Hide SMBIOS/disk/NIC serials with an EFI bootkit

Rainbow

Rainbow is a bootkit-like HWID spoofer for Windows. It hooks several EFI runtime services and uses DKOM (direct kernel object manipulation) to hide hardware serials before any boot-start drivers have run.
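As an added illustration (not Rainbow's code, whose sources are not on this page), the following C program shows what "hooking an EFI runtime service" amounts to and the consistency check a defender can apply to the result. It simulates an EFI_RUNTIME_SERVICES table that consists of just its EFI_TABLE_HEADER and one service pointer; the header layout, the table signature and the rule that the CRC32 field covers HeaderSize bytes with the field itself zeroed come from the UEFI specification, while the GetVariable signature, the variable name "SystemSerial" and the serial value are simplified stand-ins chosen for the example. The hook is a pointer swap in the table; because the table CRC covers the pointers, a hook that does not recompute it leaves a detectable inconsistency, so a bootkit recomputes it and an inspector should verify it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EFI_TABLE_HEADER as laid out in the UEFI specification. */
typedef struct {
    uint64_t Signature;
    uint32_t Revision;
    uint32_t HeaderSize;  /* size of the whole table, header included */
    uint32_t CRC32;       /* CRC of HeaderSize bytes with this field zeroed */
    uint32_t Reserved;
} EFI_TABLE_HEADER;

/* Simplified stand-in for EFI_RUNTIME_SERVICES (an assumption of this example): one service, toy signature. */
typedef uint64_t (*GET_VARIABLE)(const char *name);
typedef struct {
    EFI_TABLE_HEADER Hdr;
    GET_VARIABLE GetVariable;
} FAKE_RUNTIME_SERVICES;

/* Standard CRC32 (IEEE 802.3 / zlib polynomial), which is the CRC EFI uses. */
static uint32_t crc32_ieee(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Table CRC as the spec defines it: CRC32 field zeroed, HeaderSize bytes covered. */
uint32_t table_crc(const FAKE_RUNTIME_SERVICES *rt)
{
    uint8_t buf[sizeof *rt];
    memcpy(buf, rt, sizeof buf);
    memset(buf + offsetof(EFI_TABLE_HEADER, CRC32), 0, sizeof(uint32_t));
    return crc32_ieee(buf, rt->Hdr.HeaderSize);
}

/* The inspector's check: does the stored CRC still match the table's contents? */
int table_crc_ok(const FAKE_RUNTIME_SERVICES *rt)
{
    return table_crc(rt) == rt->Hdr.CRC32;
}

static uint64_t firmware_get_variable(const char *name)   /* "firmware" side */
{
    return strcmp(name, "SystemSerial") == 0 ? 0x1122334455667788ULL : 0; /* constructed sample serial */
}

/* The hook forwards to the saved original and rewrites only what it spoofs. In a
 * real runtime driver the saved pointer must be converted with gRT->ConvertPointer
 * on EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE, and the hook must live in memory that stays
 * mapped after ExitBootServices (EfiRuntimeServicesCode). */
static GET_VARIABLE original_get_variable;
static uint64_t hooked_get_variable(const char *name)
{
    uint64_t v = original_get_variable(name);
    return strcmp(name, "SystemSerial") == 0 ? v ^ 0x0F0F0F0F0F0F0F0FULL : v;
}

/* A fresh, internally consistent table; static zeroed storage keeps padding at 0. */
FAKE_RUNTIME_SERVICES *make_table(void)
{
    static FAKE_RUNTIME_SERVICES table;
    memset(&table, 0, sizeof table);
    table.Hdr.Signature = 0x56524553544e5552ULL;  /* EFI_RUNTIME_SERVICES_SIGNATURE, "RUNTSERV" */
    table.Hdr.Revision = 0x00020046u;             /* UEFI 2.7: (2 << 16) | 70 */
    table.Hdr.HeaderSize = (uint32_t)sizeof table;
    table.GetVariable = firmware_get_variable;
    table.Hdr.CRC32 = table_crc(&table);
    return &table;
}

/* The hook install is a pointer swap in the table. Idempotent, so a second call cannot make the hook call itself. */
void install_hook(FAKE_RUNTIME_SERVICES *rt)
{
    if (rt->GetVariable == hooked_get_variable)
        return;
    original_get_variable = rt->GetVariable;
    rt->GetVariable = hooked_get_variable;
}

/* What a bootkit must do after patching; until it does, table_crc_ok() fails. */
void fixup_table_crc(FAKE_RUNTIME_SERVICES *rt)
{
    rt->Hdr.CRC32 = table_crc(rt);
}

int main(void)
{
    FAKE_RUNTIME_SERVICES *rt = make_table();
    install_hook(rt);
    printf("hooked: crc_ok=%d\n", table_crc_ok(rt));   /* 0 until the CRC is fixed up */
    fixup_table_crc(rt);
    printf("fixed:  crc_ok=%d\n", table_crc_ok(rt));   /* 1, and the serial is now spoofed */
    return 0;
}
```

The table_crc_ok() check is the one an inspector runs against the real table: recompute the CRC over HeaderSize bytes and compare it with the stored field. Passing it is necessary but not sufficient evidence of integrity, because a careful bootkit recomputes the CRC exactly as fixup_table_crc() does; a stronger inspection compares each service pointer against a known-good copy of the table or against the address ranges of the firmware's own runtime drivers.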

Usage

To use the Rainbow spoofer you have to load it from a UEFI shell before Windows starts. Secure Boot must be off, since firmware that enforces it will refuse to run the unsigned shell image and rainbow.efi. First obtain a copy of rainbow.efi and a copy of the EDK2 UEFI Shell, then follow these steps:

  1. Extract the downloaded shell archive and rename Shell.efi (in the folder UefiShell/X64) to bootx64.efi
  2. Format a USB drive as FAT32
  3. Create the following folder structure on it:
USB:.
 │   rainbow.efi
 │
 └───EFI
      └───Boot
              bootx64.efi
  4. Boot from the USB drive
  5. A UEFI shell should start. Change to the USB file system (FS0 is usually the USB drive since you booted from it; run the map command if you are not sure which mapping it is) and list its files:
FS0:
ls
  6. You should see rainbow.efi. If you do, load it:
load rainbow.efi
  7. You should now see output from Rainbow. If it reports success, exit the shell and boot into Windows: change to the Windows boot medium (usually FS1) and run \EFI\Boot\bootx64.efi, or \EFI\Microsoft\Boot\bootmgfw.efi, which is where a standard Windows installation keeps its boot manager

Download

Check out UnknownCheats.

Compiling

See VisualEfi. Please note that I've made some changes to the EDK2 directory.

Owner
Samuel Tulach
otiosum#2531 | @ootiosum bc1quqye8z97pcaymhy9gxaexqnt4ulryqtua0t82v
Comments
  • I get a BlueScreen when booting Windows 20H2 after loading this bootkit

    Like said in the title, I get a SYSTEM_THREAD_EXCEPTION_NOT_HANDLED BSOD when booting Windows 10 20H2 (19042.985) with the driver loaded. I have no idea from which part of the bypass this comes. If you need any information to debug this, let me know, and I will send it.