Enforcement (DSE)`. This bootkit utilizes a UEFI runtime driver (`EFI_RUNTIME_DRIVER`) inspired by the work of [umap by @btbd](https://github.com/btbd/umap/). By employing a straightforward `.data` function pointer hook, the driver manual mapper enables the manual mapping of various Windows kernel drivers via a user-mode program. It is important to acknowledge that the communication method involving `xKdEnumerateDebuggingDevices` and `NtConvertBetweenAuxiliaryCounterAndPerformanceCounter`, originally shared by the legendary [@can1357](https://blog.can.ac/), may be flagged by anti-cheat systems. 
Hence, it is crucial to emphasize that this project serves as a Proof of Concept (PoC).\n\nIt is possible to manually map my [Windows kernel rootkit](https://github.com/memN0ps/rootkit-rs) or [Windows blue-pill hypervisor](https://github.com/memN0ps/hypervisor-rs) with minor modifications.\n\nThis project is inspired by the following:\n\n- Umap: https://github.com/btbd/umap/ (This project has been ported from C to Rust)\n- Bootlicker: https://github.com/realoriginal/bootlicker\n- BlackLotus: https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/\n- ESPecter: https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/\n- UEFI-Bootkit: https://github.com/ajkhoury/UEFI-Bootkit/\n- EfiGuard: https://github.com/Mattiwatti/EfiGuard\n- Bootkitting Windows Sandbox: https://secret.club/2022/08/29/bootkitting-windows-sandbox.html\n- Rootkits and Bootkits: https://nostarch.com/rootkits\n\n## Description\n\nA bootkit can run code before the operating system and potentially inject malicious code into the kernel or load a malicious kernel driver by infecting the boot process and taking over the system's firmware or bootloader, effectively disabling or bypassing security protections. This tool can be used for game hacking and is a side project for those interested in fun, learning, malware research, and spreading security awareness. It also demonstrates that Rust can handle both low-level and high-level tasks. It's important to recognize the potential of Rust and not underestimate its power.\n\nThe image below shows how Legacy and UEFI boot works.\n\n![Legacy-and-UEFI-Boot](/images/Legacy-and-UEFI-Boot.png)\n**Figure 1. 
Comparison of the Legacy Boot flow (left) and UEFI boot flow (right) on Windows (Vista and newer) systems (Full Credits: [WeLiveSecurity](https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/))**\n\nThis diagram illustrates the structure and flow of the `redlotus.efi` UEFI bootkit and `redlotus.sys` Windows kernel driver manual mapper.\n\n![redlotus.drawio.png](./images/redlotus.drawio.png)\n\n## Install\n\n### [Install Rust](https://www.rust-lang.org/tools/install)\n\nTo start using Rust, [download the installer](https://www.rust-lang.org/tools/install), then run the program and follow the onscreen instructions. You may need to install the [Visual Studio C++ Build tools](https://visualstudio.microsoft.com/visual-cpp-build-tools/) when prompted to do so.\n\n\n### [Install and change to Rust nightly](https://rust-lang.github.io/rustup/concepts/channels.html)\n\n```\nrustup toolchain install nightly\nrustup default nightly\n```\n\n### [Install cargo-make](https://github.com/sagiegurari/cargo-make)\n\n```\ncargo install cargo-make\n```\n\n### [Install WDK/SDK](https://docs.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk)\n\n* Step 1: Install Visual Studio 2022\n* Step 2: Install Windows 11, version 22H2 SDK\n* Step 3: Install Windows 11, version 22H2 WDK\n\n## Build\n\nChange directory to `.\\driver\\` and build driver\n\n```\ncargo make sign\n```\n\nChange directory to `.\\bootkit\\` and build bootkit\n\n```\ncargo build --target x86_64-unknown-uefi --release\n```\n\nChange directory to `.\\client\\` and build client\n\n```\ncargo build --release\n```\n\n## Debugging (Optional)\n\n### 1. [Enabling Test Mode or Test Signing Mode](https://learn.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option)\n\nTo enable `Test Mode` or `Test Signing Mode`, open an elevated command prompt and enter the following command:\n\n```\nbcdedit /set testsigning on\n```\n\n### 2. 
