firmware security

Analyzing UEFI Bootkit Persistence

Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash, EFI System Partition (ESP) modifications, Secure Boot bypass techniques, and UEFI variable manipulation. Covers detection of known bootkit families (BlackLotus, LoJax, MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection, chipsec-based firmware integrity verification, and Secure Boot configuration auditing. Activates for requests involving UEFI malware analysis, firmware persistence investigation, boot chain integrity verification, or Secure Boot bypass detection.

bootkitchipsecespfirmwarepersistencesecure-bootuefi
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • A compromised system re-establishes C2 communication after OS reinstallation or disk replacement
  • Secure Boot has been tampered with, disabled, or shows unexpected Machine Owner Key (MOK) enrollment
  • Firmware integrity verification fails against vendor-provided baselines
  • Memory forensics reveals rootkit components loading during early boot phase
  • Investigating advanced persistent threat (APT) campaigns known to deploy UEFI implants
  • Auditing firmware security posture for enterprise endpoint hardening

Do not use for standard MBR-based bootkits on legacy BIOS systems without UEFI; use MBR/VBR bootkit analysis instead.

Prerequisites

  • chipsec framework for SPI flash dumping, UEFI variable inspection, and firmware security modules
  • UEFITool / UEFIExtract for firmware volume parsing and DXE driver extraction
  • Python 3.8+ with struct, hashlib, subprocess, and os modules
  • Bootable Linux live USB for offline analysis (avoid running compromised OS)
  • Volatility 3 for memory forensics of boot-phase artifacts
  • YARA with UEFI malware rule sets for pattern-based detection
  • Access to vendor firmware baselines for integrity comparison

Workflow

Step 1: Dump SPI Flash Firmware

Acquire the UEFI firmware from the SPI flash chip for offline analysis:

# Using chipsec to dump SPI flash contents
python chipsec_util.py spi dump firmware_dump.rom
 
# Using flashrom as an alternative
flashrom -p internal -r firmware_dump.rom
 
# Verify dump integrity
sha256sum firmware_dump.rom
 
# Read SPI flash descriptor information
python chipsec_util.py spi info
 
# Check SPI flash region access permissions
python chipsec_main.py -m common.spi_access
 
# Verify BIOS write protection is enabled
python chipsec_main.py -m common.bios_wp
 
# Check SPI flash controller lock
python chipsec_main.py -m common.spi_lock

Step 2: Inspect UEFI Variables

Enumerate and analyze UEFI variables for unauthorized modifications:

# List all UEFI variables on a live system
python chipsec_util.py uefi var-list
 
# List UEFI variables from a SPI flash dump
python chipsec_util.py uefi var-list-spi firmware_dump.rom
 
# Read specific Secure Boot variables
python chipsec_util.py uefi var-read SecureBoot 8BE4DF61-93CA-11D2-AA0D-00E098032B8C
python chipsec_util.py uefi var-read SetupMode 8BE4DF61-93CA-11D2-AA0D-00E098032B8C
python chipsec_util.py uefi var-read PK 8BE4DF61-93CA-11D2-AA0D-00E098032B8C
python chipsec_util.py uefi var-read KEK 8BE4DF61-93CA-11D2-AA0D-00E098032B8C
python chipsec_util.py uefi var-read db D719B2CB-3D3A-4596-A3BC-DAD00E67656F
 
# Dump UEFI key databases for analysis
python chipsec_util.py uefi keys
 
# Check Secure Boot configuration module
python chipsec_main.py -m common.secureboot.variables

Step 3: Analyze EFI System Partition (ESP)

Inspect the ESP for unauthorized or modified boot components:

# Mount ESP (typically the first FAT32 partition, ~100-500MB)
mkdir /mnt/esp
mount /dev/sda1 /mnt/esp
 
# List all files on ESP with timestamps
find /mnt/esp -type f -exec ls -la {} \;
 
# Check for BlackLotus indicators - custom directory under ESP:/system32/
ls -la /mnt/esp/system32/ 2>/dev/null
 
# Verify Windows Boot Manager signature
sigcheck -a /mnt/esp/EFI/Microsoft/Boot/bootmgfw.efi
 
# Hash all EFI binaries for comparison against known-good values
find /mnt/esp -name "*.efi" -exec sha256sum {} \;
 
# Check for unauthorized .efi files outside standard directories
find /mnt/esp -name "*.efi" | grep -v "Microsoft\|Boot\|ubuntu\|grub"
 
# Look for grubx64.efi planted by BlackLotus
find /mnt/esp -name "grubx64.efi" -exec sha256sum {} \;
 
# Examine MeasuredBoot logs for anomalies (Windows)
# Logs located at C:\Windows\Logs\MeasuredBoot\

Step 4: Scan Firmware for Known Bootkit Signatures

Analyze the firmware dump for known UEFI malware patterns:

# Extract all firmware modules with UEFIExtract
UEFIExtract firmware_dump.rom all
 
# Generate firmware module whitelist from vendor baseline
python chipsec_main.py -m tools.uefi.whitelist -a generate,baseline.json,firmware_vendor.rom
 
# Compare current firmware against whitelist
python chipsec_main.py -m tools.uefi.whitelist -a check,baseline.json,firmware_dump.rom
 
