Back to Details

analyzing-bootkit-and-rootkit-samples

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Analyzing Bootkit and Rootkit Samples

Bootkit与Rootkit样本分析

When to Use

适用场景

  • A system shows signs of compromise that persist through OS reinstallation
  • Antivirus and EDR are unable to detect malware despite clear evidence of compromise
  • UEFI Secure Boot has been disabled or shows integrity violations
  • Memory forensics reveals rootkit behavior (hidden processes, hooked system calls)
  • Investigating nation-state level threats known to deploy bootkits (APT28, APT41, Equation Group)
Do not use for standard user-mode malware; bootkits and rootkits operate at a fundamentally different level requiring specialized analysis techniques.
  • 系统在重装操作系统后仍存在被入侵的迹象
  • 存在明确的入侵证据,但杀毒软件和EDR无法检测到恶意软件
  • UEFI安全启动已被禁用或显示完整性违规
  • 内存取证发现Rootkit行为(隐藏进程、挂钩系统调用)
  • 调查已知会部署Bootkit的国家级威胁(APT28、APT41、方程式组织)
请勿用于标准用户态恶意软件分析;Bootkit和Rootkit运行在完全不同的层级,需要专门的分析技术。

Prerequisites

前置条件

  • Disk imaging tools (dd, FTK Imager) for acquiring MBR/VBR sectors
  • UEFITool for UEFI firmware volume analysis and module extraction
  • chipsec for hardware-level firmware security assessment
  • Ghidra with x86 real-mode and 16-bit support for MBR code analysis
  • Volatility 3 for kernel-level rootkit artifact detection
  • Bootable Linux live USB for offline system analysis
  • 磁盘镜像工具(dd、FTK Imager),用于获取MBR/VBR扇区
  • UEFITool,用于UEFI固件卷分析和模块提取
  • chipsec,用于硬件级固件安全评估
  • 支持x86实模式和16位的Ghidra,用于MBR代码分析
  • Volatility 3,用于内核级Rootkit痕迹检测
  • 可引导Linux live USB,用于离线系统分析

Workflow

分析流程

Step 1: Acquire Boot Sectors and Firmware

步骤1:获取引导扇区与固件

Extract MBR, VBR, and UEFI firmware for offline analysis:
bash
undefined
提取MBR、VBR和UEFI固件进行离线分析:
bash
undefined

Acquire MBR (first 512 bytes of disk)

Acquire MBR (first 512 bytes of disk)

dd if=/dev/sda of=mbr.bin bs=512 count=1
dd if=/dev/sda of=mbr.bin bs=512 count=1

Acquire first track (usually contains bootkit code beyond MBR)

Acquire first track (usually contains bootkit code beyond MBR)

dd if=/dev/sda of=first_track.bin bs=512 count=63
dd if=/dev/sda of=first_track.bin bs=512 count=63

Acquire VBR (Volume Boot Record - first sector of partition)

Acquire VBR (Volume Boot Record - first sector of partition)

dd if=/dev/sda1 of=vbr.bin bs=512 count=1
dd if=/dev/sda1 of=vbr.bin bs=512 count=1

Acquire UEFI System Partition

Acquire UEFI System Partition

mkdir /mnt/efi mount /dev/sda1 /mnt/efi cp -r /mnt/efi/EFI /analysis/efi_backup/
mkdir /mnt/efi mount /dev/sda1 /mnt/efi cp -r /mnt/efi/EFI /analysis/efi_backup/

Dump UEFI firmware (requires chipsec or flashrom)

Dump UEFI firmware (requires chipsec or flashrom)

Using chipsec:

Using chipsec:

python chipsec_util.py spi dump firmware.rom
python chipsec_util.py spi dump firmware.rom

Using flashrom:

Using flashrom:

flashrom -p internal -r firmware.rom
flashrom -p internal -r firmware.rom

Verify firmware dump integrity

Verify firmware dump integrity

sha256sum firmware.rom
undefined
sha256sum firmware.rom
undefined

Step 2: Analyze MBR/VBR for Bootkit Code

步骤2:分析MBR/VBR中的Bootkit代码

Examine boot sector code for malicious modifications:
bash
undefined
检查引导扇区代码是否存在恶意修改:
bash
undefined

Disassemble MBR code (16-bit real mode)

