https://github.com/DSecurity/efiSeek

Ghidra analyzer for UEFI firmware.
https://github.com/DSecurity/efiSeek

firmware ghidra-plugin reverse-engineering uefi

Last synced: 5 months ago
JSON representation

Ghidra analyzer for UEFI firmware.

• Host: GitHub
• URL: https://github.com/DSecurity/efiSeek
• Owner: DSecurity
• License: apache-2.0
• Created: 2020-07-04T11:09:15.000Z (almost 5 years ago)
• Default Branch: master
• Last Pushed: 2023-07-04T13:19:32.000Z (almost 2 years ago)
• Last Synced: 2024-04-08T20:14:17.609Z (about 1 year ago)
• Topics: firmware, ghidra-plugin, reverse-engineering, uefi
• Language: Java
• Homepage:
• Size: 1.41 MB
• Stars: 300
• Watchers: 16
• Forks: 19
• Open Issues: 6
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-uefi-security - efiSeek
• awesome-ghidra - efiSeek for Ghidra - The analyzer automates the process of researching EFI files. (Ghidra Scripts/Plugins/Extension)

README

        
# ***efiSeek for Ghidra***

## About

The analyzer automates the process of researching EFI files, helps to discover and analyze well-known protocols, smi handlers, etc.

## Features

### Finds known EFI GUID's

![guids](./img/guids.png)

### Identifies protocols located with `LOCATE_PROTOCOL` function

![locateProtocols](./img/locateProtocols.png)

### Identifies functions used as the `NOTIFY` function

![notify](./img/notify.png)

### Identifies protocols installed in the module through `INSTALL_PROTOCOL_INTERFACE`

![install](./img/install.png)

### Identifies functions used as an interrupt function (like some hardware, software/child interrupt)

![ioTrap](./img/ioTrap.png)

![sx](./img/sx.png)

![child](./img/child.png)

![sw](./img/sw.png)

### Script for loading efi modules to relevant directories in `Headless mode`

Sorting smm modules relying on meta information into next folders:

* SwInterrupts

* ChildInterrupts

* HwInterrupts

* UnknownInterrupts

![sort](img/sort.png)

## Installation

Set `GHIDRA_INSTALL_DIR` environment variable to ghidra path.

Start `gradlew.bat`, after the completion of building a copy archive from the `dist` directory to `GHIDRA_HOME_DIR/Extensions/Ghidra/`.

And turn on this extention in your ghidra.

## Usage

After installation you are free to use this analyzer. If you open a EFI file, the analyzer appears selected automatically.

To start the analyzer, press `A` or `Analysis/Auto Analyze` and press `Analyze`.

## References

* https://github.com/al3xtjames/ghidra-firmware-utils

* https://github.com/danse-macabre/ida-efitools/