# Scan firmware with UEFI-specific YARA rules
yara -r uefi_bootkits.yar firmware_dump.rom
 
# Scan extracted modules individually
find firmware_dump.rom.dump -name "*.efi" -exec yara -r uefi_bootkits.yar {} \;
 
# Check for modified CORE_DXE module (targeted by MoonBounce, CosmicStrand)
# Compare GUID and hash against vendor baseline

Step 5: Detect Secure Boot Bypass Mechanisms

Check for known Secure Boot bypass techniques:

# Check if Secure Boot is enabled
python chipsec_main.py -m common.secureboot.variables
 
# Verify SMM (System Management Mode) protections
python chipsec_main.py -m common.smm
 
# Check SMM BIOS write protection
python chipsec_main.py -m common.bios_smi
 
# On Windows - check boot configuration for bypass indicators
bcdedit /enum firmware
bcdedit /v
 
# Check for testsigning/nointegritychecks/debug flags
bcdedit | findstr /i "testsigning nointegritychecks debug"
 
# Verify HVCI (Hypervisor-enforced Code Integrity) is not disabled
# BlackLotus sets HKLM:\...\DeviceGuard\...\HypervisorEnforcedCodeIntegrity Enabled=0
reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled
 
# Check Secure Boot state via PowerShell
# Confirm-SecureBootUEFI returns True if properly enabled

Step 6: Perform Boot Chain Integrity Verification

Verify every component in the boot chain from firmware through kernel:

# Verify firmware integrity against vendor hash
sha256sum firmware_dump.rom
# Compare with vendor-published hash
 
# Verify bootloader signatures
sigcheck -a C:\Windows\Boot\EFI\bootmgfw.efi
sigcheck -a C:\Windows\System32\winload.efi
sigcheck -a C:\Windows\System32\ntoskrnl.exe
 
# Check for unsigned or invalid boot drivers
sigcheck -u -e C:\Windows\System32\drivers\
 
# Analyze Measured Boot logs for unexpected EFI_Boot_Services_Application entries
# BlackLotus components appear as EV_EFI_Boot_Services_Application
 
# Memory forensics for boot-phase artifacts
vol3 -f memory.dmp windows.modules
vol3 -f memory.dmp windows.driverscan

Step 7: Document UEFI Bootkit Analysis Findings

Compile a comprehensive analysis report:

Report should include:
- Firmware version, vendor, and platform identification
- SPI flash protection status (write protect, lock bits, access control)
- Secure Boot configuration and any bypass indicators detected
- UEFI variable anomalies (unauthorized keys, modified db/dbx, MOK enrollment)
- ESP contents inventory with hash verification against known-good baselines
- Firmware module comparison against vendor whitelist (added, modified, removed)
- Known bootkit family attribution with confidence level
- Boot chain integrity verification results for each component
- Remediation steps (reflash, key rotation, hardware replacement)
- MITRE ATT&CK mapping (T1542.001 - System Firmware, T1542.003 - Bootkit)

Key Concepts

Term Definition
UEFI Bootkit Malware that persists in UEFI firmware or the boot process, executing before the operating system loads and surviving OS reinstallation
SPI Flash Serial Peripheral Interface flash memory chip on the motherboard storing UEFI firmware; firmware-level bootkits like LoJax and MoonBounce modify SPI flash contents
EFI System Partition (ESP) FAT32 partition containing EFI bootloaders and drivers; bootkits like BlackLotus and ESPecter modify files on the ESP for persistence
Secure Boot UEFI security feature that verifies digital signatures of boot components; can be bypassed via vulnerabilities (CVE-2022-21894) or MOK enrollment
DXE Driver Driver Execution Environment driver loaded during UEFI boot; firmware implants inject malicious DXE drivers that execute before the OS
Machine Owner Key (MOK) User-installable Secure Boot key; BlackLotus enrolls attacker-controlled MOKs to sign malicious bootloaders
chipsec Intel platform security assessment framework for analyzing SPI flash, UEFI variables, Secure Boot, and hardware security configurations
HVCI Hypervisor-enforced Code Integrity, a Windows security feature that bootkits disable to load unsigned kernel drivers

Tools & Systems

  • chipsec: Intel framework for dumping SPI flash, reading UEFI variables, verifying firmware write protection, and Secure Boot configuration auditing
  • UEFITool: Open-source UEFI firmware image parser for inspecting firmware volumes, extracting DXE drivers, and comparing module GUIDs
  • sigcheck: Sysinternals utility for verifying digital signatures of EFI binaries and boot chain components
  • flashrom: Open-source SPI flash programmer for reading and writing firmware chips on supported platforms
  • YARA: Pattern matching engine used with UEFI-specific rule sets to detect known bootkit signatures in firmware dumps

Common Scenarios

Scenario: Investigating Persistent Compromise Surviving OS Reinstallation

Context: An enterprise endpoint was reimaged after a confirmed breach, but identical C2 beaconing resumed within hours. The endpoint has UEFI firmware with Secure Boot enabled, and a TPM 2.0 chip. The security team suspects a UEFI-level implant similar to BlackLotus or LoJax.