Disassemble MBR code (16-bit real mode)

ndisasm -b16 mbr.bin > mbr_disasm.txt
ndisasm -b16 mbr.bin > mbr_disasm.txt

Compare MBR with known-good Windows MBR

Compare MBR with known-good Windows MBR

Standard Windows MBR begins with: EB 5A 90 (JMP 0x5C, NOP)

Standard Windows MBR begins with: EB 5A 90 (JMP 0x5C, NOP)

Standard Windows 10 MBR: 33 C0 8E D0 BC 00 7C (XOR AX,AX; MOV SS,AX; MOV SP,7C00h)

Standard Windows 10 MBR: 33 C0 8E D0 BC 00 7C (XOR AX,AX; MOV SS,AX; MOV SP,7C00h)

python3 << 'PYEOF' with open("mbr.bin", "rb") as f: mbr = f.read()
python3 << 'PYEOF' with open("mbr.bin", "rb") as f: mbr = f.read()

Check MBR signature (bytes 510-511 should be 0x55AA)

Check MBR signature (bytes 510-511 should be 0x55AA)

if mbr[510:512] == b'\x55\xAA': print("[*] Valid MBR signature (0x55AA)") else: print("[!] Invalid MBR signature")
if mbr[510:512] == b'\x55\xAA': print("[*] Valid MBR signature (0x55AA)") else: print("[!] Invalid MBR signature")

Check for known bootkit signatures

Check for known bootkit signatures

bootkit_sigs = { b'\xE8\x00\x00\x5E\x81\xEE': "TDL4/Alureon bootkit", b'\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\x8B\xF4\x50\x07': "Standard Windows MBR (clean)", b'\xEB\x5A\x90\x4E\x54\x46\x53': "Standard NTFS VBR (clean)", }
for sig, name in bootkit_sigs.items(): if sig in mbr: print(f"[{'!' if 'clean' not in name else '*'}] Signature match: {name}")
bootkit_sigs = { b'\xE8\x00\x00\x5E\x81\xEE': "TDL4/Alureon bootkit", b'\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\x8B\xF4\x50\x07': "Standard Windows MBR (clean)", b'\xEB\x5A\x90\x4E\x54\x46\x53': "Standard NTFS VBR (clean)", }
for sig, name in bootkit_sigs.items(): if sig in mbr: print(f"[{'!' if 'clean' not in name else '*'}] Signature match: {name}")

Check partition table entries

Check partition table entries

print("\nPartition Table:") for i in range(4): offset = 446 + (i * 16) entry = mbr[offset:offset+16] if entry != b'\x00' * 16: boot_flag = "Active" if entry[0] == 0x80 else "Inactive" part_type = entry[4] start_lba = int.from_bytes(entry[8:12], 'little') size_lba = int.from_bytes(entry[12:16], 'little') print(f" Partition {i+1}: Type=0x{part_type:02X} {boot_flag} Start=LBA {start_lba} Size={size_lba} sectors") PYEOF
undefined
print("\nPartition Table:") for i in range(4): offset = 446 + (i * 16) entry = mbr[offset:offset+16] if entry != b'\x00' * 16: boot_flag = "Active" if entry[0] == 0x80 else "Inactive" part_type = entry[4] start_lba = int.from_bytes(entry[8:12], 'little') size_lba = int.from_bytes(entry[12:16], 'little') print(f" Partition {i+1}: Type=0x{part_type:02X} {boot_flag} Start=LBA {start_lba} Size={size_lba} sectors") PYEOF
undefined

Step 3: Analyze UEFI Firmware for Implants

步骤3:分析UEFI固件中的植入物

Inspect UEFI firmware volumes for unauthorized modules:
bash
undefined
检查UEFI固件卷是否存在未授权模块:
bash
undefined

Extract UEFI firmware components with UEFITool

Extract UEFI firmware components with UEFITool

GUI: Open firmware.rom -> Inspect firmware volumes

GUI: Open firmware.rom -> Inspect firmware volumes

CLI:

CLI:

UEFIExtract firmware.rom all
UEFIExtract firmware.rom all

List all DXE drivers (most common target for UEFI implants)

List all DXE drivers (most common target for UEFI implants)

find firmware.rom.dump -name "*.efi" -exec file {} ;
find firmware.rom.dump -name "*.efi" -exec file {} ;

Compare against known-good firmware module list

Compare against known-good firmware module list

Each UEFI module has a GUID - compare against vendor baseline

Each UEFI module has a GUID - compare against vendor baseline

Verify Secure Boot configuration

Verify Secure Boot configuration

python chipsec_main.py -m common.secureboot.variables
python chipsec_main.py -m common.secureboot.variables

