UEFI

Laptop UEFI Manipulation

Links:
Microsoft's Open Source UEFI
Understanding modern UEFI-based platform boot
https://news.ycombinator.com/item?id=20703891

Looking at the UEFI image

If you have a firmware image, use UEFITool to parse it and walk down its structure.

If you want a more human-readable version of the same data, see Universal-IFR-Extractor.
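As an added example (not code from the original page or from UEFITool), this Python script does the first step of walking an image by hand: it finds firmware volumes by their `_FVH` signature and validates each header checksum. The field layout assumed here is the PI specification's EFI_FIRMWARE_VOLUME_HEADER; the function names and the sample image are constructed for illustration.

```python
import struct
import uuid

FVH_SIG = b"_FVH"        # EFI_FIRMWARE_VOLUME_HEADER.Signature
SIG_OFFSET = 40          # ZeroVector[16] + FileSystemGuid[16] + FvLength[8]
FIXED_LEN = 56           # header bytes before the block map
FIELDS = "<16sQ4sIHHHBB" # FileSystemGuid .. Revision (header offsets 16-55)

def word_sum(data: bytes) -> int:
    """16-bit sum of little-endian words; zero for a valid FV header."""
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF

def find_firmware_volumes(image: bytes) -> list:
    """Locate firmware volumes by signature, then validate each header."""
    volumes = []
    pos = image.find(FVH_SIG)
    while pos != -1:
        start = pos - SIG_OFFSET
        if start >= 0 and start + FIXED_LEN <= len(image):
            guid, fv_len, _, _, hdr_len, _, _, _, rev = struct.unpack_from(
                FIELDS, image, start + 16)
            header = image[start:start + hdr_len]
            if (hdr_len >= FIXED_LEN and hdr_len % 2 == 0
                    and len(header) == hdr_len and word_sum(header) == 0
                    and start + fv_len <= len(image)):
                volumes.append({
                    "offset": start, "length": fv_len, "revision": rev,
                    # EFI_GUID stores its first three fields little-endian.
                    "fs_guid": str(uuid.UUID(bytes_le=guid)).upper()})
        pos = image.find(FVH_SIG, pos + 1)
    return volumes

def build_sample_image() -> bytes:
    """Constructed input: padding, one valid volume, then a bare '_FVH' decoy."""
    ffs2 = uuid.UUID("8C8CE578-8A3D-4F1C-9935-896185C32DD3")  # FFSv2 file system
    body = bytes(128)
    hdr_len = FIXED_LEN + 16          # two block-map entries (one + terminator)
    fv_len = hdr_len + len(body)
    def header(checksum: int) -> bytes:
        return (bytes(16) + struct.pack(FIELDS, ffs2.bytes_le, fv_len, FVH_SIG,
                                        0, hdr_len, checksum, 0, 0, 2)
                + struct.pack("<IIII", 1, fv_len, 0, 0))
    fixed = header((-word_sum(header(0))) & 0xFFFF)
    decoy = b"\xff" * 48 + FVH_SIG + b"\xff" * 32
    return b"\xff" * 64 + fixed + body + decoy

if __name__ == "__main__":
    for fv in find_firmware_volumes(build_sample_image()):
        print(fv)
```

A signature match alone is not enough to trust a hit, which is why the decoy in the sample is rejected by the length and checksum checks.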

Parts of the Image

  • SEC: Security
  • PEI: Pre-EFI Initialization
  • DXE: Driver eXecution Environment
  • PEI module/DXE driver/UEFI application: Microsoft PE formatted files containing firmware code
  • Protocol: An instance of a struct identified by a GUID
  • PCH: Platform Controller Hub

UEFI Shell

Making a UEFI Application: https://www.rodsbooks.com/efi-programming/hello.html

Intel Boot Guard

Intel Boot Guard is used to verify the boot process.

Secure Boot

Secure Boot is designed to protect against malicious components coming from outside of the SPI flash memory.

Attacks against secure boot

https://medium.com/@matrosov/bypass-intel-boot-guard-cc05edfca3a9
https://medium.com/@matrosov/breaking-through-another-side-bypassing-firmware-security-boundaries-85807d3fe604

Bypasses

https://github.com/SamuelTulach
https://github.com/Mattiwatti/EfiGuard

Rootkits

LoJax
LoJax Breakdown

Most rootkits use SPI flash to ensure persistence. Some BIOS developers do not lock down SPI flash.

RWEverything can be used as a rootkit. It installs an OS driver that can be used to view information.

https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Jesse-Michael-Get-off-the-kernel-if-you-cant-drive.pdf