Practical Firmware Implants and Bootkits


Mickey Shkatov and Jesse Michael


In recent years as firmware based attacks are becoming more and more frequent, there is a growing need for understanding the motivation, capabilities and complexities of such attacks. How do they work? How hard is it to create an implant? What are the attacker's considerations and thoughts when creating firmware implants?

“Practical Firmware Implants and Bootkits” is a crash course in UEFI development for security practitioners in which we will spend most of our time working hands-on understanding how system firmware works, basic development and coding, firmware implantation strategies, attack and defense tactics and more.

Hands on labs will help you learn about and better understand:

  • Hardware and UEFI boot process
  • The UEFI EDK build environment
  • How to build your own UEFI BIOS and test it
  • EFI Shell application development
  • DXE Driver development
  • Debugging and troubleshooting your code
  • Understand UEFI Implant benefits and caveats
  • Build and Deploy your own UEFI implant
  • Understand UEFI Option ROM Implant benefits and caveats
  • Build and Deploy your own UEFI Option ROM implant
  • Understand SMM capabilities and SMI vulnerabilities
  • Create and Deploy your own Bootkit
  • Understand and use Intel hardware Debug

Who should take this course

This course is designed for those who have a basic understanding of C/C++ and who would like to start exploring the world of UEFI and BIOS security.

When you finish this class you will

  • Have a solid foundation to build on when it comes to UEFI and BIOS.
  • Know and understand how to build a firmware implant and the challenges involved.
  • Know and understand how to build a Bootloader Rootkits and the challenges involved.
  • Have a foundation of how to search and detect firmware implants.

Course Outline

Part 1

  • Background and overview of UEFI and Boot process
  • Hands-On: Development and debug environment
  • Driver and Application development
  • Hands-On: Hello world exercise

Part 2

  • Firmware image structure and tools
  • Hands-On: Integrating your driver into the firmware image
  • Firmware implant and payloads, background and techniques
  • Hands-On: building custom implant and payload of your choice

Part 3

  • Option ROMs
  • Hands-On: OPROM Implant
  • SMM and SMI
  • Hands-On: SMM implant and SMI exploitation

Part 4

  • Secure boot bypasses and bootloader rootkits
  • Hands-On: building a custom WPBT payload for Windows
  • How To: Intel Hardware debugging
  • Lessons Learned: physical access attacks
  • Overview and summary

Student Prerequisites

  • Basic programming experience
  • (Plus) Experience using VMWare

System Prerequisites

  • A modern computer capable of running x86-64 virtual machines.
  • Minimum 16GB of RAM
  • 80GB of free storage space
  • VMware Workstation Player 16 (Free) or Pro (Requires license)