MilkBox - PoC of dumping EFI runtime drivers.
You can watch it here.
rtd - Locate runtime drivers (must be run first)
wd - Write the dump to a binary file (dump location: "C:\MilkBox\")
ud - Uninstall driver
ex - Exit from program
The MilkBox driver can be compiled with any WDK designed for Windows 10 and above. The client is compiled with MSVC v143 or higher.
Since the driver is only test-signed, you will need to disable DSE (Driver Signature Enforcement) while the driver is in use. The PoC was only tested on a virtual machine. Theoretically everything should be fine, but be careful if you use the driver on a physical machine.
Alex Ionescu, Satoshi Tandasat (for some tricks with physical memory which I implemented too).
0x00Alchemist (2023 - 2024)