
EfiSeek

Ghidra analyzer for UEFI firmware.

Install / Use

/learn @DSecurity/EfiSeek
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

efiSeek for Ghidra

About

The analyzer automates the process of researching EFI files and helps to discover and analyze well-known protocols, SMI handlers, etc.

Features

Finds known EFI GUIDs


Identifies protocols located with the LOCATE_PROTOCOL function


Identifies functions used as the NOTIFY function


Identifies protocols installed in the module through INSTALL_PROTOCOL_INTERFACE


Identifies functions used as interrupt functions (such as some hardware, software, or child interrupts)


Script for loading EFI modules to relevant directories in headless mode

Sorts SMM modules, relying on meta information, into the following folders:

  • SwInterrupts
  • ChildInterrupts
  • HwInterrupts
  • UnknownInterrupts
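
The known-GUID lookup listed first under Features depends on how an EFI_GUID is stored in an image: the first three fields are little-endian, the last eight bytes are kept as written. The sketch below is an added example, not efiSeek's own code; the three-entry table, the function names and the sample buffer are constructed for illustration.

```python
import uuid

# Constructed lookup table: three protocol GUIDs from the UEFI/PI
# specifications. A real GUID database is far larger.
KNOWN_GUIDS = {
    "5b1b31a1-9562-11d2-8e3f-00a0c969723b": "EFI_LOADED_IMAGE_PROTOCOL_GUID",
    "f4ccbfb7-f6e0-47fd-9dd4-10a8f150c191": "EFI_SMM_BASE2_PROTOCOL_GUID",
    "18a3c6dc-5eea-48c8-a1c1-b53389f98999": "EFI_SMM_SW_DISPATCH2_PROTOCOL_GUID",
}


def guid_bytes(text):
    """EFI_GUID as stored in a module: Data1/2/3 little-endian, Data4 as-is."""
    return uuid.UUID(text).bytes_le


def find_known_guids(image, table=KNOWN_GUIDS):
    """Return sorted (offset, name) pairs for every known GUID in `image`."""
    hits = []
    for text, name in table.items():
        needle = guid_bytes(text)
        pos = image.find(needle)
        while pos != -1:
            hits.append((pos, name))
            pos = image.find(needle, pos + 1)
    return sorted(hits)


def build_sample_image():
    """Constructed stand-in for a module's data section (not real firmware)."""
    image = bytearray(0x40)
    image[0x08:0x18] = guid_bytes("18a3c6dc-5eea-48c8-a1c1-b53389f98999")
    image[0x20:0x30] = guid_bytes("f4ccbfb7-f6e0-47fd-9dd4-10a8f150c191")
    # Decoy: a GUID in RFC 4122 big-endian byte order. EFI images do not
    # store GUIDs this way, so the scanner must not report it.
    image += uuid.UUID("5b1b31a1-9562-11d2-8e3f-00a0c969723b").bytes
    return bytes(image)


if __name__ == "__main__":
    for offset, name in find_known_guids(build_sample_image()):
        print(f"0x{offset:04x}  {name}")
```
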


Installation

Set the GHIDRA_INSTALL_DIR environment variable to the Ghidra path.

Start gradlew.bat. After the build completes, copy the archive from the dist directory to GHIDRA_HOME_DIR/Extensions/Ghidra/, then turn on this extension in your Ghidra.

Usage

After installation you are free to use this analyzer. If you open an EFI file, the analyzer appears selected automatically. To start the analyzer, press A or choose Analysis/Auto Analyze, then press Analyze.

References

  • https://github.com/al3xtjames/ghidra-firmware-utils
  • https://github.com/danse-macabre/ida-efitools/

GitHub Stars: 389
Category: Development
Updated: 1d ago
Forks: 34

Languages

Java

Security Score

100/100

Audited on Apr 4, 2026

No findings