I had some extra time, so I decided to see if I could help myself understand some of how the new isbootsecure works. I used the command line utility dumpbin like this:
dumpbin isbootsecure.exe /imports
I think /imports just tells what libraries are being imported from Windows.
This is the output:
Microsoft (R) COFF/PE Dumper Version 14.16.27051.0
Copyright (C) Microsoft Corporation. All rights reserved.


Dump of file isbootsecure.exe

File Type: EXECUTABLE IMAGE

  Section contains the following imports:

    USER32.dll
                402078 Import Address Table
                4027A4 Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                  309 wvsprintfA
                  307 wsprintfA

    KERNEL32.dll
                40202C Import Address Table
                402758 Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                  1F6 GetModuleHandleA
                  211 GetNumberOfConsoleInputEvents
                  220 GetProcAddress
                  23B GetStdHandle
                  1E6 GetLastError
                  28C GlobalFree
                  4B5 lstrlenA
                  35D ReadConsoleInputA
                  3C1 SetConsoleTitleA
                  48D WriteFile
                  1DA GetFirmwareEnvironmentVariableA
                  1A9 GetCurrentProcess
                  16F GetCommandLineA
                  110 FileTimeToSystemTime
                  104 ExitProcess
                   78 CreateFileA
                   43 CloseHandle
                  285 GlobalAlloc

    ADVAPI32.dll
                402000 Import Address Table
                40272C Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                  190 LookupPrivilegeValueA
                  1F1 OpenProcessToken
                   1E AdjustTokenPrivileges

    CRYPT32.dll
                402010 Import Address Table
                40273C Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                   E2 CryptVerifyMessageSignature
                   1C CertCreateCertificateContext
                   3F CertFreeCertificateContext
                   52 CertNameToStrA

    CRYPTUI.dll
                402024 Import Address Table
                402750 Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                   11 CryptUIDlgViewContext

  Summary

        1000 .data
        1000 .rdata
        1000 .rsrc
        1000 .text
Just judging by the output, my guess is that the GetFirmwareEnvironmentVariableA function is the one doing some of the important work. I tried opening the file with Steve Miller's Dependency Walker, but it was like it was locking up.
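To show what that import chain does in practice, here is an added example (my own code, not isbootsecure.exe and not the original poster's) that walks the same ADVAPI32 and KERNEL32 calls the dumpbin listing shows: OpenProcessToken, LookupPrivilegeValueA and AdjustTokenPrivileges to enable SeSystemEnvironmentPrivilege, then GetFirmwareEnvironmentVariableA to read the UEFI "SecureBoot" variable from the EFI global variable namespace (GUID 8BE4DF61-93CA-11D2-AA0D-00E098032B8C, from the UEFI specification). The decoding of the result is kept in a portable function so it can be exercised anywhere; the Win32 calls compile only under _WIN32. The error-code mapping (ERROR_INVALID_FUNCTION for a legacy BIOS boot, ERROR_ENVVAR_NOT_FOUND for a missing variable, ERROR_PRIVILEGE_NOT_HELD when the privilege could not be enabled) is my reading of the documented API behaviour, not something taken from the tool.

```c
/*
 * Added example: read the UEFI "SecureBoot" variable the way the
 * imports above suggest isbootsecure.exe does. Not the tool's own code.
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* EFI_GLOBAL_VARIABLE namespace GUID in the string form Win32 expects. */
#define EFI_GLOBAL_VARIABLE_GUID "{8BE4DF61-93CA-11D2-AA0D-00E098032B8C}"

/* Win32 error codes GetFirmwareEnvironmentVariableA reports via GetLastError. */
#define ERR_INVALID_FUNCTION   1    /* ERROR_INVALID_FUNCTION: legacy BIOS, no UEFI */
#define ERR_ENVVAR_NOT_FOUND   203  /* ERROR_ENVVAR_NOT_FOUND: variable absent */
#define ERR_PRIVILEGE_NOT_HELD 1314 /* ERROR_PRIVILEGE_NOT_HELD */

enum sb_state {
    SB_ENABLED,
    SB_DISABLED,
    SB_LEGACY_BIOS,
    SB_UNSUPPORTED,
    SB_NO_PRIVILEGE,
    SB_UNKNOWN
};

/*
 * Map (bytes returned, byte count, last-error code) to a verdict.
 * Portable on purpose: this is the part that can be tested without firmware.
 * The SecureBoot variable is defined as a single UINT8: 1 = on, 0 = off.
 */
enum sb_state interpret_secureboot(const uint8_t *buf, uint32_t len, uint32_t err)
{
    if (len == 0) {
        switch (err) {
        case ERR_INVALID_FUNCTION:   return SB_LEGACY_BIOS;
        case ERR_ENVVAR_NOT_FOUND:   return SB_UNSUPPORTED;
        case ERR_PRIVILEGE_NOT_HELD: return SB_NO_PRIVILEGE;
        default:                     return SB_UNKNOWN;
        }
    }
    if (len != 1 || buf == NULL)
        return SB_UNKNOWN;
    if (buf[0] == 1)
        return SB_ENABLED;
    if (buf[0] == 0)
        return SB_DISABLED;
    return SB_UNKNOWN;
}

const char *sb_state_name(enum sb_state s)
{
    switch (s) {
    case SB_ENABLED:      return "enabled";
    case SB_DISABLED:     return "disabled";
    case SB_LEGACY_BIOS:  return "legacy BIOS boot (no UEFI variables)";
    case SB_UNSUPPORTED:  return "UEFI but no SecureBoot variable";
    case SB_NO_PRIVILEGE: return "SeSystemEnvironmentPrivilege not held";
    default:              return "unknown";
    }
}

#ifdef _WIN32
#include <windows.h>

/* Enable SeSystemEnvironmentPrivilege on the current process token.
 * This is the OpenProcessToken / LookupPrivilegeValueA / AdjustTokenPrivileges
 * chain visible in the ADVAPI32 imports; it needs an elevated process. */
static int enable_system_environment_privilege(void)
{
    HANDLE tok;
    TOKEN_PRIVILEGES tp;
    int ok;

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &tok))
        return 0;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValueA(NULL, "SeSystemEnvironmentPrivilege",
                               &tp.Privileges[0].Luid)) {
        CloseHandle(tok);
        return 0;
    }
    /* AdjustTokenPrivileges returns TRUE even when the privilege was not
     * assigned; ERROR_NOT_ALL_ASSIGNED in GetLastError is the real signal. */
    AdjustTokenPrivileges(tok, FALSE, &tp, 0, NULL, NULL);
    ok = (GetLastError() == ERROR_SUCCESS);
    CloseHandle(tok);
    return ok;
}

enum sb_state query_secureboot(void)
{
    uint8_t buf[8] = {0};
    DWORD n, err;

    if (!enable_system_environment_privilege())
        return SB_NO_PRIVILEGE;
    n = GetFirmwareEnvironmentVariableA("SecureBoot", EFI_GLOBAL_VARIABLE_GUID,
                                        buf, sizeof buf);
    err = n ? 0 : GetLastError();
    return interpret_secureboot(buf, n, err);
}
#endif

int main(void)
{
#ifdef _WIN32
    enum sb_state s = query_secureboot();
    printf("Secure Boot: %s\n", sb_state_name(s));
    return s == SB_ENABLED ? 0 : 1;
#else
    /* Constructed sample response standing in for firmware on non-Windows. */
    const uint8_t on = 1;
    printf("Secure Boot: %s\n", sb_state_name(interpret_secureboot(&on, 1, 0)));
    return 0;
#endif
}
```

Run it from an elevated prompt; without elevation the privilege cannot be enabled and the result is reported as "SeSystemEnvironmentPrivilege not held" rather than as a Secure Boot state, which is the case a checker must not confuse with "disabled".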