Windows boot from UEFI to kernel

May 20, 2019 by Mathieu
Categories: Technical -
Tags: Reverse Engineering - Windows Kernel - Windows boot - UEFI - Demo - Reven -


Getting full visibility into the Windows 10 OS’ boot mechanisms is challenging. REVEN opens up a new world of possibilities with its timeless analysis technology!

We used REVEN to record the Windows OS’ boot process, all the way from before the UEFI firmware transfers control to the boot process, to the kernel finally taking over. This not only enables exploring code before a kernel debugger could even connect, but also brings the entire feature set of REVEN at hand: full symbols, memory history, framebuffer…

In the following video, we take a quick look at this trace to get a glimpse of the kind of information we can obtain - where the earliest disk writes are, where the GDT is setup, or what functions are responsible for writing the arguments that will be passed when starting the kernel.

To go further

For more information about Reven, have a look at the following:

  • this blog entry from Mathieu, introduces Timeless Analysis technology and REVEN’s features through the analysis of VLC Exploit Arbitrary Code Execution (CVE-2018-11529).

  • this white paper from Luc, presents an updated analysis of PatchGuard on Windows 10 RS4.

Or directly contact us at contact@tetrane.com

Next post: Analysis of the Uroburos malware with REVEN
Previous post: Full visibility of a Windows Kernel Bug with Timeless Analysis (CVE-2018-8410)