So doesnt things like windows defender offline scans and other offline scans where the HD bitlocker codes is typed in manually not detect the rootkit?
Half the problem I find with these security products is knowing what their actual abilities are and inabilities. I've assumed wrongly in the past that some security products are doing things when in fact they are not, and thats obviously an area for exploitation.
Obviously requires admin permissions on a running host, but if you're injecting into the bootloader you're already admin (or you can get it easily).