creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 13:44:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/analyzing-uefi-bootkit-persistence/references/api-reference.md
T

5.6 KiB
Raw Blame History

API Reference: UEFI Bootkit Analysis Tools

chipsec - Platform Security Assessment Framework

SPI Flash Operations

python chipsec_util.py spi info                          # SPI flash info
python chipsec_util.py spi dump firmware.rom             # Dump entire SPI flash
python chipsec_util.py spi read 0x700000 0x100000 bios.bin  # Read specific region
python chipsec_util.py spi write 0x0 0x1000 data.bin     # Write to SPI flash

UEFI Variable Operations

python chipsec_util.py uefi var-list                     # List all UEFI variables
python chipsec_util.py uefi var-list-spi firmware.rom    # List vars from dump
python chipsec_util.py uefi var-read <name> <GUID>       # Read specific variable
python chipsec_util.py uefi var-find <name>              # Find variable by name
python chipsec_util.py uefi keys                         # Dump Secure Boot keys
python chipsec_util.py uefi tables                       # List UEFI tables
python chipsec_util.py uefi decode firmware.rom          # Decode firmware image

Security Assessment Modules

python chipsec_main.py -m <module>                       # Run security module
python chipsec_main.py -m common.secureboot.variables    # Secure Boot check
python chipsec_main.py -m common.bios_wp                 # BIOS write protection
python chipsec_main.py -m common.spi_lock                # SPI flash lock bits
python chipsec_main.py -m common.spi_access              # SPI region permissions
python chipsec_main.py -m common.spi_desc                # SPI descriptor check
python chipsec_main.py -m common.smm                     # SMM protection
python chipsec_main.py -m common.bios_smi                # SMI suppression

Firmware Whitelist Module

# Generate whitelist from known-good firmware
python chipsec_main.py -m tools.uefi.whitelist -a generate,baseline.json,vendor.rom

# Check firmware against whitelist
python chipsec_main.py -m tools.uefi.whitelist -a check,baseline.json,suspect.rom

Key Modules Reference

Module Purpose
common.secureboot.variables Verify Secure Boot PK, KEK, db, dbx variables
common.bios_wp Check BIOS region write protection (BIOSWE, BLE, SMM_BWP)
common.spi_lock Verify SPI flash controller lock (FLOCKDN)
common.spi_access Check SPI flash region read/write permissions
common.spi_desc Verify SPI flash descriptor is write-protected
common.smm Verify SMRAM range register protection (SMRR)
common.bios_smi Check SMI event configuration and suppression
tools.uefi.whitelist Generate and verify firmware module whitelists
tools.uefi.scan_image Scan firmware image for known vulnerabilities
tools.uefi.uefivar_fuzz Fuzz UEFI variable interface for vulnerabilities

UEFITool / UEFIExtract

UEFIExtract CLI

UEFIExtract firmware.rom all                             # Extract all modules
UEFIExtract firmware.rom <GUID> body                     # Extract specific module
UEFIExtract firmware.rom report                          # Generate report

Output Structure

Extracted firmware is organized by GUID into a directory tree containing:

  • PEI modules (Pre-EFI Initialization)
  • DXE drivers (Driver Execution Environment)
  • SMM drivers (System Management Mode)
  • Option ROMs
  • NVRAM variables

Secure Boot Variable GUIDs

Variable GUID Description
SecureBoot 8BE4DF61-93CA-11D2-AA0D-00E098032B8C Secure Boot enable status
SetupMode 8BE4DF61-93CA-11D2-AA0D-00E098032B8C Setup mode (keys not enrolled)
PK 8BE4DF61-93CA-11D2-AA0D-00E098032B8C Platform Key (root of trust)
KEK 8BE4DF61-93CA-11D2-AA0D-00E098032B8C Key Exchange Key
db D719B2CB-3D3A-4596-A3BC-DAD00E67656F Signature database (allowed)
dbx D719B2CB-3D3A-4596-A3BC-DAD00E67656F Forbidden signature database
MokList 605DAB50-E046-4300-ABB6-3DD810DD8B23 Machine Owner Key list

flashrom - SPI Flash Programmer

Syntax

flashrom -p internal -r firmware.rom                     # Read/dump flash
flashrom -p internal -w clean.rom                        # Write/reflash
flashrom -p internal --verify clean.rom                  # Verify contents
flashrom -p internal --flash-size                        # Show flash size
flashrom -L                                              # List supported chips

sigcheck - Signature Verification (Windows)

Syntax

sigcheck -a file.efi                                     # Full signature info
sigcheck -u -e C:\Windows\System32\drivers\              # Find unsigned drivers
sigcheck -c -h file.efi                                  # CSV output with hashes

bcdedit - Boot Configuration (Windows)

Syntax

bcdedit /enum firmware                                   # List firmware entries
bcdedit /v                                               # Verbose boot config
bcdedit | findstr /i "testsigning nointegritychecks"      # Check bypass flags

YARA - Firmware Pattern Scanning

UEFI Bootkit Rules

yara -r uefi_bootkits.yar firmware.rom                   # Scan firmware dump
yara -s -r rules.yar firmware.rom                        # Show matching strings

Example UEFI Detection Rule

rule BlackLotus_ESP_Indicator {
    meta:
        description = "Detects BlackLotus ESP-based bootkit artifacts"
        reference = "ESET Research 2023"
    strings:
        $mok_enroll = { 4D 00 6F 00 6B 00 4C 00 69 00 73 00 74 }
        $esp_path = "\\EFI\\Microsoft\\Boot\\grubx64.efi"
        $hvci_disable = "HypervisorEnforcedCodeIntegrity"
    condition:
        any of them
}
Reference in New Issue View Git Blame Copy Permalink