UEFI Memory Forensics: A Framework for UEFI Threat Analysis

Kalanit Suzan Segal, Hadar Cochavi Gorelik, Oleg Brodt, Yuval Elbahar, Yuval Elovici, Asaf Shabtai

TL;DR

This paper addresses the lack of tooling for memory forensics in the pre-OS UEFI stage by introducing UEFI memory forensics, a framework comprising UefiMemDump for memory capture and UEFIDumpAnalysis for modular analysis. The approach enables detection of bootkit techniques such as function pointer and inline hooking, as well as malicious image loading, by analyzing UEFI service tables and loaded images in memory. Key contributions include a dual-implementation memory dumper (DXE driver and shell app), a modular analysis suite with data-structure parsing, hooking detection, and image carving, and an open-source release validated against modern threats like ThunderStrike, CosmicStrand, and Glupteba. The work demonstrates practical detection capabilities for firmware-level threats during the pre-OS phase and lays groundwork for extending below-OS security research through memory analysis of UEFI.

Abstract

Modern computing systems rely on the Unified Extensible Firmware Interface (UEFI), which has replaced the traditional BIOS as the firmware standard for the modern boot process. Despite the advancements, UEFI is increasingly targeted by threat actors seeking to exploit its execution environment and take advantage of its persistence mechanisms. While some security-related analysis of UEFI components has been performed--primarily via debugging and runtime behavior testing--to the best of our knowledge, no prior study has specifically addressed capturing and analyzing volatile UEFI runtime memory to detect malicious exploitation during the pre-OS phase. This gap in UEFI forensic tools limits the ability to conduct in-depth security analyses in pre-OS environments. Such a gap is especially surprising, given that memory forensics is widely regarded as foundational to modern incident response, reflected by the popularity of above-OS memory analysis frameworks, such as Rekall, Volatility, and MemProcFS. To address the lack of below-OS memory forensics, we introduce a framework for UEFI memory forensics. The proposed framework consists of two primary components: UefiMemDump, a memory acquisition tool, and UEFIDumpAnalysis, an extendable collection of analysis modules capable of detecting malicious activities such as function pointer hooking, inline hooking, and malicious image loading. Our proof-of-concept implementation demonstrates our framework's ability to detect modern UEFI threats, such as ThunderStrike, CosmicStrand, and Glupteba bootkits. By providing an open-source solution, our work enables researchers and practitioners to investigate firmware-level threats, develop additional analysis modules, and advance overall below-OS security through UEFI memory analysis.
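The abstract names function pointer hooking of the UEFI service tables as one of the behaviours UEFIDumpAnalysis detects. The following is an added worked example, not code from the paper or from the UEFIDumpAnalysis project, of what such a check looks like over a raw dump: it parses the x64 UEFI 2.x EFI_BOOT_SERVICES layout (EFI_TABLE_HEADER followed by 44 function pointers), verifies the header CRC32, and attributes every service pointer to a loaded image. The dump window, the image list, the DUMP_BASE/TABLE_ADDR addresses and the rule that the DXE core should own every boot service are assumptions constructed for the example.

```python
import struct
import zlib
from dataclasses import dataclass

# EFI_BOOT_SERVICES on x64 (UEFI 2.x): EFI_TABLE_HEADER followed by 44 function pointers.
BOOT_SERVICES_SIGNATURE = 0x56524553544F4F42  # "BOOTSERV" read as a little-endian UINT64
HEADER_FMT = "<QIIII"  # Signature, Revision, HeaderSize, CRC32, Reserved
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 24 bytes
CRC32_OFFSET = 16  # byte offset of the CRC32 field inside the header
SERVICE_NAMES = [
    "RaiseTPL", "RestoreTPL", "AllocatePages", "FreePages", "GetMemoryMap",
    "AllocatePool", "FreePool", "CreateEvent", "SetTimer", "WaitForEvent",
    "SignalEvent", "CloseEvent", "CheckEvent", "InstallProtocolInterface",
    "ReinstallProtocolInterface", "UninstallProtocolInterface", "HandleProtocol",
    "Reserved", "RegisterProtocolNotify", "LocateHandle", "LocateDevicePath",
    "InstallConfigurationTable", "LoadImage", "StartImage", "Exit", "UnloadImage",
    "ExitBootServices", "GetNextMonotonicCount", "Stall", "SetWatchdogTimer",
    "ConnectController", "DisconnectController", "OpenProtocol", "CloseProtocol",
    "OpenProtocolInformation", "ProtocolsPerHandle", "LocateHandleBuffer",
    "LocateProtocol", "InstallMultipleProtocolInterfaces",
    "UninstallMultipleProtocolInterfaces", "CalculateCrc32", "CopyMem", "SetMem",
    "CreateEventEx",
]


@dataclass(frozen=True)
class LoadedImage:
    """A loaded UEFI image (constructed sample; a real analysis takes these from the dump)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def parse_boot_services(dump: bytes, dump_base: int, table_addr: int) -> dict:
    """Parse the EFI_BOOT_SERVICES table at physical address table_addr in a dump whose
    first byte corresponds to physical address dump_base."""
    off = table_addr - dump_base
    sig, revision, hdr_size, crc, _reserved = struct.unpack_from(HEADER_FMT, dump, off)
    if sig != BOOT_SERVICES_SIGNATURE:
        raise ValueError(f"no BOOTSERV signature at {table_addr:#x}")
    count = (hdr_size - HEADER_SIZE) // 8
    ptrs = struct.unpack_from(f"<{count}Q", dump, off + HEADER_SIZE)
    # The header CRC32 covers the whole table with the CRC32 field itself zeroed.
    raw = bytearray(dump[off:off + hdr_size])
    struct.pack_into("<I", raw, CRC32_OFFSET, 0)
    return {
        "revision": revision,
        "crc_ok": zlib.crc32(bytes(raw)) == crc,
        "services": dict(zip(SERVICE_NAMES, ptrs)),
    }


def find_hooked_services(services: dict, images: list, expected_owner: str) -> list:
    """Flag every service pointer that does not resolve into the image expected to
    implement boot services (assumed to be the DXE core). Returns (service, addr, owner)."""
    findings = []
    for name, addr in services.items():
        owner = next((img.name for img in images if img.contains(addr)), None)
        if owner != expected_owner:
            findings.append((name, addr, owner))
    return findings


# ---- constructed sample: a 64 KiB window of physical memory starting at DUMP_BASE ----
DUMP_BASE = 0x7F000000
TABLE_ADDR = DUMP_BASE + 0x200
IMAGES = [
    LoadedImage("DxeCore", DUMP_BASE + 0x1000, 0x4000),
    LoadedImage("SuspiciousDxe", DUMP_BASE + 0x8000, 0x1000),
]
CLEAN_PTRS = [IMAGES[0].base + 0x40 * i for i in range(len(SERVICE_NAMES))]


def build_dump(ptrs: list) -> bytes:
    """Build a dump holding a well-formed table (valid CRC32) with the given pointers."""
    hdr_size = HEADER_SIZE + 8 * len(ptrs)
    body = struct.pack(HEADER_FMT, BOOT_SERVICES_SIGNATURE, 0x00020050, hdr_size, 0, 0)
    body += struct.pack(f"<{len(ptrs)}Q", *ptrs)
    body = body[:CRC32_OFFSET] + struct.pack("<I", zlib.crc32(body)) + body[CRC32_OFFSET + 4:]
    dump = bytearray(0x10000)
    dump[TABLE_ADDR - DUMP_BASE:TABLE_ADDR - DUMP_BASE + hdr_size] = body
    return bytes(dump)


def hooked_ptrs() -> list:
    """Pointer set with two hooks: one into a foreign driver, one into memory no image owns."""
    ptrs = list(CLEAN_PTRS)
    ptrs[SERVICE_NAMES.index("ExitBootServices")] = IMAGES[1].base + 0x40
    ptrs[SERVICE_NAMES.index("LocateProtocol")] = DUMP_BASE + 0xE000
    return ptrs


def patch_pointer_in_place(dump: bytes, name: str, addr: int) -> bytes:
    """Overwrite one slot without recomputing the header CRC32 (a careless modification)."""
    d = bytearray(dump)
    slot = TABLE_ADDR - DUMP_BASE + HEADER_SIZE + 8 * SERVICE_NAMES.index(name)
    struct.pack_into("<Q", d, slot, addr)
    return bytes(d)


def analyze(dump: bytes) -> dict:
    """Parse the table and attach the hooking findings."""
    table = parse_boot_services(dump, DUMP_BASE, TABLE_ADDR)
    table["hooks"] = find_hooked_services(table["services"], IMAGES, "DxeCore")
    return table


if __name__ == "__main__":
    for label, dump in (("clean", build_dump(CLEAN_PTRS)), ("hooked", build_dump(hooked_ptrs()))):
        result = analyze(dump)
        print(f"{label}: revision={result['revision']:#x} crc_ok={result['crc_ok']}")
        for name, addr, owner in result["hooks"]:
            print(f"  {name} -> {addr:#x} (owner: {owner or 'no loaded image'})")
```

Two checks are deliberately kept separate. The CRC32 check only catches a modification that forgot to recompute the header checksum; a table rebuilt with a valid CRC passes it, which is why the second check, attributing each pointer to the image that should implement the service, is the one that carries the detection. Inline hooking, the other technique the abstract names, needs a different check (comparing the first bytes of each service's code against the on-disk image) and is not covered by this block.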

Paper Structure

This paper contains 48 sections, 14 figures, 3 tables.

Figures (14)

  • Figure 1: UEFI system table and related components [uefi_pi_2023].
  • Figure 2: Function pointer hooking
  • Figure 3: Inline hooking
  • Figure 4: Framework Architecture.
  • Figure 5: The in-memory fields of the EFI Boot Services Table structure, showing metadata and function pointer addresses for the services.
  • ...and 9 more figures