Approach:

  1. Boot the system from a trusted Linux live USB to avoid executing any compromised OS components
  2. Dump SPI flash firmware using chipsec_util.py spi dump for offline analysis
  3. Mount the ESP and hash all .efi files for comparison against known-good values from identical hardware
  4. Check for the ESP:/system32/ directory (BlackLotus indicator) and unauthorized grubx64.efi
  5. Extract firmware modules with UEFIExtract and compare GUID inventory against vendor baseline
  6. Verify Secure Boot variables -- look for unauthorized MOK enrollment or modified db/dbx
  7. Check SPI flash write protection and lock bits using chipsec modules
  8. Scan firmware dump and extracted modules with UEFI-specific YARA rules
  9. If BlackLotus is suspected, check registry for HVCI disabled and MeasuredBoot logs for anomalous entries

Pitfalls:

  • Running analysis from the compromised OS (rootkit components hide from live analysis)
  • Only checking the ESP without examining SPI flash firmware (misses firmware-level implants like LoJax, MoonBounce)
  • Assuming Secure Boot prevents all bootkits (CVE-2022-21894 and other bypasses exist)
  • Not preserving the original firmware dump before remediation (critical forensic evidence)
  • Reflashing firmware without verifying the vendor image is authentic and unmodified

Output Format

UEFI BOOTKIT PERSISTENCE ANALYSIS REPORT
============================================
System:           Lenovo ThinkPad X1 Carbon Gen 11
Firmware:         N3HET82W (1.54) - Lenovo UEFI BIOS
Platform:         Intel 13th Gen (Raptor Lake)
TPM:              2.0 (Infineon SLB 9672)
Secure Boot:      ENABLED (BYPASSED via CVE-2022-21894)
Analysis Method:  Linux live USB + chipsec + UEFITool
 
SPI FLASH PROTECTION STATUS
BIOS Write Protection:    DISABLED [!]
SPI Flash Lock (FLOCKDN): SET [OK]
SMM BIOS Write Protect:   DISABLED [!]
SPI Protected Ranges:     Region 0 only (descriptor)
 
UEFI VARIABLE ANALYSIS
SecureBoot:        Enabled (value=1)
SetupMode:         Disabled (value=0)
PK:                Lenovo Ltd. (legitimate)
KEK:               Microsoft + Lenovo (legitimate)
db:                MODIFIED - contains unauthorized entry [!]
  [!] Unknown certificate: CN=Secure Boot Signing, O=Unknown
  [!] Not present in vendor baseline db
MOK:               1 unauthorized key enrolled [!]
  [!] MOK enrolled: CN=shim, self-signed, not from distro vendor
 
ESP PARTITION ANALYSIS
Total EFI binaries:     12
Verified (signed):      9
Modified (hash mismatch): 2 [!]
Unauthorized:           1 [!]
 
  [!] EFI/Microsoft/Boot/bootmgfw.efi - MODIFIED
      Expected SHA-256: a3f2c8...
      Current SHA-256:  7b1e4d...
      Signature:        Valid (signed with unauthorized MOK)
 
  [!] EFI/Microsoft/Boot/grubx64.efi - UNAUTHORIZED
      SHA-256:  e9c1a7...
      Not present in vendor baseline
      Matches BlackLotus stage-2 loader signature
 
  [!] system32/ directory present on ESP (BlackLotus artifact)
      Directory empty (files deleted post-installation)
 
FIRMWARE MODULE ANALYSIS
Total firmware modules:   312
Vendor baseline modules:  312
Added modules:            0
Modified modules:         0
SPI flash integrity:      CLEAN (no firmware-level implant detected)
 
BOOTKIT ATTRIBUTION
Family:           BlackLotus
Confidence:       HIGH
Persistence:      ESP-based (not SPI flash)
Bypass Method:    CVE-2022-21894 (baton drop)
MITRE ATT&CK:    T1542.003 (Bootkit), T1553.006 (Code Signing Policy Modification)
 
INDICATORS OF COMPROMISE
- ESP:/system32/ directory (empty, post-cleanup artifact)
- ESP:/EFI/Microsoft/Boot/grubx64.efi (unauthorized, BlackLotus loader)
- Modified bootmgfw.efi (re-signed with attacker MOK)
- HVCI disabled via registry: DeviceGuard\...\Enabled = 0
- Unauthorized MOK enrollment in UEFI variable store
- MeasuredBoot log shows EV_EFI_Boot_Services_Application for grubx64.efi
 
REMEDIATION
1. Replace bootmgfw.efi with authentic copy from Windows installation media
2. Delete unauthorized grubx64.efi and system32/ directory from ESP
3. Reset Secure Boot keys to factory defaults (clear MOK, restore PK/KEK/db)
4. Enable BIOS write protection and verify SPI flash lock bits
5. Apply firmware update to latest version (patches CVE-2022-21894)
6. Enable HVCI and verify via Group Policy
7. Reimport only trusted certificates into Secure Boot db
8. Monitor MeasuredBoot logs for anomalous boot component loading
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md5.6 KB

API Reference: UEFI Bootkit Analysis Tools

chipsec - Platform Security Assessment Framework

SPI Flash Operations

python chipsec_util.py spi info                          # SPI flash info
python chipsec_util.py spi dump firmware.rom             # Dump entire SPI flash
python chipsec_util.py spi read 0x700000 0x100000 bios.bin  # Read specific region
python chipsec_util.py spi write 0x0 0x1000 data.bin     # Write to SPI flash

