Monday, March 3, 2025

Researchers Launch Open-Source UEFI Memory Forensics Framework to Counter Advanced Bootkits


A team of researchers from Ben Gurion University of the Negev has developed a memory forensics framework for acquiring and analyzing Unified Extensible Firmware Interface (UEFI) memory during the pre-operating system (pre-OS) phase, before the OS loader and kernel run.

Their study, published on January 28, 2025, targets UEFI-based malware, which attackers favour for persistence because it executes below the operating system and survives disk reimaging.

UEFI, which replaced the legacy BIOS, is the firmware standard on modern systems and provides security features such as Secure Boot.

However, flawed implementations have allowed attackers to bypass these mechanisms, as demonstrated by bootkits such as ThunderStrike, CosmicStrand, and Glupteba.

The lack of tools for below-OS memory forensics has left a critical blind spot for analyzing threats that operate during system initialization.

To fill this gap, the researchers developed a framework consisting of two components: UefiMemDump, for capturing memory, and UEFIDumpAnalysis, for analyzing threats.

Capturing Volatile Memory Snapshots

The UefiMemDump module is a specialized memory acquisition utility designed to collect UEFI system memory snapshots during the boot process.

Available as both a Driver Execution Environment (DXE) driver and a UEFI shell application, it accommodates various platforms, including virtual and physical systems.

The tool performs memory mapping, identifies volatile and persistent regions, and writes memory snapshots to external storage.

Its implementation as a DXE driver enables memory acquisition at an earlier boot phase, whereas the UEFI shell application offers flexibility for forensic applications on physical systems without modifying the UEFI firmware.

However, the researchers caution that an attacker already executing in the boot environment could erase or alter evidence before acquisition: a bootkit that loads as a DXE driver runs with the same privileges as the acquisition driver, so the capture has no trusted vantage point. They note this as a limitation of the tool.

Advanced Threat Detection

The companion analysis component, UEFIDumpAnalysis, is an extendable framework for examining memory dumps collected by UefiMemDump.

The tool parses core UEFI data structures such as system tables and loaded driver images to analyze and detect malicious activities.

Key detection modules include:

  1. Function Pointer Hooking Detection: This module walks the UEFI service tables (the boot and runtime services tables) and checks each function pointer for unauthorized changes that redirect execution to attacker-controlled code. A pointer that resolves outside the memory regions of legitimately loaded images is flagged.
  2. Inline Hooking Detection: This module disassembles function prologues to find injected control transfers (e.g., jump or call instructions) that divert execution to a malicious payload. It detected the tampering used by stealthy bootkits, such as MoonBounce's function hooking.
  3. UEFI Image Carving: By parsing in-memory headers, this module extracts Portable Executable (PE) images loaded into memory for further analysis. This is particularly useful against bootkits that stage their code in the EFI System Partition (ESP), in the SPI flash firmware, or in option ROMs (OPROM).
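The first module's check, as an added example that is not the framework's code: it parses a captured EFI_BOOT_SERVICES table (EFI_TABLE_HEADER followed by the 44 x64 service pointers in spec order), verifies the header CRC32 the way CalculateCrc32 defines it, and reports any pointer that does not land inside the image expected to implement boot services. The table bytes, the loaded-image map (`IMAGES`) and the `DxeCore`/`EvilDxe` addresses are constructed for the example; on a real snapshot they would come from the dump and the loaded-image metadata recovered from it.

```python
"""Function-pointer hook check over a captured EFI_BOOT_SERVICES table.

Added illustration, not code from the Ben Gurion University framework.
The table bytes, loaded-image ranges and addresses are constructed here so the
script runs offline; on a real dump they would come from the snapshot and the
loaded-image metadata recovered from it.
"""
import struct
import zlib

# EFI_TABLE_HEADER: Signature(8) Revision(4) HeaderSize(4) CRC32(4) Reserved(4)
HDR = struct.Struct("<QIIII")
BOOT_SERVICES_SIG = 0x56524553544F4F42  # SIGNATURE_64('B','O','O','T','S','E','R','V')
MASK64 = (1 << 64) - 1

# The 44 x64 function pointers that follow the header, in UEFI spec order.
BS_FUNCS = (
    "RaiseTPL RestoreTPL AllocatePages FreePages GetMemoryMap AllocatePool "
    "FreePool CreateEvent SetTimer WaitForEvent SignalEvent CloseEvent "
    "CheckEvent InstallProtocolInterface ReinstallProtocolInterface "
    "UninstallProtocolInterface HandleProtocol Reserved RegisterProtocolNotify "
    "LocateHandle LocateDevicePath InstallConfigurationTable LoadImage "
    "StartImage Exit UnloadImage ExitBootServices GetNextMonotonicCount Stall "
    "SetWatchdogTimer ConnectController DisconnectController OpenProtocol "
    "CloseProtocol OpenProtocolInformation ProtocolsPerHandle "
    "LocateHandleBuffer LocateProtocol InstallMultipleProtocolInterfaces "
    "UninstallMultipleProtocolInterfaces CalculateCrc32 CopyMem SetMem "
    "CreateEventEx"
).split()


def owner_of(addr, images):
    """Name of the loaded image whose [start, end) range contains addr, else None."""
    for name, (lo, hi) in images.items():
        if lo <= addr < hi:
            return name
    return None


def check_boot_services(table, images, expected_owner="DxeCore"):
    """Return (findings, crc_ok) for one EFI_BOOT_SERVICES table.

    findings: list of (function, pointer, reason). Policy (this example's, not
    a spec rule): every service pointer must land inside the image that
    implements boot services, normally the DXE core; anything else is reported.
    crc_ok: whether the header CRC32 (computed over the whole table with the
    CRC field zeroed, as CalculateCrc32 does) still matches. Most bootkits
    recompute it, so a mismatch is a bonus signal, not the primary check.
    """
    sig, _rev, hdr_size, crc, _ = HDR.unpack_from(table, 0)
    if sig != BOOT_SERVICES_SIG:
        raise ValueError("not an EFI_BOOT_SERVICES table")
    body = bytearray(table[:hdr_size])
    struct.pack_into("<I", body, 16, 0)
    crc_ok = (zlib.crc32(bytes(body)) & 0xFFFFFFFF) == crc

    findings = []
    for i, name in enumerate(BS_FUNCS):
        (ptr,) = struct.unpack_from("<Q", table, HDR.size + 8 * i)
        if name == "Reserved":
            continue
        owner = owner_of(ptr, images)
        if owner is None:
            findings.append((name, ptr, "points outside every loaded image"))
        elif owner != expected_owner:
            findings.append((name, ptr, f"points into {owner}, not {expected_owner}"))
    return findings, crc_ok


def build_table(ptrs, revision=0x00020046):
    """Serialize a table the way firmware would, CRC included (constructed data)."""
    body = bytearray(HDR.pack(BOOT_SERVICES_SIG, revision, HDR.size + 8 * len(ptrs), 0, 0))
    for p in ptrs:
        body += struct.pack("<Q", p & MASK64)
    struct.pack_into("<I", body, 16, zlib.crc32(bytes(body)) & 0xFFFFFFFF)
    return bytes(body)


# Constructed loaded-image map (name -> [start, end)) and pointer sets.
IMAGES = {"DxeCore": (0x7E000000, 0x7E080000), "EvilDxe": (0x7D100000, 0x7D110000)}
CLEAN = [0x7E010000 + 0x100 * i for i in range(len(BS_FUNCS))]
HOOKED = list(CLEAN)
HOOKED[BS_FUNCS.index("LoadImage")] = 0x8E000000          # no image maps this address
HOOKED[BS_FUNCS.index("ExitBootServices")] = 0x7D101000   # redirected into EvilDxe

if __name__ == "__main__":
    for label, ptrs in (("clean", CLEAN), ("hooked", HOOKED)):
        findings, crc_ok = check_boot_services(build_table(ptrs), IMAGES)
        print(f"{label}: crc_ok={crc_ok}")
        for fn, ptr, why in findings:
            print(f"  {fn} -> {ptr:#x}: {why}")
```

The range check is the one that matters: a hook that swaps `ExitBootServices` for an address inside a bootkit's own image is reported by name, and so is a pointer that maps to no image at all. The CRC comparison is cheap to add and catches a sloppy hook that patches a pointer without refreshing the header, but it should not be relied on alone.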

The framework was tested against real-world UEFI malware like Glupteba and CosmicStrand, as well as proof-of-concept (PoC) bootkits, such as ThunderStrike.

Function Pointer Hooking Detection identified unauthorized modifications in critical service tables, linking the attacks to malicious memory regions.

Inline Hooking Detection flagged execution hijacks at the entry of functions such as CreateEventEx, revealing stealthy manipulation that leaves the service table pointers intact.
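The CreateEventEx case above, as an added example (not the framework's code): rather than a full disassembler, this scan pattern-matches the x86-64 control transfers that inline hooks use at a function entry (`jmp`/`call rel32`, `jmp [rip+disp32]`, `mov rax, imm64; jmp rax`, `push imm32; ret`), resolves each target, and reports a hook only when the target leaves the function's own image. An intra-image jump at a function entry is a common legitimate thunk, so the cross-image rule is what keeps false positives down. The function addresses, image ranges and code bytes are constructed for the example.

```python
"""Inline-hook scan of UEFI function prologues in a memory dump.

Added illustration, not the framework's code. It pattern-matches the x86-64
control transfers that inline hooks use, resolves the target, and reports a
hook only when the target lies outside the function's own image. Function
addresses, image ranges and bytes below are constructed.
"""
import struct

MASK64 = (1 << 64) - 1


def read(dump, va, n):
    """Fetch n bytes at virtual address va from a dump given as {base: bytes}."""
    for base, blob in dump.items():
        if base <= va and va + n <= base + len(blob):
            return blob[va - base:va - base + n]
    return b""


def decode_redirect(code, va, dump=None):
    """If `code` (bytes at va) begins with a hook-style control transfer, return
    (mnemonic, absolute target); otherwise None. x86-64 encodings only."""
    if len(code) >= 5 and code[0] in (0xE9, 0xE8):                  # jmp/call rel32
        (rel,) = struct.unpack_from("<i", code, 1)
        mnem = "jmp rel32" if code[0] == 0xE9 else "call rel32"
        return (mnem, (va + 5 + rel) & MASK64)
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                  # jmp qword [rip+disp32]
        (disp,) = struct.unpack_from("<i", code, 2)
        slot = (va + 6 + disp) & MASK64                               # pointer slot holds the target
        raw = read(dump or {}, slot, 8)
        return ("jmp [rip+disp32]", struct.unpack("<Q", raw)[0] if raw else None)
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        (tgt,) = struct.unpack_from("<Q", code, 2)                   # mov rax, imm64 ; jmp rax
        return ("mov rax,imm64; jmp rax", tgt)
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:      # push imm32 ; ret
        (tgt,) = struct.unpack_from("<i", code, 1)                   # imm32 is sign-extended
        return ("push imm32; ret", tgt & MASK64)
    return None


def owner_of(addr, images):
    return next((n for n, (lo, hi) in images.items() if lo <= addr < hi), None)


def scan_prologues(funcs, dump, images):
    """funcs: {name: va} of service implementations (e.g. taken from the boot
    services table). Returns [(name, mnemonic, target)] for cross-image hooks;
    an unresolvable target (slot not in the dump) is reported as well."""
    findings = []
    for name, va in funcs.items():
        hit = decode_redirect(read(dump, va, 16), va, dump)
        if hit is None:
            continue
        mnemonic, target = hit
        if target is None or owner_of(target, images) != owner_of(va, images):
            findings.append((name, mnemonic, target))
    return findings


def rel32(src, target, length=5):
    """Encode the rel32 operand of a `length`-byte transfer at src reaching target."""
    return struct.pack("<i", target - (src + length))


# Constructed scenario: DxeCore holds the real services; EvilDxe is a bootkit image.
IMAGES = {"DxeCore": (0x7E000000, 0x7E080000), "EvilDxe": (0x7D100000, 0x7D110000)}
FUNCS = {"AllocatePool": 0x7E010200, "Stall": 0x7E010300,
         "HandleProtocol": 0x7E011000, "CreateEventEx": 0x7E012340}
_TEXT_BASE = 0x7E010000
_code = bytearray(0x20000)                       # stand-in for DxeCore's .text


def _put(va, b):
    _code[va - _TEXT_BASE:va - _TEXT_BASE + len(b)] = b


_put(0x7E010200, bytes.fromhex("48895C2408574883EC20"))              # normal prologue
_put(0x7E010300, b"\xE9" + rel32(0x7E010300, 0x7E010400))           # intra-image thunk, benign
_put(0x7E011000, b"\xFF\x25" + rel32(0x7E011000, 0x7E011006, 6)
     + struct.pack("<Q", 0x7D102000))                                # jmp [rip+0]; dq -> EvilDxe
_put(0x7E012340, b"\xE9" + rel32(0x7E012340, 0x7D101000))           # jmp rel32 -> EvilDxe
DUMP = {_TEXT_BASE: bytes(_code)}

if __name__ == "__main__":
    for name, mnem, tgt in scan_prologues(FUNCS, DUMP, IMAGES):
        where = owner_of(tgt, IMAGES) if tgt is not None else "unresolved"
        print(f"{name}: {mnem} -> {tgt:#x} ({where or 'unmapped'})")
```

Only `HandleProtocol` and `CreateEventEx` are reported; `Stall`, which also starts with a `jmp`, stays inside DxeCore and is left alone. A real scan would take the function addresses from the service table walk and would need a disassembler for hooks placed a few instructions past the entry, which this prefix match does not see.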

The Image Carving module extracted malicious images from memory regardless of where they had been staged, making them available for subsequent forensic analysis.

Combining pointer-level checks on the service tables with instruction-level checks on function entries let the tool overcome limitations of existing pre-boot analysis.

By enabling detection of UEFI-level threats from a memory snapshot, the research fills a gap in firmware security tooling.
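The carving step, as an added example that is not the framework's carver: it walks a raw dump for MZ/PE headers, validates the PE32+ optional header (UEFI on x64 is PE32+), reads SizeOfImage to slice out the mapped image, and records the subsystem and SHA-256 for triage. The dump is constructed inline from two minimal PE32+ images and an "MZ" decoy, so the false-positive path is exercised too.

```python
"""Carve PE32+ images out of a raw UEFI memory dump.

Added illustration, not the framework's carver. It walks the dump for MZ/PE
headers, validates them, reads SizeOfImage from the optional header and slices
out the mapped image with its subsystem and SHA-256 for triage. The dump is
constructed inline from two minimal PE32+ images plus an "MZ" decoy.
"""
import hashlib
import struct

# Image subsystem values used by UEFI binaries (PE/COFF spec).
UEFI_SUBSYSTEMS = {10: "EFI_APPLICATION", 11: "EFI_BOOT_SERVICE_DRIVER",
                   12: "EFI_RUNTIME_DRIVER", 13: "EFI_ROM"}


def parse_pe(buf, off):
    """Return header fields for a PE32+ image whose DOS header starts at off, else None."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    (e_lfanew,) = struct.unpack_from("<I", buf, off + 0x3C)
    pe = off + e_lfanew
    if e_lfanew > 0x400 or pe + 0x70 + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    opt = pe + 24                                   # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", buf, opt)
    if magic != 0x20B or opt_size < 0x70:           # PE32+ only (x64 UEFI); PE32 would be 0x10B
        return None
    (entry_rva,) = struct.unpack_from("<I", buf, opt + 16)
    (size_of_image,) = struct.unpack_from("<I", buf, opt + 56)
    (subsystem,) = struct.unpack_from("<H", buf, opt + 68)
    if size_of_image < e_lfanew + 24 + opt_size or off + size_of_image > len(buf):
        return None
    return {"machine": machine, "sections": nsec, "entry_rva": entry_rva,
            "size": size_of_image, "subsystem": UEFI_SUBSYSTEMS.get(subsystem, str(subsystem))}


def carve(buf):
    """Scan buf for mapped PE32+ images; returns [{offset, sha256, data, ...header fields}]."""
    out, off = [], buf.find(b"MZ")
    while off != -1:
        info = parse_pe(buf, off)
        if info is None:                             # stray "MZ" bytes: keep scanning
            off = buf.find(b"MZ", off + 1)
            continue
        data = buf[off:off + info["size"]]
        out.append({"offset": off, "sha256": hashlib.sha256(data).hexdigest(), "data": data, **info})
        off = buf.find(b"MZ", off + info["size"])   # skip the image body; no nested matches
    return out


def make_pe32plus(size_of_image, subsystem, entry_rva=0x1000, tag=b""):
    """Build a minimal in-memory PE32+ image (constructed test data, not a real driver)."""
    img = bytearray(size_of_image)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 0xF0, 0x22)  # COFF: x64, 1 section
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x20B)                                  # PE32+ magic
    struct.pack_into("<I", img, opt + 16, entry_rva)
    struct.pack_into("<I", img, opt + 56, size_of_image)
    struct.pack_into("<H", img, opt + 68, subsystem)
    img[entry_rva:entry_rva + len(tag)] = tag
    return bytes(img)


# Constructed dump: filler, a boot-service driver, an "MZ" decoy, a runtime driver.
DRIVER_A = make_pe32plus(0x3000, 11, tag=b"\x48\x83\xEC\x28")   # entry: sub rsp,28h
DRIVER_B = make_pe32plus(0x2000, 12, tag=b"\xC3")               # entry: ret
DUMP = (b"\x00" * 0x800 + DRIVER_A + b"\x00" * 0x100 + b"MZ" + b"\x11" * 0x80
        + DRIVER_B + b"\x00" * 0x200)

if __name__ == "__main__":
    for img in carve(DUMP):
        print(f"{img['offset']:#08x} {img['subsystem']:<24} size={img['size']:#x} "
              f"sha256={img['sha256'][:16]}...")
```

Carving by SizeOfImage recovers the image as it was mapped, which is what you want for a bootkit that was loaded from the ESP, SPI flash or an option ROM and then unlinked or had its source tampered with; the hashes give a stable identifier to compare against known samples or the firmware's own driver set.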

However, areas such as preventing memory tampering during acquisition and improving inline hooking detection (to reduce false positives) remain open for further exploration.

Researchers also encourage the development of additional analysis modules by the cybersecurity community to expand its capabilities.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
