efiXplorer - IDA plugin for UEFI firmware analysis and reverse engineering automation
Contributors:
- Alex Matrosov (@matrosov)
- Andrey Labunets (@isciurus)
- Philip Lebedev (@p41l)
- Yegor Vasilenko (@yeggor)
Supported versions of Hex-Rays products: everytime we focus on last versions of IDA and Decompiler because we try to use most recent features from new SDK releases. That means we tested only on recent versions of Hex-Rays products and do not guarantee stable work on previous generations.
Why not IDApython: all code developed in C++ because it's a more stable and performant way to support a complex plugin and get full power of most recent SDK's features.
Supported Platforms: Windows, Linux and OSX (x86/x64).
efiXplorer Key features
Identify available Boot Services automatically
Annotate Boot Services calls in assembly code automatically
Identify available Runtime Services automatically
Annotate Runtime Services calls in assembly code automatically
Identify available SMM services automatically
Annotate SMM Services calls in assembly code automatically
Identify available PEI services automatically
Annotate PEI Services calls in assembly code automatically
Identify available EFI Protocols automatically
- Build the list of EFI Protocols firmware consumes and installes
Identify known EFI GUID's
- Build the list of identified EFI GUID's (including protocol names for known GUIDS)
efiXloader Key features
efiXloader
is an IDA Pro loader module, responsible for processing UEFI drivers within single IDA Pro instance.
UEFI drivers entry points identification
- During UEFI drivers analysis
efiXloader
identifies each driver's entry.
Navigation between different UEFI drivers
- Each UEFI driver is accessible within single IDA Pro instance for reverse-engineering.
UEFI drivers extraction
- All processed UEFI drivers are dropped into prepared folder.
efiXplorer + efiXloader in action
- All
efiXplorer
analysis capabilities can be applied to the whole UEFI firmware image (instead of reverse-engineering each single executable in a separate IDA session)
SMI handlers identification within the whole firmware
Build instruction
We try to make the build process for all supported platforms very simple, just use the build script to automate this process.
Build script
Usage: build.py [OPTIONS] IDASDK_DIR
Options:
--copy TEXT path to IDA plugins directory
--help Show this message and exit.
example of build process:
./build.py <IDASDK75_DIR>
Compilation with cmake
mkdir build
cd build
cmake .. -DIdaSdk_ROOT_DIR="/path/to/idasdk"
cmake --build . --config Release
efiXloader compilation and installation
The common steps are next.
cd efiXloader
mkdir build
cd build
cmake .. -DIdaSdk_ROOT_DIR="/path/to/idasdk"
cmake --build . --config Release
Installation
efiXplorer
Copy compiled binaries of efiXplorer
plugin and guids
directory to <IDA_DIR>/plugins
. Enjoy!
efiXloader
Copy builds/efiXloader64.dll
to <IDA_DIR>/loaders
.
Features summary table
Feature \ Bitness | 32-bit | 64-bit |
---|---|---|
Boot Services | + | + |
Runtime Services | + | + |
SMM services | - | + |
PEI Services | + | - |
Loader | - | + |