UEFI Variable Operations

python chipsec_util.py uefi var-list                     # List all UEFI variables
python chipsec_util.py uefi var-list-spi firmware.rom    # List vars from dump
python chipsec_util.py uefi var-read <name> <GUID>       # Read specific variable
python chipsec_util.py uefi var-find <name>              # Find variable by name
python chipsec_util.py uefi keys                         # Dump Secure Boot keys
python chipsec_util.py uefi tables                       # List UEFI tables
python chipsec_util.py uefi decode firmware.rom          # Decode firmware image

Security Assessment Modules

python chipsec_main.py -m <module>                       # Run security module
python chipsec_main.py -m common.secureboot.variables    # Secure Boot check
python chipsec_main.py -m common.bios_wp                 # BIOS write protection
python chipsec_main.py -m common.spi_lock                # SPI flash lock bits
python chipsec_main.py -m common.spi_access              # SPI region permissions
python chipsec_main.py -m common.spi_desc                # SPI descriptor check
python chipsec_main.py -m common.smm                     # SMM protection
python chipsec_main.py -m common.bios_smi                # SMI suppression

Firmware Whitelist Module

# Generate whitelist from known-good firmware
python chipsec_main.py -m tools.uefi.whitelist -a generate,baseline.json,vendor.rom
 
# Check firmware against whitelist
python chipsec_main.py -m tools.uefi.whitelist -a check,baseline.json,suspect.rom

Key Modules Reference

Module Purpose
common.secureboot.variables Verify Secure Boot PK, KEK, db, dbx variables
common.bios_wp Check BIOS region write protection (BIOSWE, BLE, SMM_BWP)
common.spi_lock Verify SPI flash controller lock (FLOCKDN)
common.spi_access Check SPI flash region read/write permissions
common.spi_desc Verify SPI flash descriptor is write-protected
common.smm Verify SMRAM range register protection (SMRR)
common.bios_smi Check SMI event configuration and suppression
tools.uefi.whitelist Generate and verify firmware module whitelists
tools.uefi.scan_image Scan firmware image for known vulnerabilities
tools.uefi.uefivar_fuzz Fuzz UEFI variable interface for vulnerabilities

UEFITool / UEFIExtract

UEFIExtract CLI

UEFIExtract firmware.rom all                             # Extract all modules
UEFIExtract firmware.rom <GUID> body                     # Extract specific module
UEFIExtract firmware.rom report                          # Generate report

Output Structure

Extracted firmware is organized by GUID into a directory tree containing:

  • PEI modules (Pre-EFI Initialization)
  • DXE drivers (Driver Execution Environment)
  • SMM drivers (System Management Mode)
  • Option ROMs
  • NVRAM variables

Secure Boot Variable GUIDs

Variable GUID Description
SecureBoot 8BE4DF61-93CA-11D2-AA0D-00E098032B8C Secure Boot enable status
SetupMode 8BE4DF61-93CA-11D2-AA0D-00E098032B8C Setup mode (keys not enrolled)
PK 8BE4DF61-93CA-11D2-AA0D-00E098032B8C Platform Key (root of trust)
KEK 8BE4DF61-93CA-11D2-AA0D-00E098032B8C Key Exchange Key
db D719B2CB-3D3A-4596-A3BC-DAD00E67656F Signature database (allowed)
dbx D719B2CB-3D3A-4596-A3BC-DAD00E67656F Forbidden signature database
MokList 605DAB50-E046-4300-ABB6-3DD810DD8B23 Machine Owner Key list

flashrom - SPI Flash Programmer

Syntax

flashrom -p internal -r firmware.rom                     # Read/dump flash
flashrom -p internal -w clean.rom                        # Write/reflash
flashrom -p internal --verify clean.rom                  # Verify contents
flashrom -p internal --flash-size                        # Show flash size
flashrom -L                                              # List supported chips

sigcheck - Signature Verification (Windows)

Syntax

sigcheck -a file.efi                                     # Full signature info
sigcheck -u -e C:\Windows\System32\drivers\              # Find unsigned drivers
sigcheck -c -h file.efi                                  # CSV output with hashes

bcdedit - Boot Configuration (Windows)

Syntax

bcdedit /enum firmware                                   # List firmware entries
bcdedit /v                                               # Verbose boot config
bcdedit | findstr /i "testsigning nointegritychecks"      # Check bypass flags

YARA - Firmware Pattern Scanning

UEFI Bootkit Rules

yara -r uefi_bootkits.yar firmware.rom                   # Scan firmware dump
yara -s -r rules.yar firmware.rom                        # Show matching strings

Example UEFI Detection Rule

rule BlackLotus_ESP_Indicator {
    meta:
        description = "Detects BlackLotus ESP-based bootkit artifacts"
        reference = "ESET Research 2023"
    strings:
        $mok_enroll = { 4D 00 6F 00 6B 00 4C 00 69 00 73 00 74 }
        $esp_path = "\\EFI\\Microsoft\\Boot\\grubx64.efi"
        $hvci_disable = "HypervisorEnforcedCodeIntegrity"
    condition:
        any of them
}

Scripts 1

agent.py21.8 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""UEFI bootkit persistence analysis agent for detecting firmware implants,
ESP modifications, Secure Boot bypasses, and UEFI variable manipulation."""

