Forked from mattifestation/UEFISecDatabaseParser.ps1
Last active
February 14, 2024 09:02
-
-
Save out0xb2/f8e0bae94214889a89ac67fceb37f8c0 to your computer and use it in GitHub Desktop.
Parses signature data from the pk, kek, db, and dbx UEFI variables.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Write-Host "Checking for Administrator permission..." | |
| if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { | |
| Write-Warning "Insufficient permissions to run this script. Open the PowerShell console as administrator and run this script again." | |
| Break | |
| } else { | |
| Write-Host "Running as administrator — continuing execution..." -ForegroundColor Green | |
| } | |
| $patchfile = $args[0] | |
| if ($patchfile -eq $null) { | |
| $patchfile = ".\dbx-2023-JulyKB.bin" | |
| Write-Host "Patchfile not specified, using latest $patchfile`n" | |
| } | |
| $patchfile = (gci $patchfile).FullName | |
| Import-Module -Force .\Get-UEFIDatabaseSignatures.ps1 | |
| # Print computer info | |
| $computer = gwmi Win32_ComputerSystem | |
| $bios = gwmi Win32_BIOS | |
| "Manufacturer: " + $computer.Manufacturer | |
| "Model: " + $computer.Model | |
| $biosinfo = $bios.Manufacturer , $bios.Name , $bios.SMBIOSBIOSVersion , $bios.Version -join ", " | |
| "BIOS: " + $biosinfo + "`n" | |
| $DbxRaw = Get-SecureBootUEFI dbx | |
| $DbxFound = $DbxRaw | Get-UEFIDatabaseSignatures | |
| $DbxBytesRequired = [IO.File]::ReadAllBytes($patchfile) | |
| $DbxRequired = Get-UEFIDatabaseSignatures -BytesIn $DbxBytesRequired | |
| # Flatten into an array of required EfiSignatureData data objects | |
| $RequiredArray = foreach ($EfiSignatureList in $DbxRequired) { | |
| Write-Verbose $EfiSignatureList | |
| foreach ($RequiredSignatureData in $EfiSignatureList.SignatureList) { | |
| Write-Verbose $RequiredSignatureData | |
| $RequiredSignatureData.SignatureData | |
| } | |
| } | |
| Write-Information "Required `n" $RequiredArray | |
| # Flatten into an array of EfiSignatureData data objects (read from dbx) | |
| $FoundArray = foreach ($EfiSignatureList in $DbxFound) { | |
| Write-Verbose $EfiSignatureList | |
| foreach ($FoundSignatureData in $EfiSignatureList.SignatureList) { | |
| Write-Verbose $FoundSignatureData | |
| $FoundSignatureData.SignatureData | |
| } | |
| } | |
| Write-Information "Found `n" $FoundArray | |
| $successes = 0 | |
| $failures = 0 | |
| $requiredCount = $RequiredArray.Count | |
| foreach ($RequiredSig in $RequiredArray) { | |
| if ($FoundArray -contains $RequiredSig) { | |
| Write-Information "FOUND: $RequiredSig" | |
| $successes++ | |
| } else { | |
| Write-Error "!!! NOT FOUND`n$RequiredSig`n!!!`n" | |
| $failures++ | |
| } | |
| $i = $successes + $failures | |
| Write-Progress -Activity 'Checking if all patches applied' -Status "Checking element $i of $requiredCount" -PercentComplete ($i/$requiredCount *100) | |
| } | |
| if ($failures -ne 0) { | |
| Write-Error "!!! FAIL: $failures failures detected!" | |
| # $DbxRaw.Bytes | sc -encoding Byte dbx_found.bin | |
| } elseif ($successes -ne $RequiredArray.Count) { | |
| Write-Error "!!! Unexpected: $successes != $requiredCount expected successes!" | |
| } elseif ($successes -eq 0) { | |
| Write-Error "!!! Unexpected failure: no successes detected, check command-line usage." | |
| } else { | |
| Write-Host "SUCCESS: dbx.bin patch appears to be successfully applied" | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-UefiDatabaseSignatures { | |
| <# | |
| .SYNOPSIS | |
| Parses UEFI Signature Databases into logical Powershell objects | |
| .DESCRIPTION | |
| Original Author: Matthew Graeber (@mattifestation) | |
| Modified By: Jeremiah Cox (@int0x6) | |
| Additional Source: https://gist.github.com/mattifestation/991a0bea355ec1dc19402cef1b0e3b6f | |
| License: BSD 3-Clause | |
