{"id":21437092,"url":"https://github.com/tandasat/wpbt-builder","last_synced_at":"2025-07-08T13:03:34.058Z","repository":{"id":46903715,"uuid":"415428652","full_name":"tandasat/WPBT-Builder","owner":"tandasat","description":"The simple UEFI application to create a Windows Platform Binary Table (WPBT) from the UEFI shell.","archived":false,"fork":false,"pushed_at":"2021-10-12T13:09:33.000Z","size":2886,"stargazers_count":78,"open_issues_count":0,"forks_count":21,"subscribers_count":7,"default_branch":"main","last_synced_at":"2023-08-04T17:08:24.350Z","etag":null,"topics":["acpi","uefi","wpbt"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tandasat.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-10-09T21:48:05.000Z","updated_at":"2023-06-08T09:47:37.000Z","dependencies_parsed_at":"2022-08-26T10:22:04.097Z","dependency_job_id":null,"html_url":"https://github.com/tandasat/WPBT-Builder","commit_stats":null,"previous_names":[],"tags_count":1,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tandasat%2FWPBT-Builder","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tandasat%2FWPBT-Builder/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tandasat%2FWPBT-Builder/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tandasat%2FWPBT-Builder/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tandasat","download_url":"https://codeload.github.com/tandasat/WPBT-Builder/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225982013,"owners_count":17554943,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["acpi","uefi","wpbt"],"created_at":"2024-11-23T00:17:46.293Z","updated_at":"2024-11-23T00:17:46.778Z","avatar_url":"https://github.com/tandasat.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"WPBT Builder\r\n=============\r\n\r\nThis is a simple UEFI application to create a Windows Platform Binary Table (WPBT) from the UEFI shell.\r\n\r\n![](Images/shell.jpg)\r\n\r\n![](Images/wpbt.jpg)\r\n\r\nMotivation\r\n-----------\r\n\r\nWPBT is one of the Advanced Configuration and Power Interface (ACPI) tables that allows pre-boot software to register a native NT application for its auto-execution when Windows starts up[[1](https://download.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/windows-platform-binary-table.docx)].\r\n\r\nSince WPBT provides a persistent mechanism for the Windows platform, it gained attention multiple times from a security community in the past. As the latest example, Eclypsium discovered that Windows executes the platform binary that was signed by a revoked certificate, allowing the use of the feature without having to own a legitimate certificate[[2](https://eclypsium.com/2021/09/23/everyone-gets-a-rootkit/)].\r\n\r\nAlthough WPBT has been a known concern for security-minded people for years, it remains to be obscure technology and a challenge for many of those who wish to assess the impacts and risks of potential (ab)use of WPBT. This is due to their unfamiliarity with UEFI programming, which is required to create or modify WPBT.\r\n\r\nGiven that, this program aims to help those security researchers examine the behaviour of WPBT by offering an easy interface to build it with an arbitrary platform binary file.\r\n\r\n\r\nUsage\r\n------\r\n\r\nPlatform Requirements\r\n- Tested on Windows 10 and 11 on UEFI\r\n- Physical machine (due to a lack of required UEFI protocol implementation)\r\n- Secure boot must be disabled to enter the UEFI shell\r\n\r\nTo run the WPBT Builder, follow the steps below:\r\n\r\n1. Preparing a USB thumb drive\r\n    1. Format the USB thumb drive for FAT32\r\n    2. Copy files and directories under `USB` to the USB drive\r\n2. Boot the target system from the USB drive\r\n    1. This is device-specific. Typically, hitting F2 or F12 while the OEM logo is displayed will bring to either the BIOS setup or boot menu, which lets us boot the system from the USB drive. Consult the OEM's documentation.\r\n3. Running the WPBT builder\r\n    1. Select the file-system that corresponds to the USB drive. This is typically `fs0:`\r\n        ```\r\n        Shell\u003e fs0:\r\n        fs0\u003e ls\r\n        ...\r\n        10/09/2021  13:25         35,648  WpbtBuilder.efi\r\n        ...\r\n        ```\r\n    2. Run the WpbtBuilder.efi with a path to the native NT application to be executed through WPBT, for example,\r\n        ```\r\n        fs0\u003e WpbtBuilder.efi NativeHello.exe\r\n        Successfully installed WPBT at: 0x40B98000\r\n          Binary location at: 0x40B8A018\r\n          Binary size: 0x1600\r\n          Command line size: 0x0\r\n        ```\r\n4. Continue booting Windows\r\n    1. Typically, exiting from the UEFI shell and selecting `Windows Boot Manager` from the boot menu is sufficient.\r\n        ```\r\n        fs0\u003e exit\r\n        ```\r\n\r\n\r\nConfirming Execution\r\n---------------------\r\n\r\nA cute turkey ASCII art is displayed if the accompanying native NT application (NativeHello.exe) is specified and successfully executed.\r\n\r\n![](Images/turkey.jpg)\r\n\r\nAlternatively, one can use the \"Boot Logging\" feature with Process Monitor to confirm the wpbbin.exe is started from smss.exe.\r\n\r\n![](Images/procmon.jpg)\r\n\r\n\r\nDebugging smss.exe\r\n-------------------\r\n\r\nTo debug smss.exe code that consumes WPBT, enable the kernel debugging and use the following Windbg commands on the first break-in.