Check SPI flash write protection

Check SPI flash write protection

python chipsec_main.py -m common.bios_wp
python chipsec_main.py -m common.bios_wp

Check for known UEFI malware patterns

Check for known UEFI malware patterns

yara -r uefi_malware.yar firmware.rom
undefined
Known UEFI Bootkit Detection Points: ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ LoJax (APT28):
  • Modified SPI flash
  • Added DXE driver that drops agent to Windows
  • Persists through OS reinstall and disk replacement
BlackLotus:
  • Exploits CVE-2022-21894 to bypass Secure Boot
  • Modifies EFI System Partition bootloader
  • Installs kernel driver during boot
CosmicStrand:
  • Modifies CORE_DXE firmware module
  • Hooks kernel initialization during boot
  • Drops shellcode into Windows kernel memory
MoonBounce:
  • SPI flash implant in CORE_DXE module
  • Modified GetVariable() function
  • Deploys user-mode implant through boot chain
ESPecter:
  • Modifies Windows Boot Manager on ESP
  • Patches winload.efi to disable DSE
  • Loads unsigned kernel driver
undefined
yara -r uefi_malware.yar firmware.rom
undefined
已知UEFI Bootkit检测要点: ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ LoJax (APT28):
  • 修改SPI闪存
  • 添加DXE驱动,向Windows释放代理程序
  • 在重装系统和更换磁盘后仍能保持持久化
BlackLotus:
  • 利用CVE-2022-21894绕过安全启动
  • 修改EFI系统分区中的引导加载程序
  • 在启动过程中安装内核驱动
CosmicStrand:
  • 修改CORE_DXE固件模块
  • 在启动过程中挂钩内核初始化流程
  • 将shellcode注入Windows内核内存
MoonBounce:
  • 在CORE_DXE模块中植入SPI闪存恶意代码
  • 修改GetVariable()函数
  • 通过引导链部署用户态植入物
ESPecter:
  • 修改ESP上的Windows Boot Manager
  • 修补winload.efi以禁用DSE
  • 加载未签名的内核驱动
undefined

Step 4: Detect Kernel-Level Rootkit Behavior

步骤4:检测内核级Rootkit行为

Analyze the running system for rootkit artifacts:
bash
undefined
分析运行中的系统,寻找Rootkit痕迹:
bash
undefined

Memory forensics for rootkit detection

Memory forensics for rootkit detection

SSDT hook detection

SSDT hook detection

vol3 -f memory.dmp windows.ssdt | grep -v "ntoskrnl|win32k"
vol3 -f memory.dmp windows.ssdt | grep -v "ntoskrnl|win32k"

Hidden processes (DKOM)

Hidden processes (DKOM)

vol3 -f memory.dmp windows.psscan > psscan.txt vol3 -f memory.dmp windows.pslist > pslist.txt
vol3 -f memory.dmp windows.psscan > psscan.txt vol3 -f memory.dmp windows.pslist > pslist.txt

Diff to find hidden processes

Diff to find hidden processes

Kernel callback registration (rootkits register callbacks for filtering)

Kernel callback registration (rootkits register callbacks for filtering)

vol3 -f memory.dmp windows.callbacks
vol3 -f memory.dmp windows.callbacks

Driver analysis

Driver analysis

vol3 -f memory.dmp windows.driverscan vol3 -f memory.dmp windows.modules
vol3 -f memory.dmp windows.driverscan vol3 -f memory.dmp windows.modules

Check for unsigned drivers

Check for unsigned drivers

vol3 -f memory.dmp windows.driverscan | while read line; do driver_path=$(echo "$line" | awk '{print $NF}') if [ -f "$driver_path" ]; then sigcheck -nobanner "$driver_path" 2>/dev/null | grep "Unsigned" fi done
vol3 -f memory.dmp windows.driverscan | while read line; do driver_path=$(echo "$line" | awk '{print $NF}') if [ -f "$driver_path" ]; then sigcheck -nobanner "$driver_path" 2>/dev/null | grep "Unsigned" fi done

IDT hook detection

IDT hook detection

vol3 -f memory.dmp windows.idt
undefined
vol3 -f memory.dmp windows.idt
undefined

Step 5: Boot Process Integrity Verification

步骤5:验证引导流程完整性

Verify the integrity of the entire boot chain:
bash
undefined
验证整个引导链的完整性:
bash
undefined

