44CON LONDON 2015 has ended
Thursday, September 10 • 11:00 - 11:59
Is there an EFI monster inside your apple?

A few weeks ago I publicly disclosed an Apple EFI firmware zero day.
It was a very powerful bug allowing direct access to the EFI firmware from the operating system. EFI rootkits are some of the most powerful and most interesting rootkits. Because they work at a very low level they can play a lot of tricks to hide themselves from forensics and persist for a long time.

EFI monsters are a bit like jaguars, stealthy and rarely seen by humans. This doesn't mean they do not exist. EFI monsters are most certainly part of spy agencies' rootkit catalogs.
Very few tools exist to chase them.

This talk is about introducing you to the EFI world so you can also start to chase these monsters. The EFI world might look scary, but it's a bit easier than you think and a lot of fun.

Reference blogpost:
https://reverse.put.as/2015/07/01/reversing-prince-harmings-kiss-of-death/

Plus content about EFI layout, where to seek rootkits and so on.
Essentially an introduction to EFI and how to find potential rootkits there.

Speakers
Pedro Vilaça

A leading expert in the field of not being an expert, has played with computers for more than 30 years, holds a degree in Economics and an MBA, writes a somewhat famous OS X related blog, breaks copy protections for fun and profit, annoys HackingTeam, trolls Apple’s product security policy...


Thursday September 10, 2015 11:00 - 11:59 BST
Track 1