[Enabling Debugging of Windows Boot Manager (bootmgfw.efi), Windows OS Boot Loader (winload.efi), and Windows Kernel (ntoskrnl.exe)](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--bootdebug)\n\nThe commands below enable debugging for the Windows Boot Manager, the boot loader, and the operating system's kernel. Using this combination allows for debugging at every startup stage. If activated, the target computer will break into the debugger three times: when the Windows Boot Manager loads, when the boot loader loads, and when the operating system starts. Enter the following commands in an elevated command prompt:\n\n```\nbcdedit /bootdebug {bootmgr} on\nbcdedit /bootdebug on\nbcdedit /debug on\n```\n\n### 3. [Setting Up Network Debugging for Windbg](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-a-network-debugging-connection)\n\nTo set up network debugging, open an elevated command prompt and enter the command below. Replace `w.x.y.z` with the IP address of the host computer and `n` with your chosen port number:\n\n```\nbcdedit /dbgsettings net hostip:w.x.y.z port:n\n```\n\n### 4. [Setting Up Debug Print Filter](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/reading-and-filtering-debugging-messages#setting-the-component-filter-mask)\n\nOpen the Windows registry editor by entering the following command in an elevated command prompt:\n\n```\nregedit\n```\n\nFor more focused and efficient kernel development troubleshooting, set up filters to selectively display debugging messages by following these steps:\n\n1. Navigate to:\n\n```\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\n```\n2. Create a new key named `Debug Print Filter`.\n3. Inside this key, create a new `DWORD (32) Value`.\n4. Name it `DEFAULT`.\n5. 
Set its `Value data` to `8`.\n\n## Usage\n\nA UEFI Bootkit works under one or more of the following conditions:\n\n- Secure Boot is disabled on the machine, so no vulnerabilities are required to exploit it (**supported by this project**).\n\n- Exploiting a known flaw in the UEFI firmware to disable Secure Boot in the case of an out-of-date firmware version or a product no longer supported, including the Bring Your Own Vulnerable Binary (BYOVB) technique to bring copies of vulnerable binaries to the machines to exploit a vulnerability or vulnerabilities and bypass Secure Boot on up-to-date UEFI systems (1-day/one-day).\n\n- Exploiting an unspecified flaw in the UEFI firmware to disable Secure Boot (0-day/zero-day vulnerability).\n\n### Usage 1: Infecting the Windows Boot Manager (bootmgfw.efi) on Disk (Unsupported)\n\nUEFI Bootkits typically target the Windows Boot Manager (`bootmgfw.efi`) found in the EFI partition at `\\EFI\\Microsoft\\Boot\\bootmgfw.efi` (also accessible at `C:\\Windows\\Boot\\EFI\\bootmgfw.efi`). The infection process involves adding a new section named `.efi` to the `bootmgfw.efi` and redirecting the executable's entry point to this new section. Here's a step-by-step breakdown:\n\n1. Convert the bootkit into position-independent code (PIC) or shellcode.\n2. Locate `bootmgfw.efi` (Windows Boot Manager) in the EFI partition at `\\EFI\\Microsoft\\Boot\\bootmgfw.efi`.\n3. Append a new `.efi` section to the `bootmgfw.efi`.\n4. Inject or copy the bootkit shellcode into the newly added `.efi` section.\n5. Modify the entry point of `bootmgfw.efi` to point to the shellcode in the `.efi` section.\n6. Reboot the system.\n\n**Note**: This method is unsupported.\n\n### Usage 2: Running a UEFI Bootkit through the UEFI Shell (Supported)\n\nThe following outlines a supported method to execute a UEFI Bootkit using the UEFI Shell. By leveraging either the EDK2 efi shell or the UEFI-Shell, users can set up a USB drive to boot into a UEFI shell environment. 