Verify Windows Boot Manager signature

Verify Windows Boot Manager signature

sigcheck -a C:\Windows\Boot\EFI\bootmgfw.efi
sigcheck -a C:\Windows\Boot\EFI\bootmgfw.efi

Verify winload.efi

Verify winload.efi

sigcheck -a C:\Windows\System32\winload.efi
sigcheck -a C:\Windows\System32\winload.efi

Verify ntoskrnl.exe

Verify ntoskrnl.exe

sigcheck -a C:\Windows\System32\ntoskrnl.exe
sigcheck -a C:\Windows\System32\ntoskrnl.exe

Check Measured Boot logs (if TPM is available)

Check Measured Boot logs (if TPM is available)

Windows: BCDEdit /enum firmware

Windows: BCDEdit /enum firmware

bcdedit /enum firmware
bcdedit /enum firmware

Verify Secure Boot state

Verify Secure Boot state

Confirm-SecureBootUEFI # PowerShell cmdlet
Confirm-SecureBootUEFI # PowerShell cmdlet

Check boot configuration for tampering

Check boot configuration for tampering

bcdedit /v
bcdedit /v

Look for boot configuration changes

Look for boot configuration changes

testsigning: should be No

testsigning: should be No

nointegritychecks: should be No

nointegritychecks: should be No

debug: should be No

debug: should be No

bcdedit | findstr /i "testsigning nointegritychecks debug"
undefined
bcdedit | findstr /i "testsigning nointegritychecks debug"
undefined

Step 6: Document Bootkit/Rootkit Analysis

步骤6:记录Bootkit/Rootkit分析结果

Compile comprehensive analysis findings:
Analysis should document:
- Boot sector (MBR/VBR) integrity status with hex comparison
- UEFI firmware module inventory and integrity verification
- Secure Boot status and any bypass mechanisms detected
- Kernel-level hooks (SSDT, IDT, IRP, inline) identified
- Hidden processes, drivers, and files discovered
- Persistence mechanism (SPI flash, ESP, MBR, kernel driver)
- Boot chain integrity verification results
- Attribution to known bootkit families if possible
- Remediation steps (reflash firmware, rebuild MBR, replace hardware)
整理全面的分析结论:
分析文档应包含:
- 引导扇区(MBR/VBR)完整性状态及十六进制对比
- UEFI固件模块清单与完整性验证结果
- 安全启动状态及检测到的绕过机制
- 已识别的内核级挂钩(SSDT、IDT、IRP、内联挂钩)
- 发现的隐藏进程、驱动和文件
- 持久化机制(SPI闪存、ESP、MBR、内核驱动)
- 引导链完整性验证结果
- 若可能,归属到已知Bootkit家族
-  remediation步骤(重刷固件、重建MBR、更换硬件)

Key Concepts

核心概念

TermDefinition
BootkitMalware that infects the boot process (MBR, VBR, UEFI) to execute before the operating system loads, gaining persistent low-level control
MBR (Master Boot Record)First 512 bytes of a disk containing bootstrap code and partition table; MBR bootkits replace this code with malicious loaders
UEFI (Unified Extensible Firmware Interface)Modern firmware interface replacing BIOS; UEFI bootkits implant malicious modules in firmware volumes or modify the ESP
Secure BootUEFI security feature verifying digital signatures of boot components; bootkits like BlackLotus exploit vulnerabilities to bypass it
SPI FlashFlash memory chip storing UEFI firmware; advanced bootkits like LoJax and MoonBounce modify SPI flash for firmware-level persistence
DKOM (Direct Kernel Object Manipulation)Rootkit technique modifying kernel structures to hide processes, files, and network connections without hooking functions
Driver Signature Enforcement (DSE)Windows security feature requiring kernel drivers to be digitally signed; bootkits disable DSE during boot to load unsigned rootkit drivers
术语定义
Bootkit感染引导过程(MBR、VBR、UEFI)以在操作系统加载前执行的恶意软件,可获取底层持久化控制权
MBR (Master Boot Record)磁盘的前512字节,包含引导代码和分区表;MBR Bootkit会将此代码替换为恶意加载器
UEFI (Unified Extensible Firmware Interface)替代BIOS的现代固件接口;UEFI Bootkit会在固件卷中植入恶意模块或修改ESP
Secure BootUEFI安全功能,用于验证引导组件的数字签名;BlackLotus等Bootkit会利用漏洞绕过该功能
SPI Flash存储UEFI固件的闪存芯片;LoJax和MoonBounce等高级Bootkit会修改SPI闪存以实现固件级持久化
DKOM (Direct Kernel Object Manipulation)Rootkit技术,通过修改内核结构隐藏进程、文件和网络连接,无需挂钩函数
Driver Signature Enforcement (DSE)Windows安全功能,要求内核驱动必须经过数字签名;Bootkit会在启动过程中禁用DSE以加载未签名的Rootkit驱动

