Mattiwatti

Mattiwatti/EfiGuard

C++ GPL-3.0 Security Single maintainer risk

Disable PatchGuard and Driver Signature Enforcement at boot time

2.5k stars
401 forks
recent
GitHub +6 / week

2.5k

Stars

401

Forks

19

Open issues

3

Contributors

v1.4 15 Oct 2023

AI Analysis

EfiGuard is a UEFI bootkit for x64 Windows that patches the boot process to disable PatchGuard and Driver Signature Enforcement at startup, supporting Windows Vista SP1 through Windows 11. It is a specialized security/research tool designed for advanced users, security researchers, and developers who need to load unsigned drivers or study kernel protection mechanisms—not for general-purpose Windows administration or end-user deployment.

Security Security Tool Discovery value: 4/10
Documentation 8/10
Activity 9/10
Community 8/10
Code quality 5/10

Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.

Overall score 8/10

AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.

bootkit uefi kernel-patching windows-internals driver-development
Actively maintained Well documented Niche/specialized use case Popular
Deep Analysis · Based on README and public signals
6d ago

UEFI bootkit for disabling Windows kernel protections; specialized security research tool with modest, sustained adoption

EfiGuard is a portable x64 UEFI bootkit that patches the Windows boot chain at runtime to disable PatchGuard and Driver Signature Enforcement (DSE). Built for security researchers, kernel developers, and users needing to load unsigned drivers or modify kernel behavior on locked-down systems. Adoption appears concentrated in security research and reverse engineering communities rather than mainstream enterprise or consumer use. The project demonstrates active maintenance as of June 2026, with careful engineering around UEFI boot stages and graceful failure handling.

Origin

EfiGuard was created in March 2019 as part of the UEFI bootkit ecosystem for Windows kernel modification. It emerged alongside similar tools (Chaos-Rootkit, Nidhogg, BestEdrOfTheMarket) in a space where researchers and tool developers sought robust alternatives to older kernel-patching methods, particularly after PatchGuard became more difficult to bypass from within the kernel.

Growth

The project has accumulated 2,465 stars over ~7 years with stable but slow growth (11 stars in the last 7 days as of June 2026). This flat growth pattern is consistent with a specialized tool serving a niche community. The last push on 2026-06-17 indicates the project is not dormant, but the growth trajectory suggests it has reached a stable plateau rather than expanding into new user bases. Repository forks (397) are moderate relative to star count, typical of tools downloaded for reference rather than actively maintained in production.

In production

Adoption not verified in README or metadata. No deployment statistics, user testimonials, or documented production environments mentioned. The tool's nature (kernel modification, anti-cheat bypass capability, DSE circumvention) makes public production disclosure unlikely even if adoption exists. Security researchers and some niche gaming/modding communities may use it, but evidence is not publicly available.

Code analysis
Architecture

Likely uses multi-stage UEFI driver architecture: firmware-level interception of bootmgfw.efi, bootmgr.efi, and winload.efi with runtime instruction decoding via Zydis disassembler for pattern-robust patching. Appears to include both passive driver mode and explicit loader application. README indicates careful boot-stage sequencing and error recovery before ExitBootServices is called, suggesting robust state management. Specific implementation details cannot be verified from README alone.

Tests

Not documented in README. No mention of automated testing, fuzzing, or validation suite. The README describes manual graceful error handling and debugger output capability, but formal test coverage is absent from documentation.

Maintenance

Last push 2026-06-17 (18 days ago relative to 2026-07-05) indicates active but infrequent maintenance. README is comprehensive and up-to-date. The project does not appear abandoned, but the slow commit cadence and minimal recent star gain suggest the author is maintaining rather than actively expanding the project. GPL-3.0 license visible; no indication of abandoned status.

Honest verdict

ADOPT IF: you are a security researcher, kernel developer, or reverse engineer needing to disable PatchGuard/DSE on Windows x64 systems without runtime vulnerability to newer protections, and you understand UEFI boot mechanics and can manage the associated legal/support risks. AVOID IF: you require mainstream vendor support, automated testing, high-volume production deployment, or are developing commercial software without explicit security research justification. MONITOR IF: you depend on DSE bypass for a niche product and HVCI/hypervisor enforcement is not yet deployed on target systems; the technical approach is sound but adoption signals are weak and competitive alternatives may emerge.

Independent dimensions

Mainstream potential

2/10

Technical importance

7/10

Adoption evidence

2/10

Risks
  • Cannot bypass HVCI/HyperGuard; renders the tool non-functional on systems with hypervisor-enforced code integrity, a trend in modern Windows deployments.
  • Adoption not verified; actual user base and incident reports are unknown. Community size is unclear, limiting peer review and bug detection.
  • Legal and vendor support exposure: disabling DSE and PatchGuard violates Windows security model and may breach user agreements; anti-virus/anti-cheat vendors may flag it as malicious or block its use.
  • Slow growth and infrequent maintenance could indicate shrinking relevance as Windows kernel protections evolve; compatibility with future Windows versions uncertain.
  • Checked kernel support absent; limits utility for kernel debugging workflows and may break on future Windows debug builds.
Prediction

EfiGuard will likely remain a specialized research tool with stable but modest adoption. It may gradually lose utility as HVCI deployment increases and alternative boot-time attack surfaces are closed. The project will probably continue to receive maintenance patches for new Windows versions but is unlikely to expand into mainstream use.

0 found this helpful

Newsletter

Get analyses like this every Monday

Free weekly digest of the most interesting open-source discoveries.

Languages

C++
51.5%
C
47.4%
DenizenScript
0.9%
Assembly
0.2%

Information

Language
C++
License
GPL-3.0
Last updated
3w ago
Created
89mo ago
Analyzed with
anthropic/claude-haiku-4-5

Stars over time

Loading…

Contributors over time

Top 100 contributors only — repos with more will plateau at 100.

Loading…

Similar repos

Idov31

Idov31/Nidhogg

Nidhogg is a Windows kernel rootkit for x64 systems that demonstrates 25+...

2.4k C++ Security
pgkt04

pgkt04/defender-control

Defender Control is an open-source Windows utility that disables Windows...

1.9k C++ Security
ZeroMemoryEx

ZeroMemoryEx/Chaos-Rootkit

Chaos-Rootkit is an x64 Ring 0 Windows kernel rootkit designed for educational...

1.1k C++ Security
LSPosed

LSPosed/CorePatch

CorePatch is an Xposed Framework module for Android that disables signature...

3.1k Java Security
Xacone

Xacone/BestEdrOfTheMarket

BEOTM V3 is a low-level EDR (Endpoint Detection & Response) lab for security...

1.5k C++ Security
vs. alternatives
Nidhogg (2427 stars)

Similar star count; both are UEFI bootkits. Nidhogg appears slightly more popular. Direct feature comparison not possible from README alone, but both target kernel-level protections.

Chaos-Rootkit (1055 stars)

Lower adoption; similar technical domain. EfiGuard's focus on Windows boot chain may offer different scope or complexity tradeoffs.

defender-control (1870 stars)

Overlapping goal (circumvent enforcement) but likely different attack vector. defender-control may target runtime protection disable rather than boot-time patching.

edk2 (6075 stars)

UEFI reference implementation; much larger ecosystem but serves firmware developers, not end-user kernel modification. EfiGuard builds on UEFI abstractions; not a direct competitor.

UPGDSED/DSEFix (referenced in README)

Older DSE bypass techniques that EfiGuard improves upon or offers alternatives to. EfiGuard appears designed as a more robust successor in some use cases.