NOTE: This utility is work in progress.
Scan for memory data structures as known from UEFI PI firmware, i.e., EDK2 and derivatives.
You can access EFI memory e.g. using a Linux kernel with full access to
/dev/mem.
Run make to build a statically linked release binary.
To run the command directly with arguments, you need to explicitly pass
--target x86_64-unknown-linux-gnu and put arguments behind a --:
cargo run --release --target x86_64-unknown-linux-gnu -- -f memdumpInvoke ems --file /dev/mem to locate occurrences of known EFI data
structures, via their tags and also by providing a custom --pattern.
Use the --offset and --limit arguments to narrow down the search.
It is recommended to get a copy of that memory for offline analysis.
For example, a Lenovo ThinkPad X270's EFI memory starts at 0xb56e4000.
That is the first address where an EFI memory "pool head" is found.
Dumping it with u-root's dd:
dd if=/dev/mem bs=4096 skip=0xb56e4 count=43292 of=/tmp/memdumpThe above example will dump about 190 MB. Put the resulting file on a USB drive or copy it over network to continue.
Rerun ems with --file again, passing the path to your copy.
You will need a kernel with specific settings to fully access /dev/mem.
To build your own, copy the file linux_ems_defconfig to your Linux tree in
the config directory as arch/x86/configs/ems_defconfig. For non-x86
architectures, adjust as necessary.
The configuration expects an initramfs. Pick your own or get one from
https://github.com/linuxboot/u-root-builder as you like. Add the ems command
to your custom initramfs or load it through your preferred mechanism later.
Build the kernel with the defconfig:
make ems_defconfig
make -j8The resulting arch/x86/boot/bzImage is a PE32 binary that you can put on a FAT
partition on a GPT partitioned USB drive at EFI/BOOT/BOOTX64.EFI.
- reconstruct the memory to access the data