import argparse
import struct
import hashlib
import os
import sys
import subprocess
import re
import math
import json
from collections import Counter
from pathlib import Path

DISCLAIMER = """
==========================================================================
  AUTHORIZED USE ONLY -- This tool is intended for authorized firmware
  security assessments, incident response, and defensive security research.
  Analyzing UEFI firmware and boot components requires appropriate system
  access and authorization. Unauthorized firmware modification or Secure
  Boot key manipulation may render systems unbootable or violate policy.
==========================================================================
"""


# ---------------------------------------------------------------------------
# Known Bootkit Signatures and IOCs
# ---------------------------------------------------------------------------

KNOWN_BOOTKITS = {
    "BlackLotus": {
        "description": "First in-the-wild UEFI bootkit bypassing Secure Boot on fully patched Windows 11",
        "cve": "CVE-2022-21894",
        "persistence": "ESP-based (modifies bootmgfw.efi, enrolls attacker MOK)",
        "esp_indicators": ["system32/", "grubx64.efi"],
        "registry_indicators": {
            r"SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity": {
                "Enabled": 0
            }
        },
        "mitre": "T1542.003",
    },
    "LoJax": {
        "description": "First SPI flash firmware implant found in the wild (APT28/Fancy Bear)",
        "cve": None,
        "persistence": "SPI flash (injects DXE driver into firmware volume)",
        "firmware_indicators": ["rpcnetp.exe", "autoche.exe"],
        "dxe_modifications": True,
        "mitre": "T1542.001",
    },
    "MoonBounce": {
        "description": "SPI flash implant modifying CORE_DXE module to hook GetVariable()",
        "cve": None,
        "persistence": "SPI flash (modifies CORE_DXE firmware module)",
        "firmware_indicators": ["CORE_DXE modification", "GetVariable hook"],
        "dxe_modifications": True,
        "mitre": "T1542.001",
    },
    "CosmicStrand": {
        "description": "Firmware rootkit modifying CORE_DXE to hook kernel initialization",
        "cve": None,
        "persistence": "SPI flash (patches CORE_DXE)",
        "firmware_indicators": ["CORE_DXE modification", "kernel callback shellcode"],
        "dxe_modifications": True,
        "mitre": "T1542.001",
    },
    "ESPecter": {
        "description": "ESP-based bootkit that patches winload.efi to disable DSE",
        "cve": None,
        "persistence": "ESP-based (modifies Windows Boot Manager)",
        "esp_indicators": ["modified winload.efi", "unsigned kernel driver"],
        "mitre": "T1542.003",
    },
    "MosaicRegressor": {
        "description": "Multi-component UEFI implant using NTFS file drops via READY_TO_BOOT callbacks",
        "cve": None,
        "persistence": "SPI flash (READY_TO_BOOT callback for NTFS drops)",
        "firmware_indicators": ["fTA variable", "READY_TO_BOOT callback"],
        "dxe_modifications": True,
        "mitre": "T1542.001",
    },
    "Bootkitty": {
        "description": "First UEFI bootkit targeting Linux systems",
        "cve": None,
        "persistence": "ESP-based (modifies GRUB bootloader)",
        "esp_indicators": ["modified grubx64.efi"],
        "mitre": "T1542.003",
    },
}

# UEFI Secure Boot variable GUIDs
SECUREBOOT_GUID = "8BE4DF61-93CA-11D2-AA0D-00E098032B8C"
IMAGE_SECURITY_GUID = "D719B2CB-3D3A-4596-A3BC-DAD00E67656F"

# Standard UEFI firmware volume GUIDs
KNOWN_FV_GUIDS = {
    "8C8CE578-8A3D-4F1C-9935-896185C32DD3": "Firmware File System (FFS) v2",
    "5473C07A-3DCB-4DCA-BD6F-1E9689E7349A": "Firmware File System (FFS) v3",
    "04ADEEAD-61FF-4D31-B6BA-64F8BF901F5A": "Apple ROM section",
    "16B45DA2-7D70-4AEA-A58D-760E9ECB841D": "DXE Core volume",
}


# ---------------------------------------------------------------------------
# ESP Partition Analysis
# ---------------------------------------------------------------------------

def scan_esp_partition(esp_mount_path):
    """Scan a mounted EFI System Partition for bootkit indicators."""
    findings = []
    if not os.path.isdir(esp_mount_path):
        return [{"severity": "ERROR", "message": f"ESP path not found: {esp_mount_path}"}]

    # Check for BlackLotus system32 directory
    system32_path = os.path.join(esp_mount_path, "system32")
    if os.path.exists(system32_path):
        findings.append({
            "severity": "CRITICAL",
            "indicator": "BlackLotus",
            "message": f"BlackLotus artifact: system32/ directory found on ESP at {system32_path}",
            "path": system32_path,
        })

    # Enumerate all EFI binaries
    efi_files = []
    for root, dirs, files in os.walk(esp_mount_path):
        for fname in files:
            if fname.lower().endswith(".efi"):
                full_path = os.path.join(root, fname)
                rel_path = os.path.relpath(full_path, esp_mount_path)
                file_hash = hash_file(full_path)
                file_size = os.path.getsize(full_path)
                efi_files.append({
                    "path": rel_path,
                    "full_path": full_path,
                    "sha256": file_hash,
                    "size": file_size,
                })