From there, the bootkit can be loaded and executed directly. The steps also include specific instructions for users working with VMware Workstation.\n\nDownload [EDK2 efi shell](https://github.com/tianocore/edk2/releases) or [UEFI-Shell](https://github.com/pbatard/UEFI-Shell/releases) and follow these steps:\n\n1. Extract the downloaded EFI shell and rename the file `Shell.efi` (should be in folder `UefiShell/X64`) to `bootx64.efi`\n\n2. Format the USB drive as FAT32\n\n3. Create the following folder structure:\n\n```\nUSB:.\n │   redlotus.efi\n │\n └───EFI\n      └───Boot\n              bootx64.efi\n```\n\n4. Boot from the USB drive\n\n    4.1. The following is required for VMware Workstation:\n\n    * VMware Workstation: `VM -\u003e Settings -\u003e Hardware -\u003e Add -\u003e Hard Disk -\u003e Next -\u003e SCSI or NVMe (Recommended) -\u003e Next -\u003e Use a physical disk (for advanced users) -\u003e Next -\u003e Device: PhysicalDrive1 and Usage: Use entire disk -\u003e Next -\u003e Finish.` \n\n    * Start VM by clicking `Power On to Firmware`\n\n    * Select Internal Shell (Unsupported option) or EFI Vmware Virtual SCSI Hard Drive (1.0)\n\n5. A UEFI shell should start; change directory to the same location as the Windows Boot Manager (e.g. `FS0`). **Note that the file system could be different for your machine**\n\n```\nFS0:\n```\n\n6. Copy the bootkit to the same location as the Windows Boot Manager (e.g. `FS0`).\n\n```\ncp fs2:redlotus.efi fs0:\n```\n\n7. Load the bootkit\n\n```\nload redlotus.efi\n```\n\n8. Windows should boot automatically.\n\n9. 
Manually map your Windows kernel driver using the user-mode application (`client.exe`) even with `Driver Signature Enforcement (DSE)` enabled.\n\n```\nPS C:\\Users\\developer\\Desktop\u003e .\\client.exe -h\nManually Map Windows Kernel Driver\n\nUsage: client.exe --path \u003cPATH\u003e\n\nOptions:\n  -p, --path \u003cPATH\u003e  The Windows kernel driver path to be manually mapped\n  -h, --help         Print help\n  -V, --version      Print version\n```\n\n## PoC\n\nTested on: \n\n* `Microsoft Windows 10 Home 10.0.19045 N/A Build 19045`\n* `Microsoft Windows 11 Home 10.0.22621 N/A Build 22621`\n\nThis image demonstrates the loading of the bootkit (`redlotus.efi`) from a UEFI Shell.\n\n![poc_uefi.png](./images/poc_uefi.png)\n\nThis image depicts the successful manual mapping of the driver manual mapper (`redlotus.sys`).\n\n![poc_win11.png](./images/poc_win11.png)\n\nThis image showcases the successful manual mapping of a Windows kernel driver (`testing123.sys`), which could be written in any language such as C or Rust. It demonstrates the utilization of the user-mode application (`client.exe`) to communicate with the driver manual mapper (`redlotus.sys`).\n\n![poc_win11_driver_mapper.png](./images/poc_win11_driver_mapper.png)\n\nPlease note that depending on your Windows build and version, you may need to adjust the signatures of the hooked `bootmgfw.efi` and `winload.efi` functions, as well as the `.data` function pointer signature in `ntoskrnl.exe`. 
