
analyzing-bootkit-and-rootkit-samples

Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR), Volume Boot Record (VBR), or UEFI firmware to gain persistence below the operating system. Covers boot sector analysis, UEFI module inspection, and anti-rootkit detection techniques. Activates for requests involving bootkit analysis, MBR malware investigation, UEFI persistence analysis, or pre-OS malware detection.
26zl/cybersec-toolkit · ★ 11 · AI & Automation · score 85
Install: claude install-skill 26zl/cybersec-toolkit
# Analyzing Bootkit and Rootkit Samples

## When to Use

- A system shows signs of compromise that persist through OS reinstallation
- Antivirus and EDR are unable to detect malware despite clear evidence of compromise
- UEFI Secure Boot has been disabled or shows integrity violations
- Memory forensics reveals rootkit behavior (hidden processes, hooked system calls)
- Investigating nation-state level threats known to deploy bootkits (APT28, APT41, Equation Group)

**Do not use** for standard user-mode malware; bootkits and rootkits operate at a fundamentally different level requiring specialized analysis techniques.

## Prerequisites

- Disk imaging tools (dd, FTK Imager) for acquiring MBR/VBR sectors
- UEFITool for UEFI firmware volume analysis and module extraction
- chipsec for hardware-level firmware security assessment
- Ghidra with x86 real-mode and 16-bit support for MBR code analysis
- Volatility 3 for kernel-level rootkit artifact detection
- Bootable Linux live USB for offline system analysis

## Workflow

### Step 1: Acquire Boot Sectors and Firmware

Extract MBR, VBR, and UEFI firmware for offline analysis:

```bash
# Acquire MBR (first 512 bytes of disk)
dd if=/dev/sda of=mbr.bin bs=512 count=1

# Acquire first track (usually contains bootkit code beyond MBR)
dd if=/dev/sda of=first_track.bin bs=512 count=63

# Acquire VBR (Volume Boot Record - first sector of partition)
dd if=/dev/sda1 of=vbr.bin bs=512 count=1

# Acquire UEFI System Partition
mkdir /mnt/efi
mo