    # Check for unauthorized grubx64.efi (BlackLotus indicator)
    for ef in efi_files:
        if "grubx64.efi" in ef["path"].lower():
            # grubx64.efi on a Windows-only system is suspicious
            findings.append({
                "severity": "HIGH",
                "indicator": "BlackLotus/Bootkitty",
                "message": f"Suspicious grubx64.efi found: {ef['path']} ({ef['size']} bytes)",
                "sha256": ef["sha256"],
            })

    # Check for files outside standard EFI directories
    standard_dirs = {"efi", "boot", "microsoft", "ubuntu", "debian", "fedora", "grub"}
    for ef in efi_files:
        parts = Path(ef["path"]).parts
        top_dirs = {p.lower() for p in parts[:-1]}
        if not top_dirs.intersection(standard_dirs):
            findings.append({
                "severity": "MEDIUM",
                "indicator": "Unknown",
                "message": f"EFI binary in non-standard location: {ef['path']}",
                "sha256": ef["sha256"],
            })

    return findings, efi_files


def hash_file(file_path):
    """Compute SHA-256 hash of a file."""
    sha256 = hashlib.sha256()
    with open(file_path, "rb") as f:
        while True:
            chunk = f.read(65536)
            if not chunk:
                break
            sha256.update(chunk)
    return sha256.hexdigest()


# ---------------------------------------------------------------------------
# Firmware Analysis
# ---------------------------------------------------------------------------

EFI_FV_HEADER_MAGIC = b"_FVH"
PE_MAGIC = b"MZ"


def scan_firmware_dump(firmware_path):
    """Scan a raw firmware dump for EFI firmware volumes and PE/COFF executables."""
    if not os.path.isfile(firmware_path):
        return {"error": f"Firmware file not found: {firmware_path}"}

    file_size = os.path.getsize(firmware_path)
    with open(firmware_path, "rb") as f:
        data = f.read()

    firmware_hash = hashlib.sha256(data).hexdigest()
    results = {
        "file": os.path.basename(firmware_path),
        "size": file_size,
        "sha256": firmware_hash,
        "firmware_volumes": [],
        "pe_executables": [],
        "suspicious_strings": [],
    }

    # Find firmware volume headers (_FVH signature at offset 0x28 in FV header)
    offset = 0
    while offset < len(data) - 0x40:
        idx = data.find(EFI_FV_HEADER_MAGIC, offset)
        if idx == -1:
            break
        # FV header signature is at offset 0x28 from the start of the volume
        fv_start = idx - 0x28
        if fv_start >= 0:
            # Parse FV header length (8 bytes at offset 0x20)
            fv_length = struct.unpack_from("<Q", data, fv_start + 0x20)[0]
            # Extract GUID (16 bytes at offset 0x10)
            guid_bytes = data[fv_start + 0x10:fv_start + 0x20]
            guid_str = format_guid(guid_bytes)
            results["firmware_volumes"].append({
                "offset": f"0x{fv_start:08X}",
                "length": fv_length,
                "guid": guid_str,
                "description": KNOWN_FV_GUIDS.get(guid_str, "Unknown firmware volume"),
            })
        offset = idx + 4

    # Find PE/COFF executables (EFI binaries)
    offset = 0
    while offset < len(data) - 64:
        idx = data.find(PE_MAGIC, offset)
        if idx == -1:
            break
        # Verify PE header: check for "PE\0\0" at e_lfanew offset
        if idx + 0x3C < len(data):
            pe_offset = struct.unpack_from("<I", data, idx + 0x3C)[0]
            if idx + pe_offset + 4 < len(data):
                pe_sig = data[idx + pe_offset:idx + pe_offset + 4]
                if pe_sig == b"PE\x00\x00":
                    results["pe_executables"].append({
                        "offset": f"0x{idx:08X}",
                        "pe_header_offset": f"0x{idx + pe_offset:08X}",
                    })
        offset = idx + 2

    # Scan for suspicious strings in firmware
    suspicious_patterns = [
        (rb"rpcnetp", "LoJax dropper component"),
        (rb"autoche", "LoJax persistence component"),
        (rb"SmmAccessDxe", "Potential DXE driver modification target"),
        (rb"CORE_DXE", "Core DXE module (MoonBounce/CosmicStrand target)"),
        (rb"GetVariable", "UEFI runtime service (hooking target)"),
        (rb"SetVariable", "UEFI runtime service (variable manipulation)"),
        (rb"READY_TO_BOOT", "Boot event callback (MosaicRegressor indicator)"),
        (rb"\\EFI\\Microsoft\\Boot", "Windows boot path reference"),
        (rb"cmd\.exe", "Command shell reference in firmware (suspicious)"),
        (rb"powershell", "PowerShell reference in firmware (suspicious)"),
    ]
    for pattern, description in suspicious_patterns:
        matches = [m.start() for m in re.finditer(pattern, data, re.IGNORECASE)]
        if matches:
            results["suspicious_strings"].append({
                "pattern": pattern.decode("ascii", errors="replace"),
                "description": description,
                "occurrences": len(matches),
                "offsets": [f"0x{o:08X}" for o in matches[:5]],
            })

    return results


def format_guid(guid_bytes):
    """Format 16 raw GUID bytes into standard XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX form."""
    if len(guid_bytes) != 16:
        return guid_bytes.hex().upper()
    part1 = struct.unpack_from("<IHH", guid_bytes, 0)
    part2 = guid_bytes[8:16]
    return (f"{part1[0]:08X}-{part1[1]:04X}-{part1[2]:04X}-"
            f"{part2[0]:02X}{part2[1]:02X}-"
            f"{part2[2]:02X}{part2[3]:02X}{part2[4]:02X}"
            f"{part2[5]:02X}{part2[6]:02X}{part2[7]:02X}")


