William has done another tool review, this time of Nikolaj’s CrScreenshotDxe tool. He does much longer blog posts on tool reviews than I do, so it is always nice to see another review from him. 🙂
[…] “Nikolaj did us all a great service by posting this utility on Github. It was easy to integrate and worked flawlessly.” […]
Bruno Pujos has a presentation entitled “Introduction to Reversing DXE drivers” from February of this year.
PDF: lt-2016-02-09-Bruno%20Pujos-RE%20DXE.pdf
If anyone knows where to find audio or video of this presentation, PLEASE leave a comment with a URL! Thanks.
Nikolaj has written a UEFI DXE driver that takes screenshots. In addition to being a useful new UEFI tool (taking pre-OS screenshots outside of a VMM is often a PITA), the article is a nice introduction to EFI development. Attackers can use techniques like this to capture display activity in the background, just as they do in OS-level malware.
UEFI DXE driver to take screenshots from a GOP-compatible graphic console: This DXE driver tries to register a keyboard shortcut (LCtrl + LAlt + F12) handler for all text input devices. The handler tries to find a writable FS, enumerates all GOP-capable video devices, takes screenshots from them and saves the result as PNG files on that writable FS. The main goal is to be able to make BIOS Setup screenshots for systems without serial console redirection support, but it can also be used to take screenshots from the UEFI shell, UEFI apps and UEFI bootloaders.
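The step the description above glosses over is turning what GOP hands back into an image file: GOP's Blt call fills a buffer of BGRX pixels, which has to be reordered to RGB before encoding. The following is an added example, not code from CrScreenshotDxe; it uses a hypothetical stand-in for the EDK2 pixel type so it compiles outside a firmware tree, and writes uncompressed PPM instead of PNG so it stays self-contained.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for EDK2's EFI_GRAPHICS_OUTPUT_BLT_PIXEL so the
 * example builds without firmware headers; the member order Blue, Green,
 * Red, Reserved is the one the UEFI GOP specification defines. */
typedef struct { uint8_t Blue, Green, Red, Reserved; } BltPixel;

/* Serialize a Width x Height Blt buffer (what GOP->Blt() with
 * EfiBltVideoToBltBuffer fills in) as a binary PPM image in memory.
 * PPM stands in for PNG here: same RGB8 row order, no compression.
 * Returns bytes written, or 0 if the output buffer is too small. */
size_t blt_to_ppm(const BltPixel *blt, uint32_t width, uint32_t height,
                  uint8_t *out, size_t out_len)
{
    char header[32];
    int hlen = snprintf(header, sizeof header, "P6\n%u %u\n255\n",
                        (unsigned)width, (unsigned)height);
    size_t pixels = (size_t)width * height;
    size_t need = (size_t)hlen + pixels * 3;
    if (hlen < 0 || out_len < need) return 0;
    memcpy(out, header, (size_t)hlen);
    uint8_t *p = out + hlen;
    for (size_t i = 0; i < pixels; i++) {
        /* GOP stores BGRX; image formats want RGB, Reserved is dropped. */
        *p++ = blt[i].Red;
        *p++ = blt[i].Green;
        *p++ = blt[i].Blue;
    }
    return need;
}

/* Constructed 2x2 sample frame standing in for a captured console. */
static const BltPixel SAMPLE_FRAME[4] = {
    {0x00, 0x00, 0xFF, 0}, /* red   */
    {0x00, 0xFF, 0x00, 0}, /* green */
    {0xFF, 0x00, 0x00, 0}, /* blue  */
    {0xFF, 0xFF, 0xFF, 0}, /* white */
};

int main(void)
{
    uint8_t img[64];
    size_t n = blt_to_ppm(SAMPLE_FRAME, 2, 2, img, sizeof img);
    FILE *f = fopen("screenshot.ppm", "wb");
    if (!n || !f) return 1;
    size_t w = fwrite(img, 1, n, f);
    return fclose(f) == 0 && w == n ? 0 : 1;
}
```

In the real driver the buffer comes from each enumerated GOP instance and the file is written through the located writable file system protocol; the pixel reordering is the same.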
See the readme and the blog post (in Russian) for more information: