blockedlist format unclear, newer findings missing

[orangecms]

The blockedlist chipsec/modules/tools/uefi/blockedlist.json is a JSON file. Looking at it, the structure is unclear; compare the following:

{
  "HT_UEFI_Rootkit": {
    "description": "HackingTeam UEFI Rootkit (https://www.mcafee.com/enterprise/en-us/threat-center/advanced-threat-research/uefi-rootkit.html)",
    "match": {
      "rkloader"      : { "guid": "F50258A9-2F4D-4DA9-861E-BDA84D07A44C" },
      "rkloader_name" : { "name": "rkloader" },
      "Ntfs"          : { "guid": "F50248A9-2F4D-4DE9-86AE-BDA84D07A41C" },
      "app"           : { "guid": "EAEA9AEC-C9C1-46E2-9D52-432AD25A9B0B" }
    }
  }
}

and

{
  "MR_UEFI_Rootkit": {
    "description": "MosaicRegressor UEFI Rootkit (https://securelist.com/mosaicregressor/98849/)",
    "match": {
      "SmmInterfaceBase" : { "name": "SmmInterfaceBase", "guid": "F50258A9-2F4D-4DA9-861E-BDA84D07A44C" },
      "Ntfs"             : { "name": "Ntfs", "guid": "F50248A9-2F4D-4DE9-86AE-BDA84D07A41C" },
      "SmmReset"         : { "name": "SmmReset", "guid": "EAEA9AEC-C9C1-46E2-9D52-432AD25A9B0C" },
      "SmmAccessSub"     : { "name": "SmmAccessSub", "guid": "EAEA9AEC-C9C1-46E2-9D52-432AD25A9B0B" }
    }
  }
}

Suggestion: Always have both name and guid in every entry under match. That makes the structure uniform.

Originally, I just wanted to add Black Lotus: https://github.com/binarly-io/FwHunt/blob/main/rules/Threats/BlackLotusBootkit.yml

There are some more known malicious binaries that should be added; see the Threats directory in Binarly's repository.

[frinzell]

The logic is that any criteria listed in the bracket is treated as an AND. To flag a match, all criteria have to match. Name, GUID, hash, etc. The downside is if you're off on one, the tool won't flag it. Sometimes less is more but the ability is there to refine the search. If you are looking at adding support, please feel free to submit a PR. We can work through any gotchas as needed. The more checks the better. :) Hope this helps!