| .PARAMETER Variable | |
| Specifies a UEFI variable, an instance of which is returned by calling the Get-SecureBootUEFI cmdlet. Only 'db' and 'dbx' are supported. | |
| .PARAMETER BytesIn | |
| Specifies a byte array consisting of the PK, KEK, db, or dbx UEFI vairable contents. | |
| .EXAMPLE | |
| $DbxBytes = [IO.File]::ReadAllBytes('.\dbx.bin') | |
| Get-UEFIDatabaseSignatures -BytesIn $DbxBytes | |
| .EXAMPLE | |
| Get-SecureBootUEFI -Name db | Get-UEFIDatabaseSignatures | |
| .EXAMPLE | |
| Get-SecureBootUEFI -Name dbx | Get-UEFIDatabaseSignatures | |
| .EXAMPLE | |
| Get-SecureBootUEFI -Name pk | Get-UEFIDatabaseSignatures | |
| .EXAMPLE | |
| Get-SecureBootUEFI -Name kek | Get-UEFIDatabaseSignatures | |
| .INPUTS | |
| Microsoft.SecureBoot.Commands.UEFIEnvironmentVariable | |
| Accepts the output of Get-SecureBootUEFI over the pipeline. | |
| .OUTPUTS | |
| UefiSignatureDatabase | |
| Outputs an array of custom powershell objects describing a UEFI Signature Database. "77fa9abd-0359-4d32-bd60-28f4e78f784b" refers to Microsoft as the owner. | |
| #> | |
| [CmdletBinding()] | |
| param ( | |
| [Parameter(Mandatory, ValueFromPipeline, ParameterSetName = 'UEFIVariable')] | |
| [ValidateScript({ ($_.GetType().Fullname -eq 'Microsoft.SecureBoot.Commands.UEFIEnvironmentVariable') -and (($_.Name -eq 'kek') -or ($_.Name -eq 'pk') -or ($_.Name -eq 'db') -or ($_.Name -eq 'dbx')) })] | |
| $Variable, | |
| [Parameter(Mandatory, ParameterSetName = 'ByteArray')] | |
| [Byte[]] | |
| [ValidateNotNullOrEmpty()] | |
| $BytesIn | |
| ) | |
| $SignatureTypeMapping = @{ | |
| 'C1C41626-504C-4092-ACA9-41F936934328' = 'EFI_CERT_SHA256_GUID' # Most often used for dbx | |
| 'A5C059A1-94E4-4AA7-87B5-AB155C2BF072' = 'EFI_CERT_X509_GUID' # Most often used for db | |
| } | |
| $Bytes = $null | |
| if ($Variable) { | |
| $Bytes = $Variable.Bytes | |
| } else { | |
| $Bytes = $BytesIn | |
| } | |
| try { | |
| $MemoryStream = New-Object -TypeName IO.MemoryStream -ArgumentList @(,$Bytes) | |
| $BinaryReader = New-Object -TypeName IO.BinaryReader -ArgumentList $MemoryStream, ([Text.Encoding]::Unicode) | |
| } catch { | |
| throw $_ | |
| return | |
| } | |
| # What follows will be an array of EFI_SIGNATURE_LIST structs | |
| while ($BinaryReader.PeekChar() -ne -1) { | |
| $SignatureType = $SignatureTypeMapping[([Guid][Byte[]] $BinaryReader.ReadBytes(16)).Guid] | |
| $SignatureListSize = $BinaryReader.ReadUInt32() | |
| $SignatureHeaderSize = $BinaryReader.ReadUInt32() | |
| $SignatureSize = $BinaryReader.ReadUInt32() | |
| $SignatureHeader = $BinaryReader.ReadBytes($SignatureHeaderSize) | |
| # 0x1C is the size of the EFI_SIGNATURE_LIST header | |
| $SignatureCount = ($SignatureListSize - 0x1C) / $SignatureSize | |
| $SignatureList = 1..$SignatureCount | ForEach-Object { | |
| $SignatureDataBytes = $BinaryReader.ReadBytes($SignatureSize) | |
| $SignatureOwner = [Guid][Byte[]] $SignatureDataBytes[0..15] | |
| switch ($SignatureType) { | |
| 'EFI_CERT_SHA256_GUID' { | |
| $SignatureData = ([Byte[]] $SignatureDataBytes[0x10..0x2F] | ForEach-Object { $_.ToString('X2') }) -join '' | |
| } | |
| 'EFI_CERT_X509_GUID' { | |
| $SignatureData = New-Object Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,([Byte[]] $SignatureDataBytes[16..($SignatureDataBytes.Count - 1)])) | |
| } | |
| } | |
| [PSCustomObject] @{ | |
| PSTypeName = 'EFI.SignatureData' | |
| SignatureOwner = $SignatureOwner | |
| SignatureData = $SignatureData | |
| } | |
| } | |
| [PSCustomObject] @{ | |
| PSTypeName = 'EFI.SignatureList' | |
| SignatureType = $SignatureType | |
| SignatureList = $SignatureList | |
| } | |
| } | |
| } |
I modified Get-UEFIDatabaseSignatures.ps1 to make my life a bit easier-- It can accept a filename as input, and doesn't need SplitDbxContent.ps1 anymore.
