performing-firmware-malware-analysis

# Performing Firmware Malware Analysis ## When to Use - A compromised IoT device or router needs firmware analysis to identify implanted backdoors - Investigating UEFI/BIOS rootkits that persist across OS reinstallations - Analyzing firmware updates for supply chain compromise or malicious modifications - Extracting and examining embedded Linux filesystems from IoT device firmware images - Verifying firmware integrity after a suspected hardware or firmware-level compromise **Do not use** for standard operating system malware; use PE/ELF analysis tools for OS-level malware on conventional systems. ## Prerequisites - binwalk installed for firmware image analysis and extraction (`pip install binwalk`) - Ghidra with ARM/MIPS architecture support for embedded binary reverse engineering - UEFI Tool (UEFITool) for UEFI firmware parsing and analysis - Firmware Analysis Toolkit (FAT) or EMBA for automated firmware analysis - QEMU for emulating extracted firmware filesystems - Cross-compilation toolchains for ARM, MIPS, and other embedded architectures ## Workflow ### Step 1: Extract and Identify Firmware Components Analyze the firmware image structure and extract filesystems: ```bash # Identify embedded filesystems and compressed data binwalk firmware.bin # Extract all identified components binwalk -e firmware.bin # Recursive extraction with signature scanning binwalk -eM firmware.bin # Output typically includes: # - Bootloader (U-Boot, GRUB, custom) # - Kernel image (Linu...