Tools & Systems

工具与系统

  • UEFITool: Open-source UEFI firmware image editor and parser for inspecting firmware volumes, drivers, and modules
  • chipsec: Intel hardware security assessment framework for verifying SPI flash protection, Secure Boot, and UEFI configuration
  • Volatility: Memory forensics framework with SSDT, IDT, callback, and driver analysis plugins for kernel rootkit detection
  • GMER: Windows rootkit detection tool scanning for SSDT hooks, IDT hooks, hidden processes, and modified kernel modules
  • Bootkits Analyzer: Specialized tool for analyzing MBR/VBR code including disassembly and comparison against known-good baselines
  • UEFITool: 开源UEFI固件镜像编辑器和解析器,用于检查固件卷、驱动和模块
  • chipsec: Intel硬件安全评估框架,用于验证SPI闪存保护、安全启动和UEFI配置
  • Volatility: 内存取证框架,包含SSDT、IDT、回调和驱动分析插件,用于检测内核Rootkit
  • GMER: Windows Rootkit检测工具,可扫描SSDT挂钩、IDT挂钩、隐藏进程和修改后的内核模块
  • Bootkits Analyzer: 专门用于分析MBR/VBR代码的工具,包含反汇编和与已知正常基线对比功能

Common Scenarios

常见场景

Scenario: Investigating Persistent Compromise Surviving OS Reinstallation

场景:调查重装系统后仍存在的持久化入侵

Context: An organization reimaged a compromised workstation, but the same C2 beaconing resumed within hours. Standard disk forensics finds no malware. UEFI bootkit is suspected.
Approach:
  1. Boot from a Linux live USB to avoid executing any compromised OS components
  2. Dump the SPI flash firmware using chipsec or flashrom for offline analysis
  3. Dump the MBR and VBR sectors with dd for boot sector analysis
  4. Copy the EFI System Partition for bootloader integrity verification
  5. Open the SPI dump in UEFITool and compare module GUIDs against vendor-provided firmware
  6. Look for additional or modified DXE drivers that should not be present
  7. Analyze any suspicious modules with Ghidra (x86_64 UEFI module format)
  8. Verify Secure Boot configuration and check for exploit-based bypasses
Pitfalls:
  • Analyzing the system while the compromised OS is running (rootkit may hide from live analysis)
  • Not checking SPI flash (only analyzing disk-based boot components misses firmware-level implants)
  • Assuming Secure Boot prevents all bootkits (known bypasses exist, e.g., CVE-2022-21894)
  • Not preserving the original firmware dump before reflashing (critical evidence for attribution)
背景: 某组织对受入侵的工作站进行了镜像重装,但数小时内恢复了相同的C2 beacon通信。标准磁盘取证未发现恶意软件,怀疑存在UEFI Bootkit。
分析方法:
  1. 从Linux live USB启动,避免执行任何受入侵的OS组件
  2. 使用chipsec或flashrom导出SPI闪存固件进行离线分析
  3. 使用dd导出MBR和VBR扇区进行引导扇区分析
  4. 复制EFI系统分区以验证引导加载程序完整性
  5. 在UEFITool中打开SPI镜像,将模块GUID与厂商提供的固件进行对比
  6. 查找不应存在的额外或修改后的DXE驱动
  7. 使用Ghidra分析可疑模块(x86_64 UEFI模块格式)
  8. 验证安全启动配置,检查是否存在基于漏洞的绕过方式
注意事项:
  • 在受入侵的OS运行时进行分析(Rootkit可能会躲避实时分析)
  • 未检查SPI闪存(仅分析基于磁盘的引导组件会遗漏固件级植入物)
  • 假设安全启动可阻止所有Bootkit(已知存在绕过方式,如CVE-2022-21894)
  • 在重刷固件前未保留原始固件镜像(这是归属分析的关键证据)

