UEFI Keylogger
Proof-of-concept UEFI application that hooks keyboard input at firmware level, capturing keystrokes before any OS driver loads.
Overview
This proof of concept demonstrates keyboard capture at the UEFI firmware level. By hooking EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL, the application intercepts all keystrokes before the OS or any hypervisor initializes its input stack.
Mechanism
- Locates EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL via LocateHandleBuffer
- Wraps the ReadKeyStrokeEx function pointer with a custom handler
- Stores captured keystrokes in a pre-allocated runtime buffer
- Buffer survives into the OS via UEFI runtime memory services
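
A defender-side check for the pointer wrap described above, as an added example that is not part of this project's code: it classifies where a ReadKeyStrokeEx pointer lands relative to the loaded images (ImageBase and ImageSize from EFI_LOADED_IMAGE_PROTOCOL). The struct, function names and sample addresses are hypothetical, and identifying the expected owning driver is left to the caller.

```c
#include <stdint.h>
#include <stddef.h>

/* One loaded image, as reported by EFI_LOADED_IMAGE_PROTOCOL
   (ImageBase / ImageSize). The values used below are constructed. */
typedef struct {
    const char *name;
    uint64_t    base;
    uint64_t    size;
} image_range;

typedef enum {
    HANDLER_OK,        /* pointer lies inside the expected driver image */
    HANDLER_FOREIGN,   /* pointer lies inside a different loaded image  */
    HANDLER_UNBACKED   /* pointer lies in no loaded image (pool/pages)  */
} handler_verdict;

/* Overflow-safe containment test: addr in [base, base + size). */
static int in_range(uint64_t addr, const image_range *img)
{
    return addr >= img->base && (addr - img->base) < img->size;
}

/* Return the index of the image containing addr, or -1 if none does. */
int find_owner(uint64_t addr, const image_range *imgs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (in_range(addr, &imgs[i]))
            return (int)i;
    return -1;
}

/* Classify a ReadKeyStrokeEx pointer against the image expected to own it. */
handler_verdict check_handler(uint64_t handler, const image_range *imgs,
                              size_t n, size_t expected)
{
    int owner = find_owner(handler, imgs, n);
    if (owner < 0)
        return HANDLER_UNBACKED;
    return ((size_t)owner == expected) ? HANDLER_OK : HANDLER_FOREIGN;
}

/* Constructed sample: a console input driver and one other application. */
static const image_range SAMPLE_IMAGES[] = {
    { "ConsoleInputDxe (constructed)", 0x7E400000ULL, 0x20000ULL },
    { "OtherApp.efi (constructed)",    0x7D100000ULL, 0x08000ULL },
};
```

A pointer comparison of this kind only catches a replaced function pointer; code patched in place inside the original driver image would still classify as HANDLER_OK.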
Research Value
Demonstrates that pre-OS input capture is feasible without any kernel-mode component, bypassing all OS-level security monitoring.