Voyager/Voyager-2/Voyager-2 (2004-1709)/Hvax64.c

#include "Hvax64.h"

VOID* MapModule(PVOYAGER_T VoyagerData, UINT8* ImageBase)
{
	if (!VoyagerData || !ImageBase)
		return NULL;

	EFI_IMAGE_DOS_HEADER* dosHeaders = (EFI_IMAGE_DOS_HEADER*)ImageBase;
	if (dosHeaders->e_magic != EFI_IMAGE_DOS_SIGNATURE)
		return NULL;

	EFI_IMAGE_NT_HEADERS64* ntHeaders = (EFI_IMAGE_NT_HEADERS64*)(ImageBase + dosHeaders->e_lfanew);
	if (ntHeaders->Signature != EFI_IMAGE_NT_SIGNATURE)
		return NULL;

	// Map headers (no reason not too here, memory is unaccessable from guest lol)
	MemCopy(VoyagerData->ModuleBase, ImageBase, ntHeaders->OptionalHeader.SizeOfHeaders);

	// Map sections
	EFI_IMAGE_SECTION_HEADER* sections = (EFI_IMAGE_SECTION_HEADER*)((UINT8*)&ntHeaders->OptionalHeader + ntHeaders->FileHeader.SizeOfOptionalHeader);
	for (UINT32 i = 0; i < ntHeaders->FileHeader.NumberOfSections; ++i) 
	{
		EFI_IMAGE_SECTION_HEADER* section = &sections[i];
		if (section->SizeOfRawData)
		{
			MemCopy
			(
				VoyagerData->ModuleBase + section->VirtualAddress,
				ImageBase + section->PointerToRawData,
				section->SizeOfRawData
			);
		}
	}

	// set exported pointer to voyager context...
	EFI_IMAGE_EXPORT_DIRECTORY* ExportDir = (EFI_IMAGE_EXPORT_DIRECTORY*)(
		VoyagerData->ModuleBase + ntHeaders->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);

	UINT32* Address = (UINT32*)(VoyagerData->ModuleBase + ExportDir->AddressOfFunctions);
	UINT32* Name = (UINT32*)(VoyagerData->ModuleBase + ExportDir->AddressOfNames);
	UINT16* Ordinal = (UINT16*)(VoyagerData->ModuleBase + ExportDir->AddressOfNameOrdinals);

	for (UINT16 i = 0; i < ExportDir->AddressOfFunctions; i++)
	{
		if (AsciiStrStr(VoyagerData->ModuleBase + Name[i], "voyager_context"))
		{
			*(VOYAGER_T*)(VoyagerData->ModuleBase + Address[Ordinal[i]]) = *VoyagerData;
			break; // DO NOT REMOVE? #Stink Code 2020...
		}
	}

	// Resolve relocations
	EFI_IMAGE_DATA_DIRECTORY* baseRelocDir = &ntHeaders->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC];
	if (baseRelocDir->VirtualAddress) 
	{
		EFI_IMAGE_BASE_RELOCATION* reloc = (EFI_IMAGE_BASE_RELOCATION*)(VoyagerData->ModuleBase + baseRelocDir->VirtualAddress);
		for (UINT32 currentSize = 0; currentSize < baseRelocDir->Size; ) 
		{
			UINT32 relocCount = (reloc->SizeOfBlock - sizeof(EFI_IMAGE_BASE_RELOCATION)) / sizeof(UINT16);
			UINT16* relocData = (UINT16*)((UINT8*)reloc + sizeof(EFI_IMAGE_BASE_RELOCATION));
			UINT8* relocBase = VoyagerData->ModuleBase + reloc->VirtualAddress;

			for (UINT32 i = 0; i < relocCount; ++i, ++relocData) 
			{
				UINT16 data = *relocData;
				UINT16 type = data >> 12;
				UINT16 offset = data & 0xFFF;

				switch (type) 
				{
				case EFI_IMAGE_REL_BASED_ABSOLUTE:
					break;
				case EFI_IMAGE_REL_BASED_DIR64: 
				{
					UINT64* rva = (UINT64*)(relocBase + offset);
					*rva = (UINT64)(VoyagerData->ModuleBase + (*rva - ntHeaders->OptionalHeader.ImageBase));
					break;
				}
				default:
					return NULL;
				}
			}

			currentSize += reloc->SizeOfBlock;
			reloc = (EFI_IMAGE_BASE_RELOCATION*)relocData;
		}
	}

	return VoyagerData->ModuleBase + ntHeaders->OptionalHeader.AddressOfEntryPoint;
}

