Pre-OS Boot: System Firmware
10 syscalls implement this technique
- NtAddDriverEntry
Registers a new EFI_DRIVER_ENTRY in the firmware so the UEFI environment loads a driver before the OS.
- NtModifyDriverEntry
Overwrites an existing EFI_DRIVER_ENTRY identified by its ID, rewriting the UEFI Driver#### NVRAM variable in place.
- NtDeleteDriverEntry
Removes a registered EFI_DRIVER_ENTRY by ID, deleting the corresponding UEFI Driver#### NVRAM variable.
- NtEnumerateDriverEntries
Returns a packed list of every registered EFI_DRIVER_ENTRY — the UEFI Driver#### variables dispatched before the boot manager.
- NtQueryDriverEntryOrder
Reads the platform's UEFI DriverOrder list — the sequence in which UEFI Driver#### entries load at boot.
- NtSetDriverEntryOrder
Rewrites the platform's UEFI DriverOrder list, controlling which UEFI drivers load first at boot.
- NtQuerySystemEnvironmentValue
Reads a legacy x86 BIOS/NV-RAM system environment variable by name (pre-UEFI interface).
- NtSetSystemEnvironmentValue
Writes a legacy x86 BIOS/NV-RAM system environment variable (pre-UEFI interface).
- NtQuerySystemEnvironmentValueEx
Reads a UEFI variable identified by a (name, vendor GUID) pair and returns its data plus attributes.
- NtSetSystemEnvironmentValueEx
Writes or deletes a UEFI variable identified by (name, vendor GUID) — the canonical firmware-persistence surface.