More IDA plugins for UEFI

The other day I posted a pointer to a new list of IDA plugins:

https://firmwaresecurity.com/2015/09/18/new-list-of-ida-plugins/

Here are a few more IDA plugins for UEFI; the new list only mentions danse-macabre's ida-efitools project:

https://github.com/danse-macabre/ida-efitools

http://ho.ax/posts/2012/09/ida-pro-scripts-for-efi-reversing/
https://github.com/snare/ida-efiutils/

https://github.com/gdbinit/TELoader

http://www.hexblog.com/?p=116

http://bioshacking.blogspot.com/2012/06/ida-pro-support-for-efi-byte-code-ebc.html

Also see chapters 4 and 22 (at least) of this new book:
https://www.nostarch.com/rootkits

Does anyone know of any others? If so, please leave a Comment (see left) or send email (see upper right). Thanks.

new list of IDA Plugins

There’s a new list of IDA Pro plugins:

https://twitter.com/agelastic/status/644766426973106177

Of the dozens on the list, besides the classics, I found a handful of interesting ones I’d never heard of, including these 3 ROM/firmware-related ones:

* Bootroom Analysis Library: IBAL is the IDA Pro Bootrom Analysis Library, which contains a number of useful functions for analyzing embedded ROMs.
* EFI Scripts: Some IDA scripts and tools to assist with reverse engineering EFI executables.
* Sega Genesis/Megadrive Tools: Special IDA Pro tools for the Sega Genesis/Megadrive romhackers. Tested work on v5.2, v6.6. Should work on other versions.

I’ve mentioned a few (3?) UEFI-centric IDA plugins in earlier blog posts, plugins I didn’t see on this list. I guess I need to track them down and help with this list.

https://github.com/onethawt/idaplugins-list/blob/master/README.md
https://github.com/onethawt/idaplugins-list/

tool: TELoader, TE image loader for IDA

The EFI Monster (@osxreverser) has just released a UEFI TE (Terse Executable) image loader for IDA. See the readme for a pointer to the 44con talk’s PDF, as well as the source:

https://github.com/gdbinit/TELoader


Immunity: free Infiltrate tickets for improving BinNavi

Dave Aitel of Immunity has announced free tickets to Infiltrate for people who can improve the recently-opensourced BinNavi project:

INFILTRATE Contests: BINNAVI
Every year, from HackCup to various coding challenges, we like to think of unique ways you can join us at THE BEST SECURITY CONFERENCE here in Miami next April 7th and 8th. We are starting this year with two new contests now that BinNavi is Open Sourced: 1) If you and your friends add Capstone (or another disassembler/analyzer) to BinNavi, to remove the IDA requirement, then we will send you three free tickets to INFILTRATE 2016! 2) If you and your friends integrate a decompiler with BinNavi, then we will also send you three free tickets to INFILTRATE 2016! If you do both, you get six free tickets to INFILTRATE.

Details:
https://lists.immunityinc.com/pipermail/dailydave/2015-August/000987.html

tool mini-review: UEFI Firmware Parser

Here’s a short review of “UEFI Firmware Parser”, a UEFI security/diagnostic tool by Teddy ‘theopolis’ Reed.

“The UEFI firmware parser is a simple module and set of scripts for parsing, extracting, and recreating UEFI firmware volumes. This includes parsing modules for BIOS, OptionROM, Intel ME and other formats. Features:
– UEFI Firmware Volumes, Capsules, FileSystems, Files, Sections parsing
– Intel PCH Flash Descriptors
– Intel ME modules parsing (for ARC5)
– Dell PFS (HDR) updates parsing
– Tiano/EFI, and native LZMA (7z) [de]compression
– Complete UEFI Firmware volume object hierarchy display
– Firmware descriptor [re]generation using the parsed input volumes
– Firmware File Section injection”

This package is actually three tools, not just one:

fv_parser.py is the UEFI Firmware Parser proper: it searches a file for UEFI firmware volumes. The other two tools/scripts are:

uefi_guids.py, which outputs the GUIDs of the files in a firmware image, can optionally write a GUID structure file, and can import GUID labels into IDA.

fv_injector.py, the GUID Injector, which replaces GUIDs on sections within a UEFI firmware file, or on UEFI firmware files within a firmware filesystem.

The tools are written in Python and require the Python development headers, GCC, and the Python pefile library. To install, use the normal:

$ sudo python ./setup.py install

Usage:

$ python ./scripts/fv_parser.py -h
usage: fv_parser.py [-h] [--type {VARIOUS_TYPES}]
                    [-b] [-q] [-o OUTPUT] [-e] [-g GENERATE] [--test]
                    file [file ...]
  -h, --help            show this help message and exit
  --type {VARIOUS_TYPES}
                        Parse files as a specific firmware type.
  -b, --brute           The input is a blob and may contain FV headers.
  -q, --quiet           Do not show info.
  -o OUTPUT, --output OUTPUT
                        Dump EFI Files to this folder.
  -e, --extract         Extract all files/sections/volumes.
  -g GENERATE, --generate GENERATE
                        Generate a FDF, implies extraction
  --test                Test file parsing, output name/success.

$ python ./scripts/uefi_guids.py -h
usage: uefi_guids.py [-h] [-c] [-b] [-d] [-g GENERATE] [-u] file
  -h, --help            show this help message and exit
  -c, --capsule         The input file is a firmware capsule, do not search.
  -b, --brute           The input file is a blob, search for firmware volume headers.
  -d, --flash           The input file is a flash descriptor.
  -g GENERATE, --generate GENERATE
                        Generate a behemonth-style GUID output.
  -u, --unknowns        When generating also print unknowns.

$ python ./scripts/fv_injector.py -h
usage: fv_injector.py [-h] [-c] [-p] [-f] [--guid GUID] --injection INJECTION
                      [-o OUTPUT]
                      file
  -h, --help            show this help message and exit
  -c, --capsule         The input file is a firmware capsule.
  -p, --pfs             The input file is a Dell PFS.
  -f, --ff              Inject payload into firmware file.
  --guid GUID           GUID to replace (inject).
  --injection INJECTION
                        Pre-generated EFI file to inject.
  -o OUTPUT, --output OUTPUT
                        Name of the output file.
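To make concrete what the -b/--brute option of fv_parser.py and uefi_guids.py has to do, here is an added, stand-alone example (my own code, not part of uefi-firmware-parser) that scans a blob for the '_FVH' signature, validates each candidate EFI_FIRMWARE_VOLUME_HEADER by its 16-bit checksum, and decodes the filesystem GUID and block map. The test image is constructed inline and contains a decoy '_FVH' string plus one real FFS2 volume; field layout and the FFS2 GUID follow the PI specification, the attribute value is just a sample.

```python
import struct
import uuid

FV_SIGNATURE = b"_FVH"  # EFI_FIRMWARE_VOLUME_HEADER.Signature sits 40 bytes into the header
FFS2_GUID = uuid.UUID("8C8CE578-8A3D-4F1C-9935-896185C32DD3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
# ZeroVector[16] FileSystemGuid[16] FvLength Signature Attributes HeaderLength Checksum ExtHdrOffset Reserved Revision
FV_HEADER = struct.Struct("<16s16sQ4sIHHHBB")  # fixed fields; the variable-length block map follows

def fv_checksum16(header):
    """16-bit additive checksum over the header bytes; a valid header sums to zero."""
    return sum(struct.unpack("<%dH" % (len(header) // 2), header[:len(header) & ~1])) & 0xFFFF

def parse_fv_header(blob, offset):
    """Validate and decode one firmware volume header, or return None if it is not one."""
    if offset < 0 or offset + FV_HEADER.size > len(blob):
        return None
    _, fs_guid, fv_len, sig, attrs, hdr_len, _, _, _, rev = FV_HEADER.unpack_from(blob, offset)
    if (sig != FV_SIGNATURE or hdr_len < FV_HEADER.size + 8 or offset + hdr_len > len(blob)
            or fv_checksum16(blob[offset:offset + hdr_len]) != 0):  # stray '_FVH' strings fail here
        return None
    block_map, pos = [], offset + FV_HEADER.size  # (NumBlocks, Length) pairs ended by (0, 0)
    while pos + 8 <= offset + hdr_len:
        num, length = struct.unpack_from("<II", blob, pos)
        pos += 8
        if num == 0 and length == 0:
            break
        block_map.append((num, length))
    return {"offset": offset, "fs_guid": str(uuid.UUID(bytes_le=fs_guid)).upper(), "length": fv_len,
            "attributes": attrs, "header_length": hdr_len, "revision": rev, "block_map": block_map}

def find_firmware_volumes(blob):
    """Brute-force scan for '_FVH' (what fv_parser.py -b does), keeping headers that validate."""
    found, pos = [], blob.find(FV_SIGNATURE)
    while pos >= 0:
        fv = parse_fv_header(blob, pos - 40)
        if fv:
            found.append(fv)
        pos = blob.find(FV_SIGNATURE, pos + 1)
    return found

def build_sample_volume(fv_len, block_size):
    """Construct a minimal checksum-valid FFS2 volume (sample data, not a real image)."""
    hdr_len = FV_HEADER.size + 16  # one block-map entry plus the (0, 0) terminator
    fields = [b"\0" * 16, FFS2_GUID.bytes_le, fv_len, FV_SIGNATURE, 0x0004FEFF, hdr_len, 0, 0, 0, 2]
    block_map = struct.pack("<IIII", fv_len // block_size, block_size, 0, 0)
    fields[6] = (-fv_checksum16(FV_HEADER.pack(*fields) + block_map)) & 0xFFFF  # fix up Checksum
    return FV_HEADER.pack(*fields) + block_map + b"\xff" * (fv_len - hdr_len)

# Constructed test image: erased flash, a decoy '_FVH' string with no valid header, one real volume.
SAMPLE_BLOB = b"\xff" * 64 + b"_FVH" + b"\x00" * 32 + build_sample_volume(0x1000, 0x1000)
```

Running find_firmware_volumes(SAMPLE_BLOB) yields exactly one volume at offset 100; the decoy is rejected because its header length and checksum do not validate.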

More Information:

https://raw.githubusercontent.com/theopolis/uefi-firmware-parser/master/README.rst
https://github.com/theopolis/uefi-firmware-parser