Efi-memory, EfiDump, and EFI_Driver_Access

Several OS-level device drivers provide interfaces to UEFI. CHIPSEC has one (actually three, for Mac, Windows, and Linux). FWTS has one for Linux. Each UEFI-aware OS has its own driver-level code to interact with UEFI, and some expose an API/DDI. Below are three other UEFI drivers. A secure OS should check for any drivers that interact with firmware and have a user policy for optionally preventing this. Do you know all the tools and drivers in your OS that interact with firmware?
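One way to start answering that question on Windows, as an added example that is not part of the original post or of the projects listed below: the drivers described here talk to a user-mode process through a UEFI variable write, which on Windows goes through SetFirmwareEnvironmentVariable and therefore requires SeSystemEnvironmentPrivilege; with "Audit Sensitive Privilege Use" enabled, each such call is recorded as Security event 4673. The script inventories which images exercise that privilege and flags any not on an allowlist. The event records, the allowlist and the image paths are constructed samples, not real logs.

```python
"""Inventory user-mode callers of the firmware-variable interface (added example)."""
from collections import Counter

# Real Windows identifiers: the Security event ID and the privilege name that
# SetFirmwareEnvironmentVariable requires.
PRIVILEGED_SERVICE_CALLED = 4673
FIRMWARE_VAR_PRIVILEGE = "SeSystemEnvironmentPrivilege"

# Constructed allowlist: images an administrator already knows touch firmware
# variables (e.g. the OS itself, firmware-update tooling). Adjust per site.
ALLOWLIST = {r"C:\Windows\System32\svchost.exe", r"C:\Program Files\fwupdate\fwupdate.exe"}

# Constructed, simplified 4673/4688 records (one flat dict per event).
SAMPLE_EVENTS = [
    {"EventID": 4673, "Privileges": "SeSystemEnvironmentPrivilege",
     "ProcessName": r"C:\Windows\System32\svchost.exe", "SubjectUserName": "SYSTEM"},
    {"EventID": 4673, "Privileges": "SeSystemEnvironmentPrivilege",
     "ProcessName": r"C:\Users\alice\Desktop\client.exe", "SubjectUserName": "alice"},
    {"EventID": 4673, "Privileges": "SeSystemEnvironmentPrivilege",
     "ProcessName": r"C:\Users\alice\Desktop\client.exe", "SubjectUserName": "alice"},
    {"EventID": 4673, "Privileges": "SeDebugPrivilege",
     "ProcessName": r"C:\Tools\procdump.exe", "SubjectUserName": "alice"},
    {"EventID": 4688, "Privileges": "",
     "ProcessName": r"C:\Windows\notepad.exe", "SubjectUserName": "alice"},
]


def firmware_variable_callers(events):
    """Map process image (lower-cased) -> number of 4673 events in which it
    used SeSystemEnvironmentPrivilege. The Privileges field may list several
    privilege names, separated by commas or whitespace."""
    callers = Counter()
    for ev in events:
        if ev.get("EventID") != PRIVILEGED_SERVICE_CALLED:
            continue
        privs = set(ev.get("Privileges", "").replace(",", " ").split())
        if FIRMWARE_VAR_PRIVILEGE in privs:
            callers[ev.get("ProcessName", "").lower()] += 1
    return callers


def unexpected_callers(events, allowlist=ALLOWLIST):
    """Images that exercised the firmware-variable privilege but are not allowlisted."""
    allowed = {p.lower() for p in allowlist}
    return {img: n for img, n in firmware_variable_callers(events).items() if img not in allowed}


if __name__ == "__main__":
    for image, count in sorted(unexpected_callers(SAMPLE_EVENTS).items()):
        print(f"REVIEW: {image} used the firmware variable interface {count}x")
```

Without the Sensitive Privilege Use audit subcategory enabled, no 4673 events are generated and the inventory will be empty, so check the audit policy before trusting a clean result.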

Efi-memory: Efi-memory is a proof-of-concept EFI runtime driver for reading and writing virtual memory. It uses EfiGuard's method of hooking SetVariable to communicate with the user-mode process.

https://github.com/SamuelTulach/efi-memory

EfiDump: Yet another PoC EFI runtime driver, this time for direct process memory read/write. It is a simple example of how a process dumper can work. If you want to use this for a more complex project, add memory checks (or you are going to be bluescreening every 5 minutes) and save the Windows kernel export pointers in the driver once, so you don't have to send them every time.

https://github.com/SamuelTulach/EfiDump

EFI_Driver_Access: EFI Driver Access is a simple project to load a driver during system boot, with the idea of giving the user kernel access to read/write memory without restrictions.

https://github.com/TheCruZ/EFI_Driver_Access