These changes are necessary to ensure compatibility and proper functioning with your specific Windows build and version.\n\n## Credits / References / Thanks / Motivation\n\n* BTBD: https://github.com/btbd/umap/\n\n* Austin Hudson: https://github.com/realoriginal/bootlicker\n\n* Thanks for all the help: inlineHookz (smoke/snow/never_unsealed): https://twitter.com/never_unsealed\n\n* Rust Community Discord: https://discord.com/invite/rust-lang (#windows-dev channel PeterRabbit, MaulingMonkey etc..)\n\n* Aidan Khoury: https://github.com/ajkhoury/UEFI-Bootkit/\n\n* Matthijs Lavrijsen: https://github.com/Mattiwatti/EfiGuard\n\n* Welivesecurity: https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/\n\n* Welivesecurity: https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/\n\n* MrExodia: https://secret.club/2022/08/29/bootkitting-windows-sandbox.html\n\n* Samuel Tulach: https://github.com/SamuelTulach/rainbow\n\n* UnknownCheats: https://www.unknowncheats.me/forum/anti-cheat-bypass/452202-rainbow-efi-bootkit-hwid-spoofer-smbios-disk-nic.html\n\n* ekknod: https://github.com/ekknod/sumap/\n\n* Cr4sh: https://github.com/Cr4sh/s6_pcie_microblaze/tree/master/python/payloads/DmaBackdoorBoot\n\n* Alex Matrosov: Rootkits and Bootkits: https://nostarch.com/rootkits by [Alex Matrosov](https://twitter.com/matrosov)\n\n* Binarly: https://www.binarly.io/posts/The_Untold_Story_of_the_BlackLotus_UEFI_Bootkit/index.html\n\n* rust-osdev: https://github.com/rust-osdev/uefi-rs\n\n* rust-osdev: https://github.com/rust-osdev/bootloader\n\n* rust-osdev: https://crates.io/crates/uefi\n\n* rust-osdev: https://docs.rs/uefi/latest/\n\n* rust-osdev: https://rust-osdev.github.io/uefi-rs/HEAD/\n\n* https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcd-system-store-settings-for-uefi?view=windows-11\n\n* https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/\n\n* 
https://github.com/LongSoft/UEFITool\n\n* https://github.com/tianocore/edk2\n\n* https://github.com/pbatard/UEFI-Shell\n\n* https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/\n\n* https://wikileaks.org/ciav7p1/cms/page_36896783.html\n\n* https://github.com/nix-community/lanzaboote/\n\n* https://github.com/lyricalsoul/genie/\n\n* https://github.com/pfnsec/uefi-bin-enum/\n\n* https://github.com/coreos/picker\n\n* https://github.com/mikroskeem/apple-set-os/\n\n* https://github.com/Justfr33z/trampoline/\n\n* https://github.com/kweatherman/sigmakerex\n\n* https://guidedhacking.com/threads/external-internal-pattern-scanning-guide.14112/\n\n* https://guidedhacking.com/resources/guided-hacking-x64-cheat-engine-sigmaker-plugin-ce-7-2.319/\n\n* https://github.com/frk1/hazedumper-rs/\n\n* https://github.com/Jakobzs/patternscanner/\n\n* https://github.com/pseuxide/toy-arms/\n\n* https://uefi.org/specs/UEFI/2.10/index.html\n\n* https://github.com/x1tan/rust-uefi-runtime-driver/\n\n* https://github.com/tandasat/MiniVisorPkg/blob/master/Docs/Building_and_Debugging.md\n\n* https://xitan.me/posts/rust-uefi-runtime-driver/\n\n* https://github.com/tandasat/MiniVisorPkg/blob/master/Docs/Testing_UEFI_on_Hyper-V.md\n\n* https://www.intel.com/content/www/us/en/download/674520/intel-uefi-development-kit-intel-udk-debugger-tool-windows.html\n\n* https://doxygen.reactos.org/\n\n* https://www.vergiliusproject.com/\n\n* thanks [jonaslyk](https://twitter.com/jonasLyk) for providing the correct function signature for `BlImgAllocateImageBuffer` :)\n\n* idontcode aka @_xeroxz: https://blog.back.engineering/08/06/2020/\n\n* can1357: https://www.unknowncheats.me/forum/2614582-post12.html\n\n* https://www.unknowncheats.me/forum/anti-cheat-bypass/503521-data-ptr.html\n\n* https://www.unknowncheats.me/forum/anti-cheat-bypass/425352-driver-communication-using-data-ptr-called-function.html\n\n* https://git.back.engineering/gmh5225/ida-find-.data-ptr\n\n* 
https://www.unknowncheats.me/forum/general-programming-and-reversing/582086-simple-ida-python-script-data-ptr.html\n\n* https://www.unknowncheats.me/forum/programming-for-beginners/193545-trying-sig-offset-ida.html\n\n* Thanks [not_matthias](https://github.com/not-matthias), [draven/rmccrystal](https://github.com/rmccrystal), @jessiep_ :)\n\n* Thanks [Idov31](https://github.com/Idov31) for this link: https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--bootdebug\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FmemN0ps%2Fredlotus-rs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FmemN0ps%2Fredlotus-rs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FmemN0ps%2Fredlotus-rs/lists"}