Date:   Sun, 4 Jun 2017 18:09:21 +0200
From:   Pali Rohár <>
To:     Darren Hart <>,,
        Rafael Wysocki <>,
        Andy Lutomirski <>,
Subject: Binary MOF buffer in WMI is finally decoded!


As already mentioned in the RFC: WMI Enhancements thread [1], I looked at 
the binary MOF buffer used by WMI which is included in the ACPI DSDT table.

That binary MOF buffer contains a description of WMI methods and 
structures used by ACPI-WMI. It also contains a mapping from human 
readable function names to the ACPI-WMI magical numbers used for calling 
WMI methods via ACPI.

Basically, in that binary MOF buffer is a description of the structures 
used as input and output arguments for WMI methods/function calls.

Until now, there was no information about, nor any parser for, those 
binary MOF files (.bmf files). There is some Microsoft proprietary tool 
which can compile a text MOF file to binary and vice versa.

I was able to decode that binary MOF format and wrote a simple bmfparse 
tool. It is available in a git repository [2]. Currently, parsing of 
function parameters is not implemented yet.

The binary MOF format is compressed by the prehistoric DS-01 algorithm 
(a modification of LZ-77) which was used as the compression algorithm for 
FAT-16. Maybe you remember DMSDOS or DoubleSpace... After decompression, 
the whole format is so shitty, probably half of the data are just lengths 
of sub structures and sub-sub-... structures.

I hope this bmfparse program will help in writing new WMI drivers for 
Linux or in the inspection of available WMI methods.

Probably we could implement a parser of BMOF in the kernel and allow 
validation of function parameters or usage of human readable names of 
WMI methods?

[1] -
[2] -

Pali Rohár