function Get-UefiDatabaseSignatures {
<#
.SYNOPSIS
Parses UEFI Signature Databases into logical Powershell objects
.DESCRIPTION
Original Author: Matthew Graeber (@mattifestation)
Modified By: Jeremiah Cox (@int0x6)
Modified By: Joel Roth (@nafai)
Additional Source: https://gist.github.com/mattifestation/991a0bea355ec1dc19402cef1b0e3b6f
Additional Source: https://www.powershellgallery.com/packages/SplitDbxContent/1.0
License: BSD 3-Clause
.PARAMETER Variable
Specifies a UEFI variable, an instance of which is returned by calling the Get-SecureBootUEFI cmdlet. Only 'db' and 'dbx' are supported.
.PARAMETER BytesIn
Specifies a byte array consisting of the PK, KEK, db, or dbx UEFI vairable contents.
.EXAMPLE
$DbxBytes = [IO.File]::ReadAllBytes('.\dbx.bin')
Get-UEFIDatabaseSignatures -BytesIn $DbxBytes
.EXAMPLE
Get-UEFIDatabaseSignatures -Filename ".\DBXUpdate-20230314.x64.bin"
.EXAMPLE
Get-SecureBootUEFI -Name db | Get-UEFIDatabaseSignatures
.EXAMPLE
Get-SecureBootUEFI -Name dbx | Get-UEFIDatabaseSignatures
.EXAMPLE
Get-SecureBootUEFI -Name pk | Get-UEFIDatabaseSignatures
.EXAMPLE
Get-SecureBootUEFI -Name kek | Get-UEFIDatabaseSignatures
.INPUTS
Microsoft.SecureBoot.Commands.UEFIEnvironmentVariable
Accepts the output of Get-SecureBootUEFI over the pipeline.
.OUTPUTS
UefiSignatureDatabase
Outputs an array of custom powershell objects describing a UEFI Signature Database. "77fa9abd-0359-4d32-bd60-28f4e78f784b" refers to Microsoft as the owner.
#>
[CmdletBinding()]
param (
[Parameter(Mandatory, ValueFromPipeline, ParameterSetName = 'UEFIVariable')]
[ValidateScript({ ($_.GetType().Fullname -eq 'Microsoft.SecureBoot.Commands.UEFIEnvironmentVariable') -and ($_.Name -in "kek","pk","db","dbx") })]
$Variable,
[Parameter(Mandatory, ParameterSetName = 'ByteArray')]
[Byte[]]
[ValidateNotNullOrEmpty()]
$BytesIn,
[Parameter(Mandatory, ParameterSetName = 'File')]
[string]
[ValidateScript({ (Resolve-Path "$_").where({Test-Path $_}).Path })]
$Filename
)
$SignatureTypeMapping = @{
'C1C41626-504C-4092-ACA9-41F936934328' = 'EFI_CERT_SHA256_GUID' # Most often used for dbx
'A5C059A1-94E4-4AA7-87B5-AB155C2BF072' = 'EFI_CERT_X509_GUID' # Most often used for db
}
$Bytes = $null
if ($Filename)
{
$Bytes = Get-Content -Encoding Byte $Filename -ErrorAction Stop
}
elseif ($Variable)
{
$Bytes = $Variable.Bytes
}
else
{
$Bytes = $BytesIn
}
# Modified from Split-Dbx
if (($Bytes[40] -eq 0x30) -and ($Bytes[41] -eq 0x82 ))
{
Write-Debug "Removing signature."
# Signature is known to be ASN size plus header of 4 bytes
$sig_length = $Bytes[42] * 256 + $Bytes[43] + 4
if ($sig_length -gt ($Bytes.Length + 40)) {
Write-Error "Signature longer than file size!" -ErrorAction Stop
}
## Unsigned db store
[System.Byte[]]$Bytes = @($Bytes[($sig_length+40)..($Bytes.Length - 1)].Clone())
}
else
{
Write-Debug "Signature not found. Assuming it's already split."