VOID MakeVoyagerData
(
	PVOYAGER_T VoyagerData,
	VOID* HypervAlloc,
	UINT64 HypervAllocSize,
	VOID* PayLoadBase,
	UINT64 PayLoadSize
)
{
	VoyagerData->HypervModuleBase = HypervAlloc;
	VoyagerData->HypervModuleSize = HypervAllocSize;
	VoyagerData->ModuleBase = PayLoadBase;
	VoyagerData->ModuleSize = PayLoadSize;

	VOID* VCpuRunCall =
		FindPattern(
			HypervAlloc,
			HypervAllocSize,
			VCPU_RUN_HANDLER_SIG,
			VCPU_RUN_HANDLER_MASK
		);

	UINT64 VCpuRunCallRip = (UINT64)VCpuRunCall + 5; // + 5 bytes because "call vmexit_c_handler" is 5 bytes
	UINT64 VCpuRunFunction = VCpuRunCallRip + *(INT32*)((UINT64)VCpuRunCall + 1); // + 1 to skip E8 (call) and read 4 bytes (RVA)
	VoyagerData->VCpuRunHandlerRVA = ((UINT64)PayLoadEntry(PayLoadBase)) - VCpuRunFunction;

	DBG_PRINT("VCpuRunCall -> 0x%p\n", VCpuRunCall);
	DBG_PRINT("VCpuRunCallRip -> 0x%p\n", VCpuRunCallRip);
	DBG_PRINT("VCpuRunFunction -> 0x%p\n", VCpuRunFunction);
	DBG_PRINT("VoyagerData->VCpuRunHandlerRVA -> 0x%p\n", VoyagerData->VCpuRunHandlerRVA);
}

VOID* HookVCpuRun(VOID* HypervBase, VOID* HypervSize, VOID* VCpuRunHook)
{
	VOID* VCpuRunCall =
		FindPattern(
			HypervBase,
			HypervSize,
			VCPU_RUN_HANDLER_SIG,
			VCPU_RUN_HANDLER_MASK
		);

	UINT64 VCpuRunCallRip = ((UINT64)VCpuRunCall) + 5; // + 5 bytes to next instructions address...
	UINT64 VCpuRunFunction = VCpuRunCallRip + *(INT32*)(((UINT64)VCpuRunCall) + 1); // + 1 to skip E8 (call) and read 4 bytes (RVA)
	INT32 NewVCpuRunRVA = ((INT64)VCpuRunHook) - VCpuRunCallRip;
	*(INT32*)((UINT64)VCpuRunCall + 1) = NewVCpuRunRVA;

	DBG_PRINT("VCpuRunCall -> 0x%p\n", VCpuRunCall);
	DBG_PRINT("VCpuRunCallRip -> 0x%p\n", VCpuRunCallRip);
	DBG_PRINT("VCpuRunFunction -> 0x%p\n", VCpuRunFunction);
	DBG_PRINT("NewVCpuRunRVA -> 0x%p\n", NewVCpuRunRVA);
	return VCpuRunFunction;
}
idk what i added 4 years ago			`#include "Hvax64.h"`
init commit 4 years ago
idk what i added 4 years ago			`VOID* MapModule(PVOYAGER_T VoyagerData, UINT8* ImageBase)`
init commit 4 years ago			`{`
added 1703 support, and all 2004-1709. 4 years ago			`if (!VoyagerData \|\| !ImageBase)`
			`return NULL;`

init commit 4 years ago			`EFI_IMAGE_DOS_HEADER* dosHeaders = (EFI_IMAGE_DOS_HEADER*)ImageBase;`
			`if (dosHeaders->e_magic != EFI_IMAGE_DOS_SIGNATURE)`
			`return NULL;`

			`EFI_IMAGE_NT_HEADERS64* ntHeaders = (EFI_IMAGE_NT_HEADERS64*)(ImageBase + dosHeaders->e_lfanew);`
added 1703 support, and all 2004-1709. 4 years ago			`if (ntHeaders->Signature != EFI_IMAGE_NT_SIGNATURE)`
			`return NULL;`
init commit 4 years ago
added 1703 support, and all 2004-1709. 4 years ago			`// Map headers (no reason not too here, memory is unaccessable from guest lol)`
init commit 4 years ago			`MemCopy(VoyagerData->ModuleBase, ImageBase, ntHeaders->OptionalHeader.SizeOfHeaders);`

			`// Map sections`
			`EFI_IMAGE_SECTION_HEADER* sections = (EFI_IMAGE_SECTION_HEADER)((UINT8)&ntHeaders->OptionalHeader + ntHeaders->FileHeader.SizeOfOptionalHeader);`
			`for (UINT32 i = 0; i < ntHeaders->FileHeader.NumberOfSections; ++i)`
			`{`
			`EFI_IMAGE_SECTION_HEADER* section = &sections[i];`
added 1703 support, and all 2004-1709. 4 years ago			`if (section->SizeOfRawData)`
			`{`
			`MemCopy`
			`(`
			`VoyagerData->ModuleBase + section->VirtualAddress,`
			`ImageBase + section->PointerToRawData,`
			`section->SizeOfRawData`
			`);`
			`}`
init commit 4 years ago			`}`

			`// set exported pointer to voyager context...`
			`EFI_IMAGE_EXPORT_DIRECTORY* ExportDir = (EFI_IMAGE_EXPORT_DIRECTORY*)(`
			`VoyagerData->ModuleBase + ntHeaders->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);`

			`UINT32* Address = (UINT32*)(VoyagerData->ModuleBase + ExportDir->AddressOfFunctions);`
			`UINT32* Name = (UINT32*)(VoyagerData->ModuleBase + ExportDir->AddressOfNames);`
			`UINT16* Ordinal = (UINT16*)(VoyagerData->ModuleBase + ExportDir->AddressOfNameOrdinals);`

			`for (UINT16 i = 0; i < ExportDir->AddressOfFunctions; i++)`
			`{`
vmexit hook finally working... had to adjust addresses 4 years ago			`if (AsciiStrStr(VoyagerData->ModuleBase + Name[i], "voyager_context"))`
init commit 4 years ago			`{`
idk what i added 4 years ago			`(VOYAGER_T)(VoyagerData->ModuleBase + Address[Ordinal[i]]) = *VoyagerData;`
added 1703 support, and all 2004-1709. 4 years ago			`break; // DO NOT REMOVE? #Stink Code 2020...`
init commit 4 years ago			`}`
			`}`

			`// Resolve relocations`
			`EFI_IMAGE_DATA_DIRECTORY* baseRelocDir = &ntHeaders->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC];`
			`if (baseRelocDir->VirtualAddress)`
			`{`
			`EFI_IMAGE_BASE_RELOCATION* reloc = (EFI_IMAGE_BASE_RELOCATION*)(VoyagerData->ModuleBase + baseRelocDir->VirtualAddress);`
			`for (UINT32 currentSize = 0; currentSize < baseRelocDir->Size; )`
			`{`
			`UINT32 relocCount = (reloc->SizeOfBlock - sizeof(EFI_IMAGE_BASE_RELOCATION)) / sizeof(UINT16);`
			`UINT16* relocData = (UINT16)((UINT8)reloc + sizeof(EFI_IMAGE_BASE_RELOCATION));`
			`UINT8* relocBase = VoyagerData->ModuleBase + reloc->VirtualAddress;`

			`for (UINT32 i = 0; i < relocCount; ++i, ++relocData)`
			`{`
			`UINT16 data = *relocData;`
			`UINT16 type = data >> 12;`
			`UINT16 offset = data & 0xFFF;`

			`switch (type)`
			`{`
			`case EFI_IMAGE_REL_BASED_ABSOLUTE:`
			`break;`
			`case EFI_IMAGE_REL_BASED_DIR64:`
			`{`
			`UINT64* rva = (UINT64*)(relocBase + offset);`
			`rva = (UINT64)(VoyagerData->ModuleBase + (rva - ntHeaders->OptionalHeader.ImageBase));`
			`break;`
			`}`
			`default:`
			`return NULL;`
			`}`
			`}`

			`currentSize += reloc->SizeOfBlock;`
			`reloc = (EFI_IMAGE_BASE_RELOCATION*)relocData;`
			`}`
			`}`

