TrickBoot
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
5 syscalls cited
- NtModifyBootEntry
Replaces an existing BOOT_ENTRY in the Boot Configuration Database with a new descriptor, keyed by its ID.
- NtDeleteBootEntry
Removes a BOOT_ENTRY from the Boot Configuration Database by ID, deleting the corresponding firmware variable on UEFI.
- NtEnumerateBootEntries
Returns a packed array of BOOT_ENTRY structures describing every registered firmware boot option.
- NtQueryBootEntryOrder
Reads the firmware's ordered list of BOOT_ENTRY IDs — the sequence the platform will attempt at next power-on.
- NtSetBootEntryOrder
Writes the firmware boot-attempt order — the array of BOOT_ENTRY IDs the platform will try in sequence.