Analysing UEFI modules with the BinDiff IDA plugin
GitHub repo
GitHub repo is here
Introduction
Most real-world UEFI firmware is built with edk2. To simplify analysis, debug versions of the edk2 UEFI images can therefore be matched against the release versions extracted from real firmware using BinDiff.
The `debug-efi-elf-modules` directory contains UEFI images with debugging information that were obtained by building the MdeModulePkg and OvmfPkg packages from edk2.
Software
Usage
idb and i64 files generation
- extract the `debug-efi-elf-modules` directory from the `debug-efi-elf-modules.7z` archive
- copy the `analyse_and_exit.py` script to the `idc` IDA directory (for example: `C:\Program Files\IDA Pro 7.4\idc`)
- check the values in the `config.json` file
- run the `gen_idbs.py` script to generate `idb` and `i64` files
- after the script runs, you should see the IDA database files next to each `.debug` file
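As an added illustration of the generation step (this is not the repository's own `gen_idbs.py`), the script below walks the `debug-efi-elf-modules` tree, reads each `.debug` file's ELF header to decide between `idat` and `idat64`, and runs IDA in batch mode with `analyse_and_exit.py`. The IDA directory argument, the hypothetical script name `gen_debug_dbs.py`, and the assumption that `analyse_and_exit.py` waits for auto-analysis and then exits (saving the database) are mine, not the page's.

```python
import os
import struct
import subprocess
import sys
from pathlib import Path

# ELF e_machine values from the ELF specification, named after the edk2 architecture directories.
ELF_MACHINES = {0x03: "IA32", 0x3E: "X64", 0x28: "ARM", 0xB7: "AARCH64"}


def elf_class_and_machine(header: bytes):
    """Parse the first 20 bytes of an ELF header -> (is_64bit, machine_name)."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = header[4], header[5]  # class: 1=32-bit, 2=64-bit; data: 1=LE, 2=BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed ELF identification")
    (e_machine,) = struct.unpack_from(("<" if ei_data == 1 else ">") + "H", header, 18)
    return ei_class == 2, ELF_MACHINES.get(e_machine, f"0x{e_machine:x}")


def ida_command(ida_dir: str, header: bytes, debug_file: str, script="analyse_and_exit.py"):
    """Build the IDA batch command line for one .debug file.

    idat64 produces an .i64 database, idat an .idb. -A suppresses dialogs and
    -S runs the script once the file is loaded (assumed to wait for analysis and exit).
    """
    is64, _ = elf_class_and_machine(header)
    exe = ("idat64" if is64 else "idat") + (".exe" if os.name == "nt" else "")
    return [os.path.join(ida_dir, exe), "-A", f"-S{script}", debug_file]


def generate_databases(ida_dir: str, root="debug-efi-elf-modules", dry_run=False):
    """Run IDA over every .debug file below root; returns the commands issued."""
    commands = []
    for debug_file in sorted(Path(root).rglob("*.debug")):
        with open(debug_file, "rb") as f:
            header = f.read(20)
        try:
            cmd = ida_command(ida_dir, header, str(debug_file))
        except ValueError as err:
            print(f"skip {debug_file}: {err}", file=sys.stderr)  # not an ELF with a sane header
            continue
        commands.append(cmd)
        if not dry_run:
            subprocess.run(cmd, check=True)
    return commands


if __name__ == "__main__":
    # usage: python gen_debug_dbs.py <IDA directory> [root directory]  (hypothetical script name)
    root_dir = sys.argv[2] if len(sys.argv) > 2 else "debug-efi-elf-modules"
    for c in generate_databases(sys.argv[1], root_dir):
        print(" ".join(c))
```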
Analysing release versions of UEFI images with BinDiff IDA plugin
Check here to get started with BinDiff IDA plugin.
If the plugin is installed:
- open the UEFI module in IDA
- choose `File` - `BinDiff`
- choose the `.debug.idb` or `.debug.i64` file with a similar name from the `debug-efi-elf-modules` directory
  - for example, for the `DxeCoreX64` file choose `debug-efi-elf-modules\X64\MdeModule\DxeCore.debug.i64` or `debug-efi-elf-modules\X64\Ovmf\DxeCore.debug.i64`
- you can import symbols and comments in the `Matched Functions` window
- you can also compare the flow of execution for each function

Conclusion
Using this method, you can significantly reduce the time needed to analyse UEFI images.