0xbekoo

UEFI DXE bootkit targeting x64 Windows systems. Survives OS reinstalls by persisting in the EFI System Partition.

Overview

WhiteLotus is a UEFI-based bootkit that installs a malicious DXE driver into the EFI System Partition. It hooks Windows boot manager functions to inject a kernel driver before the OS loads, bypassing Secure Boot on misconfigured systems.

Components

Dropper — Windows EXE that extracts and installs the UEFI payload via a UAC bypass (ICMLuaUtil + PEB masquerade)
LoadEfi — Elevated loader that mounts the ESP and writes the DXE driver
DXE Driver — UEFI firmware driver that hooks ExitBootServices and injects shellcode into the Windows kernel

Techniques

PEB masquerade (ImagePathName + LDR enumeration) to impersonate explorer.exe
COM elevation via CLSID_CMSTPLUA elevation moniker
UEFI DXE runtime driver persistence
winload.efi hook via ExitBootServices callback

WhiteLotus

Overview

Components

Techniques

< Back to Projects