# ---------------------------------------------------------------------------
# Secure Boot Verification
# ---------------------------------------------------------------------------

def check_secure_boot_status():
    """Check Secure Boot status on the local system (Linux)."""
    results = {}
    # Try reading from efivarfs (Linux)
    efivar_path = "/sys/firmware/efi/efivars"
    if os.path.isdir(efivar_path):
        results["efi_available"] = True
        secureboot_var = os.path.join(
            efivar_path,
            f"SecureBoot-{SECUREBOOT_GUID.lower()}"
        )
        if os.path.exists(secureboot_var):
            with open(secureboot_var, "rb") as f:
                raw = f.read()
            # First 4 bytes are attributes, 5th byte is the value
            if len(raw) >= 5:
                value = raw[4]
                results["secure_boot_enabled"] = value == 1
                results["secure_boot_value"] = value
        setupmode_var = os.path.join(
            efivar_path,
            f"SetupMode-{SECUREBOOT_GUID.lower()}"
        )
        if os.path.exists(setupmode_var):
            with open(setupmode_var, "rb") as f:
                raw = f.read()
            if len(raw) >= 5:
                results["setup_mode"] = raw[4] == 1
    else:
        results["efi_available"] = False
        results["note"] = "Not a UEFI system or efivarfs not mounted"
    return results


# ---------------------------------------------------------------------------
# Chipsec Subprocess Interface
# ---------------------------------------------------------------------------

def run_chipsec_module(module_name, args=None):
    """Run a chipsec module via subprocess and return output."""
    cmd = ["python", "chipsec_main.py", "-m", module_name]
    if args:
        cmd.extend(["-a", args])
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
        return {
            "module": module_name,
            "stdout": result.stdout,
            "stderr": result.stderr,
            "rc": result.returncode,
            "passed": "PASSED" in result.stdout,
            "failed": "FAILED" in result.stdout or "WARNING" in result.stdout,
        }
    except FileNotFoundError:
        return {"module": module_name, "error": "chipsec not found in PATH", "rc": -1}
    except subprocess.TimeoutExpired:
        return {"module": module_name, "error": "chipsec module timed out", "rc": -2}


def run_chipsec_spi_dump(output_path):
    """Dump SPI flash contents via chipsec."""
    cmd = ["python", "chipsec_util.py", "spi", "dump", output_path]
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
        return {"stdout": result.stdout, "stderr": result.stderr, "rc": result.returncode}
    except FileNotFoundError:
        return {"error": "chipsec not found in PATH", "rc": -1}
    except subprocess.TimeoutExpired:
        return {"error": "SPI dump timed out", "rc": -2}


def run_firmware_security_audit():
    """Run a comprehensive set of chipsec security modules."""
    modules = [
        ("common.bios_wp", "BIOS region write protection"),
        ("common.spi_lock", "SPI flash controller lock"),
        ("common.spi_access", "SPI flash region access permissions"),
        ("common.spi_desc", "SPI flash descriptor security"),
        ("common.secureboot.variables", "Secure Boot variable configuration"),
        ("common.smm", "SMM protection (SMRAM range)"),
        ("common.bios_smi", "SMI suppression / BIOS write via SMI"),
    ]
    results = {}
    for module, description in modules:
        print(f"  Running: {module} ({description})...")
        result = run_chipsec_module(module)
        result["description"] = description
        results[module] = result
    return results


# ---------------------------------------------------------------------------
# Entropy Analysis for Firmware Regions
# ---------------------------------------------------------------------------

def firmware_entropy_map(firmware_path, block_size=4096):
    """Generate block-level entropy map to detect encrypted/compressed firmware regions."""
    results = []
    with open(firmware_path, "rb") as f:
        offset = 0
        while True:
            block = f.read(block_size)
            if not block:
                break
            counter = Counter(block)
            length = len(block)
            if length == 0:
                entropy = 0.0
            else:
                entropy = -sum(
                    (c / length) * math.log2(c / length)
                    for c in counter.values()
                )
            classification = "empty" if entropy < 1.0 else \
                            "code/data" if entropy < 5.0 else \
                            "compressed" if entropy < 7.5 else "encrypted/random"
            results.append({
                "offset": f"0x{offset:08X}",
                "entropy": round(entropy, 4),
                "classification": classification,
            })
            offset += len(block)
    return results


# ---------------------------------------------------------------------------
# Main Entry Point
# ---------------------------------------------------------------------------

def analyze_uefi_bootkit(target_path, target_type="firmware"):
    """Perform UEFI bootkit persistence analysis on a firmware dump or ESP mount point."""
    print("=" * 65)
    print("  UEFI Bootkit Persistence Analysis Agent")
    print("=" * 65)

    if target_type == "firmware" and os.path.isfile(target_path):
        print(f"\n[*] Analyzing firmware dump: {target_path}")
        print(f"[*] File size: {os.path.getsize(target_path)} bytes")
        print(f"[*] SHA-256: {hash_file(target_path)}")

