1) Note the Windows binary in ACPI memory. This is a lovely "Windows Platform Binary Table" (WPBT) rootkit that most OEM vendors now shove in your systems.
https://twitter.com/aionescu/status/1382435211116486656
2) Most OS developers assume they have the standard 5 UEFI runtime DXEs mapped (PcRtc, MonotonicCounterRuntime, ResetSystemRuntime, VariableSmmRuntime, CapsuleRuntime) because that's what Windows captures in the HAL.
There's a lot more in there, including SPI, PCH, and SMM DXEs.
There's a lot more in there, including SPI, PCH, and SMM DXEs.
3) The UEFI Memory Map is "supposed" to mark EFI Boot Services memory as recoverable by the OS, and wipe it before transferring control to the UEFI Runtime environment (during ExitBootServices). The chunk of interestingly duplicated EFI Boot Services modules are not "normal".
4) The random EFI Boot Services module in the middle of the UEFI Reserved Range is even more unexpected.
5) Don't forget the INTEL ACPI DEBUG buffers, the FBPT, the SMM Communications Buffer and Region Table, the BGRT, the TCG2 Final Events Table, the IGD OpRegion, and more.
5) Don't forget the INTEL ACPI DEBUG buffers, the FBPT, the SMM Communications Buffer and Region Table, the BGRT, the TCG2 Final Events Table, the IGD OpRegion, and more.
6) Remember folks, not a single piece of this shows up in any kind of memory dump you take, including even in a Windows "full" kernel dump, because this "isn't memory". I believe some tools are insane enough to have an "MMIO Dump" mode where you might catch this (or just crash).
• • •
Missing some Tweet in this thread? You can try to
force a refresh
