UEFI

Laptop UEFI Manipulation

Links:
UEFI Specification
Microsoft’s Open Source UEFI
Understanding modern UEFI-based platform boot
https://news.ycombinator.com/item?id=20703891

Looking at the UEFI image

If you have a firmware image, use UEFITool to parse it and walk down its structure.

If you want a more human-readable version of the same data, see Universal-IFR-Extractor.
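
What a tool like UEFITool does at the top level of an image, as an added example (not from the original page and not UEFITool's code): scan for firmware volume headers by their `_FVH` signature, then validate each header's length fields and 16-bit checksum. The layout follows the PI specification's EFI_FIRMWARE_VOLUME_HEADER; the sample image is constructed in the code.

```python
import struct
import uuid

# Fixed part of EFI_FIRMWARE_VOLUME_HEADER (PI spec): ZeroVector[16], FileSystemGuid,
# FvLength, Signature, Attributes, HeaderLength, Checksum, ExtHeaderOffset,
# Reserved, Revision. A block map of (NumBlocks, Length) pairs follows it.
FV_HEADER = struct.Struct("<16s16sQ4sIHHHBB")
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # FFSv2 file system

def checksum16(data):
    """16-bit sum of little-endian words; a valid FV header sums to zero."""
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF

def find_volumes(image):
    """Return one dict per plausible firmware volume found in image."""
    volumes = []
    pos = image.find(b"_FVH")
    while pos != -1:
        start = pos - 40  # the signature sits 40 bytes into the header
        if start >= 0 and start + FV_HEADER.size <= len(image):
            (_, guid, fv_len, _, attrs, hdr_len,
             _, _, _, rev) = FV_HEADER.unpack_from(image, start)
            # Reject stray "_FVH" strings: lengths must be sane and in bounds.
            if (FV_HEADER.size <= hdr_len <= fv_len and hdr_len % 2 == 0
                    and start + fv_len <= len(image)):
                header = image[start:start + hdr_len]
                volumes.append({
                    "offset": start, "length": fv_len, "revision": rev,
                    "guid": uuid.UUID(bytes_le=guid), "attributes": attrs,
                    "checksum_ok": checksum16(header) == 0,
                })
        pos = image.find(b"_FVH", pos + 4)
    return volumes

def build_sample_volume(fv_len=0x1000):
    """Constructed test input: an empty FFSv2 volume with a valid header."""
    block_map = struct.pack("<IIII", 1, fv_len, 0, 0)  # one block + terminator
    hdr_len = FV_HEADER.size + len(block_map)
    def pack(csum):
        return FV_HEADER.pack(b"\0" * 16, FFS2_GUID.bytes_le, fv_len, b"_FVH",
                              0, hdr_len, csum, 0, 0, 2) + block_map
    header = pack(-checksum16(pack(0)) & 0xFFFF)
    return header + b"\xff" * (fv_len - hdr_len)

if __name__ == "__main__":
    image = b"\xff" * 0x200 + build_sample_volume() + b"\xff" * 0x100  # constructed
    for fv in find_volumes(image):
        print("FV at 0x%x, %d bytes, %s, header checksum %s" % (
            fv["offset"], fv["length"], fv["guid"],
            "ok" if fv["checksum_ok"] else "BAD"))
```

A volume whose header checksum does not sum to zero, or whose GUID is not one you expect for the platform, is a good place to start a closer look in UEFITool.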

Parts of the Image

  • SEC: Security
  • PEI: Pre-EFI Initialization
  • DXE: Driver eXecution Environment
  • PEI module/DXE driver/UEFI application: Microsoft PE formatted files containing firmware code
  • Protocol: An instance of a struct identified by a GUID
  • PCH: Platform Controller Hub

UEFI Shell

[Making a UEFI Application](https://www.rodsbooks.com/efi-programming/hello.html)

Intel Boot Guard

Intel Boot Guard is used to verify the boot process.

Secure Boot

[Secure Boot](/Blue Team/Secure Boot.md) is designed to protect against malicious components coming from outside of the SPI flash memory.

Attacks against Secure Boot:

https://medium.com/@matrosov/bypass-intel-boot-guard-cc05edfca3a9
https://medium.com/@matrosov/breaking-through-another-side-bypassing-firmware-security-boundaries-85807d3fe604

Bypasses

https://github.com/SamuelTulach
https://github.com/Mattiwatti/EfiGuard

Rootkits

LoJax
LoJax Breakdown

Most rootkits use SPI flash to ensure persistence. Some BIOS developers do not lock down SPI flash.

RWEverything can be used as a rootkit. It installs an OS driver that can be used to view information.

https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Jesse-Michael-Get-off-the-kernel-if-you-cant-drive.pdf

UEFI Drivers

UEFI Boot-time Driver

  • A driver that extends UEFI during the pre-boot (firmware) phase only.
  • Gets unloaded or becomes useless once the OS loader calls ExitBootServices().

UEFI Runtime Driver

Most of UEFI is no longer running once the OS has booted, but some runtime drivers persist after boot. Using a kernel module, you can interact with these services. Runtime services that are not rootkits include NVRAM configuration, firmware update, and the system clock.