
DSecurity/efiSeek


efiSeek for Ghidra

About

The analyzer automates the process of researching EFI files and helps to discover and analyze well-known protocols, SMI handlers, etc.

Features

Finds known EFI GUIDs


Identifies protocols located through the LOCATE_PROTOCOL function


Identifies functions used as NOTIFY functions


Identifies protocols installed in the module through INSTALL_PROTOCOL_INTERFACE


Identifies functions registered as interrupt handlers (hardware, software and child interrupts, e.g. IO trap, Sx, child and SW SMI handlers)


Includes a script for loading EFI modules into the relevant directories when Ghidra runs in headless mode

Sorts SMM modules into the following folders based on their metadata:

  • SwInterrupts
  • ChildInterrupts
  • HwInterrupts
  • UnknownInterrupts

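As an added illustration of the GUID-finding feature and the sorting step above (example code written for this page, not part of efiSeek): a Python sketch that scans a module image for the byte encoding of known SMM dispatch protocol GUIDs and picks one of the sort folders listed above. The GUID-to-folder mapping and the precedence order are assumptions, not efiSeek's rules; the sample image is constructed.

```python
import uuid

# Known SMM dispatch protocol GUIDs from the UEFI PI specification. Which sort
# folder each one maps to is an assumption made for this example.
KNOWN_GUIDS = {
    "18A3C6DC-5EEA-48B8-A1C1-B53A3D4B0B6B": ("EFI_SMM_SW_DISPATCH2_PROTOCOL", "SwInterrupts"),
    "456D2859-A84B-4E47-A2EE-3276D886997D": ("EFI_SMM_SX_DISPATCH2_PROTOCOL", "HwInterrupts"),
    "58DC368D-7BFA-4E77-ABBC-0E29418DF930": ("EFI_SMM_IO_TRAP_DISPATCH2_PROTOCOL", "HwInterrupts"),
}

def guid_bytes(text):
    """Encode a GUID string as the 16 bytes it occupies inside an EFI image.
    EFI_GUID stores Data1/Data2/Data3 little-endian and Data4 as-is, which is
    exactly the layout uuid.UUID.bytes_le produces."""
    return uuid.UUID(text).bytes_le

def find_known_guids(image):
    """Scan raw image bytes for every known GUID; return sorted (offset, name) pairs."""
    hits = []
    for text, (name, _folder) in KNOWN_GUIDS.items():
        needle = guid_bytes(text)
        start = 0
        while (off := image.find(needle, start)) != -1:
            hits.append((off, name))
            start = off + 1
    return sorted(hits)

def sort_folder(image):
    """Choose the output folder for an SMM module from the dispatch protocols it
    references. Precedence Sw > Child > Hw is an assumption for this example;
    child handlers are registered via SmiHandlerRegister rather than a dispatch
    protocol GUID, so they are not modelled here. No known GUID -> Unknown."""
    folders = {KNOWN_GUIDS[t][1] for t in KNOWN_GUIDS if guid_bytes(t) in image}
    for folder in ("SwInterrupts", "ChildInterrupts", "HwInterrupts"):
        if folder in folders:
            return folder
    return "UnknownInterrupts"

# Constructed sample: fake module bytes with the SW dispatch GUID embedded at offset 8.
SAMPLE_IMAGE = b"MZ" + b"\x00" * 6 + guid_bytes("18A3C6DC-5EEA-48B8-A1C1-B53A3D4B0B6B") + b"\x90" * 16

if __name__ == "__main__":
    for off, name in find_known_guids(SAMPLE_IMAGE):
        print(f"0x{off:04x} {name}")
    print("folder:", sort_folder(SAMPLE_IMAGE))
```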

Installation

Set the GHIDRA_INSTALL_DIR environment variable to your Ghidra installation path.

Run gradlew.bat; once the build completes, copy the archive from the dist directory to GHIDRA_HOME_DIR/Extensions/Ghidra/ and enable the extension in Ghidra.

Usage

After installation you can use the analyzer. When you open an EFI file, the analyzer is selected automatically. To start it, press A (or choose Analysis/Auto Analyze) and press Analyze.

References