For those of you who don’t know, a bootkit is a type of rootkit that begins executing at boot time. By infecting the BIOS, Master Boot Record, Volume Boot Record or Initial Program Loader, malware can begin execution early in the boot process, well before the OS is loaded. Most of the operating system’s security measures are initialized later on by the kernel, so code running during the early boot stage has unrestricted access to the system, which can be used to subvert or even disable OS security features. The aim of most bootkits is to load a kernel driver that will allow the malicious code to continue executing once the OS is fully loaded. On 64-bit operating systems where kernel mode code signing is enforced, a bootkit can be used to patch out the routines responsible for verifying driver signatures, allowing unsigned drivers to be loaded.
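Since the MBR, VBR and IPL are the regions a bootkit modifies, a defender can hash them in an offline disk image and compare against a known-good baseline. The sketch below is an added example, not code from this post or from the bootkit; the function names, the 16-sector boot region and the sample disk image are assumptions constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
MBR_CODE_LEN = 440      # bootstrap code; bytes 440-445 hold the disk signature
PART_TABLE = 446        # four 16-byte partition entries, then 0x55AA


def boot_region_hashes(image: bytes, boot_sectors: int = 16) -> dict:
    """Hash the MBR code and the boot sectors of each active partition.

    boot_sectors=16 is an assumption: it covers the VBR plus the IPL
    sectors at the start of an NTFS volume.
    """
    mbr = image[:SECTOR]
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    hashes = {"mbr_code": hashlib.sha256(mbr[:MBR_CODE_LEN]).hexdigest()}
    for i in range(4):
        status, ptype, lba, _count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE + 16 * i)
        if status != 0x80 or ptype == 0:
            continue                      # only active partitions are hashed
        start = lba * SECTOR
        region = image[start:start + boot_sectors * SECTOR]
        if len(region) != boot_sectors * SECTOR:
            raise ValueError(f"partition {i} boot region is truncated")
        hashes[f"part{i}_boot"] = hashlib.sha256(region).hexdigest()
    return hashes


def changed_regions(baseline: dict, current: dict) -> list:
    """Names of boot regions whose hash differs from the baseline."""
    keys = baseline.keys() | current.keys()
    return sorted(k for k in keys if baseline.get(k) != current.get(k))


def make_sample_image() -> bytearray:
    """Constructed test disk: one active NTFS-type partition at LBA 63."""
    img = bytearray((63 + 16) * SECTOR)
    img[0:MBR_CODE_LEN] = b"\x90" * MBR_CODE_LEN
    struct.pack_into("<B3xB3xII", img, PART_TABLE, 0x80, 0x07, 63, 2048)
    img[510:512] = b"\x55\xaa"
    img[63 * SECTOR:64 * SECTOR] = b"\xeb" * SECTOR
    return img


if __name__ == "__main__":
    clean = make_sample_image()
    baseline = boot_region_hashes(bytes(clean))
    clean[5] ^= 0xFF                      # simulate modified MBR code
    print(changed_regions(baseline, boot_region_hashes(bytes(clean))))
```

The image should be read from outside the running OS (for example from a powered-off VM's disk), since code that runs this early can intercept disk reads made from inside the infected system.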
The reason I chose XP 32-bit is because the bootkit is actually designed as a payload for a much cooler proof-of-concept I’m working on; I didn’t really have time to make a universal bootkit, and I also didn’t want to risk making the code too appealing to criminals for legal reasons (I believe an overzealous Kaspersky tried to prosecute fellow researcher Peter Kleissner for his “stoned” bootkit). Although the main proof-of-concept (that this bootkit serves as a payload for) is not complete, I thought it might be nice to release this part of it for people to study and to mark the death of XP.
The bootkit is a mix of 16-bit and 32-bit real mode and protected mode ASM, which is assembled using flat-assembler. The payload driver is a template driver written in C using Visual Studio 2012. Although targeted at XP Service Pack 3, the code appears to work fine on SP1 & SP2, but not SP0. I’ve not yet been able to test the kit on a physical machine but have done testing with VMware and Bochs.
The code is well commented, but I’ve also created PDF-based documentation that explains the XP boot process and the bootkit.