Press ROOT to Continue - Detecting OSX and Windows Bootkits with RDFU

Explore a comprehensive analysis of UEFI-based rootkits and malware detection in this Black Hat USA 2013 conference talk. Delve into the Rootkit Detection Framework for UEFI (RDFU), a unified set of tools developed to combat emerging threats across various UEFI implementations. Examine a sample bootkit for Apple OSX, designed specifically for testing purposes, which demonstrates sophisticated infection techniques and functionalities such as FileVault password sniffing, privilege escalation, and file hiding. Learn about the UEFI conceptual overview, runtime services, and the inner workings of RDFU. Gain insights into bootkit workflows and process hiding techniques. Discover the potential applications of this open-source technology in addressing UEFI-based security challenges.

Intro
Our motivation
Booting with BIOS
UEFI Conceptual overview
UEFI images
UEFI Runtime services
How does RDFU work?
Bootkit workflow
Hiding processes