Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats

Alex Matrosov , Eugene Rodionov , Sergey Bratus



Rootkits and Bootkits will teach you how to understand and counter sophisticated, advanced threats buried deep in a machine’s boot process or UEFI firmware.

With the aid of numerous case studies and professional research from three of the world’s leading security experts, you’ll trace malware development over time from rootkits like TDL3 to present-day UEFI implants and examine how they infect a system, persist through reboot, and evade security software. As you inspect and dissect real malware, you’ll learn:

• How Windows boots—including 32-bit, 64-bit, and UEFI mode—and where to find vulnerabilities
• The details of boot process security mechanisms like Secure Boot, including an overview of Virtual Secure Mode (VSM) and Device Guard 
• Reverse engineering and forensic techniques for analyzing real malware, including bootkits like Rovnix/Carberp, Gapz, TDL4, and the infamous rootkits TDL3 and Festi
• How to perform static and dynamic analysis using emulation and tools like Bochs and IDA Pro 
• How to better understand the delivery stage of threats against BIOS and UEFI firmware in order to create detection capabilities
• How to use virtualization tools like VMware Workstation to reverse engineer bootkits and the Intel Chipsec tool to dig into forensic analysis

Cybercrime syndicates and malicious actors will continue to write ever more persistent and covert attacks, but the game is not lost. Explore the cutting edge of malware analysis with Rootkits and Bootkits.


「Rootkits and Bootkits」將教導您如何理解和對抗深藏在機器的引導過程或UEFI固件中的複雜、高級威脅。


- Windows的引導過程,包括32位、64位和UEFI模式,以及漏洞的位置
- 引導過程安全機制的細節,如Secure Boot,包括Virtual Secure Mode(VSM)和Device Guard的概述
- 用於分析真實惡意軟體的逆向工程和法醫技術,包括像Rovnix/Carberp、Gapz、TDL4以及臭名昭著的rootkits TDL3和Festi的bootkits
- 如何使用仿真和工具(如Bochs和IDA Pro)進行靜態和動態分析
- 如何更好地理解針對BIOS和UEFI固件的威脅傳遞階段,以建立檢測能力
- 如何使用虛擬化工具(如VMware Workstation)進行bootkits的逆向工程,以及使用Intel Chipsec工具進行法醫分析

網絡犯罪集團和惡意行為者將繼續編寫更加持久和隱蔽的攻擊,但遊戲並未失敗。與「Rootkits and Bootkits」一起探索惡意軟體分析的前沿。


Alex Matrosov is a leading offensive security researcher at NVIDIA. He has more than two decades of experience with reverse engineering, advanced malware analysis, firmware security, and exploitation techniques. Before joining NVIDIA, Alex served as Principal Security Researcher at Intel Security Center of Excellence (SeCoE), spent more than six years in the Intel Advanced Threat Research team, and was Senior Security Researcher at ESET. Alex has authored and co-authored numerous research papers and is a frequent speaker at security conferences, including REcon, ZeroNights, Black Hat, DEFCON, and others. Alex received an award from Hex-Rays for his open source plug-in HexRaysCodeXplorer, supported since 2013 by the team at REhint.

Eugene Rodionov, PhD, is a Security Researcher at Intel working in BIOS security for Client Platforms. Before that, Rodionov ran internal research projects and performed in-depth analysis of complex threats at ESET. His fields of interest include firmware security, kernel-mode programming, anti-rootkit technologies, and reverse engineering. Rodionov has spoken at security conferences, such as Black Hat, REcon, ZeroNights, and CARO, and has co-authored numerous research papers.

Sergey Bratus is a Research Associate Professor in the Computer Science Department at Dartmouth College. He has previously worked at BBN Technologies on Natural Language Processing research. Bratus is interested in all aspects of Unix security, in particular Linux kernel security, and detection and reverse engineering of Linux malware.


Alex Matrosov是NVIDIA的領先攻擊性安全研究員。他在逆向工程、高級惡意軟體分析、韌體安全和利用技術方面擁有超過二十年的經驗。在加入NVIDIA之前,Alex曾在英特爾安全卓越中心(SeCoE)擔任首席安全研究員,在英特爾高級威脅研究團隊工作了六年多,並在ESET擔任高級安全研究員。Alex撰寫並合著了許多研究論文,並經常在安全會議上發表演講,包括REcon、ZeroNights、Black Hat、DEFCON等。Alex因其開源插件HexRaysCodeXplorer而獲得了Hex-Rays的獎項,該插件自2013年以來一直得到REhint團隊的支持。

Eugene Rodionov博士是英特爾的安全研究員,專注於客戶平台的BIOS安全。在此之前,Rodionov在ESET進行內部研究項目並對複雜威脅進行深入分析。他的興趣領域包括韌體安全、核心模式編程、反根結技術和逆向工程。Rodionov曾在Black Hat、REcon、ZeroNights和CARO等安全會議上發表演講,並合著了許多研究論文。

Sergey Bratus是達特茅斯學院計算機科學系的研究副教授。他曾在BBN Technologies從事自然語言處理研究。Bratus對Unix安全的各個方面都感興趣,尤其是Linux內核安全以及Linux惡意軟體的檢測和逆向工程。