Computer Science ›› 2012, Vol. 39 ›› Issue (10): 308-312.


Analysis and Detection of UEFI Bootkit

  

  • Online: 2018-11-16 Published: 2018-11-16

Abstract: This paper analyzes the working mechanism and key technologies of the UEFI Bootkit, extends the definition of a Trojan accordingly, and illustrates how the hiding techniques of a UEFI Bootkit differ from those of a Trojan. It builds a formal model of UEFI Bootkit cooperative concealment, shows an application of the model, and proves that detecting a Bootkit before the operating system kernel starts is more effective than detecting it after the operating system has started. We designed and developed a UEFI Bootkit detection system that works before the operating system kernel starts. The detection system was put through practical tests, and the results show that it achieves good results and is accurate.

Key words: UEFI, Formal description, Bootkit, Hiding technology, Trusted computing, Detection system
