The bn-uefi-helper from zznop

Derive protocol var names and types from params for boot services function calls

Analyze calls to gBS->LocateProtocol (and other APIs) to derive the protocol names and types from GUIDs and assign the protocol name and type to the variable.

Add remaining types from EDK-II

Ideally, for this to happen, BN will need to support bitfields. Related issue: Vector35/binaryninja-api#694

UDK EDK2: EFI_BOOT_SERVICES offset mismatch in EFI_SYSTEM_TABLE struct (__packed attribute not set)

First, thanks for this great plugin. It helps a lot.

While reversing an EFI binary build with UEFI Development Kit I realize there is an offset mismatch
of EFI_BOOT_SERVICES in EFI_SYSTEM_TABLE struct. This plugin tells me it should have an offset of 0x70
But in edk2 it is 0x60.

How to reproduce:

Build HelloWorld.efi and compare UefiBootServicesTableLibConstructor() in MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.c

Source code:

EFI_STATUS
EFIAPI
UefiBootServicesTableLibConstructor (
  IN EFI_HANDLE        ImageHandle,
  IN EFI_SYSTEM_TABLE  *SystemTable
  )
{
  //
  // Cache the Image Handle
  //
  gImageHandle = ImageHandle;
  ASSERT (gImageHandle != NULL);

  //
  // Cache pointer to the EFI System Table
  //
  gST = SystemTable;
  ASSERT (gST != NULL);

  //
  // Cache pointer to the EFI Boot Services Table
  //
  gBS = SystemTable->BootServices;
  ASSERT (gBS != NULL);

  return EFI_SUCCESS;
}

HLIL:

000007b9  EFI_STATUS UefiBootServicesTableLibConstructor(EFI_HANDLE ImageHandle, struct EFI_SYSTEM_TABLE* SystemTable)

000007d7      data_46a0 = ImageHandle
000007fa      if (sub_75b() != 0 && data_46a0 == 0)
0000081f          sub_668(0x2d28)  {"/home/sylv/work/…"}
0000082f      data_46a8 = SystemTable
00000852      if (sub_75b() != 0 && data_46a8 == 0)
00000877          sub_668(0x2d28)  {"/home/sylv/work/…"}
0000088b      data_46b0 = SystemTable->StdErr
000008ae      if (sub_75b() != 0 && data_46b0 == 0)
000008d3          sub_668(0x2d28)  {"/home/sylv/work/…"}
000008db      return 0

LLIL snipped:

  20 @ 00000879  rax = [rbp + 0x18 {arg_10}].q
  21 @ 0000087d  rdx = [rax + 0x60 {EFI_SYSTEM_TABLE::StdErr}].q
  22 @ 00000881  rax = 0x46b0
  23 @ 0000088b  [rax {data_46b0}].q = rdx
  24 @ 0000088e  rax = 0x75b
  25 @ 00000898  call(rax)
  26 @ 0000089c  if (al == 0) then 36 @ 0x8d5 else 40 @ 0x89e

Relatet types in binary ninja:

struct EFI_SYSTEM_TABLE
{
    struct EFI_TABLE_HEADER Hdr;
    CHAR16* FirmwareVendor;
    UINT32 FirmwareRevision;
    EFI_HANDLE ConsoleInHandle;
    struct EFI_SIMPLE_TEXT_INPUT_PROTOCOL* ConIn;
    EFI_HANDLE ConsoleOutHandle;
    struct EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL* ConOut;
    EFI_HANDLE StandardErrorHandle;
    struct EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL* StdErr;
    struct EFI_RUNTIME_SERVICES* RuntimeServices;
    struct EFI_BOOT_SERVICES* BootServices;
    UINTN NumberOfTableEntries;
    struct EFI_CONFIGURATION_TABLE* ConfigurationTable;
};

struct EFI_TABLE_HEADER
{
    UINT64 Signature;
    UINT32 Revision;
    // 4 byte empty
    UINT32 HeaderSize;
    // 4 byte empty
    UINT32 CRC32;
    // 4 byte empty
    UINT32 Reserved;
};

It is probably related to EFI_TABLE_HEADER size, but I haven't investigated it yet.

Thanks!

zznop / bn-uefi-helper Goto Github PK

bn-uefi-helper's Introduction

bn-uefi-helper's People

Contributors

Stargazers

Watchers

Forkers

bn-uefi-helper's Issues

Derive protocol var names and types from params for boot services function calls

Add remaining types from EDK-II

UDK EDK2: EFI_BOOT_SERVICES offset mismatch in EFI_SYSTEM_TABLE struct (__packed attribute not set)

Loader for Terse Executables

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent