DSecurity/efiSeek

Latest commit: 573f4b9 by Евгений Рассказов, Apr 26, 2022 (25 commits)

efiSeek for Ghidra

About

The analyzer automates the process of researching EFI files and helps to discover and analyze well-known protocols, SMI handlers, etc.

Features

  • Finds known EFI GUIDs
    [screenshot: guids]
  • Identifies protocols located through the LOCATE_PROTOCOL function
    [screenshot: locateProtocols]
  • Identifies functions used as the NOTIFY function
    [screenshot: notify]
  • Identifies protocols installed by the module through INSTALL_PROTOCOL_INTERFACE
    [screenshot: install]
  • Identifies functions used as interrupt handlers (for example hardware, software or child interrupts)
    [screenshots: ioTrap, sx, child, sw]
  • Script for loading EFI modules into the relevant directories in Headless mode, sorting SMM modules by their meta information into the following folders:
      • SwInterrupts
      • ChildInterrupts
      • HwInterrupts
      • UnknownInterrupts
    [screenshot: sort]
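The features above rest on one primitive: recognising EFI_GUID constants in a module's data by their in-memory layout (Data1 as a little-endian u32, Data2 and Data3 as little-endian u16, Data4 as eight raw bytes) and looking them up in a table of known GUIDs. The following is an added example written for this page, not efiSeek's own code or its real sorting rules: it scans a constructed byte blob for a small excerpt of known GUIDs (values from the UEFI specification and the EDK II MdePkg headers) and then picks one of the sort folders named above. The folder mapping in FOLDER_BY_PROTOCOL, the function names and the sample image are all assumptions of this example; child handlers are not classified here.

```python
import uuid

# Excerpt of a known-GUID table (canonical text -> name). Values are from the
# UEFI specification / EDK II MdePkg headers; verify the SMM dispatch entries
# against your own headers. efiSeek ships a far larger table than this.
KNOWN_GUIDS = {
    "5B1B31A1-9562-11D2-8E3F-00A0C969723B": "EFI_LOADED_IMAGE_PROTOCOL_GUID",
    "964E5B22-6459-11D2-8E39-00A0C969723B": "EFI_SIMPLE_FILE_SYSTEM_PROTOCOL_GUID",
    "8BE4DF61-93CA-11D2-AA0D-00E098032B8C": "EFI_GLOBAL_VARIABLE_GUID",
    "18A3C6DC-5EEA-48B8-A1C1-B53817D99C3C": "EFI_SMM_SW_DISPATCH2_PROTOCOL_GUID",
    "456D2859-A84B-4E47-A2EE-3276D886997D": "EFI_SMM_SX_DISPATCH2_PROTOCOL_GUID",
}

# Assumed mapping from dispatch protocol to sort folder (not efiSeek's rules).
FOLDER_BY_PROTOCOL = {
    "EFI_SMM_SW_DISPATCH2_PROTOCOL_GUID": "SwInterrupts",
    "EFI_SMM_SX_DISPATCH2_PROTOCOL_GUID": "HwInterrupts",
}


def guid_to_bytes(text):
    """EFI_GUID in-memory layout: Data1 u32 LE, Data2 u16 LE, Data3 u16 LE,
    Data4 as 8 raw bytes. uuid's bytes_le is exactly that layout."""
    return uuid.UUID(text).bytes_le


def bytes_to_guid(raw):
    """Inverse of guid_to_bytes: canonical upper-case text form."""
    return str(uuid.UUID(bytes_le=raw)).upper()


def find_known_guids(image, align=1):
    """Return [(offset, name, guid_text)] for every known GUID in image.
    align=1 checks every offset (safe default); align=4 mirrors the usual
    alignment of GUID constants in .rdata/.data."""
    table = {guid_to_bytes(g): n for g, n in KNOWN_GUIDS.items()}
    hits = []
    for off in range(0, len(image) - 15, align):
        name = table.get(image[off:off + 16])
        if name is not None:
            hits.append((off, name, bytes_to_guid(image[off:off + 16])))
    return hits


def classify_smm_module(image):
    """Choose a sort folder: software dispatch wins over hardware (Sx)
    dispatch; a module referencing neither lands in UnknownInterrupts."""
    names = {name for _, name, _ in find_known_guids(image)}
    for proto in ("EFI_SMM_SW_DISPATCH2_PROTOCOL_GUID",
                  "EFI_SMM_SX_DISPATCH2_PROTOCOL_GUID"):
        if proto in names:
            return FOLDER_BY_PROTOCOL[proto]
    return "UnknownInterrupts"


def build_sample_image(protocols):
    """Constructed stand-in for a module's data section: 16 zero bytes, the
    requested known GUIDs at 4-byte-aligned offsets separated by 0xff
    padding, then one made-up GUID that must not match anything."""
    blob = bytearray(16)
    for text in protocols:
        blob += guid_to_bytes(text)
        blob += b"\xff" * 12
    blob += uuid.UUID("12345678-1234-5678-9ABC-DEF012345678").bytes_le
    return bytes(blob)


if __name__ == "__main__":
    img = build_sample_image(["5B1B31A1-9562-11D2-8E3F-00A0C969723B",
                              "18A3C6DC-5EEA-48B8-A1C1-B53817D99C3C"])
    for off, name, text in find_known_guids(img, align=4):
        print(f"0x{off:04x} {name} {text}")
    print("folder:", classify_smm_module(img))
```

Scanning raw bytes this way is what makes the analyzer independent of decompilation quality: a GUID constant is found even where the call that passes it has not been recognised yet. Note the byte order trap: the first three fields are stored little-endian, so a text GUID copied straight from a header will not match as ASCII or as big-endian bytes.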

Installation

Set the GHIDRA_INSTALL_DIR environment variable to your Ghidra installation path.

Run gradlew.bat. After the build completes, copy the archive from the dist directory to GHIDRA_HOME_DIR/Extensions/Ghidra/ and enable this extension in Ghidra.

Usage

After installation you are free to use this analyzer. When you open an EFI file, the analyzer is selected automatically. To start it, press A (or choose Analysis/Auto Analyze) and press Analyze.
