- Overview
- Part 1 - UEFI Bootkits and Kernel-Mode Rootkits Development
- Part 2 - Emulating APTs: Building and Deploying Bootkits & Rootkits

## Overview

This repository contains the complete material from the two-part masterclass series on Offensive Development of Bootkits & Rootkits, covering low-level Windows and UEFI internals, persistence mechanisms, covert execution, and advanced red-team tradecraft. Each session includes the full recording, slides, and references used during the presentations.
## Part 1 - UEFI Bootkits and Kernel-Mode Rootkits Development

### Description

Bootkits and rootkits represent some of the most complex and stealthy forms of malware, capable of achieving full system control both before and after the OS is loaded. While often discussed in theory, their actual construction, interaction, and execution flow remain mostly hidden from public view. This session sheds light on how these implants are built and how their components interact across boot stages and kernel space.

We explore the internals of a fully functional UEFI bootkit and kernel-mode rootkit, examining their modular design, runtime interactions, and the mechanisms used to hook critical parts of the Windows boot chain. Viewers will see how these implants operate across the pre-boot and post-boot phases, including early internet connectivity from firmware, dynamic payload delivery, runtime service hooking, deep kernel control, and advanced capabilities such as hiding files, processes, and network activity, blocking traffic, capturing keystrokes, and maintaining command and control directly from kernel space.

Everything shown on the stream is yours to explore: a complete bootkit and rootkit framework, fully customizable and ready to simulate real threats, test defenses, or build something even stealthier.
### YouTube Video

https://www.youtube.com/watch?v=oa2i7JsGOHo
## Part 2 - Emulating APTs: Building and Deploying Bootkits & Rootkits

### Description

When we talk about truly advanced malware, the kind that only state-level or highly resourced APTs are capable of developing and deploying end-to-end, we are referring to what are known as bootkits and rootkits.

In the first session on the Off-By-One Security YouTube channel, we introduced how to start developing these implants, mapped them to their programmable components, and shared malware examples, proofs of concept, and various resources for developing your own.

In this follow-up, we go deeper into the source code (including the kinds of changes required to adapt implants across multiple OS versions) and into the deployment process. Live demonstrations run in isolated virtual machines with Next-Generation Antivirus and EDR solutions installed, showing how these solutions often fail to detect this kind of activity: it originates as deep as the boot process, where exhaustive monitoring is not possible.
### YouTube Video

Under construction.