
GitHub repo

GitHub repo is here

Introduction

In practice, most real UEFI firmware is built with edk2. To simplify analysis, we can therefore match debug builds of UEFI modules against the release versions found in real firmware using BinDiff, and carry the symbols and comments over.

The debug-efi-elf-modules directory contains UEFI modules with debugging information, obtained by building the MdeModulePkg and OvmfPkg packages from edk2.

Software

IDA Pro

BinDiff with IDA Pro plugin

Usage

idb and i64 files generation

- extract the debug-efi-elf-modules directory from the debug-efi-elf-modules.7z archive
- copy the analyse_and_exit.py script to the idc directory of IDA (for example: C:\Program Files\IDA Pro 7.4\idc)
- check the values in the config.json file
- run the gen_idbs.py script to generate the idb and i64 files
- after the script runs, you should see the IDA database files next to each .debug file
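As an added illustration of what this step does (this is not the project's gen_idbs.py, and the config.json keys "ida32", "ida64" and "script" are assumptions), the script below walks the extracted debug-efi-elf-modules tree, reads the ELF class byte of each .debug module to decide between idat and idat64, and runs IDA in autonomous mode with the analysis script, which is assumed to wait for autoanalysis and then exit. Modules whose database already exists next to them are skipped, so reruns only fill in what is missing.

```python
"""
Added example, not the project's own gen_idbs.py: build one IDA database
per .debug ELF module in batch mode.

Assumed config.json layout (not taken from the page):
  {"ida32": "C:/.../idat.exe", "ida64": "C:/.../idat64.exe",
   "script": "analyse_and_exit.py"}
"""
import json
import subprocess
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2  # e_ident[EI_CLASS] values from the ELF specification


def elf_class(header: bytes) -> int:
    """Return ELFCLASS32 or ELFCLASS64 from the first five bytes of an ELF file.

    The class byte decides whether IDA produces a .idb (32-bit) or .i64
    (64-bit) database, so it also selects idat versus idat64.
    """
    if len(header) < 5 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    cls = header[4]
    if cls not in (ELFCLASS32, ELFCLASS64):
        raise ValueError(f"unsupported ELF class {cls}")
    return cls


def database_path(debug_file, cls: int) -> Path:
    """Database IDA writes next to the module, e.g. DxeCore.debug -> DxeCore.debug.i64."""
    debug_file = Path(debug_file)
    ext = ".i64" if cls == ELFCLASS64 else ".idb"
    return debug_file.with_name(debug_file.name + ext)


def ida_command(debug_file, cls: int, config: dict) -> list:
    """Command line for a headless IDA run.

    -A runs IDA in autonomous mode (no dialogs); -S<script> runs the given
    script after the file is loaded. The script name is assumed to resolve
    against the idc directory the page tells you to copy it into.
    """
    ida = config["ida64"] if cls == ELFCLASS64 else config["ida32"]
    return [ida, "-A", "-S" + config["script"], str(Path(debug_file))]


def generate_databases(root: Path, config: dict, run=subprocess.run) -> list:
    """Build a database for every *.debug file under root; return the paths generated.

    Modules that already have a database are skipped. `run` is injectable so
    the loop can be exercised without IDA installed.
    """
    generated = []
    for debug_file in sorted(root.rglob("*.debug")):
        with open(debug_file, "rb") as f:
            cls = elf_class(f.read(5))
        db = database_path(debug_file, cls)
        if db.exists():
            continue
        run(ida_command(debug_file, cls, config), check=True)
        generated.append(db)
    return generated


if __name__ == "__main__":
    cfg = json.loads(Path("config.json").read_text())
    for db in generate_databases(Path("debug-efi-elf-modules"), cfg):
        print("generated", db)
```

Reading only the ELF header to pick the right IDA binary matters because mixing them up silently yields the wrong database type, and BinDiff will then refuse to pair it with a release module of the other bitness.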

Analysing release versions of UEFI images with BinDiff IDA plugin

Check here to get started with the BinDiff IDA plugin.

If the plugin is installed:

- open the UEFI module in IDA
- choose File - BinDiff
- choose the .debug.idb or .debug.i64 file with the matching name from the debug-efi-elf-modules directory (for example, for the X64 DxeCore module choose debug-efi-elf-modules\X64\MdeModule\DxeCore.debug.i64 or debug-efi-elf-modules\X64\Ovmf\DxeCore.debug.i64)
- you can import symbols and comments from the Matched Functions window
- you can also compare the flow of execution of each matched function

Conclusion

Using this method, you can significantly reduce the time needed to analyse UEFI images.