Channel: Forensic Focus Forums - Recent Topics

General Discussion: Firmware Level Rootkit

Broadly speaking there are two cases. Case 1: The firmware came from the manufacturer with the backdoor included. In this case you could step through the code line by line and check it. You could also monitor for strange behaviour, e.g. unexpected network connections. But most of the time neither option is practical. Case 2: Someone has updated the original firmware with a new 'bad' version. In this case there is the possibility to compare the code back to the original, which makes it much easier to locate something that shouldn't be there. I have no idea why you are referencing a bug in Win32k.sys as an example of a firmware rootkit however. Maybe you are confused as to what firmware actually is?
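An added illustration of the Case 2 approach described above (comparing a suspect image back to the original), not code from the post or from any vendor tool: it hashes both images and, when they differ, lists the byte ranges that changed so the analyst knows where to start disassembling. Both images below are constructed sample data; `BASELINE` stands in for the known-good vendor image and `SUSPECT` for the dumped image.

```python
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hash an image so a quick identical/not-identical verdict is possible."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(baseline: bytes, suspect: bytes) -> List[Tuple[int, int]]:
    """Return half-open [start, end) byte ranges where suspect differs from baseline.

    A length mismatch is reported as one trailing region covering the
    extra or missing bytes, since a resized image is itself suspicious.
    """
    regions: List[Tuple[int, int]] = []
    n = min(len(baseline), len(suspect))
    start = None
    for i in range(n):
        if baseline[i] != suspect[i]:
            if start is None:
                start = i          # first byte of a new modified run
        elif start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, n))  # run reached the end of the shared length
    if len(baseline) != len(suspect):
        regions.append((n, max(len(baseline), len(suspect))))
    return regions


def compare_firmware(baseline: bytes, suspect: bytes) -> Dict[str, object]:
    """Whole-image hash check first; only walk bytes when the hashes differ."""
    identical = sha256_hex(baseline) == sha256_hex(suspect)
    return {
        "identical": identical,
        "regions": [] if identical else diff_regions(baseline, suspect),
    }


# Constructed sample images: a 1 KiB repeating pattern as the "vendor" image,
# and a copy with two small patches as the "dumped from device" image.
BASELINE = bytes(range(256)) * 4
_patched = bytearray(BASELINE)
_patched[0x100:0x108] = b"\xde\xad\xbe\xef" * 2   # 8 bytes replaced at 0x100
_patched[0x3F0:0x3F4] = b"\x00" * 4               # 4 bytes zeroed at 0x3F0
SUSPECT = bytes(_patched)

if __name__ == "__main__":
    for start, end in compare_firmware(BASELINE, SUSPECT)["regions"]:
        print(f"modified: 0x{start:06x}-0x{end:06x} ({end - start} bytes)")
```

The output only tells you where the image changed, not why; a legitimate update or a configuration block rewritten at runtime produces hits too, so each region still has to be read against the vendor image before calling it a rootkit.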
