Last year, I published a blog that got into a fair amount of depth on UEFI that was surprisingly popular, both at the time I posted it and again last month after an open source newsletter included a link to it. (Someone then copied the entire article and posted it on their site. Grr.) But the recent activity reminded me that there was one thing I couldn’t figure out how to do at the time: Enumerate all the available UEFI variables from within Windows.

If you remember, Windows has API calls to get and set UEFI variable values, but not to enumerate them. So I started doing some more research to see if there was any way to do that – it’s obviously possible as the UEFI specs describe it, a UEFI shell can easily do it, and Linux does it (via a file system).

My research took me to a place I wouldn’t have expected: The Mimikatz source code. I suppose that makes sense, as hackers initially looked at UEFI as a potential way to exploit a system (and they found ways in some firmware implementations, which should have been fixed by now). So how do they do it? They call an NtEnumerateSystemEnvironmentValuesEx function in NTDLL.DLL. That function returns the full list in a buffer that you just need to walk through to extract the values.

So using that source as a guide, I converted this to PowerShell and posted a new PowerShell module to the PowerShell Gallery:

(Note that there is an older UEFI package published at. That one is owned by Microsoft and I can no longer update it, so I published this new module as UEFIv2.)

With this module (which you can install with “Install-Module UEFIv2”) you can specify “-all” to get the full list:
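
The buffer walk mentioned earlier in the post, as an added example that is not code from the post or from the UEFIv2 module. It assumes the buffer was already returned by NtEnumerateSystemEnvironmentValuesEx and uses the record layout found in community NT header definitions (VARIABLE_NAME_AND_VALUE), which is an assumption and not taken from this page; `ConvertFrom-UefiVariableBuffer` and `New-SampleRecord` are hypothetical names.

```powershell
# Added example; not the UEFIv2 module's code. Assumed record layout
# (VARIABLE_NAME_AND_VALUE in community NT headers, not documented by Microsoft):
#   +0 NextEntryOffset, +4 ValueOffset, +8 ValueLength, +12 Attributes (UInt32 each),
#   +16 VendorGuid (16 bytes), +32 Name (UTF-16LE, null-terminated), then the value.
function ConvertFrom-UefiVariableBuffer {
    param([Parameter(Mandatory)][byte[]]$Buffer)
    $pos = 0
    while ($true) {
        if ($pos + 32 -gt $Buffer.Length) { throw "Truncated record header at offset $pos" }
        $next   = [int][BitConverter]::ToUInt32($Buffer, $pos)
        $valOff = [int][BitConverter]::ToUInt32($Buffer, $pos + 4)
        $valLen = [int][BitConverter]::ToUInt32($Buffer, $pos + 8)
        # Offsets come from the buffer itself, so bounds-check them before use.
        if ($valOff -lt 32 -or $pos + $valOff + $valLen -gt $Buffer.Length) {
            throw "Record at offset $pos points outside the buffer"
        }
        $guid  = [byte[]]::new(16);      [Array]::Copy($Buffer, $pos + 16, $guid, 0, 16)
        $value = [byte[]]::new($valLen); [Array]::Copy($Buffer, $pos + $valOff, $value, 0, $valLen)
        [pscustomobject]@{
            Namespace  = [guid]::new($guid)
            # The name fills the space up to ValueOffset; cut it at the first null.
            Name       = [Text.Encoding]::Unicode.GetString($Buffer, $pos + 32, $valOff - 32).Split([char]0)[0]
            Attributes = [BitConverter]::ToUInt32($Buffer, $pos + 12)
            Value      = $value
        }
        if ($next -eq 0) { return }   # NextEntryOffset of 0 marks the last record
        if ($next -lt $valOff + $valLen) { throw "Record at offset $pos overlaps the next one" }
        $pos += $next
    }
}

# Constructed sample buffer: two records with made-up values, not captured from real firmware.
function New-SampleRecord([string]$Name, [byte[]]$Value, [switch]$Last) {
    $n    = [Text.Encoding]::Unicode.GetBytes("$Name`0")
    $next = if ($Last) { 0 } else { 32 + $n.Length + $Value.Length }
    $header = ($next, (32 + $n.Length), $Value.Length, 7) |
        ForEach-Object { [BitConverter]::GetBytes([uint32]$_) }
    $header + ([guid]'8be4df61-93ca-11d2-aa0d-00e098032b8c').ToByteArray() + $n + $Value
}
[byte[]]$sample = (New-SampleRecord 'Timeout' (5, 0)) + (New-SampleRecord 'BootCurrent' (1, 0) -Last)
ConvertFrom-UefiVariableBuffer $sample |
    Format-Table Name, Namespace, Attributes, @{ Name = 'Bytes'; Expression = { $_.Value.Length } }
```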