DioProcess

UEFI Bootkit

EFI

Boot-time kernel patching via a UEFI DXE driver that bypasses Driver Signature Enforcement (DSE) and PatchGuard (Kernel Patch Protection, KPP) before Windows loads.

Extreme Caution Required

The UEFI bootkit modifies the Windows boot process. Incorrect use can render your system unbootable. Use only on test systems with proper backups.

Architecture

┌──────────────────────────────────────────────────┐
│  DioProcess UI (Dioxus) — UEFI Tab               │
│  [DSE: ON/OFF] [PatchGuard: ON/OFF]              │
│  [Install to ESP] [Remove from ESP] [Status]     │
└──────────────────┬───────────────────────────────┘
                   │ Win32 API (SetFirmwareEnvironmentVariableW)
                   │ + std::process::Command (mountvol, bcdedit)
┌──────────────────▼───────────────────────────────┐
│  UEFI NVRAM Variables (persist across reboots)   │
│  {D10PR0C5-1337-4242-BEEF-CAFEBABE0001}         │
│  DioProcessDseBypass = 0 or 1                    │
│  DioProcessKppBypass = 0 or 1                    │
└──────────────────┬───────────────────────────────┘
                   │ Read at boot time
┌──────────────────▼───────────────────────────────┐
│  DioProcessEfi.efi (UEFI DXE Driver — EDK2/C)   │
│  1. Hook gBS->ExitBootServices                   │
│  2. Read NVRAM config variables                  │
│  3. If DseBypass=1: NOP g_CiOptions in winload   │
│  4. If KppBypass=1: RET PatchGuard init          │
│  5. Restore original and call ExitBootServices   │
└──────────────────────────────────────────────────┘

Requirements

  • UEFI system — Legacy BIOS not supported
  • Secure Boot disabled — Required for unsigned EFI driver
  • Administrator privileges — For ESP access and NVRAM writes

Features

Installation

EFI driver installation is handled from the title bar buttons:

  • Install EFI — Installs the EFI driver to ESP
  • Uninstall EFI — Removes boot entry and ESP files
  • With -debug flag: "Browse Local File" option available
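
A defender-side check for the boot entry and ESP file that installation leaves behind, as an added example that is not part of DioProcess: it parses `bcdedit /enum firmware` output and flags loader paths that end in DioProcessEfi.efi or sit outside \EFI\Microsoft\Boot\. It assumes the installed entry is visible in that output; the sample text, the entry GUID and the \EFI\Example\ directory are constructed, because the page does not state the real install path.

```python
import re

# Constructed sample of `bcdedit /enum firmware` output (not from a real system).
# \EFI\Example\ is a placeholder: the page does not give the ESP install path.
SAMPLE = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
path                    \EFI\Microsoft\Boot\bootmgfw.efi
description             Windows Boot Manager

Firmware Application (101fffff)
-------------------------------
identifier              {11111111-2222-3333-4444-555555555555}
device                  partition=\Device\HarddiskVolume1
path                    \EFI\Example\DioProcessEfi.efi
description             Constructed Entry
"""

KNOWN_BAD = "dioprocessefi.efi"            # file name given on this page
EXPECTED_DIR = "\\efi\\microsoft\\boot\\"  # stock Windows loader directory

def parse_entries(text):
    """Split bcdedit output into one dict per entry (first value per key)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3 or not lines[1].startswith("---"):
            continue
        entry = {"title": lines[0].strip()}
        for line in lines[2:]:
            m = re.match(r"(\S+)\s+(.*)", line)  # indented continuation lines do not match
            if m:
                entry.setdefault(m.group(1), m.group(2).strip())
        entries.append(entry)
    return entries

def audit(text):
    """Return (identifier, path, reason) for each loader path worth reviewing."""
    findings = []
    for e in parse_entries(text):
        path = e.get("path", "")
        if path.lower().endswith("\\" + KNOWN_BAD):
            findings.append((e.get("identifier", "?"), path, "DioProcess EFI driver"))
        elif path and not path.lower().startswith(EXPECTED_DIR):  # heuristic: review, not proof
            findings.append((e.get("identifier", "?"), path, "loader outside Microsoft boot dir"))
    return findings
```

Because the driver is unsigned and needs Secure Boot disabled, confirming that Secure Boot is enabled is the complementary check.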

UEFI Tab

The UEFI Bootkit tab provides three sections:

Boot Patches

Toggle DSE/KPP bypass, save to NVRAM

Boot Debug Log

Read/clear UEFI debug log from ESP

System Information

Firmware type, Secure Boot status, test signing

Boot Animation

The EFI driver displays a custom animated boot screen during the 5-second delay before chainloading Windows. The animation is drawn through GOP (Graphics Output Protocol).

  • Format: BGRA32 (matches GOP PixelBlueGreenRedReserved8BitPerColor)
  • Frames pre-converted at build time (no runtime GIF decoding)
  • Recommended: max 256x256 resolution, 10-15 fps

Source Files

efi/DioProcessEfi/
├── DioProcessEfi.c    # DXE entry + ExitBootServices hook
├── Config.c/h         # NVRAM variable reader
├── Graphics.c/h       # GOP-based boot animation
├── Animation.h        # Pre-converted BGRA32 frames
├── PatchDse.c/h       # DSE bypass implementation
├── PatchKpp.c/h       # PatchGuard bypass implementation
├── PatternScan.c/h    # Wildcard byte pattern scanner
├── PeUtils.c/h        # PE32+ parsing utilities
├── DioProcessEfi.inf  # EDK2 module definition
└── DioProcessEfi.dsc  # EDK2 platform description