analyzing-bootkit-and-rootkit-samples

Featured | Category: AI & Automation | 12,642 stars | 1468 forks | Updated today | License: Apache-2.0


Quality Score: 99/100

Component (weight): score
- Stars (20%): 100
- Recency (20%): 100
- Frontmatter (20%): 70
- Documentation (15%): 100
- Issue Health (10%): 50
- License (10%): 100
- Description (5%): 100

Skill Content

# Analyzing Bootkit and Rootkit Samples

## When to Use

- A system shows signs of compromise that persist through OS reinstallation
- Antivirus and EDR are unable to detect malware despite clear evidence of compromise
- UEFI Secure Boot has been disabled or shows integrity violations
- Memory forensics reveals rootkit behavior (hidden processes, hooked system calls)
- Investigating nation-state level threats known to deploy bootkits (APT28, APT41, Equation Group)

**Do not use** for standard user-mode malware; bootkits and rootkits operate at a fundamentally different level requiring specialized analysis techniques.

## Prerequisites

- Disk imaging tools (dd, FTK Imager) for acquiring MBR/VBR sectors
- UEFITool for UEFI firmware volume analysis and module extraction
- chipsec for hardware-level firmware security assessment
- Ghidra with x86 real-mode and 16-bit support for MBR code analysis
- Volatility 3 for kernel-level rootkit artifact detection
- Bootable Linux live USB for offline system analysis

## Workflow

### Step 1: Acquire Boot Sectors and Firmware

Extract MBR, VBR, and UEFI firmware for offline analysis:

```bash
# Acquire MBR (first 512 bytes of disk)
dd if=/dev/sda of=mbr.bin bs=512 count=1

# Acquire first track (usually contains bootkit code beyond MBR)
dd if=/dev/sda of=first_track.bin bs=512 count=63

# Acquire VBR (Volume Boot Record - first sector of partition)
dd if=/dev/sda1 of=vbr.bin bs=512 count=1

# Acquire UEFI System Partition
mkdir /mnt/efi
mo...
```
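Once `mbr.bin` has been acquired, the first triage step is to parse it rather than eyeball the hex. The following is an added example (not code from the skill repository) that reads a 512-byte MBR, extracts the partition table, flags a missing boot signature or a wrong number of active partitions, and hashes the bootstrap code area so it can be compared against a known-good MBR; a sample sector is constructed inline so it runs without a disk image.

```python
import hashlib
import struct

BOOT_SIGNATURE = b"\x55\xAA"
CODE_AREA_LEN = 440   # bootstrap code; bytes 440-445 hold the disk signature and reserved word
PART_TABLE_OFF = 446  # four 16-byte partition entries precede the 0x55AA signature


def parse_mbr(sector: bytes) -> dict:
    """Return code-area hash, disk signature, non-empty partition entries and sanity flags."""
    if len(sector) != 512:
        raise ValueError(f"expected a 512-byte sector, got {len(sector)} bytes")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0x00 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    flags = []
    if sector[510:512] != BOOT_SIGNATURE:
        flags.append("missing 0x55AA boot signature")
    if sum(p["bootable"] for p in parts) != 1:
        flags.append("expected exactly one active partition")
    # MBR bootkits typically overwrite only the code area and keep the partition table
    # intact, so the code-area hash is what gets compared against a known-good MBR.
    return {"code_sha256": hashlib.sha256(sector[:CODE_AREA_LEN]).hexdigest(),
            "disk_signature": struct.unpack("<I", sector[440:444])[0],
            "partitions": parts, "flags": flags}


def build_sample_mbr() -> bytes:
    """Constructed sample: NOP-filled code area, disk signature, one active 0x07 (NTFS) partition."""
    sector = bytearray(b"\x90" * CODE_AREA_LEN)
    sector += struct.pack("<IH", 0xDEADBEEF, 0)  # constructed disk signature, reserved word
    sector += struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    sector += b"\x00" * 48  # three unused entries
    sector += BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read(512) if len(sys.argv) > 1 else build_sample_mbr()
    report = parse_mbr(data)
    for p in report["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02x} active={p['bootable']} lba={p['lba_start']}")
    print("code area sha256:", report["code_sha256"], "| flags:", report["flags"] or "none")
```

Run it as `python mbr_triage.py mbr.bin` against the acquired sector; compare the reported code-area hash with the hash of a clean MBR from the same OS build, since an intact partition table with a different code hash is the classic MBR bootkit footprint.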

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0

Similar Skills

Semantically similar based on skill content, not just the same category.

analyzing-uefi-bootkit-persistence (AI & Automation, Featured; 12,642 stars, updated today; by mukul975)

Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash, EFI System Partition (ESP) modifications, Secure Boot bypass techniques, and UEFI variable manipulation. Covers detection of known bootkit families (BlackLotus, LoJax, MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection, chipsec-based firmware integrity verification, and Secure Boot configuration auditing. Activates for requests involving UEFI malware analysis, firmware persistence investigation, boot chain integrity verification, or Secure Boot bypass detection.

performing-firmware-malware-analysis (AI & Automation, Featured; 12,642 stars, updated today; by mukul975)

Analyzes firmware images for embedded malware, backdoors, and unauthorized modifications targeting routers, IoT devices, UEFI/BIOS, and embedded systems. Covers firmware extraction, filesystem analysis, binary reverse engineering, and bootkit detection. Activates for requests involving firmware security analysis, IoT malware investigation, UEFI rootkit detection, or embedded device compromise assessment.

detecting-rootkit-activity (AI & Automation, Featured; 12,642 stars, updated today; by mukul975)

Detects rootkit presence on compromised systems by identifying hidden processes, hooked system calls, modified kernel structures, hidden files, and covert network connections using memory forensics, cross-view detection, and integrity checking techniques. Activates for requests involving rootkit detection, hidden process discovery, kernel integrity checking, or system call hook analysis.

analyzing-linux-kernel-rootkits (AI & Automation, Featured; 12,642 stars, updated today; by mukul975)

Detects kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and tampered system structures.

chipsec (Data & Documents, Listed; 335 stars, updated today; by aiskillstore)

Static analysis of UEFI/BIOS firmware dumps using Intel's chipsec framework. Decode firmware structure, detect known malware and rootkits (LoJax, ThinkPwn, HackingTeam, MosaicRegressor), generate EFI executable inventories with hashes, extract NVRAM variables, and parse SPI flash descriptors. Use when analyzing firmware .bin/.rom/.fd/.cap files offline without requiring hardware access.