Alex Matrosov

Hunting UEFI Firmware Implants

Duration: 4 days (5hrs for each day)

Date: 2nd to 5th November 2020


This training is cancelled due to unforeseen reasons, and students will receive a detailed email regarding the refund process.

This 3-day course introduces students to real-world attack scenarios on devices powered by UEFI firmware. The course starts with the low-level internals of the modern operating system boot process from the perspective of a security researcher interested in bootkit analysis, detection/forensics and vulnerability research. After the OS boot process, the course goes down to the firmware and discusses UEFI architecture and internals with a focus on security researchers' needs (including common vulnerabilities and design mistakes). The second part of the course focuses on UEFI firmware implants (from hardware and firmware perspectives); it covers threat modeling, attack surface, forensics, and reverse engineering. The course builds a mindset for hunting unknown firmware threats, including from the supply chain perspective.

Over the course, students will learn about UEFI internals from different perspectives, such as those of a firmware implant developer and a malware and vulnerability researcher. After the course, students will have knowledge of common firmware attacks, exploits, security feature bypasses and architectural mistakes in the firmware development process which can potentially lead to successful implant installation. Most of the exercises are hardware-based challenges specially created to provide the same environment as in real life.

Topics Covered

  • Common UEFI firmware vulnerabilities which lead to implant installation
  • Hunt for implants with common tools (UEFITool, CHIPSEC, RWEverything)
  • Reverse engineering UEFI drivers DXE/PEI (including QEMU automation tricks, IDAPython and custom plugins)
  • Forensic approaches for UEFI (including firmware acquisition with software and hardware tools such as GreatFET and DediProg)
  • Common security configuration mistakes and supply chain risk model

Course Outline

Day 1: digging down to the firmware

  • Modern OS boot process internals and reversing
  • Legacy bootkits case study, deep dive into boot sectors (MBR/VBR)
  • Evolution of bootkits, mess with OS bootloaders (MS Win10)
  • Introduction to UEFI world from security challenges perspective
  • Connection points between UEFI and OS (UEFI System/Runtime Services, ACPI, HW ports)
  • UEFI firmware boot process, hardware relations and where security features get enabled

Day 2: deep dive into UEFI internals

  • Different shades of UEFI Secure Boot
  • Intel Boot/BIOS Guards and where implementation fails
  • UEFI firmware update process from OS and UEFI shell
  • Introduction to the world of UEFI firmware implants
  • Types and classification of UEFI firmware/hardware implants
  • Creating a threat model/attack surface from the implant installation perspective
  • Differences from the implant perspective between UEFI firmware vendors: Coreboot and AMI/Phoenix/Insyde
  • Playing with IDA and Ghidra to understand implant behavior and nature

Day 3: dissecting UEFI implants

  • HW-based implants, let's dig into DMA attack surface
  • Hunt implants in a real-world environment
  • Introduction to common hardware and firmware supply-chain risk models
  • Dissecting supply chain problems on real-world hardware
  • Digging deeper into IDA and Ghidra code REconstruction specifics with UEFI flavor
  • REconstructing UEFI protocols and creating behavioral models
  • Creating effective YARA rules for implant detection
  • Understanding the impact of firmware implants through RE
  • RE automation for UEFI implants hunting (professional tricks)


The relative breakdown of the course materials is as follows:

  • 40% Lecture
  • 50% Lab
  • 10% Discussion


Students should have prior experience in reverse engineering and be familiar with malware analysis techniques.

What to bring?

Students should bring an x86 laptop with approximately 15GB of free space. A variety of (Python-based) tools will be installed and used, which can run on Linux and Windows. A VMware image with all tools installed will be provided, but students are free to install the tools directly on their own computer.

Students are encouraged to bring a computer with VMware Workstation already installed to reduce setup time.

Trainer bio:

Alex Matrosov is a well-recognized offensive security researcher. He has more than two decades of experience with reverse engineering, advanced malware analysis, firmware security, and exploitation techniques. Alex served as Senior Principal Security Researcher at Nvidia, Intel Security Center of Excellence (SeCoE), spent more than six years in the Intel Advanced Threat Research team, and was Senior Security Researcher at ESET. Alex has authored and co-authored numerous research papers, and is a frequent speaker at security conferences, including REcon, ZeroNights, Black Hat, DEFCON, and others. Additionally, he was awarded by Hex-Rays for the open-source plugin HexRaysCodeXplorer, which has been developed and supported since 2013 by REhint's team.