blacklotus's Introduction

BlackLotus

BlackLotus is an innovative UEFI Bootkit designed specifically for Windows. It incorporates a built-in Secure Boot bypass and Ring0/Kernel protection to safeguard against any attempts at removal. This software serves the purpose of functioning as an HTTP Loader. Thanks to its robust persistence, there is no necessity for frequent updates of the Agent with new encryption methods. Once deployed, traditional antivirus software will be incapable of scanning and eliminating it. The software comprises two primary components: the Agent, which is installed on the targeted device, and the Web Interface, utilized by administrators to manage the bots. In this context, a bot refers to a device equipped with the installed Agent.

FYI: This version of BlackLotus (v2) has removed Baton Drop and replaced the original version's shim loaders with bootlicker. UEFI loading, infection and post-exploitation persistence are all the same.

General

  • Written in C and x86 assembly
  • Uses the Windows API, NTAPI and EFIAPI (no 3rd-party libraries)
  • No CRT (C Runtime Library)
  • The compiled binary, including the user-mode loader, is only 80 KB in size
  • HTTPS C2 communication secured with RSA and AES encryption
  • Dynamic configuration

Features

  • HVCI bypass
  • UAC bypass
  • Secure Boot bypass
  • BitLocker boot sequence bypass
  • Windows Defender bypass (patch Windows Defender drivers in memory, and prevent Windows Defender usermode engine from scanning/uploading files)
  • Dynamic hashed API calls (hell's gate)
  • x86<=>x64 process injection
  • API Hooking engine
  • Anti-Hooking engine (for disabling, bypassing, and controlling EDRs)
  • Modular plugin system

Installation

Download and install EDK2 from https://github.com/tianocore/edk2.
Instructions can be obtained here.

After installing EDK2, you are ready to compile the EFI drivers. Edit the config.c file to include your C2's hostname or IP address. After that, compilation should be easy; just keep the included settings in the Visual Studio solution.

Default Panel Credentials:

  • user: yukari
  • password: default

Contributors

ldpreload

blacklotus's Issues

Compile failure

When compiling in Visual Studio 2022 on Windows 10 (Release/x64), I get this error:

More errors than I have braincells to actually fix

Hey guys, when I downloaded it I got like 800 errors, and some errors saying "can't open source file 'Windows.h'", but Windows.h is a normal source file that can be included. IDK why it's giving me these (seemingly to me) illogical errors, so please, someone help me.

Bypass BitLocker with TPM

If there is no OS password and the OS is screen-locked, how to bypass BitLocker with TPM? Restarting the OS will require the number password.
I guess it's unsupported.

Include Errors

I'm getting weird include errors: for some reason it cannot include <Windows.h> in the "Shared\API" files.
I have a similar problem with NTSecAPI.h, TlHelp32.h, ShlObj.h, Wininet.h, stdio.h...
That makes absolutely no sense, because those headers come with the Windows SDK, which is installed and works for everything else. Would be nice if someone helps me.

Database is empty

Hi guys, I finished compiling, loaded it up on CentOS 7 with Apache and MariaDB, set firewall rules, etc. I can connect to localhost and log in.

Question: I now have an empty database I need to populate. Supposedly when I load up bot.exe it should show up in the database, no?

Can't compile, tried many settings

I had a lot of errors, but after changing to x86 and changing the linker settings I am getting linker errors like entry point and subsystem.

You can't compile it just like that; can you please help us with the compiling issue?

After playing with settings, my only error is:
nzt.obj : error LNK2019: unresolved external symbol _BookitInitialize referenced in function _BotInitialize

Can't compile

There is no implementation of BookitInitialize in this code

It may be in some assembly file, but the author did not upload this part of the code

Help

Hello, I would like to know how I compile the bootkit EFI driver using EDK2? There are no instructions in the project...

Share compiled version

Somehow I can't compile this by myself.
Could someone share an already compiled version?

[BUG] No connection on any C2 Hostname Or IP

Finally got it to build after days of pain, but I can't get any connections to work on any C2 hostname or IP. I've opened ports on all I've tried, tried using DNS for the hostname, tried using multiple IPs or just one; nothing will connect. The panel is located at ip/panel/index.php, if it matters.

Ran the exe in multiple vms, as well as real machines on different networks, with no results.

Everything is configured and built correctly; it's just fully not working when it should be. Not an antivirus issue or a compilation issue, just an issue of it not working at all.