        # Firmware volume and PE scan
        print("\n--- Firmware Structure Analysis ---")
        fw_results = scan_firmware_dump(target_path)
        print(f"  Firmware volumes found: {len(fw_results['firmware_volumes'])}")
        for fv in fw_results["firmware_volumes"]:
            print(f"    {fv['offset']}  GUID={fv['guid']}  Size={fv['length']}  [{fv['description']}]")
        print(f"  PE/COFF executables found: {len(fw_results['pe_executables'])}")
        for pe in fw_results["pe_executables"][:10]:
            print(f"    {pe['offset']}  (PE header at {pe['pe_header_offset']})")

        # Suspicious strings
        if fw_results["suspicious_strings"]:
            print("\n--- Suspicious Strings in Firmware ---")
            for ss in fw_results["suspicious_strings"]:
                print(f"  [!] {ss['description']}: \"{ss['pattern']}\" "
                      f"({ss['occurrences']} occurrences)")
                for off in ss["offsets"]:
                    print(f"      at {off}")

        # Entropy analysis
        print("\n--- Firmware Entropy Analysis ---")
        emap = firmware_entropy_map(target_path, block_size=16384)
        region_counts = Counter(e["classification"] for e in emap)
        for classification, count in region_counts.most_common():
            print(f"  {classification}: {count} blocks")

    elif target_type == "esp" and os.path.isdir(target_path):
        print(f"\n[*] Analyzing ESP mount point: {target_path}")

        # ESP analysis
        print("\n--- ESP Partition Analysis ---")
        findings, efi_files = scan_esp_partition(target_path)
        print(f"  Total EFI binaries: {len(efi_files)}")
        for ef in efi_files:
            print(f"    {ef['path']}  ({ef['size']} bytes)  SHA-256={ef['sha256'][:16]}...")

        if findings:
            print("\n--- Bootkit Indicators ---")
            for f in findings:
                print(f"  [{f['severity']}] {f['message']}")
        else:
            print("\n  No bootkit indicators found on ESP.")

    else:
        print(f"\n[ERROR] Invalid target: {target_path} (type={target_type})")
        return

    # Known bootkit reference
    print("\n--- Known UEFI Bootkit Families ---")
    for name, info in KNOWN_BOOTKITS.items():
        print(f"  {name}: {info['description']}")
        print(f"    Persistence: {info['persistence']}")
        print(f"    MITRE: {info['mitre']}")

    print("\n[*] Analysis complete.")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description="UEFI bootkit persistence analysis agent for detecting firmware "
                    "implants, ESP modifications, Secure Boot bypasses, and UEFI "
                    "variable manipulation.",
        epilog="Authorized use only. Requires appropriate system access for firmware analysis.",
    )
    parser.add_argument(
        "target",
        help="Path to a firmware dump (.rom, .bin) or a mounted ESP directory",
    )
    parser.add_argument(
        "--type", "-t",
        choices=["firmware", "esp", "auto"],
        default="auto",
        help="Target type: 'firmware' for SPI flash dumps, 'esp' for mounted ESP "
             "partition, 'auto' to detect (default: auto)",
    )
    parser.add_argument(
        "--check-secureboot", "-s",
        action="store_true",
        help="Check Secure Boot status on the local system (Linux efivarfs)",
    )
    parser.add_argument(
        "--run-chipsec-audit", "-c",
        action="store_true",
        help="Run comprehensive chipsec firmware security audit modules",
    )
    parser.add_argument(
        "--baseline", "-b",
        type=str, default=None,
        help="Path to known-good firmware baseline for comparison",
    )
    parser.add_argument(
        "--json-output", "-j",
        action="store_true",
        help="Output results in JSON format instead of text",
    )
    parser.add_argument(
        "--list-bootkits",
        action="store_true",
        help="List all known UEFI bootkit families in the database and exit",
    )

    args = parser.parse_args()
    print(DISCLAIMER)

    if args.list_bootkits:
        print("Known UEFI Bootkit Families:")
        print("-" * 50)
        for name, info in KNOWN_BOOTKITS.items():
            print(f"\n  {name}")
            print(f"    {info['description']}")
            print(f"    Persistence: {info['persistence']}")
            print(f"    MITRE ATT&CK: {info['mitre']}")
            if info.get("cve"):
                print(f"    CVE: {info['cve']}")
        sys.exit(0)

    target_type = args.type
    if target_type == "auto":
        target_type = "esp" if os.path.isdir(args.target) else "firmware"

    analyze_uefi_bootkit(args.target, target_type)

    if args.check_secureboot:
        print("\n--- Local Secure Boot Status ---")
        sb_status = check_secure_boot_status()
        for k, v in sb_status.items():
            print(f"  {k}: {v}")

    if args.run_chipsec_audit:
        print("\n--- Chipsec Firmware Security Audit ---")
        audit_results = run_firmware_security_audit()
        for module, result in audit_results.items():
            status = "PASSED" if result.get("passed") else "FAILED" if result.get("failed") else "UNKNOWN"
            print(f"  [{status}] {module}: {result.get('description', '')}")
Keep exploring