\r\n```\r\n\u003e ad /q ImageFileName; bp nt!PspInsertProcess \"aS /ma ${/v:ImageFileName} @@c++(((nt!_EPROCESS *) @rcx)-\u003eImageFileName); .block { .if ($spat(\\\"${ImageFileName}\\\", \\\"smss*\\\")) { } .else { gc }}\"; g\r\n\r\n\u003e .process /r /p @rcx; eb @$peb+2 1; g\r\n\r\n\u003e .reload /user; bu smss!NtProcessStartupW; g\r\n```\r\nIn the end, the debugger will break into the target at the entry point of smss.exe. This lets you debug code as you need.\r\n\r\n\r\nBuilding and Signing NativeHello\r\n---------------------------------\r\n\r\nUse Visual Studio 2019 to build it. Then, place the compiled binary into `WPBT-Builder\\NativeHello\\Signing` and run `SignNativeHello.bat` with the administrator privileges.\r\n\r\n```\r\n\u003ecd NativeHello\\Signing\r\n\u003ecopy /y ..\\x64\\Release\\NativeHello.exe .\r\n        1 file(s) copied.\r\n\u003eSignNativeHello.bat\r\nChanging the system clock for signing.\r\nThe following certificate was selected:\r\n    Issued to: HT Srl\r\n    Issued by: VeriSign Class 3 Code Signing 2010 CA\r\n    Expires:   Sat Aug 08 16:59:59 2015\r\n    SHA1 hash: 598B7172B3790CCCB7CB07388E0D0A644D614D9C\r\n\r\nCross certificate chain (using machine store):\r\n    Issued to: Microsoft Code Verification Root\r\n    Issued by: Microsoft Code Verification Root\r\n    Expires:   Sat Nov 01 06:54:03 2025\r\n    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3\r\n\r\n        Issued to: VeriSign Class 3 Public Primary Certification Authority - G5\r\n        Issued by: Microsoft Code Verification Root\r\n        Expires:   Mon Feb 22 12:35:17 2021\r\n        SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B\r\n\r\n            Issued to: VeriSign Class 3 Code Signing 2010 CA\r\n            Issued by: VeriSign Class 3 Public Primary Certification Authority - G5\r\n            Expires:   Fri Feb 07 16:59:59 2020\r\n            SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F\r\n\r\n                Issued to: HT Srl\r\n                Issued by: VeriSign Class 3 Code Signing 2010 CA\r\n                Expires:   Sat Aug 08 16:59:59 2015\r\n                SHA1 hash: 598B7172B3790CCCB7CB07388E0D0A644D614D9C\r\n\r\nDone Adding Additional Store\r\nSuccessfully signed: NativeHello.exe\r\n\r\nNumber of files successfully Signed: 1\r\nNumber of warnings: 0\r\nNumber of errors: 0\r\nRestoring the system clock for signing.\r\n```\r\n\r\n\r\nBuilding WpbtBuilder\r\n---------------------\r\n\r\nBuilding a UEFI application is painful if you have never done it. It is particularly true on Windows. The author strongly recommends using WSL (or Linux) for it. The following are the step-by-step instructions for it on WSL.\r\n\r\n1. Install VSCode on Windows. No change in install options is required. The installer can be downloaded from https://code.visualstudio.com/download.\r\n2. Install the \"Remote - WSL extension\" from https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-wsl\r\n3. On the WSL shell, check out the repository recursively.\r\n    ```\r\n    $ sudo apt update\r\n    $ sudo apt upgrade\r\n    $ sudo apt install git\r\n    $ git clone https://github.com/tandasat/WPBT-Builder.git --recursive\r\n    ```\r\n4. Install the required packages to build the program.\r\n    ```\r\n    $ sudo apt install build-essential uuid-dev iasl git gcc nasm python3-distutils\r\n    ```\r\n5. Open the WpbtTestPkg workspace with VSCode. Trust the authors if prompted.\r\n    ```\r\n    $ cp -r WpbtTestPkg/ edk2/\r\n    $ code edk2/WpbtTestPkg/WpbtTestPkg.code-workspace\r\n    Installing VS Code Server for x64 (93c2f0fbf16c5a4b10e4d5f89737d9c2c25488a3)\r\n    Downloading: 100%\r\n    Unpacking: 100%\r\n    ```\r\n6. Allow access for the private networks if prompted.\r\n7. Hit `Ctrl+Shift+B` to kick off the build. If successful, the Terminal tag in VSCode shows output like this.\r\n    ```\r\n    - Done -\r\n    Build end time: 15:50:31, Oct.09 2021\r\n    Build total time: 00:00:11\r\n\r\n    ✅ Successfully built onto (...)/WPBT-Builder/edk2/Build/WpbtTestPkg/NOOPT_GCC5/X64\r\n    ❗ Failed to copy WpbtBuilder.efi with error 4\r\n    ❗ Failed to copy startup.nsh with error 4\r\n\r\n    Terminal will be reused by tasks, press any key to close it.\r\n    ```\r\n8. Confirm that WpbtBuilder.efi is created.\r\n    ```\r\n    $ ls -l ./edk2/Build/WpbtTestPkg/NOOPT_GCC5/X64\r\n    ...\r\n    -rwxrwxrwx 1 user user  35520 Oct  9 15:50 WpbtBuilder.efi\r\n    ...\r\n    ```\r\n\r\n\r\nAcknowledgment\r\n---------------\r\n\r\n- Thanks [Mickey (@HackingThings)](https://twitter.com/HackingThings) for patiently helping me reproduce the reported behaviour.\r\n\r\n\r\nReferences\r\n-----------\r\n\r\n- [RWEverything](http://rweverything.com/) for checking contents of the ACPI tables from Windows\r\n- [acpidump.efi](https://acpica.org/downloads/uefi-support) ([source](https://github.com/acpica/acpica)) for doing the same from the UEFI shell\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftandasat%2Fwpbt-builder","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftandasat%2Fwpbt-builder","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftandasat%2Fwpbt-builder/lists"}