Closed Wack0 closed 1 year ago
I'm going to keep it mainly because it is a very interesting sample and campaign. It raises awareness of Bootkits and we're going to add more on bootkits here soon.
That may be so, but the BlackLotus driver definitely cannot be loaded like any other driver, even if the unsigned driver can be loaded (the entry point is expected to be called by hooking some other driver, and its entry point does call the OEP of the hooked driver).
The bootkit loads the driver into memory itself; the driver is unsigned and never touches disk as plaintext. (Three of the samples listed were uploaded to VT by me after dumping and decrypting them from the BlackLotus bootloader samples.)
If you really meant to specify "Windows boot applications vulnerable to baton drop", you'll be searching for a long time, especially considering MS removed all bootmgr.efi/bootmgfw.efi/hvloader.efi binaries from the symbol server after it was found out that BlackLotus installers downloaded them.