[Series] RootkitBootkit — A New Series For Studying Rootkits & Bootkits
Introduction
While studying different malware, I recently analyzed Petya and NotPetya. This led me to realize something important.
Although Petya is classified as ransomware, it goes beyond typical ransomware behavior — it incorporates a bootkit. Unlike ransomware such as WannaCry and NotPetya, which primarily operate within the operating system, Petya modifies the boot process and gains control before the OS even loads.
While analyzing Petya’s bootkit, I became aware of a gap in my understanding of low-level systems, especially in areas such as rootkits and bootkits.
Therefore, I decided to start a new series — “RootkitBootkit”.
The name was inspired by how it sounds a bit like “Oogie Boogie” from The Nightmare Before Christmas.
Why?
As I mentioned in another article and in my analysis of NotPetya, learning low-level concepts such as assembly and system internals has become increasingly difficult over time.
At the same time, modern malware often relies on these low-level techniques to achieve stealth and persistence.
By studying rootkits, bootkits, and related vulnerabilities, I aim to bridge this gap and strengthen my understanding of system internals.
RootkitBootkit
In this series, I plan to explore:
Foundations
- Assembly language
- System programming
Rootkits
- Basic concepts and techniques
- TDL3
- Festi
Bootkits
- Windows boot process
- MBR / VBR / IPL
- ELAM
- UEFI
Practical exploration
- Building minimal rootkits
- Understanding how bootkits are implemented
Ultimate Goals
- Build a solid understanding of low-level systems and assembly
- Understand how stealth and persistence are achieved below the OS level
- Analyze real-world rootkits and bootkits
Lastly
Before ending this article, I want to share my thoughts on learning offensive techniques (e.g., rootkits, bootkits, ransomware, etc.).
Some people argue that we should avoid learning these techniques because they are associated with illegal activities. However, I believe the techniques themselves are not inherently malicious — it is how they are used that matters.
Threat actors continue to study and evolve these techniques, while defenders who ignore them risk falling behind. Without understanding how such attacks work at a low level, it becomes much harder to build effective defenses.
For me, studying these topics is not about misuse, but about gaining the knowledge necessary to understand, analyze, and ultimately defend against them.
Articles
(Coming soon…)
THANKS FOR READING