07-19-2024, 04:35 PM
Using Windows' own bootloader as a shim to bypass Secure Boot.
How does this work?
Quote:The Windows bootloader (winload.efi) does not check the code signature or integrity of the mcupdate_<platform>.dll file when starting the system if the 'Disable Driver Signature Enforcement' option is selected. The file is loaded very early in the boot stage, and its entry point is executed from within the bootloader before a call to ExitBootServices(), which means that you can just restore the context and return back to the firmware. The plot twist is that mcupdate_<platform>.dll is not inside a valid memory mapping in the firmware context, so this project just remaps itself over the bootloader.
Quote:Note: In its current form, the proof-of-concept can only boot from the selected boot device (without rebooting). You may use it to hook into the boot process or, if you want to get creative, manually map the actual bootloader and boot into a different OS altogether (like Linux).
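A defender-side check for the preconditions described in the quoted text, written here as an added example and not taken from the post or the PoC project: it reports Secure Boot state, whether the persistent BCD settings that disable integrity checks or enable test signing are set, and whether the mcupdate_*.dll files in System32 carry a valid Authenticode signature. It assumes an elevated prompt and English-locale bcdedit output; the F8 'Disable Driver Signature Enforcement' option applies to a single boot and is not visible in BCD, so only the persistent settings are covered.

```powershell
# Added defensive check (not part of the original post or the PoC project).
# Reports the conditions the post describes: Secure Boot state, whether
# integrity checks / test signing are disabled in the current BCD entry,
# and whether the mcupdate_*.dll files in System32 carry a valid signature.
# Assumes an elevated PowerShell prompt and English-locale bcdedit output.
# The per-boot F8 option does not persist in BCD and is not detected here.

function Get-BcdIntegritySettings {
    $out = bcdedit /enum '{current}' 2>$null
    $settings = @{ nointegritychecks = $false; testsigning = $false }
    foreach ($line in $out) {
        # bcdedit prints e.g. "nointegritychecks       Yes" when set
        if ($line -match '^\s*(nointegritychecks|testsigning)\s+(Yes|On)\s*$') {
            $settings[$Matches[1].ToLower()] = $true
        }
    }
    return $settings
}

function Get-McupdateSignatureStatus {
    $dir = Join-Path $env:SystemRoot 'System32'
    Get-ChildItem -Path $dir -Filter 'mcupdate_*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.Name
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# Confirm-SecureBootUEFI throws on legacy BIOS systems or without privileges
$secureBoot = try { Confirm-SecureBootUEFI } catch { $null }
$bcd  = Get-BcdIntegritySettings
$dlls = Get-McupdateSignatureStatus

"Secure Boot enabled:   $secureBoot"
"BCD nointegritychecks: $($bcd.nointegritychecks)"
"BCD testsigning:       $($bcd.testsigning)"
$dlls | Format-Table -AutoSize

# The post's precondition holds when integrity checks are off; an mcupdate_*.dll
# whose signature Status is not 'Valid' under that condition is worth investigating.
if (($bcd.nointegritychecks -or $bcd.testsigning) -and ($dlls | Where-Object Status -ne 'Valid')) {
    Write-Warning 'Integrity checks disabled and an unsigned/invalid mcupdate_*.dll is present.'
}
```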