}
try
{
$MemoryStream = New-Object -TypeName IO.MemoryStream -ArgumentList @(,$Bytes)
$BinaryReader = New-Object -TypeName IO.BinaryReader -ArgumentList $MemoryStream, ([Text.Encoding]::Unicode)
}
catch
{
throw $_
return
}
# What follows will be an array of EFI_SIGNATURE_LIST structs
while ($BinaryReader.PeekChar() -ne -1) {
$SignatureType = $SignatureTypeMapping[([Guid][Byte[]] $BinaryReader.ReadBytes(16)).Guid]
$SignatureListSize = $BinaryReader.ReadUInt32()
$SignatureHeaderSize = $BinaryReader.ReadUInt32()
$SignatureSize = $BinaryReader.ReadUInt32()
$SignatureHeader = $BinaryReader.ReadBytes($SignatureHeaderSize)
# 0x1C is the size of the EFI_SIGNATURE_LIST header
$SignatureCount = ($SignatureListSize - 0x1C) / $SignatureSize
$SignatureList = 1..$SignatureCount | ForEach-Object {
$SignatureDataBytes = $BinaryReader.ReadBytes($SignatureSize)
$SignatureOwner = [Guid][Byte[]] $SignatureDataBytes[0..15]
switch ($SignatureType) {
'EFI_CERT_SHA256_GUID' {
$SignatureData = ([Byte[]] $SignatureDataBytes[0x10..0x2F] | ForEach-Object { $_.ToString('X2') }) -join ''
}
'EFI_CERT_X509_GUID' {
$SignatureData = New-Object Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,([Byte[]] $SignatureDataBytes[16..($SignatureDataBytes.Count - 1)]))
}
}
[PSCustomObject] @{
PSTypeName = 'EFI.SignatureData'
SignatureOwner = $SignatureOwner
SignatureData = $SignatureData
}
}
[PSCustomObject] @{
PSTypeName = 'EFI.SignatureList'
SignatureType = $SignatureType
SignatureList = $SignatureList
}
}
}
Are the DBX updates cumulative, do each dbx update need to be checked?
To my knowledge, you should only need to check against the latest update. Sometimes the remove and entry and replace it with a newer signature.
Trying to find information about the Time parameter but description in documentation is too vague.
For now the timestamp 2010-03-06T19:17:21Z looks like a magic number.
Anyone has an explanation on this?
Yes, it is a magic number embedded in the script that is creating the files provided by Microsoft. The parameter supplied to the Powershell cmdlet must match what is already embedded in the files. I think it was the date the I authored the original script that they're still using. So long as "-AppendWrite" mode is being used, its value is meaningless, it just has to match. If -AppendWrite is dropped, well, that probably means that the world is ending, but then they would need to provide a larger value that was used by the BIOS vendor.
So I always thought they were cumulative as well, however, I have found
that to not be the case.
So I split the latest file, check against it, apply it if it is found to be
not installed, then work my way down.
For instance May 2023 is applied first, then the stuff from 2022, 2021 and
2020 last. (I have found the 2020 dbx will “technically” fail on some older
model Dells. Only one certificate fails so it is still worth applying.
After each that is successfully applied I put a key in the registry so I
can query against it later for Asset Management purposes.
If I do not apply each UEFI update, Nessus and products like it, will
continue to flag the finding.
I did modify the scripts to make sure the output of the scripts were global
variables to make it easier to work out the detection, application, and
etc.
Hope this helps.
…On Mon, Aug 14, 2023 at 9:37 PM Jeremiah Cox ***@***.***> wrote:
***@***.**** commented on this gist.
------------------------------
Are the DBX updates cumulative, do each dbx update need to be checked?
To my knowledge, you should only need to check against the latest update.
Sometimes the remove and entry and replace it with a newer signature.
—
Reply to this email directly, view it on GitHub
<https://gist.github.com/out0xb2/f8e0bae94214889a89ac67fceb37f8c0#gistcomment-4661159>
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AF2YNMOZ5UWNYVKDSMKFWN3XVLOHXBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFQKSXMYLMOVS2I5DSOVS2I3TBNVS3W5DIOJSWCZC7OBQXE5DJMNUXAYLOORPWCY3UNF3GS5DZVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVEYTANRYGM4DGMRVU52HE2LHM5SXFJTDOJSWC5DF>
.
You are receiving this email because you commented on the thread.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>
.
From a security standpoint, it should only be necessary to install the latest, but products like Nessus do not understand these complexities, so you have to waste precious dbx space.
I've put together the scripts on this page along with some modifications and additional scripts to enable easy (only two clicks required) checking of the UEFI Secure Boot variables. I've also added checks for the new 2023 Microsoft signing certificates that are being added to the DB in phases beginning with this month's cumulative update. I've put the scripts and files here.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Looking at the documentation of the Set-SecureBootUEFI, I'm not sure it matters as long as it matches a certain format. See link below.
I have not tested this at this point. I will test on the next needed update.
I also found that, in PowerShell, if you use the Get-Date, you can format the date to match the format like this.
Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ"
https://learn.microsoft.com/en-us/powershell/module/secureboot/set-securebootuefi?view=windowsserver2022-ps#-time