IDA plugin for UEFI analysis
This plugin allows you to automatically analyse the input UEFI images, as well as search for dependencies between UEFI images in firmware.
Analyser & Protocol explorer
Usage
- Copy uefi_analyser and uefi_analyser.py to your %IDA_DIR%/plugins directory
- Open the executable UEFI image in IDA and go to Edit->Plugins->UEFI analyser (alternatively, you can use the key combination Ctrl+Alt+U)
Example
Before analysis
After analysis
Protocol explorer window
Dependency browser & Dependency graph
Usage
- Analyse the firmware using analyse_fw_ida.py script with --all key

    UEFI_RETool
    A tool for UEFI firmware analysis with IDA Pro

    usage: python analyse_fw_ida.py [-h] [--all] [--pp_guids] [--get_efi_images]
                                    [--update_edk2_guids EDK2_PATH]
                                    firmware_path

    positional arguments:
      firmware_path     path to UEFI firmware for analysis

    optional arguments:
      -h, --help        show this help message and exit
      --all             analyse of all UEFI firmware modules and output of
                        information to .\log\ida_log_all.md file (example:
                        python analyse_fw_ida.py --all <firmware_path>)
      --pp_guids        analyse all UEFI firmware modules and save a table with
                        proprietry protocols to .\log\ida_pp_guids.md file
                        (example: python analyse_fw_ida.py --pp_guids
                        <firmware_path>)
      --get_efi_images  get all executable images from UEFI firmware (images
                        are stored in .\modules directory, example: python
                        analyse_fw_ida.py --get_efi_images <firmware_path>)

- Next to the ida_log_all.md file should be the ida_log_all.json file
- Load ida_log_all.json file to IDA (File->UEFI_RETool...) (alternatively, you can use the key combination Ctrl+Alt+J)





