Practical Firmware Implants

2 Day u_short 16 CPE Hour Training: August 2020



In recent years as firmware based attacks are becoming more and more frequent, there is a growing need for understanding the motivation, capabilities and complexities of such attacks. How do they work? How hard is it to create an implant? What are the attackers considerations and thoughts when creating firmware implants?

This is a two day crash course in UEFI development for security practitioners in which we will spend most of our time working hands-on understanding how system firmware works, basic development and coding, firmware implantation strategies, attack and defense tactics and more.

Hands on labs will help you learn about and better understand:

  • Hardware and UEFI boot process
  • The UEFI EDK build environment
  • How to build your own UEFI BIOS and test it
  • EFI Shell application development
  • DXE Driver development
  • Debugging and troubleshooting your code
  • Understand UEFI Implant benefits and caveats
  • Build your own UEFI implant
  • How to perform an Evil-Maid attack on common UEFI BIOS based systems

Suggested Combo: Finding Firmware Implants

When You Finish This Class

  • You will have a foundation to build on when it comes to UEFI and BIOS
  • You will know and understand how to build a firmware implant and the challenges involved
  • You will have a foundation of how to search and detect firmware implants

Who Should Attend

This course is designed for those who have a basic understanding of C/C++ and who would like to start exploring the world of UEFI and BIOS security.

Course Outline

Day 1:

  • Background and overview of UEFI and Boot process
  • Hands-On: Development and debug environment
  • Driver and Application development
  • Hands-On: Hello world exercise
  • Firmware image structure and tools
  • Hands-On: Integrating your driver into the firmware image

Day 2:

  • Firmware implant and payloads, background and techniques
  • Hands-On: building custom implant and payload of your choice
  • Flash chip basics, System Firmware reading and writing and tool selection.
  • Hands-On: Evil Maid - implanting a system firmware image and flashing it
  • Overview and summary


  • Basic programming experience
  • Basic understand of Hardware hacking techniques such as: SPI chip flashing and UART

System Requirements

  • An Intel based laptop with 6th Gen CPU and later
  • Minimum 8GB of RAM
  • 50GB of free storage space
  • Oracle VirtualBox 6.0 and later
  • Be able to boot from USB 3.1 Type A storage device (optional)
Mickey Shkatov, Jesse Michael

Mickey Shkatov, &
Jesse Michael, Eclypsium

Mickey Shkatov has been performing security research and product security validation since 2010. He has also presented multiple times at DEF CON, Black Hat, PacSec, CanSecWest, BruCon, Hackito Ergo Sum, and BSides Portland

Eclypsium Principal Researcher Jesse Michael is an experienced security researcher focused on vulnerability detection and mitigation who has worked at all layers of modern computing environments from exploiting worldwide corporate network infrastructure down to hunting vulnerabilities inside processors at the hardware design level. His primary areas of expertise include reverse engineering embedded firmware and exploit development. He has also presented multiple times at DEF CON, PacSec, Hackito Ergo Sum, and BSides Portland.