Pre-OS Boot: Bootkit
10 syscalls implement this technique
- NtAddBootEntry
Registers a new BOOT_ENTRY in the Boot Configuration Database (BCD) and returns its assigned ID.
- NtModifyBootEntry
Replaces an existing BOOT_ENTRY in the Boot Configuration Database with a new descriptor, keyed by its ID.
- NtDeleteBootEntry
Removes a BOOT_ENTRY from the Boot Configuration Database by ID, deleting the corresponding firmware variable on UEFI.
- NtEnumerateBootEntries
Returns a packed array of BOOT_ENTRY structures describing every registered firmware boot option.
- NtQueryBootEntryOrder
Reads the firmware's ordered list of BOOT_ENTRY IDs — the sequence the platform will attempt at next power-on.
- NtSetBootEntryOrder
Writes the firmware boot-attempt order — the array of BOOT_ENTRY IDs the platform will try in sequence.
- NtAddDriverEntry
Registers a new EFI_DRIVER_ENTRY in the firmware so the UEFI environment loads a driver before the OS.
- NtModifyDriverEntry
Overwrites an existing EFI_DRIVER_ENTRY identified by its ID, rewriting the UEFI Driver#### NVRAM variable in place.
- NtSetDriverEntryOrder
Rewrites the platform's UEFI DriverOrder list, controlling which UEFI drivers load first at boot.
- NtSetSystemEnvironmentValueEx
Writes or deletes a UEFI variable identified by (name, vendor GUID) — the canonical firmware-persistence surface.