This article introduces a new kind of bootkit technology, Tophet, and some of the novel techniques used by its first-generation template, Tophet.a. Tophet.a is not a virus or a Trojan horse; it exists only to demonstrate high-end startup, penetration and stealth technology.

A bootkit is a more advanced form of rootkit. The concept was first mentioned by eEye Digital in their "BootRoot" project in 2005, which bypassed kernel detection and achieved a stealthy start by infecting the MBR (master boot record). It is generally held that any technology that loads before the Windows kernel at boot time and hijacks the kernel can be called a bootkit, including the later BIOS rootkit, VBootkit, SMM rootkit and others.

Today the well-known locations, the MBR, the boot sector and NtOSLoader, are all strictly guarded by HIPS monitoring software and detection software, while the other startup directions such as BIOS, SMM and ROM firmware are either too narrowly targeted or not general enough. How, then, can Windows kernel boot hijacking be carried out simply, universally and effectively? Tophet.a uses a new method: NtBootdd.sys. Tophet.a also introduces some disk-level penetration and concealment techniques that can penetrate all current protection software, install themselves, and at the same time remain invisible to any rootkit-detection tool.

Attachment: Premium Bootkit-tophet.doc
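The article's point is that boot-path locations such as the MBR, the boot sector and NtOSLoader are watched, while a driver like NtBootdd.sys that is also loaded before the kernel is not. The natural defensive response is to put every pre-kernel artifact, NtBootdd.sys included, under the same integrity baseline. The following Python script is an added example written for this page; it is not code from the article or from Tophet. The boot-file paths in `DEFAULT_BOOT_PATHS`, the `\\.\PhysicalDrive0` device name and the `self_check` scenario are this example's own assumptions, and the sample files and MBR sectors it builds are constructed test data.

```python
"""Boot-chain integrity baseline: hash the files and the MBR boot code that a
bootkit would have to alter, then diff a later snapshot against the baseline.
Added example for this page; paths and scenario are assumptions."""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed boot-chain locations for an NT 5.x (XP/2003-era) system.  This list is
# the example's own assumption, not one taken from the article.  ntbootdd.sys is
# included precisely because it loads before the kernel yet is rarely monitored.
DEFAULT_BOOT_PATHS = [
    r"C:\ntldr",
    r"C:\NTDETECT.COM",
    r"C:\boot.ini",
    os.path.expandvars(r"%SystemRoot%\system32\drivers\ntbootdd.sys"),
]

MBR_SIZE = 512
MBR_BOOT_CODE_LEN = 440      # 0..439 boot code, 440..445 disk signature, 446..509 partition table
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def sha256_file(path):
    """Stream a file through SHA-256 (boot files are small, but stay chunked)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_files(paths):
    """Map each path to its hash, or None when the file is absent.  Absence is
    recorded on purpose: ntbootdd.sys appearing on a host whose baseline had
    none is as interesting as an existing boot file changing."""
    return {p: (sha256_file(p) if os.path.isfile(p) else None) for p in paths}


def mbr_boot_code_hash(sector):
    """Hash only the boot-code region of a 512-byte MBR, so legitimate edits to
    the partition table or disk signature do not raise an alert."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[-2:] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    return hashlib.sha256(sector[:MBR_BOOT_CODE_LEN]).hexdigest()


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of the first disk (assumed device name; needs admin rights)."""
    with open(device, "rb") as d:
        return d.read(MBR_SIZE)


def diff_snapshots(baseline, current):
    """Return (key, kind) pairs for every entry that appeared, vanished or changed."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old == new:
            continue
        kind = "appeared" if old is None else "removed" if new is None else "modified"
        changes.append((key, kind))
    return changes


def build_sample_mbr(boot_byte=0x33, part_byte=0x00):
    """Constructed 512-byte sector: boot code filled with boot_byte, partition
    table filled with part_byte, valid 0x55AA signature."""
    return (bytes([boot_byte]) * MBR_BOOT_CODE_LEN + b"\x00" * 6
            + bytes([part_byte]) * 64 + MBR_SIGNATURE)


def self_check():
    """Constructed scenario in a temp dir: take a baseline, then patch one boot
    file and drop in a new ntbootdd.sys, and return what the diff reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        names = ("ntldr", "NTDETECT.COM", "boot.ini", "ntbootdd.sys")
        paths = [str(root / n) for n in names]
        (root / "ntldr").write_bytes(b"loader-bytes")
        (root / "NTDETECT.COM").write_bytes(b"detect-bytes")
        (root / "boot.ini").write_bytes(b"[boot loader]\r\n")
        baseline = snapshot_files(paths)            # ntbootdd.sys absent -> None
        (root / "ntldr").write_bytes(b"loader-bytes-patched")
        (root / "ntbootdd.sys").write_bytes(b"new driver image")
        current = snapshot_files(paths)
        return [(os.path.basename(k), kind) for k, kind in diff_snapshots(baseline, current)]


if __name__ == "__main__":
    print(self_check())
    # On a real host (Windows, elevated): baseline = snapshot_files(DEFAULT_BOOT_PATHS)
    # and baseline["mbr"] = mbr_boot_code_hash(read_mbr()); persist it off-box and
    # diff a fresh snapshot against it on a schedule.
```

The baseline is only as trustworthy as the host it was taken on, so take it from known-good media and store it off the monitored machine; a bootkit that already controls the disk path can answer reads with clean data, which is why the check complements rather than replaces an offline comparison.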