Output Format

输出格式

BOOTKIT / ROOTKIT ANALYSIS REPORT
====================================
System:           Dell OptiPlex 7090 (UEFI, TPM 2.0)
Firmware Version: 1.15.0 (Dell)
Secure Boot:      ENABLED (but bypassed)
Capture Method:   Linux Live USB + chipsec SPI dump

MBR/VBR ANALYSIS
MBR Signature:    Valid (0x55AA)
MBR Code:         MATCHES standard Windows 10 MBR (clean)
VBR Code:         MATCHES standard NTFS VBR (clean)

UEFI FIRMWARE ANALYSIS
Total Modules:    287
Vendor Expected:  285
Extra Modules:    2 UNAUTHORIZED
  [!] DXE Driver GUID: {ABCD1234-...} "SmmAccessDxe_mod" (MODIFIED)
      Original Size: 12,288 bytes
      Current Size:  45,056 bytes (32KB ADDED)
      Entropy: 7.82 (HIGH - encrypted payload)

  [!] DXE Driver GUID: {EFGH5678-...} "UefiPayloadDxe" (NEW - not in vendor firmware)
      Size: 28,672 bytes
      Function: Drops persistence agent during boot

BOOT CHAIN INTEGRITY
bootmgfw.efi:     MODIFIED (hash mismatch, Secure Boot bypass via CVE-2022-21894)
winload.efi:      MODIFIED (DSE disabled at load time)
ntoskrnl.exe:     CLEAN (but unsigned driver loaded after boot)

KERNEL ROOTKIT COMPONENTS
Driver:           C:\Windows\System32\drivers\null_mod.sys (unsigned, hidden)
SSDT Hooks:       3 (NtQuerySystemInformation, NtQueryDirectoryFile, NtDeviceIoControlFile)
Hidden Processes: 2 (PID 6784: beacon.exe, PID 6812: keylog.exe)
Hidden Files:     C:\Windows\System32\drivers\null_mod.sys

ATTRIBUTION
Family:           BlackLotus variant
Confidence:       HIGH (CVE-2022-21894 exploit, ESP modification pattern matches)

REMEDIATION
1. Reflash SPI firmware with clean vendor image via hardware programmer
2. Rebuild EFI System Partition from clean Windows installation media
3. Reinstall OS from verified media
4. Enable all firmware write protections
5. Update firmware to latest version (patches CVE-2022-21894)
BOOTKIT / ROOTKIT 分析报告
====================================
系统:           Dell OptiPlex 7090 (UEFI, TPM 2.0)
固件版本:       1.15.0 (Dell)
安全启动:       已启用(但被绕过)
采集方式:       Linux Live USB + chipsec SPI镜像导出

MBR/VBR分析
MBR签名:        有效(0x55AA)
MBR代码:        匹配标准Windows 10 MBR(正常)
VBR代码:        匹配标准NTFS VBR(正常)

UEFI固件分析
总模块数:       287
厂商预期数量:   285
额外模块:       2个未授权模块
  [!] DXE驱动GUID: {ABCD1234-...} "SmmAccessDxe_mod"(已修改)
      原始大小: 12,288字节
      当前大小:  45,056字节(增加了32KB)
      熵值: 7.82(高 - 包含加密载荷)

  [!] DXE驱动GUID: {EFGH5678-...} "UefiPayloadDxe"(新增 - 厂商固件中不存在)
      大小: 28,672字节
      功能: 在启动过程中释放持久化代理

引导链完整性
bootmgfw.efi:   已修改(哈希不匹配,通过CVE-2022-21894绕过安全启动)
winload.efi:    已修改(加载时禁用DSE)
ntoskrnl.exe:   正常(但启动后加载了未签名驱动)

内核Rootkit组件
驱动:           C:\Windows\System32\drivers\null_mod.sys(未签名、隐藏)
SSDT挂钩:       3个(NtQuerySystemInformation、NtQueryDirectoryFile、NtDeviceIoControlFile)
隐藏进程:       2个(PID 6784: beacon.exe、PID 6812: keylog.exe)
隐藏文件:       C:\Windows\System32\drivers\null_mod.sys

归属分析
家族:           BlackLotus变种
置信度:         高(使用CVE-2022-21894漏洞、ESP修改模式匹配)

 remediation措施
1. 通过硬件编程器重刷SPI固件为干净的厂商镜像
2. 从干净的Windows安装介质重建EFI系统分区
3. 从经过验证的介质重装操作系统
4. 启用所有固件写保护
5. 将固件更新至最新版本(修复CVE-2022-21894漏洞)