Hide SMBIOS/disk/NIC serials from EFI bootkit

Overview

Rainbow

Rainbow is a bootkit-like HWID spoofer for Windows. It abuses several hooks in the EFI runtime services and uses clever DKOM to hide hardware serials before any boot-time drivers are even started.

Screenshots

(Images screen0, screen1 and screen2 are not reproduced here.)

Video

(Video is not reproduced here.)

Usage

In order to use the rainbow spoofer, you need to load it. First, obtain a copy of rainbow.efi and a copy of the EDK2 EFI shell. Then follow these steps:

  1. Extract the downloaded EFI shell and rename the file Shell.efi (found in the folder UefiShell/X64) to bootx64.efi
  2. Format a USB drive as FAT32
  3. Create the following folder structure on the drive:

     USB:.
      │   rainbow.efi
      │
      └───EFI
           └───Boot
                   bootx64.efi

  4. Boot from the USB drive
  5. A UEFI shell should start. Change to your USB drive (FS0 should be the USB drive, since you booted from it) and list its files:

     FS0:
     ls

  6. You should see the file rainbow.efi; if you do, load it:

     load rainbow.efi

  7. You should now see output from rainbow. If it was successful, exit the shell and boot into Windows (switch to the Windows boot media, usually FS1, and run \EFI\Boot\bootx64.efi)

Download

Check out UnknownCheats.

Compiling

See VisualEfi. Please note that I've made some changes to the EDK2 directory.


Comments
  • I get a BlueScreen when booting windows 20H2 after loading this bootkit

    Like said in the title, I get a SYSTEM_THREAD_EXCEPTION_NOT_HANDLED BSOD when booting Windows 10 20H2 (19042.985) with the driver loaded. I have no idea from which part of the bypass this comes. If you need any information to debug this, let me know, and I will send it.

    opened by louga31 0
Owner
Samuel Tulach
otiosum#2531 | @ootiosum bc1quqye8z97pcaymhy9gxaexqnt4ulryqtua0t82v