Bootkit for Windows 7 x86 and x64.
You should be easily able to adapt this for Windows 8 and up. You might run into trouble if you're using Secure Boot though (since that's supposed to verify bootmgr's signing before execution).
Written for COMP9447 at the University of NSW in 2011. I'm releasing it since it might be useful for somebody else, and also so I don't lose my own work.
This originally came with a rootkit driver which was meant to do keylogging, as well as hiding itself and the rootkit installation. However, that code wasn't written by me so I'm not including it here.
If you're actually making use of the resources here, I would assume you could come up with one of your own.
Released under the MIT license.
Assuming you have any version of Windows 7 x64 SP1 installed (probably works with-out service pack too, but have not tested), do the following:
In Explorer, make sure you can view System and Hidden files.
Change ownership from
Administratorsgroup on: C:\bootmgr C:\WINDOWS\System32\winload.exe
You also wanna give yourself (at least) write permissions. Full control should do the trick. ;)
Reboot, and cross your fingers!
As mentioned in the report (and inside
payload/install.bat) this could all
be done automatically.
Getting the driver running on boot
Copy your rootkit driver into the payload folder as
NPFROOTY.sys, and run
Then just reboot. You should be able to see the driver printing messages if you run DebugView as Administrator and check all the boxes (ie show kernel messages etc). You may need to turn on Show boot log and reboot for anything to come up. DebugView is in winload-hacks\tools if you need it.