https://github.com/TheMalwareGuardian/Awesome-Bootkits-Rootkits-Development
A curated compilation of extensive resources dedicated to bootkit and rootkit development.
- Host: GitHub
- URL: https://github.com/TheMalwareGuardian/Awesome-Bootkits-Rootkits-Development
- Owner: TheMalwareGuardian
- License: gpl-3.0
- Created: 2023-12-08T14:07:39.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2025-04-22T19:48:45.000Z (about 1 year ago)
- Last Synced: 2025-04-22T20:45:04.565Z (about 1 year ago)
- Language: HTML
- Homepage:
- Size: 6.17 MB
- Stars: 41
- Watchers: 3
- Forks: 6
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-malware-development - Awesome Bootkits & Rootkits Development (curated list)
README
# 🏴‍☠️ Awesome Bootkits & Rootkits Development

A curated compilation of extensive resources dedicated to bootkit and rootkit development.
---
---
---
## Table of Contents
- TheMalwareGuardian
- BIOS UEFI
- EDK2
- Bootkits
- Windows Kernel
- Basics
- Videos
- Structures
- Debugging
- Protection Mechanisms
- Driver Signature Enforcement (DSE)
- Virtualization Based Security (VBS)
- Kernel Patch Protection (KPP) / PatchGuard
- Drivers
- Basics
- WDK
- Videos
- Source Code
- Reversing
- Fuzzing
- Exploitation
- Tools
- Rootkits
- Basics
- Videos
- Analysis
- Source Code
- Techniques
- I/O control codes (IOCTLs) / I/O request packets (IRPs)
- Direct Kernel Object Modification (DKOM)
- Keyboard Filter (Keylogger)
- Windows Filtering Platform (WFP)
- WinSock Kernel (WSK)
- Minifilter
- Forge Signature Timestamps
- Interrupt Descriptor Table (IDT) Hooking
- System Service Descriptor Table (SSDT) Hooking
- Tools
- Environment
- Cybersecurity Resources
- Books
- Courses
- Master's Degree
- Contact
---
---
---
## ***TheMalwareGuardian***
Whoami
* [Web Linkedin: Alejandro Vazquez Vazquez (TheMalwareGuardian)](https://www.linkedin.com/in/vazquez-vazquez-alejandro/) -> My Linkedin profile.
* [Web Linkedin: Maria San Jose (drkrysSrng)](https://www.linkedin.com/in/mariasanjose) -> Maria's Linkedin profile.
* [Github: Awesome Bootkits & Rootkits Development](https://github.com/TheMalwareGuardian/Awesome-Bootkits-Rootkits-Development) -> A curated compilation of extensive resources dedicated to bootkit and rootkit development.
* [Github: Bootkits & Rootkits Development Environment](https://github.com/TheMalwareGuardian/Bootkits-Rootkits-Development-Environment) -> Automated environment setup for Bootkit & Rootkit development.
* [Github: Abyss Windows UEFI Bootkit](https://github.com/TheMalwareGuardian/Abyss) -> Abyss is a comprehensive project thoroughly designed with the explicit goal of establishing a robust foundation for the development of bootkits.
* [Github: Benthic Windows Kernel Rootkit](https://github.com/TheMalwareGuardian/Benthic) -> Benthic is a comprehensive project thoroughly designed with the explicit goal of establishing a robust foundation for the development of rootkits.
* [Github: PKfail](https://github.com/TheMalwareGuardian/PKfail) -> PKfail is a summary and proof-of-concept project demonstrating how UEFI Secure Boot can be bypassed on platforms configured with test-signing keys as the Platform Key (PK), exposing a common misconfiguration that undermines platform integrity.
* [Github: UEFI Firmware Analysis](https://github.com/TheMalwareGuardian/UEFI-Firmware-Analysis) -> A set of personal notes and practical steps to guide you through analyzing the UEFI firmware of your own hardware, including techniques to inspect, dump, and review firmware images for misconfigurations or potential weaknesses.
* [Github: Hello WinDbg Scripting](https://github.com/TheMalwareGuardian/WinDbg_Scripting) -> This repository serves as a starting point for scripting in WinDbg, covering WinDbg native scripting, JavaScript, and PyKD (Python).
---
---
---
## ***BIOS UEFI***
Deep dive into BIOS and UEFI firmware.
### ***Specifications***
Return here once you have developed a better grasp of the subject.
* [Web UEFI: Specifications](https://uefi.org/specifications) -> Unified Extensible Firmware Interface Forum.
* [Web UEFI: UEFI Specification Version 2.11](https://uefi.org/specs/UEFI/2.11/) -> This Unified Extensible Firmware Interface (UEFI) Specification describes an interface between the operating system (OS) and the platform firmware.
* [Web UEFI: UEFI Shell Specification Version 2.2](https://uefi.org/sites/default/files/resources/UEFI_Shell_2_2.pdf)
* [Web UEFI: UEFI Platform Initialization Specification 1.9](https://uefi.org/specs/PI/1.9/) -> This specification defines the core code and services that are required for an implementation of the Pre-EFI Initialization (PEI) phase of the Platform Initialization (PI) specifications (hereafter referred to as the "PI Architecture").
### ***Basics***
This should be your starting point.
* [Web Wikipedia: Booting](https://en.wikipedia.org/wiki/Booting) -> In computing, booting is the process of starting a computer as initiated via hardware such as a button on the computer or by a software command
* [Web OsDev: UEFI](https://wiki.osdev.org/UEFI) -> UEFI is a specification for x86, x86-64, ARM, and Itanium platforms that defines a software interface between the operating system and the platform firmware/BIOS.
* [Blog: Programming for EFI](https://www.rodsbooks.com/) -> Tech-savvy individuals know the Extensible Firmware Interface (EFI) and its newer variant, the Unified EFI (UEFI) as a replacement for the older Basic Input/Output System (BIOS) on PCs and other computers. What you may not be aware of is that EFI is a complex software environment, comparable in size and features to a simple OS such as DOS. As such, EFI can host a variety of programs, but those programs can't spring into existence fully-formed, like Athena from Zeus' head. Rather, they must be written by individuals.
### ***Videos***
Familiarize yourself with UEFI watching these videos.
* [Youtube Video: BIOS and UEFI As Fast As Possible](https://www.youtube.com/watch?v=zIYkol851dU) -> What fundamental things does a computer BIOS do, and what are the important differences between the traditional BIOS and the newer UEFI?
* [Youtube Video: BIOS, CMOS, UEFI](https://www.youtube.com/watch?v=LGz0Io_dh_I) -> This video explains the difference between the BIOS, CMOS, and UEFI, and the purpose of the CMOS battery. What is the BIOS? What is UEFI? What is CMOS?
* [Youtube Video: PC BIOS Settings](https://www.youtube.com/watch?v=ezubjTO7rRI&t=10s) -> BIOS / UEFI settings, including boot options, secure boot, enabling XMP memory profiles, and BIOS passwords. Also information on the differences between a legacy BIOS and a UEFI BIOS, and how to enter the BIOS.
* [Youtube Video: ThatOsDev - EFI based Bootloader](https://www.youtube.com/watch?v=_98PUTJc9Yk&list=PLwH94sFU_ljPi2ClIcWIvuc1GdLT81uuH&index=4) -> EFI Explained.
* [Youtube Video: UEFIForum - Best Practices for UEFI Secure Boot Customization](https://www.youtube.com/watch?v=WBemkwMHLJM) -> UEFI Secure Boot helps provide an effective defense against boot malware, but following today's best practices in its implementation, deployment and configurability can help increase its effectiveness against increasingly sophisticated exploits.
### ***Windows Boot***
Gain an understanding of the Windows boot process and the existing protection mechanisms at startup.
* [Presentation: UEFI Plugfest - Windows Boot Environment](https://uefi.org/sites/default/files/resources/UEFI-Plugfest-WindowsBootEnvironment.pdf) -> High-level description of Windows boot process and Windows UEFI services usage.
* [Web Microsoft: Secure boot](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot) -> Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM).
* [Web Microsoft: Secure the Windows boot process](https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process) -> Running Windows 10 or Windows 11 on a PC with Unified Extensible Firmware Interface (UEFI) support ensures that Trusted Boot safeguards your PC against malware right from the moment you power it on.
* [Youtube Video: Boot Up with Confidence Windows 10/11 Secure Boot Demystified](https://www.youtube.com/watch?v=ZF1xGdhyUyw&t=45s) -> How secure boot works in Windows 10/11. Secure boot allows protection from "root-kit" attacks on both clients and servers.
* [Youtube Video: Compare Windows 7 and Windows 8-10 boot process](https://www.youtube.com/watch?v=_DQlaFUhCyM) -> A comparison of the boot process of Windows 7 and Windows 8/10.
### ***Vulnerabilities***
Explore BIOS and UEFI vulnerabilities; it is fine if this seems challenging at the moment.
* [Presentation: BlackHat USA 2009 - Attacking Intel Bios](https://www.blackhat.com/presentations/bh-usa-09/WOJTCZUK/BHUSA09-Wojtczuk-AtkIntelBios-SLIDES.pdf)
* [Youtube Video: BlackHat USA 2009 - Attacking Intel Bios](https://www.youtube.com/watch?v=CRjcKv-xiqw) -> We demonstrate how to permanently reflash Intel BIOSes on the latest Intel Q45-based systems. In contrast to previous work done by other researchers a few months earlier, who targeted totally unprotected low-end BIOSes, we focus on how to permanently reflash one of the most secure BIOSes out there, that normally only allows a vendor's digitally signed firmware to be flashed.
* [Presentation: REcon 2015 - Attacking and Defending BIOS](https://recon.cx/2015/slides/recon2015-09-yuriy-bulygin-oleksandr-bazhaniuk-Attacking-and-Defending-BIOS-in-2015.pdf)
* [Youtube Video: REcon 2015 - Attacking and Defending BIOS](https://www.youtube.com/watch?v=rGkymhurzM8) -> In this presentation we will demonstrate multiple types of recently discovered BIOS vulnerabilities. We will detail how hardware configuration is restored upon resume from sleep and how BIOS can be attacked when waking up from sleep using "S3 resume boot script" vulnerabilities. Similarly, we will discuss the impact of insufficient protection of persistent configuration data in non-volatile storage and more.
* [Presentation: Defcon 22 - Summary of Attacks Against BIOS](https://defcon.org/images/defcon-22/dc-22-presentations/Bulygin-Bazhaniul-Furtak-Loucaides/DEFCON-22-Bulygin-Bazhaniul-Furtak-Loucaides-Summary-of-attacks-against-BIOS-UPDATED.pdf)
* [Youtube Video: Defcon 22 - Summary of Attacks Against BIOS](https://www.youtube.com/watch?v=QDSlWa9xQuA) -> A variety of attacks targeting platform firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as secure boot, OS loaders, and SMM. Windows 8 Secure Boot provides an important protection against bootkits by enforcing a signature check on each boot component.
* [Presentation: BlackHat Europe 2014 - Analyzing UEFI BIOSes from Attacker & Defender Viewpoints](https://www.blackhat.com/docs/eu-14/materials/eu-14-Kovah-Analyzing-UEFI-BIOSes-From-Attacker-And-Defender-Viewpoints.pdf)
* [Youtube Video: BlackHat Europe 2014 - Analyzing UEFI BIOSes from Attacker & Defender Viewpoints](https://www.youtube.com/watch?v=CGBpil0S5NI) -> In 2013, MITRE released Copernicus 1, a best-effort system to capture a raw dump of the BIOS and whether it appears to be possible for an attacker to write to it. In 2014, we released Copernicus 2 to combat the ability of an attacker to subvert not just Copernicus 1, but all other BIOS capture systems. While these free tools are a good way to get a copy of your BIOS, analyzing it to detect malicious changes is still an open problem in need of further investigation before defenders can feel confident that they have un-infected BIOS. You can't just compare the MD5s from two BIOS dumps and get a valid comparison. This is a problem that leads to firmware-level malware going under-reported and under-analyzed due to not enough people with the background to jump into this area.
* [Presentation: BlackHat USA 2017 - Betraying the BIOS, Where the Guardians of the BIOS are Failing](https://www.blackhat.com/docs/us-17/wednesday/us-17-Matrosov-Betraying-The-BIOS-Where-The-Guardians-Of-The-BIOS-Are-Failing.pdf)
* [Youtube Video: BlackHat USA 2017 - Betraying the BIOS, Where the Guardians of the BIOS are Failing](https://www.youtube.com/watch?v=Dfl2JI2eLc8) -> For UEFI firmware, the barbarians are at the gate -- and the gate is open. On the one hand, well-intentioned researchers are increasingly active in the UEFI security space; on the other hand, so are attackers. Information about UEFI implants -- by HackingTeam and state-sponsored actors alike -- hints at the magnitude of the problem, but are these isolated incidents, or are they indicative of a more dire lapse in security?
* [Presentation: BlackHat USA 2017 - Firmware is the New Black, Analyzing Past Three Years of BIOS/UEFI Security Vulnerabilities](https://github.com/rrbranco/BlackHat2017/blob/master/BlackHat2017-BlackBIOS-v0.13-Published.pdf)
* [Youtube Video: BlackHat USA 2017 - Firmware is the New Black, Analyzing Past Three Years of BIOS/UEFI Security Vulnerabilities](https://www.youtube.com/watch?v=MONgHW2rpY8) -> In recent years, we witnessed the rise of firmware-related vulnerabilities, likely a direct result of increasing adoption of exploit mitigations in major/widespread operating systems - including for mobile phones.
* [Presentation: BlackHat Europe 2023 - LogoFAIL, Security Implications of Image Parsing During System Boot](https://i.blackhat.com/EU-23/Presentations/EU-23-Pagani-LogoFAIL-Security-Implications-of-Image_REV2.pdf)
* [Youtube Video: BlackHat Europe 2023 - LogoFAIL, Security Implications of Image Parsing During System Boot](https://www.youtube.com/watch?v=ch0t2_yjQJQ) -> Enter LogoFAIL, our latest research revealing significant security vulnerabilities in the image parsing libraries used by nearly all BIOS vendors to display logo images during boot. Our research highlights the risks associated with parsing complex file formats at such a delicate stage of the platform startup. During this talk, we will show how some UEFI BIOSes allow attackers to store custom logo images, which are parsed during boot, on the EFI system partition (ESP) or inside unsigned sections of a firmware update. We also shed light on the implications of these vulnerabilities, which extend beyond mere graphical rendering. In fact, successful exploitation of these vulnerabilities allows attackers to hijack the execution flow and achieve arbitrary code execution. LogoFAIL vulnerabilities can compromise the security of the entire system rendering "below-the-OS" security measures completely ineffective (e.g., Secure Boot). Finally, our talk will include a detailed explanation of how we successfully escalate privileges from OS to firmware level by exploiting a real device vulnerable to LogoFAIL...
* [Presentation: BlackHat Europe 2020 - efiXplorer, Hunting for UEFI Firmware Vulnerabilities at Scale with Automated Static Analysis](https://i.blackhat.com/eu-20/Wednesday/eu-20-Labunets-efiXplorer-Hunting-For-UEFI-Firmware-Vulnerabilities-At-Scale-With-Automated-Static-Analysis.pdf)
* [Youtube Video: BlackHat Europe 2020 - efiXplorer, Hunting for UEFI Firmware Vulnerabilities at Scale with Automated Static Analysis](https://www.youtube.com/watch?v=Sa779TGX3wY) -> Existing UEFI analysis instruments lack systemic approach to firmware vulnerability research focused on specifics of x86-based systems. No publicly known tools available for UEFI firmware vulnerabilities research focused on static analysis. Most of the common reversing tools focused on...
* [Presentation: Coreboot 2017 - Exploring Your System Deeper with CHIPSEC is Not Naughty](https://www.c7zero.info/stuff/csw2017_ExploringYourSystemDeeper_updated.pdf)
* [Youtube Video: Coreboot 2017 - Exploring Your System Deeper with CHIPSEC is Not Naughty](https://www.youtube.com/watch?v=H4P5cCj1K7o) -> You wanted to explore deep corners of your system but didn't know how? System boot firmware, ROMs on expansion cards, I/O devices and their firmware, microprocessors, embedded controllers, memory devices, low-level hardware interfaces, virtualization and hypervisors. You could discover if any of these have known vulnerabilities, configured insecurely or even discover new vulnerabilities and develop proof-of-concept exploits to test these vulnerabilities. Ultimately, you can verify security state of platform components of your system and how effective are the platform security defenses: hardware or virtualization based TEE, secure or trusted boot, firmware anti-tampering mechanisms, hypervisor based isolation... Or maybe you just want to explore hardware and firmware components your system has. CHIPSEC framework can help you with all of that. Since releasing it three years ago at CanSecWest 2014 significant improvements have been made in the framework - from making it easy to install and use to adding lots of new security capabilities. We'll go over certain representative examples of what you can do with it such as finding vulnerabilities in SMM firmware, analyzing UEFI firmware vulnerabilities, testing hardware security mechanisms of the hypervisors, finding backdoors in UEFI images and more.
* [Web Rapid7: How To Hunt For UEFI Malware Using Velociraptor](https://www.rapid7.com/blog/post/2024/02/29/how-to-hunt-for-uefi-malware-using-velociraptor/) -> UEFI threats have historically been limited in number and mostly implemented by nation state actors as stealthy persistence. However, the recent proliferation of Black Lotus on the dark web, Trickbot enumeration module (late 2022), and Glupteba (November 2023) indicates that this historical trend may be changing.
* [Github: Velociraptor - Endpoint visibility and collection tool](https://github.com/Velocidex/velociraptor) -> Velociraptor is a tool for collecting host based state information using The Velociraptor Query Language (VQL) queries.
* [Web IEEE Xplore: Finding SMM Privilege-Escalation Vulnerabilities in UEFI Firmware with Protocol-Centric Static Analysis](https://ieeexplore.ieee.org/document/9833723) -> The Unified Extensible Firmware Interface (UEFI) provides a specification of the software interface between an OS and its underlying platform firmware. The runtime services provided are seemingly secure as they reside in System Management Mode (SMM) at ring -2, assuming a higher privilege than the OS kernel at ring 0. However, their software vulnerabilities are known to be exploitable to launch ring 0 to ring -2 privilege escalation, i.e., SMM privilege escalation attacks. In this paper, we introduce an effective static analysis framework for detecting SMM privilege escalation vulnerabilities in UEFI firmware. We present a systematic study of such vulnerabilities and identify their root causes as being two types of references that can escape from the SMRAM, legacy references and unintentional references.
* [Web Binary Defense: Running Malware Below the OS, The State of UEFI Firmware Exploitation](https://www.binarydefense.com/resources/blog/running-malware-below-the-os-the-state-of-uefi-firmware-exploitation/) -> Usually when we think of malware infections, we think of malicious programs running on top of the operating system, usually Windows. These programs might use techniques like privilege escalation, running in memory only, injecting code into other processes, and obfuscating their code and activities. All of these techniques are used with the end goal of compromising a system, achieving persistence, and remaining undetected.
* [Web SentinelLabs: Moving From Common-Sense Knowledge About UEFI To Actually Dumping UEFI Firmware](https://www.sentinelone.com/labs/moving-from-common-sense-knowledge-about-uefi-to-actually-dumping-uefi-firmware/)
* [Web SentinelLabs: Moving From Manual Reverse Engineering of UEFI Modules To Dynamic Emulation of UEFI Firmware](https://www.sentinelone.com/labs/moving-from-manual-reverse-engineering-of-uefi-modules-to-dynamic-emulation-of-uefi-firmware/)
* [Web SentinelLabs: Moving From Dynamic Emulation of UEFI Modules To Coverage-Guided Fuzzing of UEFI Firmware](https://www.sentinelone.com/labs/moving-from-dynamic-emulation-of-uefi-modules-to-coverage-guided-fuzzing-of-uefi-firmware/)
* [Web SentinelLabs: Adventures From UEFI Land: the Hunt For the S3 Boot Script](https://www.sentinelone.com/labs/adventures-from-uefi-land-the-hunt-for-the-s3-boot-script/)
* [Web Margin Research: Emulating and Exploiting UEFI Firmware](https://margin.re/2023/09/emulating-and-exploiting-uefi-firmware/) -> Dynamically inspecting software becomes harder the lower the level of abstraction you go; while there are many resources for debugging userspace programs, there is less information out there for kernels, bootloaders, and system firmware.
### ***Tools***
Analyze, test, and modify UEFI firmware.
* [Github: UEFITool - UEFI firmware image viewer and editor](https://github.com/LongSoft/UEFITool) -> UEFITool is a cross-platform open source application written in C++/Qt, that parses UEFI-compatible firmware image into a tree structure, verifies image's integrity and provides a GUI to manipulate image's elements. Project development started in the middle of 2013 because of the lack of cross-platform open source utilities for tinkering with UEFI images.
* [Github: CHIPSEC - Platform Security Assessment Framework](https://github.com/chipsec/chipsec) -> CHIPSEC is a framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components. It includes a security test suite, tools for accessing various low level interfaces, and forensic capabilities. It can be run on Windows, Linux, Mac OS X and UEFI shell. Instructions for installing and using CHIPSEC can be found in the manual.
* [Github: CHIPSEC - Training, Writing Modules & Tools](https://raw.githubusercontent.com/wiki/chipsec/chipsec/files/training/OSFC_2018_CHIPSEC_Workshop.pdf)
* [Presentation: CHIPSEC - BlackHat USA 2014](https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Bulygin-CHIPSEC-Slides.pdf)
* [Github: UEFI Firmware Parser](https://github.com/theopolis/uefi-firmware-parser) -> The UEFI firmware parser is a simple module and set of scripts for parsing, extracting, and recreating UEFI firmware volumes. This includes parsing modules for BIOS, OptionROM, Intel ME and other formats too.
* [Github: FwHunt Community Scanner](https://github.com/binarly-io/fwhunt-scan) -> Tools for analyzing UEFI firmware and checking UEFI modules with FwHunt rules.
* [Github: FwHunt Rules](https://github.com/binarly-io/FwHunt) -> The Binarly Firmware Hunt (FwHunt) rule format was designed to scan for known vulnerabilities in UEFI firmware.
* [Github: Kraft Dinner](https://github.com/tandasat/kraft_dinner) -> Tool to dump UEFI runtime drivers implementing runtime services for Windows.
* [Github: Flashrom](https://github.com/flashrom/flashrom) -> It is a utility for detecting, reading, writing, verifying and erasing flash chips. It is often used to flash BIOS/EFI/coreboot/firmware images in-system using a supported mainboard, but it also supports flashing of network cards (NICs), SATA controller cards, and other external devices which can program flash chips.
* [Web Hex Rays: IDA Free](https://hex-rays.com/ida-free/) -> This (completely!) free version of IDA offers a privileged opportunity to see IDA in action. This light but powerful tool can quickly analyze binary code samples, and users can save and look closer at the analysis results.
* [Web Ghidra SRE: Software Reverse Engineering framework](https://ghidra-sre.org/) -> A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission
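The tools above all start from the same two structures defined in the UEFI Platform Initialization specification: the firmware volume header (`EFI_FIRMWARE_VOLUME_HEADER`, signature `_FVH`) and the FFS file headers that follow it. The following C program is an added example written for this page, not code from UEFITool, uefi-firmware-parser or any project listed here. It constructs a small firmware volume in memory (the sample is fabricated, not a dump of real firmware), then walks it the way a viewer does: verify the `_FVH` signature and the 16-bit header checksum, honour the erase polarity attribute, and for each file check the 8-bit header checksum (computed with the `IntegrityCheck.File` byte and `State` byte treated as zero). It only lists top-level files; it does not descend into sections or decompress anything.

```c
/* Minimal UEFI firmware volume (FV) walker over a constructed sample image.
 * Offsets follow PI spec Vol. 3: EFI_FIRMWARE_VOLUME_HEADER / EFI_FFS_FILE_HEADER. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FV_SIGNATURE        0x4856465FU  /* "_FVH" read as little-endian UINT32 at offset 40 */
#define FV_HEADER_LEN       0x48         /* fixed header (56) + one block-map entry + terminator */
#define FVB2_ERASE_POLARITY 0x00000800U  /* Attributes bit: erased flash reads as 0xFF */
#define FFS_HDR_LEN         24
#define FFS_FIXED_CHECKSUM  0xAA         /* IntegrityCheck.File when the body is not checksummed */
#define FV_FILETYPE_DRIVER  0x07
#define FV_FILETYPE_FFS_PAD 0xF0

typedef struct { uint32_t offset, size; uint8_t type; int hdr_ok; } ffs_entry_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* FV header rule: all 16-bit words of the header sum to zero. */
static uint16_t sum16(const uint8_t *p, size_t len) {
    uint16_t s = 0;
    for (size_t i = 0; i + 1 < len; i += 2) s = (uint16_t)(s + rd16(p + i));
    return s;
}
/* FFS header rule: all bytes of the 24-byte header sum to zero (File and State bytes as 0). */
static uint8_t sum8(const uint8_t *p, size_t len) {
    uint8_t s = 0;
    for (size_t i = 0; i < len; i++) s = (uint8_t)(s + p[i]);
    return s;
}

/* Emit one FFS file (header + body) at f; returns its total size. Constructed data. */
static uint32_t write_ffs(uint8_t *f, uint8_t type, uint32_t body_len, uint8_t fill) {
    uint32_t size = FFS_HDR_LEN + body_len;
    memset(f, 0, FFS_HDR_LEN);
    f[0] = type; f[1] = 0x5A;                    /* fake Name GUID; must just not look erased */
    f[18] = type;                                /* Type */
    f[19] = 0;                                   /* Attributes: no FFS_ATTRIB_CHECKSUM */
    f[20] = (uint8_t)size; f[21] = (uint8_t)(size >> 8); f[22] = (uint8_t)(size >> 16); /* Size[3] */
    f[16] = (uint8_t)(0 - sum8(f, FFS_HDR_LEN)); /* IntegrityCheck.Header */
    f[17] = FFS_FIXED_CHECKSUM;                  /* IntegrityCheck.File */
    f[23] = 0xF8;                                /* State: CONSTRUCTION|HEADER_VALID|DATA_VALID, inverted (polarity 1) */
    memset(f + FFS_HDR_LEN, fill, body_len);
    return size;
}

/* Build the constructed sample: a 256-byte FV holding one DXE driver file and one pad file. */
static size_t build_sample_fv(uint8_t *buf, size_t fv_len) {
    memset(buf, 0xFF, fv_len);                   /* erased flash */
    memset(buf, 0, FV_HEADER_LEN);               /* ZeroVector, FileSystemGuid, reserved bytes */
    for (int i = 0; i < 8; i++) buf[32 + i] = (uint8_t)((uint64_t)fv_len >> (8 * i)); /* FvLength */
    memcpy(buf + 40, "_FVH", 4);                 /* Signature */
    buf[45] = 0x08;                              /* Attributes = EFI_FVB2_ERASE_POLARITY */
    buf[48] = FV_HEADER_LEN; buf[49] = 0;        /* HeaderLength */
    buf[55] = 2;                                 /* Revision */
    buf[56] = 1;                                 /* BlockMap[0].NumBlocks */
    for (int i = 0; i < 4; i++) buf[60 + i] = (uint8_t)(fv_len >> (8 * i)); /* BlockMap[0].Length */
    uint16_t c = (uint16_t)(0 - sum16(buf, FV_HEADER_LEN));  /* Checksum makes the header sum to 0 */
    buf[50] = (uint8_t)c; buf[51] = (uint8_t)(c >> 8);
    size_t off = FV_HEADER_LEN;                  /* 0x48 is already 8-byte aligned */
    off += write_ffs(buf + off, FV_FILETYPE_DRIVER, 40, 0x90);
    off += write_ffs(buf + off, FV_FILETYPE_FFS_PAD, 8, 0xFF);
    return off;
}

/* Walk an FV image. Returns the file count, or -1 if the volume header is invalid. */
static int parse_fv(const uint8_t *fv, size_t len, ffs_entry_t *out, int max) {
    if (len < 56 || rd32(fv + 40) != FV_SIGNATURE) return -1;
    uint16_t hlen = rd16(fv + 48);
    if (hlen < 56 || hlen > len || sum16(fv, hlen) != 0) return -1;
    uint64_t fvlen = 0;
    for (int i = 7; i >= 0; i--) fvlen = (fvlen << 8) | fv[32 + i];
    if (fvlen > len) return -1;                  /* never trust a length larger than the buffer */
    uint8_t erased = (rd32(fv + 44) & FVB2_ERASE_POLARITY) ? 0xFF : 0x00;
    int n = 0;
    size_t off = ((size_t)hlen + 7) & ~(size_t)7; /* files are 8-byte aligned */
    while (off + FFS_HDR_LEN <= fvlen && n < max) {
        const uint8_t *f = fv + off;
        int free_space = 1;
        for (int i = 0; i < 16; i++) if (f[i] != erased) { free_space = 0; break; }
        if (free_space) break;                   /* Name GUID fully erased: no more files */
        uint32_t size = (uint32_t)f[20] | ((uint32_t)f[21] << 8) | ((uint32_t)f[22] << 16);
        if (size < FFS_HDR_LEN || off + size > fvlen) break; /* malformed size: stop here */
        uint8_t hdr[FFS_HDR_LEN];
        memcpy(hdr, f, FFS_HDR_LEN);
        hdr[17] = 0; hdr[23] = 0;                /* excluded from the header checksum */
        out[n].offset = (uint32_t)off; out[n].size = size; out[n].type = f[18];
        out[n].hdr_ok = (sum8(hdr, FFS_HDR_LEN) == 0);
        n++;
        off = (off + size + 7) & ~(size_t)7;
    }
    return n;
}

int main(void) {
    uint8_t fv[256]; ffs_entry_t files[8];
    build_sample_fv(fv, sizeof fv);
    int n = parse_fv(fv, sizeof fv, files, 8);
    for (int i = 0; i < n; i++)
        printf("file @0x%04x type 0x%02x size %u header %s\n",
               files[i].offset, files[i].type, files[i].size, files[i].hdr_ok ? "ok" : "BAD");
    return n == 2 ? 0 : 1;
}
```

When pointed at a real dump (for instance one taken with CHIPSEC or Flashrom), the same walk is what lets you spot a DXE driver whose header checksum no longer balances or a file that appears after the free-space boundary, both of which are worth a closer look before assuming the image matches the vendor's.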
---
---
---
## ***EDK2***
Study the development of applications and drivers (bootkit components) in the UEFI environment.
### ***Basics***
Configure the required development environment.
* [Github: EDK II Project](https://github.com/tianocore/edk2) -> A modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications from www.uefi.org.
* [Github: Getting Started with EDK II](https://github.com/tianocore/tianocore.github.io/wiki/Getting-Started-with-EDK-II) -> Steps for downloading EDK II from GitHub and compiling projects under various OS/compiler environments.
* [Github: Getting Started Writing Simple Application with EDK II](https://github.com/tianocore/tianocore.github.io/wiki/Getting-Started-Writing-Simple-Application) -> How to Write a Simple EDK II UEFI Application.
* [Web Basic Input/Output: "Hello World" Quick Start with EDK II](https://www.basicinputoutput.com/2019/10/hello-world-quick-start-with-edk2.html) -> Setup the EDK on a system and configure it to build a basic "Hello, World" type program.
* [Github: UEFI Practical Programming](https://github.com/luobing/uefi-practical-programming)
* [GitHub: EDK II Driver Writer's Guide](https://github.com/tianocore-docs/edk2-UefiDriverWritersGuide/blob/master/EXAMPLES.md)
* [Web Linkedin: Understanding and Exploiting UEFI Secure Boot with Intel's EDK2](https://www.linkedin.com/pulse/understanding-exploiting-uefi-secure-boot-intels-edk2-jose-crespo?trk=portfolio_article-card_title)
### ***Videos***
Check out these videos to learn advanced development techniques.
* [Youtube Video: UEFIForum - Driver Development with EDKII](https://www.youtube.com/watch?v=PX4HaWQNrlo) -> The world of UEFI is unlike OS-based software ecosystems in several aspects and the difference can be daunting to a developer who is starting to write UEFI device drivers.
* [Youtube Video: Queso Fuego - UEFI Programming in C](https://www.youtube.com/watch?v=t3iwBQg_Gik&list=PLT7NbkyNWaqZYHNLtOZ1MNxOt8myP5K0p) -> Intro, setup, and hello world program to start programming for x86_64 EFI applications. We'll be writing a program to make GPT disk images with an EFI system partition and basic data partition, and an OS loader EFI application for an operating system bootloader. Everything will follow official specifications and documentation for UEFI, ACPI, FAT32, etc. as much as possible.
### ***PoCs***
UEFI applications and drivers.
* [Github: EDK2 - MdeModulePkg Applications](https://github.com/tianocore/edk2/tree/master/MdeModulePkg/Application/) -> Sample applications of MdeModulePkg package.
* [Github: Shim - A first-stage UEFI bootloader](https://github.com/rhboot/shim) -> Shim is a trivial EFI application that, when run, attempts to open and execute another application. It will initially attempt to do this via the standard EFI LoadImage() and StartImage() calls. If these fail (because Secure Boot is enabled and the binary is not signed with an appropriate key, for instance) it will then validate the binary against a built-in certificate. If this succeeds and if the binary or signing key are not forbidden then shim will relocate and execute the binary.
* [Github: Super UEFIinSecureBoot Disk](https://github.com/ValdikSS/Super-UEFIinSecureBoot-Disk) -> Super UEFIinSecureBoot Disk is a proof-of-concept (not actively maintained or enhanced) bootable image with GRUB2 bootloader designed to be used as a base for recovery USB flash drives. Key feature: disk is fully functional with UEFI Secure Boot mode activated. It can launch any operating system or .efi file, even with untrusted, invalid or missing signature.
* [Github: TcpTransport](https://github.com/vinxue/TcpTransport) -> A UEFI application to receive TCP network packets.
* [Github: UefiVarMonitor](https://github.com/tandasat/UefiVarMonitor) -> The runtime DXE driver monitoring access to the UEFI variables by hooking the runtime service table.
* [Github: FakeSecureBoot](https://github.com/Shmurkio/FakeSecureBoot) -> UEFI DXE driver to fake Secure Boot. Hooks the gRT->GetVariable function to always return enabled if Secure Boot state is queried.
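UefiVarMonitor and FakeSecureBoot both work by overwriting a function pointer in the runtime services table (`gRT`). The program below is an added example for this page, written to show that mechanism and its detectable side effects; it is not code from either project and does not use EDK2 headers. `MOCK_RUNTIME_SERVICES` is an assumed, cut-down stand-in for `EFI_RUNTIME_SERVICES` (only the `EFI_TABLE_HEADER` and `GetVariable`); the header semantics are the real ones from the UEFI spec: `CRC32` is computed over `HeaderSize` bytes of the table with the `CRC32` field set to zero. The "firmware" side reports Secure Boot disabled, the hook answers enabled, and a baseline comparison shows why a defender cannot rely on the CRC alone: a driver that recomputes the CRC after patching (as well-behaved EDK2 code does) passes that check, but the pointer still differs from the boot-time baseline.

```c
/* Runtime-services hook and detector over a mock table (constructed example). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef uint64_t EFI_STATUS;
typedef uint16_t CHAR16;
#define EFI_SUCCESS                    0ULL
#define EFI_BUFFER_TOO_SMALL           0x8000000000000005ULL
#define EFI_NOT_FOUND                  0x800000000000000EULL
#define EFI_RUNTIME_SERVICES_SIGNATURE 0x56524553544e5552ULL   /* "RUNTSERV" */

typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } EFI_GUID;
typedef struct { uint64_t Signature; uint32_t Revision, HeaderSize, CRC32, Reserved; } EFI_TABLE_HEADER;
typedef EFI_STATUS (*EFI_GET_VARIABLE)(CHAR16 *Name, EFI_GUID *Guid, uint32_t *Attr, size_t *Size, void *Data);

/* Assumed cut-down model of EFI_RUNTIME_SERVICES: header plus the one service we hook. */
typedef struct { EFI_TABLE_HEADER Hdr; EFI_GET_VARIABLE GetVariable; } MOCK_RUNTIME_SERVICES;

/* IEEE 802.3 CRC32, the same polynomial gBS->CalculateCrc32 implements. */
static uint32_t crc32_ieee(const void *buf, size_t len) {
    const uint8_t *p = (const uint8_t *)buf;
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}
/* Spec rule: CRC over HeaderSize bytes with the CRC32 field zeroed. */
static uint32_t table_crc(const MOCK_RUNTIME_SERVICES *t) {
    MOCK_RUNTIME_SERVICES tmp = *t;
    tmp.Hdr.CRC32 = 0;
    size_t n = tmp.Hdr.HeaderSize <= sizeof tmp ? tmp.Hdr.HeaderSize : sizeof tmp;
    return crc32_ieee(&tmp, n);
}
static int name_is(const CHAR16 *name, const char *ascii) {
    while (*name && *ascii) { if (*name != (CHAR16)(unsigned char)*ascii) return 0; name++; ascii++; }
    return *name == 0 && *ascii == 0;
}

/* Stand-in for the platform's real service: Secure Boot is disabled on this "machine". */
static EFI_STATUS firmware_get_variable(CHAR16 *Name, EFI_GUID *Guid, uint32_t *Attr, size_t *Size, void *Data) {
    (void)Guid; (void)Attr;
    if (name_is(Name, "SecureBoot")) {
        if (*Size < 1) { *Size = 1; return EFI_BUFFER_TOO_SMALL; }
        *Size = 1; *(uint8_t *)Data = 0;
        return EFI_SUCCESS;
    }
    return EFI_NOT_FOUND;
}

static EFI_GET_VARIABLE g_orig_get_variable;
/* Hook in the style of FakeSecureBoot: claim "enabled" for SecureBoot, pass everything else through. */
static EFI_STATUS hooked_get_variable(CHAR16 *Name, EFI_GUID *Guid, uint32_t *Attr, size_t *Size, void *Data) {
    if (name_is(Name, "SecureBoot") && Data && *Size >= 1) { *Size = 1; *(uint8_t *)Data = 1; return EFI_SUCCESS; }
    return g_orig_get_variable(Name, Guid, Attr, Size, Data);
}

static void init_table(MOCK_RUNTIME_SERVICES *t) {
    memset(t, 0, sizeof *t);
    t->Hdr.Signature = EFI_RUNTIME_SERVICES_SIGNATURE;
    t->Hdr.HeaderSize = (uint32_t)sizeof *t;
    t->GetVariable = firmware_get_variable;
    t->Hdr.CRC32 = table_crc(t);
}
/* Patch the pointer; fix_crc mirrors a driver that recomputes Hdr.CRC32 after patching. */
static void install_hook(MOCK_RUNTIME_SERVICES *t, int fix_crc) {
    g_orig_get_variable = t->GetVariable;
    t->GetVariable = hooked_get_variable;
    if (fix_crc) t->Hdr.CRC32 = table_crc(t);
}
/* Detector: bit 0 = header CRC stale, bit 1 = service pointer differs from the boot-time baseline. */
static int table_drift(const MOCK_RUNTIME_SERVICES *live, const MOCK_RUNTIME_SERVICES *baseline) {
    int r = 0;
    if (table_crc(live) != live->Hdr.CRC32) r |= 1;
    if (live->GetVariable != baseline->GetVariable) r |= 2;
    return r;
}
/* What an OS loader sees when it asks for the SecureBoot variable (0xFF on error). */
static uint8_t query_secure_boot(const MOCK_RUNTIME_SERVICES *t) {
    CHAR16 name[] = {'S','e','c','u','r','e','B','o','o','t',0};
    uint8_t v = 0xFF; size_t sz = 1; uint32_t attr = 0;
    return t->GetVariable(name, NULL, &attr, &sz, &v) == EFI_SUCCESS ? v : 0xFF;
}

int main(void) {
    MOCK_RUNTIME_SERVICES base, live;
    init_table(&base); live = base;
    printf("clean:        SecureBoot=%u drift=%d\n", query_secure_boot(&live), table_drift(&live, &base));
    install_hook(&live, 0);
    printf("naive hook:   SecureBoot=%u drift=%d\n", query_secure_boot(&live), table_drift(&live, &base));
    live = base; install_hook(&live, 1);
    printf("crc-fixed:    SecureBoot=%u drift=%d\n", query_secure_boot(&live), table_drift(&live, &base));
    return 0;
}
```

The practical takeaway is the baseline: a monitor that records the runtime service pointers early in boot (or checks that each one still points into a known firmware image, which is what Kraft Dinner's driver dump gives you a list of) catches the patch regardless of whether the CRC was repaired.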
---
---
---
## ***Bootkits***
Malware that infects the boot process so that it runs before the operating system and its security software, which makes it extremely hard to detect from inside the running system.
### ***Basics***
What exactly is a bootkit, and is it the kind of component you can build with EDK2?
* [Web Kaspersky: Bootkit](https://encyclopedia.kaspersky.com/glossary/bootkit/) -> A bootkit is a malicious program designed to load as early as possible in the boot process, in order to control all stages of the operating system start up, modifying system code and drivers before anti-virus and other security components are loaded. On legacy BIOS systems the malicious program is loaded from the Master Boot Record (MBR) or boot sector; on UEFI systems the equivalent is a tampered boot manager or bootloader on the EFI System Partition, or a driver planted in the firmware itself (see the ESPecter, LoJax and MosaicRegressor talks below). In effect, a bootkit is a rootkit that loads before the operating system.
* [Web CrowdStrike: Bootkit - Definition, Prevention, and Removal](https://www.crowdstrike.com/cybersecurity-101/malware/bootkit/) -> A strong cybersecurity strategy should not only include reactive approaches to cyberattacks, but should also include proactive prevention methods for infections such as bootkit. Mitigating the consequences of a bootkit infection and removing the infection are valuable tools for your cybersecurity team. Bootkits are stealthy, and understanding how they work and how to combat them can help keep your business safe from threat actors.
* [Web Positive Technologies: Bootkits: evolution and detection methods](https://global.ptsecurity.com/analytics/bootkits-evolution-and-methods-of-detection) -> Bootkits were previously thought to exist mainly in proof-of-concept form, and not used in real attacks. However, only two years separated the appearance of the first PoC and the first bootkit attack.
### ***Videos***
Watch these videos to learn what a bootkit is and the techniques used in its development.
* [Presentation: BlackHat USA 2013 - Detecting OSX and Windows bootkits with RDFU](https://cdn2.hubspot.net/hubfs/3375217/Reversing_Labs_November%202018/File/Presentation-BlackHat-Vegas-2013.pdf)
* [Youtube Video: BlackHat USA 2013 - Detecting OSX and Windows bootkits with RDFU](https://www.youtube.com/watch?v=7UsdRzsue-g) -> UEFI has recently become a very public target for rootkits and malware. To combat this new threat, we developed a Rootkit Detection Framework for UEFI ("RDFU") that incorporates a unified set of tools that address this problem across a wide spectrum of UEFI implementations.
* [Presentation: HackInTheBox 2013 - Dreamboot](https://archive.conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Sebastien%20Kaczmarek%20-%20Dreamboot%20UEFI%20Bootkit.pdf)
* [Youtube Video: HackInTheBox 2013 - Dreamboot](https://www.youtube.com/watch?v=KvTUE5P-Yhs) -> This presentation is a study of the overall architecture of UEFI from a security point of view with a focus on a bootkit implementation for Windows 8 x64 which exploits the UEFI firmware: Dreamboot. Dreamboot has two specific payloads: Privilege escalation and Windows local authentication bypass. DreamBoot comes in the form of a bootable ISO, to use preferably as part of a physical attack (i.e. when the attacker has physical access to the machine peripherals: DVD or USB ports). It is also fully functional in virtualized environments like VMWare Workstation or ESX.
* [Paper: Virus Bulletin 2014 - Bootkits past, present & future](https://www.virusbulletin.com/virusbulletin/2014/11/paper-bootkits-past-present-amp-future)
* [Youtube Video: Virus Bulletin 2014 - Bootkits past, present & future](https://www.youtube.com/watch?v=jN34P4EdIUw) -> Bootkit threats have always been a powerful weapon in the hands of cybercriminals, allowing them to establish persistent and stealthy presence in their victims' systems. The most recent notable spike in bootkit infections was associated with attacks on 64-bit versions of the Microsoft Windows platform, which restrict the loading of unsigned kernel-mode drivers. However, these bootkits aren't effective against UEFI-based platforms. So, are UEFI-based machines immune against bootkit threats (or would they be)?
* [Paper: BlackHat USA 2014 - Exposing Bootkits with BIOS Emulation](https://www.blackhat.com/docs/us-14/materials/us-14-Haukli-Exposing-Bootkits-With-BIOS-Emulation-WP.pdf)
* [Youtube Video: BlackHat USA 2014 - Exposing Bootkits with BIOS Emulation](https://www.youtube.com/watch?v=siMj4bFx5nI) -> Stealth and persistency are invaluable assets to an intruder. You cannot defend against what you cannot see. This talk discusses techniques to counter attempts at subverting modern security features, and regain control of compromised machines, by drilling down deep into internal structures of the operating system to battle the threat of bootkits.
* [Youtube Video: Nullcon 2022 - A UEFI firmware bootkit in the wild](https://www.youtube.com/watch?v=lSpOFUCzFdk) -> Despite the advanced capabilities they provide, low-level implants such as bootkits and rootkits are only deployed by the most sophisticated attackers due to the risk they pose to the victim system's stability. In recent years, Kaspersky has however observed a number of new low-level malware, such as MosaicRegressor, MoonBounce, and the object of this talk, CosmicStrand.
* [Presentation: RSA Conference - ESPecter, Showing the Future of UEFI Threats](https://static.rainfocus.com/rsac/us22/sess/1628600566532001BQMV/finalwebsite/2022_USA22_HT-M01_01_ESPecter-Showing-the-Future-of-UEFI-Threats_1654098813782001estI.pdf)
* [Youtube Video: RSA Conference - ESPecter, Showing the Future of UEFI Threats](https://www.youtube.com/watch?v=rpfE78x7dD4) -> In recent years, it's become clear that UEFI threats are real and have been deployed in the wild. UEFI implants such as LoJax and MosaicRegressor have used the lowest level of persistence, SPI flash, but is it worth it? Actors behind ESPecter bootkit think that compromising the bootloader is the way. This session will explain why and how to protect against this and similar threats.
* [Presentation: OffensiveCon18 - Alex Ionescu Advancing the State of UEFI Bootkits](http://publications.alex-ionescu.com/OffensiveCon/OffensiveCon%202018%20-%20Advancing%20the%20state%20of%20UEFI%20Boot%20Kits.pdf)
* [Youtube Video: OffensiveCon18 - Alex Ionescu Advancing the State of UEFI Bootkits](https://www.youtube.com/watch?v=dpG97TBR3Ys) -> Persistence in the Age of PatchGuard and Windows 10.
* [Presentation: RSA Conference - UEFI Bootkits and Where UEFI Security Fails](https://static.rainfocus.com/rsac/us24/sess/1697270793852001dpne/finalwebsite/2024_USA24_HTA-T09_01_UEFI-Bootkits-and-Where-UEFI-Security-Fails_1713983196427001MzOd.pdf)
* [Youtube Video: RSA Conference - UEFI Bootkits and Where UEFI Security Fails](https://www.youtube.com/watch?v=X3YOKkTdj_k) -> The BlackLotus UEFI bootkit bypassed UEFI Secure Boot on Windows systems that were fully updated, by exploiting an old vulnerability that has been known and patched for over a year. How is that possible? Are there other such vulnerabilities? Join this session for a tour of UEFI threats, vulnerabilities, and issues with UEFI security, and learn what you can do to protect your systems.
### ***Analysis***
Gain a true understanding of this class of malware by reading analyses of real-world bootkit samples.
* [Web WeLiveSecurity: BlackLotus UEFI bootkit - Myth confirmed](https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/) -> The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality.
* [Web Binarly: The Untold Story of the BlackLotus UEFI Bootkit](https://www.binarly.io/blog/the-untold-story-of-the-blacklotus-uefi-bootkit) -> My experience with the analysis and detection of rootkits and bootkits goes back more than 20 years. In the early 2000s, the main challenge was dealing with infected machines when rootkits and bootkits modified the operating system kernel to conceal malicious components. It was such a fun time reverse engineering advanced threats in the good old days that I co-wrote "Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats", a book full of the most interesting stories of our time going down the rabbit hole of advanced malware.
* [Web WeLiveSecurity: UEFI threats moving to the ESP - Introducing ESPecter bootkit](https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/) -> ESET research discovers a previously undocumented UEFI bootkit with roots going back all the way to at least 2012.
* [Web Palo Alto: Diving Into Glupteba's UEFI Bootkit](https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/) -> Glupteba is advanced, modular and multipurpose malware that, for over a decade, has mostly been seen in financially driven cybercrime operations. This article describes the infection chain of a new campaign that took place around November 2023. We will focus on one intriguing and previously undocumented feature: a Unified Extensible Firmware Interface (UEFI) bootkit.
* [Web SecureList: FinSpy - Unseen findings](https://securelist.com/finspy-unseen-findings/104322/) -> FinSpy, also known as FinFisher or Wingbird, is an infamous surveillance toolset. Kaspersky has been tracking deployments of this spyware since 2011.
* [Web SecureList: CosmicStrand - The discovery of a sophisticated UEFI firmware rootkit](https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/) -> Kaspersky's analysis of CosmicStrand, a UEFI firmware rootkit found in the wild (the same implant discussed in the Nullcon 2022 talk listed above).
* [Web SecureList: MosaicRegressor - Lurking in the Shadows of UEFI](https://securelist.com/mosaicregressor/98849/) -> UEFI has become a prominent technology that is embedded within designated chips on modern day computer systems. Replacing the legacy BIOS, it is typically used to facilitate the machine's boot sequence and load the operating system, while using a feature-rich environment to do so. At the same time, it has become the target of threat actors to carry out exceptionally persistent attacks.
* [Web WeLiveSecurity: LoJax - First UEFI rootkit found in the wild, courtesy of the Sednit group](https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/) -> ESET researchers have shown that the Sednit operators used different components of the LoJax malware to target a few government organizations in the Balkans as well as in Central and Eastern Europe.
* [Web Twitter X: ESETresearch - Malicious EFI samples](https://x.com/ESETresearch/status/1275770256389222400) -> ESETresearch identified multiple malicious EFI bootloader samples. The malware displays a ransom message and prevents the computer from booting. It can compromise computers with disabled UEFI Secure Boot feature.
* [Web VMWare: Detecting UEFI Bootkits in the Wild](https://blogs.vmware.com/security/2021/06/detecting-uefi-bootkits-in-the-wild-part-1.html) -> Threat actors are continually looking for ways to improve the persistence of their malware and implants. Bootkits, meaning rootkits running at the firmware level, have been utilized for this purpose. Once bootkits are installed, it can be extremely difficult to detect or remove versus OS-level rootkits as they are executed prior to the actual OS boot process.
* [Web Binarly: UEFI Bootkit Hunting: In-Depth Search for Unique Code Behavior](https://www.binarly.io/blog/uefi-bootkit-hunting-in-depth-search-for-unique-code-behavior) -> Firmware threats such as bootkits and implants have become increasingly prevalent due to their persistence and ability to evade detection compared to traditional OS-level malware. Attackers favor these threats because they can remain undetected even when conventional security measures are in place, especially if UEFI Secure Boot is disabled. Detecting unknown bootkits under these circumstances is a critical challenge in cybersecurity. Mostly, the publicly known UEFI implants and bootkits have been detected after successful deployment, which points to the limitations of the existing security solutions.
### ***Source Code***
Observe that the components shown in the source code are the applications and drivers you can develop with EDK2.
* [Github: Abyss](https://github.com/TheMalwareGuardian/Abyss) -> Abyss is a comprehensive project thoroughly designed with the explicit goal of establishing a robust foundation for the development of bootkits. By offering a centralized repository of knowledge, Abyss stands as a valuable initiative for anyone looking to contribute to and benefit from the collective understanding of this field.
* [Github: RedLotus](https://github.com/memN0ps/bootkit-rs) -> Windows UEFI bootkit in Rust designed to manually map a driver manual mapper before the kernel (ntoskrnl.exe) is loaded, effectively bypassing Driver Signature Enforcement (DSE).
* [Github: EfiGuard](https://github.com/Mattiwatti/EfiGuard) -> Portable x64 UEFI bootkit that patches the Windows boot manager, boot loader and kernel at boot time in order to disable PatchGuard and Driver Signature Enforcement (DSE).
* [Github: BlackLotus](https://github.com/ldpreload/BlackLotus) -> An innovative UEFI Bootkit designed specifically for Windows. It incorporates a built-in Secure Boot bypass and Ring0/Kernel protection to safeguard against any attempts at removal. This software serves the purpose of functioning as an HTTP Loader.
* [Github: DmaBackdoorBoot](https://github.com/Cr4sh/s6_pcie_microblaze/tree/master/python/payloads/DmaBackdoorBoot) -> UEFI DXE driver intended for executing kernel-mode and user-mode payloads under the Windows operating system by gaining arbitrary code execution at an early boot stage, during the DXE phase of platform initialization.
* [Github: Bootlicker](https://github.com/realoriginal/bootlicker) -> A generic UEFI bootkit used to achieve initial usermode execution.
* [Github: Bootkit Showcase](https://github.com/hardenedvault/bootkit-samples) -> Real-World Examples of Infrastructure Security Threats.
* [Github: SandboxBootkit](https://github.com/thesecretclub/SandboxBootkit) -> Bootkit tested on Windows Sandbox to patch ntoskrnl.exe and disable DSE/PatchGuard.
* [Github: Umap](https://github.com/btbd/umap/) -> Windows UEFI bootkit that loads a generic driver manual mapper without using a UEFI runtime driver.
* [Github: UEFI-Bootkit](https://github.com/ajkhoury/UEFI-Bootkit) -> A small bootkit designed to use zero assembly.
* [Github: PeiBackdoor](https://github.com/Cr4sh/PeiBackdoor) -> This project implements an early-stage firmware backdoor for UEFI-based firmware. It allows arbitrary code written in C to be executed during the Pre-EFI Initialization (PEI) phase of Platform Initialization (PI).
* [Github: Rovnix](https://github.com/m0n0ph1/Win64-Rovnix-VBR-Bootkit) -> Volume Boot Record Bootkit.
* [Github: Vector EDK](https://github.com/hackedteam/vector-edk) -> EFI Development Kit.
* [Github: Dreamboot](https://github.com/quarkslab/dreamboot) -> UEFI bootkit.
* [Github: UEFIBootkit](https://github.com/gfoudree/UEFIBootkit) -> Simple PoC for a bootkit written as a UEFI Option ROM Driver.
* [Web Back Engineering: Voyager - A Hyper-V Hacking Framework For Windows 10 x64 (AMD & Intel)](https://git.back.engineering/_xeroxz/voyager) -> Voyager is a project designed to offer module injection and vmexit hooking for both AMD & Intel versions of Hyper-V. This project works on all versions of Windows 10-x64 (2004-1507).
* [Github: Efi-Memory - PoC EFI runtime driver for memory r/w & kdmapper fork](https://github.com/SamuelTulach/efi-memory) -> Efi-memory is a proof-of-concept EFI runtime driver for reading and writing virtual memory. It uses EfiGuard's method of hooking SetVariable to communicate with the user-mode process.
* [Github: EFI Driver Access](https://github.com/TheCruZ/EFI_Driver_Access) -> EFI Driver Access is a simple project that loads a driver during system boot in order to give the user unrestricted kernel read/write memory access.
---
---
---
## ***Windows Kernel***
Explore the heart of Windows.
### ***Basics***
The essentials for learning how Windows operates beneath the surface.
* [Web Microsoft: User mode and kernel mode](https://learn.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode) -> A processor in a computer running Windows operates in two different modes: user mode and kernel mode. The processor switches between these modes depending on the type of code it's executing. Applications operate in user mode, while core operating system components function in kernel mode. Although many drivers operate in kernel mode, some can function in user mode.
* [Github: System Internals of Windows](https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/sysinternals.md#windows-internals) -> System architecture, processes, threads, memory management, and more.
* [Web RedTeamNotes: Internals](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals) -> Everything you need to know about Windows kernel.
* [Web SamsClass Info: Windows Internals CTF](https://samsclass.info/126/WI2021.htm) -> Sam Bowne.
* [Blog: Mysteries of the Windows Kernel - Processes & Objects](https://medium.com/@amitmoshel70/mysteries-of-the-windows-kernel-pt-1-processes-objects-d677a5afcd9b) -> I've decided to start a series of Windows Internals articles which at the beginning will not directly be related to security, but after the series will cover some important Windows Internals topics, I'll start connecting the material into some aspects related to security. During the course, I'll show the practical aspects using WinDbg (kernel debugging) and Process Explorer.
* [Blog: Mysteries of the Windows Kernel - Threads Scheduling & CPUs](https://medium.com/@amitmoshel70/mysteries-of-the-windows-kernel-pt-2-threads-scheduling-cpus-30125fbb46a3) -> In this article we'll learn what a thread is, what a thread consists of, how threads are related to the CPU and how they are scheduled when running on CPU cores.
* [Blog: Mysteries of the Windows Kernel - Memory Management & Address Translation](https://medium.com/@amitmoshel70/mysteries-of-the-windows-kernel-pt-3-memory-management-address-translation-5c3501ac7723) -> In this article I'll talk about the following topics related to "Memory Management".
### ***Videos***
Watch these videos to gain a deeper understanding of Windows' core components.
* [Youtube Video: Pavel Yosifovich - Native Applications What, Why, and How?](https://www.youtube.com/watch?v=EKBvLTuI2Mo) -> Normally, native applications are built by Microsoft only. Examples include Smss.exe (the session manager), CSrss.exe (the Windows subsystem process), and UserInit.exe (normally executed by WinLogon.exe on a successful login).
* [Youtube Video: ACCU 2019 - Windows Native API](https://www.youtube.com/watch?v=a0KozcRhotM) -> Many programmers are familiar with the Windows "Win32" API that provides access to a large variety of services, from user interface to memory management; but far fewer have much idea about the Windows "Native" API which is the mechanism used to access the operating system services located in the kernel.
* [Youtube Video: BlackHat 2015 - Battle Of The SKM And IUM, How Windows 10 Rewrites OS Architecture](https://www.youtube.com/watch?v=LqaWIn4y26E) -> In Windows 10, Microsoft is introducing a radical new concept to the underlying OS architecture, and likely the biggest change to the NT design since the decision to move the GUI in kernel-mode. In this new model, the Viridian Hypervisor Kernel now becomes a core part of the operating system and implements Virtual Secure Machines (VSMs) by loading a true microkernel - a compact (200kb) NT look-alike with its own drivers called the Secure Kernel Mode (SKM) environment, which then uses the Hypervisor to hook and intercept execution of the true NT kernel. This creates a new paradigm where the NT Kernel, executing in Ring 0, now runs below the Secure Kernel, at Ring ~0 (called Virtual Trust Level 1).
* [Youtube Video: Windows IT Pro - Sysinternals Overview (Microsoft, tools, utilities, demos)](https://www.youtube.com/watch?v=6RqFPrCcWfY) -> Learn about the tools that security, developer, and IT professionals rely on to analyze, diagnose, troubleshoot, and optimize Windows from creator Mark Russinovich. Find out which utilities will help you optimize any Windows system's reliability, efficiency, performance, and security.
* [Youtube Video: DotNext - Pavel Yosifovich, Windows 10 internals for .NET developers](https://www.youtube.com/watch?v=h6BXMcRqYhA) -> The .NET Framework provides some level of abstraction over the Windows OS, but understanding the way Windows works can make you a better .NET developer. Windows 10 is progressing at a faster cadence than in the past. Some of its features are not exposed to .NET developers directly.
* [Youtube Video: REcon 2019 - The Last Generic Win32K KASLR Defeat in Windows](https://www.youtube.com/watch?v=PTnuwchEci0) -> This talk will describe the final mistake that Microsoft made when 'fixing' the shared heap (desktop heap and session heap) structures that are shared by User and GDI objects in Win32k.sys, which have leaked kernel pointers for over 2 decades to user-mode. I will cover how existing techniques were broken in Fall Creator's Update (RS4), and how this build, and the subsequent (RS5 and 19H1) had a critical implementation flaw which still made KASLR bypasses possible.
* [Youtube Video: TryHackMe - Windows Internals](https://www.youtube.com/watch?v=k7UDasbkLJw) -> In this video, we begin working through the "Host Evasion" module on TryHackMe which is part of the Red Team path.
### ***Structures***
Learn about the opaque structures of Windows, the core code of the kernel.
* [Web CodeMachine: Windows kernel data structures](https://codemachine.com/articles/kernel_structures.html) -> Catalog of key Windows kernel data structures.
* [Web Vergilius Project: Windows kernel](https://www.vergiliusproject.com/) -> Take a look into the depths of Windows kernels and reveal more than 60000 undocumented structures.
* [Web Geoff Chappell: Windows kernel](https://www.geoffchappell.com/) -> Because kernel-mode programming, e.g., of device drivers and file system filter drivers, is the commercial specialty that funded this website's early development as a free public resource, it could not easily itself be a subject for the free public resource. Not until 2016 did it start getting serious attention at this website, not even to publish old notes whose commercial value had long passed. Now, however, the Kernel study is well on its way to becoming a resource to reckon with for the functions and structures exposed by the kernel and the HAL.
* [Web ReactOS](https://reactos.org/) -> Imagine running your favorite Windows applications and drivers in an open-source environment you can trust. That's the mission of ReactOS!
### ***Debugging***
Analyze and debug critical structures along with the entire kernel.
#### ***Basics***
Debug the Windows OS.
* [Web Microsoft: WinDbg](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/) -> WinDbg is a debugger that can be used to analyze crash dumps, debug live user-mode and kernel-mode code, and examine CPU registers and memory.
* [Web WinDbg Org](http://windbg.org/) -> WinDbg Quick Links, Extensions, Scripts.
* [Web Microsoft: Setting Up Kernel-Mode Debugging](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-kernel-mode-debugging-in-windbg--cdb--or-ntsd) -> How to start debugging Windows kernel.
* [Web Microsoft: Local Kernel-Mode Debugging](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/performing-local-kernel-debugging) -> Debugging Tools for Windows supports local kernel debugging. This is kernel-mode debugging on a single computer. In other words, the debugger runs on the same computer that is being debugged.
* [Web Microsoft: Remote Debugging Using WinDbg](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-debugging-using-windbg) -> Remote debugging involves two debuggers running at two different locations. The debugger that performs the debugging is called the debugging server. The second debugger, called the debugging client, controls the debugging session from a remote location. To establish a remote session, you must set up the debugging server first and then activate the debugging client.
* [Github: Modern Debugging with WinDbg Preview DEFCON 27 workshop](https://github.com/hugsy/defcon_27_windbg_workshop) -> It's 2019 and yet too many Windows developers and hackers alike rely on (useful but rather) old school tools for debugging Windows binaries (OllyDbg, Immunity Debugger). What they don't realize is that they are missing out on invaluable tools and functionalities that come with Microsoft newest WinDbg Preview edition. This hands-on workshop will attempt to level the field, by practically showing how WinDbg has changed to a point where it should be the first tool to be installed on any Windows (10) for binary analysis machine: after a brief intro to the most basic (legacy) commands, this workshop will focus around debugging modern software (vulnerability exploitation, malware reversing, DKOM-based rootkit, JS engine) using modern techniques provided by WinDbg Preview (spoiler alert to name a few, JavaScript, LINQ, TTD).
* [Web Microsoft: Reading and Filtering Debugging Messages](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/reading-and-filtering-debugging-messages) -> The DbgPrintEx, vDbgPrintEx, vDbgPrintExWithPrefix, and KdPrintEx routines send a message to the kernel debugger under conditions that you specify. This procedure enables you to filter out low-priority messages.
* [Web CodeMachine: WinDBG quick start tutorial](https://codemachine.com/articles/windbg_quickstart.html) -> This post goes over the important commands in WinDBG through a step-by-step follow-along style walkthrough to help you get a jump start into using WinDBG and getting familiar with the commonly used commands.
* [Web WinDbg Info: Common WinDbg Commands](http://windbg.info/doc/1-common-cmds.html) -> Common WinDbg commands thematically grouped by Robert Kuster.
#### ***Commands***
Key commands to use in the official Microsoft debugger, WinDbg.
* [Web Microsoft: lm (List Loaded Modules)](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/lm--list-loaded-modules-) -> The lm command displays the specified loaded modules. The output includes the status and the path of the module.
* [Web Microsoft: x (Examine Symbols)](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/x--examine-symbols-) -> The x command displays the symbols in all contexts that match the specified pattern.
* [Web Microsoft: !process](https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/-process) -> The !process extension displays information about the specified process, or about all processes, including the EPROCESS block. This extension can be used only during kernel-mode debugging.
* [Web Microsoft: .block](https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/-block) -> The .block token performs no action; it is used solely to introduce a block of statements.
* [Web Microsoft: .if](https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/-if) -> The .if token behaves like the if keyword in C.
* [Web Microsoft: .for](https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/-for) -> The .for token behaves like the for keyword in C, except that multiple increment commands must be separated by semicolons, not by commas.
* [Web Microsoft: .while](https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/-while) -> The .while token behaves like the while keyword in C.
* [Web Microsoft: .printf](https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/-printf) -> The .printf token behaves like the printf statement in C.
* [Web Microsoft: dt (Display Type)](https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/dt--display-type-) -> The dt command displays information about a local variable, global variable or data type. This can display information about simple data types, as well as structures and unions.
* [Web Microsoft: d, da, db, dc, dd, dD, df, dp, dq, du, dw (Display Memory)](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/d--da--db--dc--dd--dd--df--dp--dq--du--dw--dw--dyb--dyd--display-memor) -> The d* commands display the contents of memory in the given range.
* [Web Microsoft: e, ea, eb, ed, eD, ef, ep, eq, eu, ew, eza (Enter Values)](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/e--ea--eb--ed--ed--ef--ep--eq--eu--ew--eza--ezu--enter-values-) -> The *e* commands enter into memory the values that you specify.
* [Web Microsoft: bp, bu, bm (Set Breakpoint)](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bp--bu--bm--set-breakpoint-) -> The bp, bu, and bm commands set one or more software breakpoints. You can combine locations, conditions, and options to set different kinds of software breakpoints.
* [Web Microsoft: u, ub, uu (Unassemble)](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/u--unassemble-) -> The u* commands display an assembly translation of the specified program code in memory.
#### ***Scripting***
Create a script to automate the debugging process.
##### ***Classic***
* [Web Microsoft: Debugger Commands](https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/debugger-commands) -> WinDbg Scripting.
* [Web Microsoft: \$<, \$><, \$$<, \$$><, \$$>a< (Run Script File)](https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/debugger-commands) -> The \$<, \$><, \$$<, \$$><, and \$$>a< commands read the contents of the specified script file and use its contents as debugger command input.
* [Web KeySight: Debugging Malware with WinDbg](https://www.keysight.com/blogs/tech/nwvs/2020/07/27/debugging-malware-with-windbg) -> We present practical techniques for finding information you may be interested in by stepping through a Locky Ransomware Sample using WinDbg. WinDbg is the debugger of choice by Microsoft, so it should be for us too.
* [Web DumpAnalysis: Introduction to WinDbg Scripts for C/C++ Users](https://www.dumpanalysis.org/WCDA/WCDA-Sample-Chapter.pdf) -> All debuggers from Debugging Tools for Windows package use the same engine dbgeng.dll. It contains a script interpreter for a special language we call WinDbg scripting language for convenience and we use WDS file extension for WinDbg script files.
* [Github: WinDbg_Scripts](https://github.com/yardenshafir/WinDbg_Scripts) -> Useful scripts for WinDbg using the debugger data model.
##### ***JavaScript***
* [Web Microsoft: JavaScript Debugger Scripting](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/javascript-debugger-scripting) -> This topic describes how to use JavaScript to create scripts that understand debugger objects and extend and customize the capabilities of the debugger.
* [Web Microsoft: Microsoft Github Repo Example Scripts](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/javascript-debugger-example-scripts) -> This is a collection of extensions and sample scripts for extending WinDbg. We'll be adding more samples and extensions over time.
* [Github: WinDbg-Scripts](https://github.com/0vercl0k/windbg-scripts) -> A bunch of JavaScript extensions for WinDbg.
* [GitHub: WinDbg JavaScript Scripts](https://github.com/hugsy/windbg_js_scripts) -> Toy scripts for playing with WinDbg JS API.
* [GitHub: KasperskyLab - JS scripts for WinDbg](https://github.com/KasperskyLab/WinDbg-JS-Scripts) -> This is a collection of WinDbg JS scripts useful for dumps analysis.
##### ***Python***
* [Web PyPI: PYKD](https://pypi.org/project/pykd/) -> Python Extension for WinDbg.
* [Blog: PYKD Tutorial Part 1](https://rayanfam.com/topics/pykd-tutorial-part1/) -> Using WinDbg script syntax is such an annoying thing that almost all reverse engineers have problems dealing with it, but automating debugging gives such power that it can't be easily ignored. A good solution to this problem is using the power and simplicity of Python and WinDbg together.
* [Blog: PYKD Tutorial Part 2](https://rayanfam.com/topics/pykd-tutorial-part2/) -> Using WinDbg script syntax is such an annoying thing that almost all reverse engineers have problems dealing with it, but automating debugging gives such power that it can't be easily ignored. A good solution to this problem is using the power and simplicity of Python and WinDbg together.
##### ***PowerShell***
* [Web PowerShell Gallery: WinDbg](https://www.powershellgallery.com/packages/WinDbg/1.0) -> Module for automation of Windows Debugging.
* [Blog: Scripting WinDbg with PowerShell](https://www.leeholmes.com/scripting-windbg-with-powershell/) -> A while back, Roberto Farah published a script library to help control WinDbg through PowerShell. I've been using WinDbg for more debugging lately, and decided (after following one too many object references by hand) that I needed to script my investigations.
##### ***Extensions***
* [GitHub: Awesome WinDbg Extensions](https://github.com/anhkgg/awesome-windbg-extensions)
* [Github: WDBGARK](https://github.com/swwwolf/wdbgark) -> WinDBG Anti-RootKit extension.
* [Github: SwishDbgExt](https://github.com/comaeio/SwishDbgExt) -> Incident Response Debugging Extension.
* [Youtube Video: Creating our first WinDbg extension from scratch](https://www.youtube.com/watch?v=d1uT8tmnhZI) -> In this video I create my very first native WinDbg extension, ever.
* [Youtube Video: Extend WinDbg to build your own dream debugging tool](https://www.youtube.com/watch?v=tSlFd0CIo0g) -> It's the beginning of a new era. After all those years, Microsoft has finally done what we stopped hoping for: WinDbg has been updated with a brand new UI! Past the "wow!" effect, it looks like many of the old WinDbg flaws are still there: a single command window, no history, limited scripting… But fear not, for something has changed: WinDbg now provides a number of extension points (undocumented at this time) that can be used to fully customize the UI and drive the debugging engine. It's up to us to turn this application into our own dream debugging tool!
### ***Protection Mechanisms***
How the core of Windows is secured.
#### ***Driver Signature Enforcement (DSE)***
Prevent the use of unsigned drivers.
##### ***Basics***
* [Web Microsoft: Signing a Driver](https://learn.microsoft.com/en-us/windows-hardware/drivers/develop/signing-a-driver) -> All drivers running on 64-bit versions of Windows must be signed before Windows will load them. However, driver signing is not required on 32-bit versions of Windows. In order to sign a driver, a certificate is required. You can create your own certificate to sign your driver with during development and testing. However, for a public release you must sign your driver with a certificate issued by a trusted root authority.
* [Web Microsoft: Introduction to Test-Signing](https://learn.microsoft.com/en-us/windows-hardware/drivers/install/introduction-to-test-signing) -> Drivers should be test-signed with a digital signature during development and test for the following reasons: to facilitate and automate installation; to be able to load kernel-mode drivers on 64-bit versions of Windows Vista and later versions of Windows; and to play back certain types of next-generation premium content, for which all kernel-mode components in Windows Vista and later versions of Windows must be signed.
* [Web Driver Easy: Disable Driver Signature Enforcement on Windows 10 Easily!](https://www.drivereasy.com/knowledge/disable-driver-signature-enforcement-windows-10-easily/) -> On Windows 8 and Windows 10 (64-bit), Microsoft has included a feature, driver signature enforcement. It is a feature that is designed to ensure that users of Microsoft can only load drivers that have been signed by Microsoft.
* [Web Make Use Of: How to Disable Driver Signature Enforcement and Install Unsigned Drivers on Windows](https://www.makeuseof.com/disable-driver-signature-enforcement-windows/) -> Sometimes, Windows will block you from installing an unsigned driver, which is a driver you've downloaded elsewhere other than through a Windows Update or the device manufacturer's website. But if you need the driver, and you know it is perfectly safe, you can turn off driver signature enforcement and let it through.
* [Web How To Geek: How to Disable Driver Signature Verification on 64-Bit Windows 8 or 10](https://www.howtogeek.com/167723/how-to-disable-driver-signature-verification-on-64-bit-windows-8.1-so-that-you-can-install-unsigned-drivers/) -> 64-bit versions of Windows 10 and 8 include a "driver signature enforcement" feature. They'll only load drivers that have been signed by Microsoft. To install less-than-official drivers, old unsigned drivers, or drivers you're developing yourself, you'll need to disable driver signature enforcement.
##### ***Bypasses***
* [Web Code Project: Disable Driver Signature Enforcement with DSE-Patcher](https://www.codeproject.com/Articles/5348168/Disable-Driver-Signature-Enforcement-with-DSE-Patc) -> Driver Signature Enforcement (DSE) was introduced by Microsoft starting with Windows Vista x64. DSE is a security feature of the operating system, which ensures that only valid signed drivers are loaded. To install unsigned drivers, the DSE security feature has to be disabled. DSE-Patcher can be used to disable DSE on all 64-bit operating systems starting with Windows Vista and later. We developed DSE-Patcher to show the interested coder how easy it is to use known vulnerabilities and change memory in kernel address space.
* [Web Fortinet: The Swan Song for Driver Signature Enforcement Tampering](https://www.fortinet.com/blog/threat-research/driver-signature-enforcement-tampering) -> Code Integrity is a threat protection feature first introduced by Microsoft over 15 years ago. On x64-based versions of Windows, kernel-mode drivers must be digitally signed and checked each time they are loaded into memory. This is also referred to as Driver Signature Enforcement (DSE).
* [Blog: The dusk of g_CiOptions: circumventing DSE with VBS enabled](https://blog.cryptoplague.net/main/research/windows-research/the-dusk-of-g_cioptions-circumventing-dse-with-vbs-enabled) -> In this article, we will explore the concept of bypassing Driver Signature Enforcement (DSE) in the Virtualization Based Security (VBS) era with only a write-what-where exploit primitive.
* [Blog: Offset-free DSE bypass across Windows 11 & 10: utilising ntkrnlmp.pdb](https://blog.cryptoplague.net/main/research/windows-research/offset-free-dse-bypass-across-windows-11-and-10-utilising-ntkrnlmp.pdb) -> Parsing ntkrnlmp.pdb on the target to eliminate the need for static offsetting and thus safely and dynamically bypassing driver signature enforcement across multiple Windows 10 & 11 versions.
* [Blog: g_CiOptions in a Virtualized World](https://blog.xpnsec.com/gcioptions-in-a-virtualized-world/) -> In this post we will look at a common technique used to disable driver signing enforcement, how VBS has attempted to stop attackers from exploiting this, and how when not partnered with HVCI, just how easy it is to bypass this security control.
* [Github: DisableDSE](https://github.com/rogxo/DisableDSE) -> A method to Disable DSE using .data ptr hooks.
* [Github: DSE Hook](https://github.com/emlinhax/dse_hook) -> Load unsigned kernel-driver by patching dse in 248 lines. This project abuses a vulnerable driver called "winio64.sys".
* [Github: DSE & PG bypass via BYOVD attack](https://github.com/4l3x777/dse_pg_bypass)
* [Github: PastDSE](https://github.com/utoni/PastDSE) -> A Driver Signature Enforcement "bypass" that relies on a leaked EV code-signing certificate. It is not a real bypass: it only sets the system date to 01-01-2014 before signing the driver and restores it afterwards. The kernel driver loader will accept any driver image whose code was signed by an extended validation code-signing certificate that has not been revoked, so this stops working as soon as the leaked certificate is revoked.
* [Github: Gigabyte Disable DSE](https://github.com/cygnosic/Gigabyte_Disable_DSE) -> Code to disable DSE (Driver Signature Enforcement) using vulnerable gigabyte driver.
#### ***Virtualization Based Security (VBS)***
Assume the kernel can be compromised and create an isolated virtual environment.
##### ***Basics***
* [Web Microsoft: Virtualization-based Security (VBS)](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs) -> Virtualization-based security, or VBS, uses hardware virtualization and the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. Windows uses this isolated environment to host a number of security solutions, providing them with greatly increased protection from vulnerabilities in the operating system, and preventing the use of malicious exploits which attempt to defeat protections. VBS enforces restrictions to protect vital system and operating system resources, or to protect security assets such as authenticated user credentials.
##### ***Videos***
* [Presentation: BlackHat USA 2016: Analysis of the Attack Surface of Windows 10 Virtualization-Based Security](https://www.blackhat.com/docs/us-16/materials/us-16-Wojtczuk-Analysis-Of-The-Attack-Surface-Of-Windows-10-Virtualization-Based-Security.pdf)
* [Youtube Video: BlackHat USA 2016: Analysis of the Attack Surface of Windows 10 Virtualization-Based Security](https://www.youtube.com/watch?v=_646Gmr_uo0) -> In Windows 10, Microsoft introduced virtualization-based security (VBS), the set of security solutions based on a hypervisor. In this presentation, we will talk about details of VBS implementation and assess the attack surface - it is very different from other virtualization solutions. We will focus on the potential issues resulting from the underlying platform complexity (UEFI firmware being a primary example).
* [Youtube Video: BSidesKC 2022 - No Code Execution? No Problem! - Living The Age of Virtualization-Based Security](https://www.youtube.com/watch?v=OBreVsVK-L8) -> Windows 11 saw the default enablement of some of the most powerful exploit mitigations on the market - many of them falling under the purview of Virtualization-Based Security, or VBS. These exploit mitigations are instrumented through Microsoft's hypervisor, Hyper-V, which provides a "higher root of trust" than the Windows kernel itself. With the advent of the default enablement of these mitigations - simply put - the "old" way of doing things won't suffice when it comes to kernel exploitation. Hypervisor-Protected Code Integrity (HVCI), one of these hypervisor-based mitigations, works by outright preventing any malicious, unsigned shellcode from running within the Windows kernel. Does this now mean "game over" for attackers? This talk investigates how these new, modern mitigations work and how today's attackers must and can adapt to the new bar set by these exploit mitigations.
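Before trying any of the DSE material above on a lab machine, the first question is which protections are actually active: whether VBS is running, whether HVCI (memory integrity) is on, whether Secure Boot is enabled, and whether the BCD store already carries `testsigning` or `nointegritychecks`. The following PowerShell is an added example written for this list; it is not code from the original page or from any of the linked projects. It uses only documented interfaces (the `Win32_DeviceGuard` WMI class, `bcdedit`, `Confirm-SecureBootUEFI`, `New-SelfSignedCertificate`, `signtool.exe` from the Windows SDK/WDK, and `Get-AuthenticodeSignature`). The driver path `C:\dev\mydrv.sys` and the certificate subject `CN=LabTestSigning` are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example; not code from this list or from any project it links.
# Placeholders: C:\dev\mydrv.sys and the certificate subject 'CN=LabTestSigning'.

function Get-KernelProtectionState {
    # Win32_DeviceGuard is the documented WMI class behind msinfo32's
    # "Virtualization-based security" rows. SecurityServicesRunning contains
    # 1 for Credential Guard and 2 for HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Off' } 1 { 'Enabled, not running' } 2 { 'Running' } default { 'Unknown' }
    }
    $hvci = [bool]($dg.SecurityServicesRunning -contains 2)

    # DSE can be weakened at boot through BCD switches; read them from the
    # current boot entry rather than trusting what a GUI shows.
    $bcd = (& bcdedit.exe /enum '{current}') -join "`n"
    $testSigning = $bcd -match '(?m)^testsigning\s+Yes'
    $noIntegrity = $bcd -match '(?m)^nointegritychecks\s+Yes'

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "off".
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

    [pscustomobject]@{
        VBS               = $vbs
        HVCI              = $hvci
        SecureBoot        = $secureBoot
        TestSigning       = $testSigning
        NoIntegrityChecks = $noIntegrity
    }
}

function Invoke-TestSign {
    param(
        [Parameter(Mandatory)][string]$DriverPath,
        [string]$Subject = 'CN=LabTestSigning'
    )
    if (-not (Test-Path $DriverPath)) { throw "driver image not found: $DriverPath" }
    # A self-signed code-signing certificate is accepted only while testsigning
    # is on; a release driver needs a Microsoft-attested or WHQL signature.
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
                -CertStoreLocation 'Cert:\CurrentUser\My'
    # signtool.exe ships with the Windows SDK/WDK. /fd picks the file digest,
    # /sha1 selects the signing certificate by thumbprint from the store.
    & signtool.exe sign /v /fd SHA256 /sha1 $cert.Thumbprint $DriverPath
    if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }
    Get-AuthenticodeSignature -FilePath $DriverPath | Select-Object Status, StatusMessage
}

# Usage on a lab VM:
Get-KernelProtectionState
# bcdedit /set testsigning on   (then reboot; fails with "protected by Secure Boot policy"
#                                while Secure Boot is on)
Invoke-TestSign -DriverPath 'C:\dev\mydrv.sys'
```

Two things worth knowing when reading the output. `Get-AuthenticodeSignature` will not report `Valid` for a self-signed certificate (the chain ends in an untrusted root); in test-signing mode the loader accepts the driver anyway, so that status is expected. And the `HVCI` flag is the one that decides whether the `g_CiOptions` techniques in the Bypasses list even apply to the target: the xpn and cryptoplague posts above describe how the picture changes once VBS, and then HVCI, are on.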
#### ***Kernel Patch Protection (KPP) / PatchGuard***
Prevent alterations to critical components and structures.
##### ***Basics***
* [Web Windows-Internals: Secure Kernel Patch Guard - SKPG Initialization](https://windows-internals.com/hyperguard-secure-kernel-patch-guard-part-1-skpg-initialization/) -> This first part will focus on what SKPG is and how it's being initialized.
* [Web Windows-Internals: Secure Kernel Patch Guard - SKPG Extents](https://windows-internals.com/hyperguard-secure-kernel-patch-guard-part-2-skpg-extents/) -> This part will start describing the data structure and components of SKPG, and more specifically the way it's activated.
* [Demystifying PatchGuard: An In-Depth Analysis Through Practical Engineering](https://web.archive.org/web/20230510133129/https://zerocondition.com/posts/demystifying-patchguard/) -> The presence of PatchGuard in the 64-bit Windows operating system is a remarkable security measure that thwarts the efforts of kernel-level rootkits and other malware to manipulate critical system code and structures. Its method of operation is through regular monitoring of the kernel to identify any illicit modifications and counteracting them without delay.
##### ***Videos***
* [Youtube Video: RSA Conference - Windows Kernel Patch Protection](https://www.youtube.com/watch?v=wXRLnp2JoWU) -> This session will look at a critical flaw in the design of Windows Kernel Patch Protection (PatchGuard), a system used to prevent modification to kernel code and other critical structure. The design of PatchGuard will be discussed, along with the design of an attack which uses the flaw in PatchGuard to disable the PatchGuard response entirely.
##### ***Bypasses***
* [Web Uninformed: Bypassing Patchguard on Windows](https://web.archive.org/web/20160817134601/http://uninformed.org/index.cgi?v=3&a=3&p=1) -> In the caste system of operating systems, the kernel is king. And like most kings, the kernel is capable of defending itself from the lesser citizens, such as user-mode processes, through the castle walls of privilege separation. However, unlike most kings, the kernel is typically unable to defend itself from the same privilege level at which it operates. Without the kernel being able to protect its vital organs at its own privilege level, the entire operating system is left open to modification and subversion if any code is able to run with the same privileges as the kernel itself.
* [Github: PatchGuardBypass](https://github.com/AdamOron/PatchGuardBypass) -> Bypassing PatchGuard on modern x64 systems.
* [Web CyberArk: GhostHook](https://www.cyberark.com/resources/threat-research-blog/ghosthook-bypassing-patchguard-with-processor-trace-based-hooking) -> Bypassing PatchGuard with Processor Trace Based Hooking.
* [Github: InfinityHook](https://github.com/everdox/InfinityHook) -> Kernel driver that will hook system calls.
* [Blog: New bypass disclosed in Microsoft PatchGuard (KPP)](https://www.zdnet.com/article/new-bypass-disclosed-in-microsoft-patchguard-kpp/) -> After GhostHook and InfinityHook, we now have ByePg.
* [Blog: ByePg](https://blog.can.ac/2019/10/19/byepg-defeating-patchguard-using-exception-hooking/) -> Defeating Patchguard Using Exception - Hooking.
* [Github: Shark](https://github.com/9176324/Shark) -> Turn off PatchGuard in real time for win7 (7600) ~ later.
* [Github: UPGDSED](https://github.com/hfiref0x/UPGDSED) -> Universal PatchGuard and Driver Signature Enforcement Disable.
* [Github: PgResarch](https://github.com/tandasat/PgResarch) -> PatchGuard Research.
### ***Drivers***
Components linked to malware that targets the core of Windows.
#### ***Basics***
Learn the basics of creating kernel mode drivers.
* [Web Microsoft: Get started with drivers on Windows](https://learn.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/) -> General overview of Windows components, types of device drivers used in Windows, goals of Windows device drivers, generic sample device drivers.
* [Web Microsoft: Kernel-Mode Driver Architecture Design Guide](https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/) -> This section includes general concepts to help you understand kernel-mode programming and describes specific techniques of kernel programming.
* [Blog: Red Team Tactics - Writing Windows Kernel Drivers for Advanced Persistence (Part 1)](https://v3ded.github.io/redteam/red-team-tactics-writing-windows-kernel-drivers-for-advanced-persistence-part-1) -> This post, as indicated by the title, will cover the topic of writing Windows kernel drivers for advanced persistence. Because the subject matter is relatively complex, I have decided to divide the project into a three or a four part series. This being the first post in the series, it will cover the fundamental information you need to know to get started with kernel development. This includes setting up a development environment, configuring remote kernel debugging and writing your first "Hello World" driver.
* [Blog: Red Team Tactics - Writing Windows Kernel Drivers for Advanced Persistence (Part 2)](https://v3ded.github.io/redteam/red-team-tactics-writing-windows-kernel-drivers-for-advanced-persistence-part-2) -> In today's post, we will be covering the Windows Filtering Platform (WFP) and how it can be used to process network packets via our driver. Specifically, we will be focusing on ICMP packets. Given the basic nature of this protocol, we will also delve into creating a custom "protocol" within ICMP itself that will enable us to issue commands to the machines that have our driver installed.
* [Blog: Loading unsigned Windows drivers without reboot](https://v1k1ngfr.github.io/loading-windows-unsigned-driver/) -> How can we load this unsigned drivers into the Windows kernel bypassing Driver Signing Enforcement (DSE)?
#### ***Windows Driver Kit (WDK)***
Configure the workspace to develop those unique drivers.
* [Web Microsoft: Windows Driver Kit (WDK)](https://learn.microsoft.com/en-us/windows-hardware/drivers/other-wdk-downloads) -> This is used to develop, test, and deploy Windows Drivers.
* [Web Microsoft: Windows Driver Documentation](https://github.com/MicrosoftDocs/windows-driver-docs) -> The official Windows Driver Kit documentation sources.
* [Web Microsoft: Write a Hello World Windows Driver (KMDF)](https://learn.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/writing-a-very-small-kmdf--driver) -> This article describes how to write a small Universal Windows driver using Kernel-Mode Driver Framework (KMDF) and then deploy and install your driver on a separate computer.
* [Web Medium: Development & Demo of Windows Kernel Driver](https://apchavan.medium.com/development-demo-of-windows-kernel-driver-47fc2150e128) -> A kernel-mode driver runs in ring 0, the most privileged processor mode, so while executing it has the same level of permissions as the kernel itself.
* [Web Microsoft: DriverEntry for WDF Drivers routine](https://learn.microsoft.com/en-us/windows-hardware/drivers/wdf/driverentry-for-kmdf-drivers) -> DriverEntry is the first driver-supplied routine that is called after a driver is loaded. It is responsible for initializing the driver.
* [Web Microsoft: DriverUnload callback function](https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nc-wdm-driver_unload) -> The Unload routine performs any operations that are necessary before the system unloads the driver.
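The Microsoft pages above describe DriverEntry and the Unload routine but stop short of the lab workflow around them: registering the image as a kernel service, starting it (which is what calls DriverEntry), confirming it is mapped, and stopping it (which is what calls the Unload routine). The following PowerShell is an added example written for this list, not code from the original page or from the Microsoft documentation it links. It uses `sc.exe` and the `Win32_SystemDriver` WMI class only; the service name `mydrv` and the path `C:\dev\mydrv.sys` are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example; not code from this list or from the linked Microsoft docs.
# Placeholders: service name 'mydrv' and image path C:\dev\mydrv.sys.

function Install-LabDriver {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$BinaryPath
    )
    if (-not (Test-Path $BinaryPath)) { throw "driver image not found: $BinaryPath" }
    # sc.exe rather than New-Service: New-Service cannot create
    # SERVICE_KERNEL_DRIVER entries. The space after each 'key=' is required
    # by sc.exe's argument parser, so the tokens are passed separately.
    & sc.exe create $Name type= kernel start= demand error= normal binPath= $BinaryPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc create failed: $LASTEXITCODE" }

    # Starting the service is what loads the image and calls DriverEntry.
    & sc.exe start $Name | Out-Null
    switch ($LASTEXITCODE) {
        0    { return }
        577  { throw 'ERROR_INVALID_IMAGE_HASH (577): DSE rejected the signature; test-sign it and enable testsigning' }
        1275 { throw 'ERROR_DRIVER_BLOCKED (1275): the image is on the driver blocklist' }
        default { throw "sc start failed: $LASTEXITCODE" }
    }
}

function Test-LabDriverLoaded {
    param([Parameter(Mandatory)][string]$Name)
    # A started kernel service shows State 'Running' in Win32_SystemDriver;
    # PathName tells you which file was actually mapped.
    $d = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$Name'"
    return ($null -ne $d -and $d.State -eq 'Running')
}

function Uninstall-LabDriver {
    param([Parameter(Mandatory)][string]$Name)
    # sc stop sends SERVICE_CONTROL_STOP; the kernel honours it only if the
    # driver set DriverObject->DriverUnload, otherwise it stays resident
    # until reboot and 'sc delete' merely marks the entry for removal.
    & sc.exe stop $Name | Out-Null
    & sc.exe delete $Name | Out-Null
}

# Usage on a lab VM:
Install-LabDriver -Name 'mydrv' -BinaryPath 'C:\dev\mydrv.sys'
Test-LabDriverLoaded -Name 'mydrv'
Uninstall-LabDriver -Name 'mydrv'
```

`sc.exe` returns the Win32 error code as its exit code, which is why the two codes a driver developer hits most often are mapped explicitly: 577 is the DSE rejection, 1275 means the image matched the Microsoft vulnerable driver blocklist. A driver that has no Unload routine cannot be stopped, which is exactly why the Microsoft DriverUnload page above matters for iterative development.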
#### ***Videos***
Learn with visual examples how to develop those drivers.
* [Youtube Video: GuidedHacking - How to make a Kernel Driver](https://www.youtube.com/watch?v=9h1FsOISwX0) -> This tutorial series will teach you everything you need to make a kernel driver on Windows.
* [Youtube Video: Nir Lichtman - Making Simple Windows Driver in C](https://www.youtube.com/watch?v=GTrekHE8A00) -> In this video I will demonstrate how you can write a simple "Hello, World" driver for Microsoft Windows 10 using the C Programming Language.
* [Youtube Video: Your first kernel driver (Full Guide)](https://www.youtube.com/watch?v=n463QJ4cjsU) -> In this video we use Visual Studio to code an IOCTL driver for any version of Windows. The driver itself implements a custom way to read/write process memory. Alongside this we program a "user mode" application which can communicate with the driver to send it requests. This combination will effectively bypass most user mode anti-cheats out there.
* [Youtube Video: Programming LoL - Windows Driver Development Tutorial](https://www.youtube.com/watch?v=T5VtaP-wtkk&list=PLZ4EgN7ZCzJyUT-FmgHsW4e9BxfP-VMuo)
#### ***Source Code***
Samples of kernel mode drivers.
* [Github: Windows driver samples](https://github.com/Microsoft/Windows-driver-samples) -> This repo contains driver samples prepared for use with Microsoft Visual Studio and the Windows Driver Kit (WDK). It contains both Universal Windows Driver and desktop-only driver samples.
* [Github: Windows Kernel Programming second edition book samples](https://github.com/zodiacon/windowskernelprogrammingbook2e)
* [Github: VectorKernel](https://github.com/daem0nc0re/VectorKernel) -> PoCs for Kernelmode rootkit techniques research or education. Currently focusing on Windows OS. All modules support 64bit OS only.
* [Github: Hidden](https://github.com/JKornev/hidden) -> Hidden has been developed as a solution for reverse engineering and research tasks. It is a Windows driver with a user-mode interface that hides a specific environment on your Windows machine, such as installed RCE programs (e.g. procmon, wireshark), VM infrastructure (e.g. VMware Tools), etc.
* [Web Back Engineering: Physmeme - Windows Unsigned Kernel Driver Mapper](https://blog.back.engineering/19/04/2020/) -> Physmeme is a driver mapper that works with any form of read and write to physical memory. It is highly modular code that allows a reverse engineer to easily integrate their own vulnerable driver. If you are able to read and write to physical memory you can now map an unsigned driver into your kernel just by coding four functions.
* [Github: Anti-Delete](https://github.com/NtRaiseHardError/Anti-Delete) -> Protects deletion of files with a specified extension using a kernel-mode driver.
* [Github: DisplayMiniportHooking](https://github.com/SHA-MRIZ/DisplayMiniportHooking) -> Port and miniport drivers are a concept that Microsoft uses to simplify the development of kernel code by different vendors. The port driver (supplied by Microsoft) is responsible for performing common tasks, which helps vendors avoid writing a lot of boilerplate code. Miniport drivers, supplied by third-party vendors, are responsible for executing tasks for a specific device. The miniport registers its callback functions with the port driver, which triggers them when needed.
* [Github: KernelProcessList](https://github.com/danielkrupinski/KernelProcessList) -> Example Windows Kernel-mode Driver which enumerates running processes.
* [Github: Blackout](https://github.com/ZeroMemoryEx/Blackout) -> Kill anti-malware protected processes (BYOVD) (Microsoft Won).
* [Github: Kernel Callbacks Removal (Bypassing EDR Detections)](https://github.com/ZeroMemoryEx/Kernel-Callbacks-Removal) -> Removes the kernel notification callbacks AV/EDR products register so that their drivers stop receiving process, thread and image-load events.
* [Github: RealBlindingEDR](https://github.com/myzxcg/RealBlindingEDR) -> Remove AV/EDR Kernel ObRegisterCallbacks, CmRegisterCallback, MiniFilter Callback, PsSetCreateProcessNotifyRoutine Callback, PsSetCreateThreadNotifyRoutine Callback, PsSetLoadImageNotifyRoutine Callback...
* [Github: Offensive Windows Drivers Development](https://github.com/CyberSecurityUP/Offensive-Windows-Drivers-Development) -> Offensive-Windows-Drivers-Development is a research project designed to explore the development of Windows kernel-mode and user-mode drivers for offensive security purposes. The project focuses on techniques for low-level interaction with the Windows operating system, including file system interception, process manipulation, and advanced memory operations.
#### ***Reversing***
Explore the functional behavior of official drivers.
##### ***Basics***
* [Blog: Mimidrv In Depth: Exploring Mimikatz's Kernel Driver](https://medium.com/@matterpreter/mimidrv-in-depth-4d273d19e148) -> Mimikatz provides the opportunity to leverage kernel mode functions through the included driver, Mimidrv. Mimidrv is a signed Windows Driver Model (WDM) kernel mode software driver meant to be used with the standard Mimikatz executable by prefixing relevant commands with an exclamation point (!). Mimidrv is undocumented and relatively underutilized, but provides a very interesting look into what we can do while operating at ring 0.
* [Blog: Methodology for Static Reverse Engineering of Windows Kernel Drivers](https://medium.com/@matterpreter/methodology-for-static-reverse-engineering-of-windows-kernel-drivers-3115b2efed83) -> Attacks against Windows kernel mode software drivers, especially those published by third parties, have been popular with many threat groups for a number of years. Popular and well-documented examples of these vulnerabilities are the CAPCOM.sys arbitrary function execution, Win32k.sys local privilege escalation, and the EternalBlue pool corruption. Exploiting drivers offers interesting new perspectives not available to us in user mode, both through traditional exploit primitives and abusing legitimate driver functionalities.
* [Blog: Windows kernel driver static reverse using IDA and GHIDRA](https://v1k1ngfr.github.io/winkernel-reverse-ida-ghidra/) -> Here are some notes for Windows driver reverse engineering beginners. This topic is already covered and you can find many resources on the Internet; here we will use IDA and GHIDRA and observe the differences.
##### ***Videos***
* [Youtube Video: Nir Lichtman - Reverse Engineering Simple Windows Driver](https://www.youtube.com/watch?v=cabuolISweY) -> In this video I will demonstrate how you can reverse engineer a simple "Hello, World" driver on Windows 10.
* [Presentation: REcon 2015 - Reverse Engineering Windows AFD.sys (Steven Vittitoe)](https://recon.cx/2015/slides/recon2015-20-steven-vittitoe-Reverse-Engineering-Windows-AFD-sys.pdf)
* [Youtube Video: REcon 2015 - Reverse Engineering Windows AFD.sys (Steven Vittitoe)](https://www.youtube.com/watch?v=2sPNUpfTJ5A) -> What happens when you make a socket() call in Windows? This presentation will briefly walk through the rather well documented winsock user mode framework before diving into the turmoil of ring 0. There is no map to guide us here. Our adventure will begin where MSDN ends and our first stop along the way is with an IOCTL to AFD.sys, or the awkwardly named ancillary function driver. This driver is of particular interest because it is so widely used and yet most people that use it do not even know it exists. Nearly every Windows program managing sockets depends on this driver. Even more interesting is that the device created by AFD.sys is accessible from every sandbox Google Project Zero looked at. In fact, there isn't even support to restrict access to this device until Windows 8.1. Staying true to Windows style, AFD.sys is a complex driver with over 70 reachable IOCTLs and support for everything from SAN to TCP. It is no wonder that this driver weighs in at 500KB. This complexity combined with accessibility breeds a robust ring 0 attack surface. Current fuzzing efforts will also be shared in this presentation, and by the time we are done you should have a good idea of what happens when making a socket() call without having to spend hours in IDA to figure it out.
#### ***Fuzzing***
Identify vulnerabilities in those drivers.
##### ***Basics***
* [Web Check Point: Bugs on the Windshield - Fuzzing the Windows Kernel](https://research.checkpoint.com/2020/bugs-on-the-windshield-fuzzing-the-windows-kernel/) -> In our previous research, we used WinAFL to fuzz user-space applications running on Windows, and found over 50 vulnerabilities in Adobe Reader and Microsoft Edge. For our next challenge, we decided to go after something bigger: fuzzing the Windows kernel. As an added bonus, we can take our user-space bugs and use them together with any kernel bugs we find to create a full chain - because RCEs without a sandbox escape/privilege escalation are pretty much worthless nowadays.
* [Web CyberArk: Finding Bugs in Windows Drivers, Part 1 - WDM](https://www.cyberark.com/resources/threat-research-blog/finding-bugs-in-windows-drivers-part-1-wdm) -> Finding vulnerabilities in Windows drivers was always a highly sought-after prize by sophisticated threat actors, game cheat writers and red teamers. As you probably know, every bug in a driver is, in essence, a bug in the Windows kernel, as every driver shares the memory space of the kernel. Don't get me started about user-mode drivers, as they are not interesting. Thus, having the capability to either run code in the kernel, read and write model-specific registers, or duplicate privileged access tokens is really all you need to own the system. This two-part blog series will go through the methodology of finding vulnerabilities in WDM drivers, followed by utilizing kernel fuzzing via kAFL. We won't go through other frameworks and models since they are either too niche (looking at you, WIA mini driver) or too complicated (looking at you, NDIS). Most bugs seem to be in WDM or in KMDF (might visit KMDF in a future blogpost). In the second blog, timed for RSA Conference in San Francisco, we will talk about kernel fuzzing via kAFL and Intel PT, combining the expertise of low-level reversing and manual vulnerability research with the strong engine of kAFL, alongside grammar-based fuzzing, which results in finding multiple vulnerabilities.
##### ***Videos***
* [Youtube Video: HackInTheBox 2019 - The Art Of The Windows Kernel Fuzzing](https://www.youtube.com/watch?v=9FPuKfwucsw) -> Over the years, the Windows kernel has been enhanced through a variety of kernel security additions, making it harder for security researchers to find kernel issues, bugs, and exploits. This talk will cover the art of kernel fuzzing and a tool I developed to aid security researchers in kernel fuzzing. I will introduce a new method of fuzzing Windows kernels and demonstrate the fuzzing framework and how it works.
##### ***Tools***
* [Github: MS Fuzz - Targeting Windows Kernel Driver Fuzzer](https://github.com/0dayResearchLab/msFuzz) -> MS Fuzz is a coverage-guided fuzzer that targets Windows kernel drivers.
* [Github: kAFL - A fuzzer for full VM kernel/driver targets](https://github.com/IntelLabs/kAFL) -> kAFL/Nyx is a fast guided fuzzer for the x86 VM. It is great for anything that executes as QEMU/KVM guest, in particular x86 firmware, kernels and full-blown operating systems.
* [Web Ssdeep Project: Ssdeep - Fuzzy hashing program](https://ssdeep-project.github.io/ssdeep/index.html) -> Ssdeep is a program for computing context triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length. Note that despite the name, fuzzy hashing is a similarity-matching technique, not a fuzzer: it is useful for clustering driver samples and variants (for example, recompiled builds of a vulnerable driver), not for finding bugs in them.
#### ***Exploitation***
Take advantage of the vulnerabilities.
##### ***Basics***
* [Web Living Off The Land Drivers](https://www.loldrivers.io/) -> Living Off The Land Drivers is a curated list of Windows drivers used by adversaries to byp