Tiny UEFI bootkit that patches Driver Signature Enforcement (DSE) at boot, allowing unsigned drivers to load.
This project started as an experiment in writing pure ASM and optimizing for extreme size constraints. The result is a fully working bootkit that achieves DSE bypass before Windows initializes, while keeping the final binary under 1 KB.
- Written entirely in x64 ASM
- HVCI support
- Disables DSE by manipulating
g_CiOptions - No traces left after
ExitBootServicesexcept the patch itself - Compiled binary size is only 976 bytes in size
The full write-up explaining the internals, patching logic, and size optimization tricks is available here:
DSEclipse - Story behind bootkit that bypasses DSE in under 1 KB