Created
September 3, 2017 17:49
A basic "dbx" UEFI variable parser to dump blacklisted UEFI bootloader hashes
SignatureOwner | SHA256Hash | |
---|---|---|
00000000-0000-0000-0000-000000000000 | 6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 80B4D96931BF0D02FD91A61E19D14F1DA452E66DB2408CA8604D411F92659F0A | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | F52F83A3FA9CFBD6920F722824DBE4034534D25B8507246B3B957DAC6E1BCE7A | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | C5D9D8A186E2C82D09AFAA2A6F7F2E73870D3E64F72C4E08EF67796A840F0FBD | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 363384D14D1F2E0B7815626484C459AD57A318EF4396266048D058C5A19BBF76 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 1AEC84B84B6C65A51220A9BE7181965230210D62D6D33C48999C6B295A2B0A06 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | E6CA68E94146629AF03F69C2F86E6BEF62F930B37C6FBCC878B78DF98C0334E5 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | C3A99A460DA464A057C3586D83CEF5F4AE08B7103979ED8932742DF0ED530C66 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 58FB941AEF95A25943B3FB5F2510A0DF3FE44C58C95E0AB80487297568AB9771 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 5391C3A2FB112102A6AA1EDC25AE77E19F5D6F09CD09EEB2509922BFCD5992EA | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | D626157E1D6A718BC124AB8DA27CBB65072CA03A7B6B257DBDCBBD60F65EF3D1 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | D063EC28F67EBA53F1642DBF7DFF33C6A32ADD869F6013FE162E2C32F1CBE56D | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 29C6EB52B43C3AA18B2CD8ED6EA8607CEF3CFAE1BAFE1165755CF2E614844A44 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 90FBE70E69D633408D3E170C6832DBB2D209E0272527DFB63D49D29572A6F44C | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 075EEA060589548BA060B2FEED10DA3C20C7FE9B17CD026B94E8A683B8115238 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 07E6C6A858646FB1EFC67903FE28B116011F2367FE92E6BE2B36999EFF39D09E | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 09DF5F4E511208EC78B96D12D08125FDB603868DE39F6F72927852599B659C26 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 0BBB4392DAAC7AB89B30A4AC657531B97BFAAB04F90B0DAFE5F9B6EB90A06374 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 0C189339762DF336AB3DD006A463DF715A39CFB0F492465C600E6C6BD7BD898C | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 0D0DBECA6F29ECA06F331A7D72E4884B12097FB348983A2A14A0D73F4F10140F | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 0DC9F3FB99962148C3CA833632758D3ED4FC8D0B0007B95B31E6528F2ACD5BFC | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 106FACEACFECFD4E303B74F480A08098E2D0802B936F8EC774CE21F31686689C | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 174E3A0B5B43C6A607BBD3404F05341E3DCF396267CE94F8B50E2E23A9DA920C | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 18333429FF0562ED9F97033E1148DCEEE52DBE2E496D5410B5CFD6C864D2D10F | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 2B99CF26422E92FE365FBF4BC30D27086C9EE14B7A6FFF44FB2F6B9001699939 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 2BBF2CA7B8F1D91F27EE52B6FB2A5DD049B85A2B9B529C5D6662068104B055F8 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 2C73D93325BA6DCBE589D4A4C63C5B935559EF92FBF050ED50C4E2085206F17D | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 2E70916786A6F773511FA7181FAB0F1D70B557C6322EA923B2A8D3B92B51AF7D | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 306628FA5477305728BA4A467DE7D0387A54F569D3769FCE5E75EC89D28D1593 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 3608EDBAF5AD0F41A414A1777ABF2FAF5E670334675EC3995E6935829E0CAAD2 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 3841D221368D1583D75C0A02E62160394D6C4E0A6760B6F607B90362BC855B02 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 3FCE9B9FDF3EF09D5452B0F95EE481C2B7F06D743A737971558E70136ACE3E73 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 4397DACA839E7F63077CB50C92DF43BC2D2FB2A8F59F26FC7A0E4BD4D9751692 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 47CC086127E2069A86E03A6BEF2CD410F8C55A6D6BDB362168C31B2CE32A5ADF | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 518831FE7382B514D03E15C621228B8AB65479BD0CBFA3C5C1D0F48D9C306135 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 5AE949EA8855EB93E439DBC65BDA2E42852C2FDF6789FA146736E3C3410F2B5C | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 6B1D138078E4418AA68DEB7BB35E066092CF479EEB8CE4CD12E7D072CCB42F66 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 6C8854478DD559E29351B826C06CB8BFEF2B94AD3538358772D193F82ED1CA11 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 6F1428FF71C9DB0ED5AF1F2E7BBFCBAB647CC265DDF5B293CDB626F50A3A785E | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 71F2906FD222497E54A34662AB2497FCC81020770FF51368E9E3D9BFCBFD6375 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 726B3EB654046A30F3F83D9B96CE03F670E9A806D1708A0371E62DC49D2C23C1 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 72E0BD1867CF5D9D56AB158ADF3BDDBC82BF32A8D8AA1D8C5E2F6DF29428D6D8 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 7827AF99362CFAF0717DADE4B1BFE0438AD171C15ADDC248B75BF8CAA44BB2C5 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 81A8B965BB84D3876B9429A95481CC955318CFAA1412D808C8A33BFD33FFF0E4 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 82DB3BCEB4F60843CE9D97C3D187CD9B5941CD3DE8100E586F2BDA5637575F67 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 895A9785F617CA1D7ED44FC1A1470B71F3F1223862D9FF9DCC3AE2DF92163DAF | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 8AD64859F195B5F58DAFAA940B6A6167ACD67A886E8F469364177221C55945B9 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 8BF434B49E00CCF71502A2CD900865CB01EC3B3DA03C35BE505FDF7BD563F521 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 8D8EA289CFE70A1C07AB7365CB28EE51EDD33CF2506DE888FBADD60EBF80481C | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 9998D363C491BE16BD74BA10B94D9291001611736FDCA643A36664BC0F315A42 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 9E4A69173161682E55FDE8FEF560EB88EC1FFEDCAF04001F66C0CAF707B2B734 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | A6B5151F3655D3A2AF0D472759796BE4A4200E5495A7D869754C4848857408A7 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | A7F32F508D4EB0FEAD9A087EF94ED1BA0AEC5DE6F7EF6FF0A62B93BEDF5D458D | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | AD6826E1946D26D3EAF3685C88D97D85DE3B4DCB3D0EE2AE81C70560D13C5720 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | AEEBAE3151271273ED95AA2E671139ED31A98567303A332298F83709A9D55AA1 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | AFE2030AFB7D2CDA13F9FA333A02E34F6751AFEC11B010DBCD441FDF4C4002B3 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | B54F1EE636631FAD68058D3B0937031AC1B90CCB17062A391CCA68AFDBE40D55 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | B8F078D983A24AC433216393883514CD932C33AF18E7DD70884C8235F4275736 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | B97A0889059C035FF1D54B6DB53B11B9766668D9F955247C028B2837D7A04CD9 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | BC87A668E81966489CB508EE805183C19E6ACD24CF17799CA062D2E384DA0EA7 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | C409BDAC4775ADD8DB92AA22B5B718FB8C94A1462C1FE9A416B95D8A3388C2FC | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | C617C1A8B1EE2A811C28B5A81B4C83D7C98B5B0C27281D610207EBE692C2967F | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | C90F336617B8E7F983975413C997F10B73EB267FD8A10CB9E3BDBFC667ABDB8B | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | CB6B858B40D3A098765815B592C1514A49604FAFD60819DA88D7A76E9778FEF7 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | CE3BFABE59D67CE8AC8DFD4A16F7C43EF9C224513FBC655957D735FA29F540CE | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | D8CBEB9735F5672B367E4F96CDC74969615D17074AE96C724D42CE0216F8F3FA | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | E92C22EB3B5642D65C1EC2CAF247D2594738EEBB7FB3841A44956F59E2B0D1FA | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | FDDD6E3D29EA84C7743DAD4A1BDBC700B5FEC1B391F932409086ACC71DD6DBD8 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | FE63A84F782CC9D3FCF2CCF9FC11FBD03760878758D26285ED12669BDC6E6D01 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | FECFB232D12E994B6D485D2C7167728AA5525984AD5CA61E7516221F079A1436 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | CA171D614A8D7E121C93948CD0FE55D39981F9D11AA96E03450A415227C2C65B | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 55B99B0DE53DBCFE485AA9C737CF3FB616EF3D91FAB599AA7CAB19EDA763B5BA | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 77DD190FA30D88FF5E3B011A0AE61E6209780C130B535ECB87E6F0888A0B6B2F | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | C83CB13922AD99F560744675DD37CC94DCAD5A1FCBA6472FEE341171D939E884 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 3B0287533E0CC3D0EC1AA823CBF0A941AAD8721579D1C499802DD1C3A636B8A9 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 939AEEF4F5FA51E23340C3F2E49048CE8872526AFDF752C3A7F3A3F2BC9F6049 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 64575BD912789A2E14AD56F6341F52AF6BF80CF94400785975E9F04E2D64D745 | |
77fa9abd-0359-4d32-bd60-28f4e78f784b | 45C7C8AE750ACFBB48FC37527D6412DD644DAED8913CCD8A24C94D856967DF8E |
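function Get-SecureBootUEFIDBXHash {
<#
.SYNOPSIS

Dumps SHA256 hashes of blacklisted UEFI bootloaders from the 'dbx' UEFI variable.

.DESCRIPTION

Walks the EFI_SIGNATURE_LIST structures stored in the 'dbx' variable and emits one object per
EFI_CERT_SHA256_GUID entry. Signature lists of any other type (including EFI_CERT_X509_GUID) are
not decoded: they are skipped with a warning, so the output is NOT a complete view of what the
firmware revokes whenever such a warning is shown. Malformed size fields stop parsing with a
warning instead of being trusted.

Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause

.PARAMETER DBXVariable

Specifies a UEFI variable, an instance of which is returned by calling the Get-SecureBootUEFI cmdlet.

.PARAMETER DBXBytes

Specifies a byte array consisting of the 'dbx' UEFI variable contents.

.EXAMPLE

Get-SecureBootUEFI -Name dbx | Get-SecureBootUEFIDBXHash

.EXAMPLE

$DBXBytes = [IO.File]::ReadAllBytes('C:\Temp\dbx.bin')
Get-SecureBootUEFIDBXHash -DBXBytes $DBXBytes

.INPUTS

Microsoft.SecureBoot.Commands.UEFIEnvironmentVariable

Accepts the output of `Get-SecureBootUEFI -Name dbx` over the pipeline.

.OUTPUTS

UEFIDBXHash

Outputs a custom object consisting of banned SHA256 hashes and the respective "owner" of each hash. "77fa9abd-0359-4d32-bd60-28f4e78f784b" refers to Microsoft as the owner.
#>

    param (
        [Parameter(Mandatory, ValueFromPipeline, ParameterSetName = 'UEFIVariable')]
        [PSTypeName('Microsoft.SecureBoot.Commands.UEFIEnvironmentVariable')]
        [ValidateScript({ $_.Name -eq 'dbx' })]
        $DBXVariable,

        [Parameter(Mandatory, ParameterSetName = 'ByteArray')]
        [Byte[]]
        [ValidateNotNullOrEmpty()]
        $DBXBytes
    )

    # Only EFI_CERT_SHA256_GUID lists are decoded. Every other EFI_SIGNATURE_LIST.SignatureType is
    # recognised (when listed here) purely so the warning can name it.
    $SignatureTypeMapping = @{
        'c1c41626-504c-4092-aca9-41f936934328' = 'EFI_CERT_SHA256_GUID'
        'A5C059A1-94E4-4AA7-87B5-AB155C2BF072' = 'EFI_CERT_X509_GUID'
    }

    # Size of the fixed EFI_SIGNATURE_LIST header: 16-byte type GUID + three UInt32 size fields.
    $ListHeaderSize = [Int64] 0x1C
    # An EFI_CERT_SHA256_GUID entry is a 16-byte SignatureOwner GUID followed by a 0x20-byte hash.
    $Sha256EntrySize = [Int64] 0x30

    # Plain if/else on purpose: assigning from an `if` expression would re-collect the bytes as Object[].
    $Bytes = $null

    if ($DBXVariable) {
        $Bytes = $DBXVariable.Bytes
    } else {
        $Bytes = $DBXBytes
    }

    if (($null -eq $Bytes) -or ($Bytes.Length -eq 0)) {
        Write-Warning 'The dbx variable contains no data.'
        return
    }

    $MemoryStream = New-Object -TypeName IO.MemoryStream -ArgumentList @(,$Bytes)
    $BinaryReader = New-Object -TypeName IO.BinaryReader -ArgumentList $MemoryStream

    try {
        # Loop on the stream position rather than PeekChar(): PeekChar() decodes the next bytes as
        # text, which is not a reliable end-of-data test for binary content.
        while ($MemoryStream.Position -lt $MemoryStream.Length) {
            $ListStart = $MemoryStream.Position

            if (($MemoryStream.Length - $ListStart) -lt $ListHeaderSize) {
                Write-Warning ('Ignoring {0} trailing byte(s) at offset 0x{1:X}: too short for an EFI_SIGNATURE_LIST header.' -f ($MemoryStream.Length - $ListStart), $ListStart)
                break
            }

            $SignatureType = [Guid][Byte[]] $BinaryReader.ReadBytes(16)
            # Widen to Int64 so the offset arithmetic below cannot wrap.
            $SignatureListSize = [Int64] $BinaryReader.ReadUInt32()
            # Expected to be zero for EFI_CERT_SHA256_GUID, but honoured if it is not.
            $SignatureHeaderSize = [Int64] $BinaryReader.ReadUInt32()
            $SignatureSize = [Int64] $BinaryReader.ReadUInt32()

            $ListEnd = $ListStart + $SignatureListSize
            $DataStart = $ListStart + $ListHeaderSize + $SignatureHeaderSize

            # The size fields come straight from the variable/file contents; validate them before
            # using them as offsets so a truncated or corrupt blob cannot desynchronise the parser.
            if (($SignatureListSize -lt $ListHeaderSize) -or ($ListEnd -gt $MemoryStream.Length) -or ($DataStart -gt $ListEnd)) {
                Write-Warning ('Malformed EFI_SIGNATURE_LIST at offset 0x{0:X} (SignatureListSize 0x{1:X}, SignatureHeaderSize 0x{2:X}). Parsing stopped; output is incomplete.' -f $ListStart, $SignatureListSize, $SignatureHeaderSize)
                break
            }

            $SignatureName = $SignatureTypeMapping["$SignatureType"]

            if (($SignatureName -eq 'EFI_CERT_SHA256_GUID') -and ($SignatureSize -eq $Sha256EntrySize)) {
                $MemoryStream.Position = $DataStart

                # Read whole entries only; a partial entry at the end of the list is never emitted.
                while (($MemoryStream.Position + $Sha256EntrySize) -le $ListEnd) {
                    $EFISignatureData = $BinaryReader.ReadBytes([Int32] $Sha256EntrySize)

                    $SignatureOwner = [Guid][Byte[]] $EFISignatureData[0..0x0F]
                    $Hash = [BitConverter]::ToString([Byte[]] $EFISignatureData[0x10..0x2F]).Replace('-', '')

                    [PSCustomObject] @{
                        PSTypeName = 'UEFIDBXHash'
                        SignatureOwner = $SignatureOwner
                        SHA256Hash = $Hash
                    }
                }
            } elseif ($SignatureName -eq 'EFI_CERT_SHA256_GUID') {
                Write-Warning ('Skipping EFI_CERT_SHA256_GUID list at offset 0x{0:X}: unexpected SignatureSize 0x{1:X} (expected 0x30).' -f $ListStart, $SignatureSize)
            } else {
                $Label = if ($SignatureName) { $SignatureName } else { 'unknown type' }
                Write-Warning ('Skipping unsupported signature list {0} ({1}) at offset 0x{2:X}; its entries are not included in the output.' -f $SignatureType, $Label, $ListStart)
            }

            # Always realign on the declared end of the list so the next header is read from the
            # right offset, whether or not this list was decoded.
            $MemoryStream.Position = $ListEnd
        }
    } finally {
        # Closing the reader also closes the underlying MemoryStream.
        $BinaryReader.Close()
    }
}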