Infecting the Boot to Own the Kernel: Bootkits and Rootkits Development

Presented at DEF CON 33 (2025), Aug. 8, 2025, 4 p.m. (45 minutes).

Bootkits and Rootkits represent some of the most complex and stealthy forms of malware, capable of achieving full system control before and after the OS is loaded. While often discussed in theory, their actual construction, interaction, and execution flow remain mostly hidden from public view. This talk sheds light on how these implants are built and how their components interact across boot stages and kernel space.

We'll explore the internals of a fully functional UEFI Bootkit and Kernel-mode Rootkit, examining their modular design, runtime interactions, and the mechanisms used to hook critical parts of the Windows boot chain. Attendees will see how these implants operate across pre-boot and post-boot phases, including early internet connectivity from firmware, dynamic payload delivery, runtime service hooking, deep kernel control, and advanced capabilities like hiding files, processes, and network activity, blocking traffic, capturing keystrokes, and maintaining command and control directly from kernel space.

Everything shown on stage will be yours to explore: a complete Bootkit and Rootkit framework, fully customizable and ready to simulate real threats, test defenses, or build something even stealthier.

References:

- UEFI Specification, Version 2.11. Unified Extensible Firmware Interface Forum. [link](https://uefi.org/specs/UEFI/2.11/)
- Alex Matrosov, Eugene Rodionov, Sergey Bratus – Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats.
- Pavel Yosifovich – Windows Kernel Programming, 2nd Edition.
- Pavel Yosifovich, Andrea Allievi, Alex Ionescu, Mark E. Russinovich, David A. Solomon – Windows Internals, Part 1 & 2, 7th Edition.
- Martin Smolár and Anton Cherepanov (ESET Research team) – UEFI threats moving to the ESP: Introducing ESPecter bootkit. [link](https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/)
- Martin Smolár (ESET Research team) – BlackLotus UEFI bootkit: Myth confirmed. [link](https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/)
- Lior Rochberger and Dan Yashnik (Palo Alto Networks Unit 42) – Diving Into Glupteba's UEFI Bootkit. [link](https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/)
- Takahiro Haruyama, Fabio Pagani, Yegor Vasilenko, Anton Ivanov, and Sam Thomas (Binarly Research team) – UEFI Bootkit Hunting: In-Depth Search for Unique Code Behavior. [link](https://www.binarly.io/blog/uefi-bootkit-hunting-in-depth-search-for-unique-code-behavior)
- Alejandro Vazquez Vazquez – Awesome Bootkits & Rootkits Development (curated learning repository). [link](https://github.com/TheMalwareGuardian/Awesome-Bootkits-Rootkits-Development)

Presenters:

  • Alejandro "TheMalwareGuardian" Vazquez
    Alejandro Vázquez Vázquez is a security researcher and Red Team Operator with deep expertise in Windows Internals, malware development, and advanced threat emulation. He is one of the few professionals who has publicly presented live bootkit and rootkit development, including real-world demos and open-source examples such as Abyss and Benthic. He has been behind some of the most hands-on offensive projects out there: crafting custom malware for Red Team ops, deploying stealthy UEFI implants for long-term persistence, developing real OT honeypots to lure attackers targeting critical infrastructure, building AI-powered frameworks that automate and scale pentest workflows, and designing platforms to hunt and profile ransomware groups. By day, he conducts offensive security operations while also serving as an instructor in several master's degree programs, teaching malware analysis, exploit development, bootkits, and rootkits to the next generation of cybersecurity professionals. By night, he writes implants that play nice with modern security mechanisms. From pre-boot to the kernel, if it runs low enough, he wants to control it. And if it's undocumented, even better. He doesn't just give talks. He builds the tools, shares the code, and gives you the full presentation, so you can run it yourself and teach others.
  • Maria "drkrysSrng" San Jose
    Maria is a cybersecurity specialist working for the Guardia Civil, Spain's national military police force. She has served in some of the most specialized cyber units within the organization, including the Cyberterrorism Group and, currently, the Cybercrime Department of the Central Operative Unit (UCO), where she focuses on cybercrime investigations and threat intelligence. Before joining the Guardia Civil, Maria built a strong foundation as a software engineer, contributing to flight simulation systems for major air navigation entities such as ENAIRE (AENA) and ROMATSA (Romania). Outside her official duties, she is passionate about malware analysis and reverse engineering, dedicating personal time to studying advanced threats and attack techniques. Her combined experience in software development and threat investigation gives her a unique, well-rounded perspective on both offensive and defensive security.