			`return VoyagerData->ModuleBase + ntHeaders->OptionalHeader.AddressOfEntryPoint;`
			`}`

vmexit hook finally working... had to adjust addresses 4 years ago			`VOID MakeVoyagerData`
init commit 4 years ago			`(`
idk what i added 4 years ago			`PVOYAGER_T VoyagerData,`
init commit 4 years ago			`VOID* HypervAlloc,`
			`UINT64 HypervAllocSize,`
added 1703 support, and all 2004-1709. 4 years ago			`VOID* PayLoadBase,`
			`UINT64 PayLoadSize`
init commit 4 years ago			`)`
			`{`
			`VoyagerData->HypervModuleBase = HypervAlloc;`
			`VoyagerData->HypervModuleSize = HypervAllocSize;`
added 1703 support, and all 2004-1709. 4 years ago			`VoyagerData->ModuleBase = PayLoadBase;`
			`VoyagerData->ModuleSize = PayLoadSize;`
init commit 4 years ago
idk what i added 4 years ago			`VOID* VCpuRunCall =`
init commit 4 years ago			`FindPattern(`
			`HypervAlloc,`
			`HypervAllocSize,`
idk what i added 4 years ago			`VCPU_RUN_HANDLER_SIG,`
			`VCPU_RUN_HANDLER_MASK`
init commit 4 years ago			`);`

idk what i added 4 years ago			`UINT64 VCpuRunCallRip = (UINT64)VCpuRunCall + 5; // + 5 bytes because "call vmexit_c_handler" is 5 bytes`
			`UINT64 VCpuRunFunction = VCpuRunCallRip + (INT32)((UINT64)VCpuRunCall + 1); // + 1 to skip E8 (call) and read 4 bytes (RVA)`
			`VoyagerData->VCpuRunHandlerRVA = ((UINT64)PayLoadEntry(PayLoadBase)) - VCpuRunFunction;`

hyper-v hook for win10-2004 amd working! 4 years ago			`DBG_PRINT("VCpuRunCall -> 0x%p\n", VCpuRunCall);`
idk what i added 4 years ago			`DBG_PRINT("VCpuRunCallRip -> 0x%p\n", VCpuRunCallRip);`
			`DBG_PRINT("VCpuRunFunction -> 0x%p\n", VCpuRunFunction);`
			`DBG_PRINT("VoyagerData->VCpuRunHandlerRVA -> 0x%p\n", VoyagerData->VCpuRunHandlerRVA);`
init commit 4 years ago			`}`

idk what i added 4 years ago			`VOID* HookVCpuRun(VOID* HypervBase, VOID* HypervSize, VOID* VCpuRunHook)`
init commit 4 years ago			`{`
idk what i added 4 years ago			`VOID* VCpuRunCall =`
init commit 4 years ago			`FindPattern(`
			`HypervBase,`
			`HypervSize,`
idk what i added 4 years ago			`VCPU_RUN_HANDLER_SIG,`
			`VCPU_RUN_HANDLER_MASK`
init commit 4 years ago			`);`

hyper-v hook for win10-2004 amd working! 4 years ago			`UINT64 VCpuRunCallRip = ((UINT64)VCpuRunCall) + 5; // + 5 bytes to next instructions address...`
			`UINT64 VCpuRunFunction = VCpuRunCallRip + (INT32)(((UINT64)VCpuRunCall) + 1); // + 1 to skip E8 (call) and read 4 bytes (RVA)`
idk what i added 4 years ago			`INT32 NewVCpuRunRVA = ((INT64)VCpuRunHook) - VCpuRunCallRip;`
			`(INT32)((UINT64)VCpuRunCall + 1) = NewVCpuRunRVA;`
added 1703 support, and all 2004-1709. 4 years ago
hyper-v hook for win10-2004 amd working! 4 years ago			`DBG_PRINT("VCpuRunCall -> 0x%p\n", VCpuRunCall);`
idk what i added 4 years ago			`DBG_PRINT("VCpuRunCallRip -> 0x%p\n", VCpuRunCallRip);`
			`DBG_PRINT("VCpuRunFunction -> 0x%p\n", VCpuRunFunction);`
			`DBG_PRINT("NewVCpuRunRVA -> 0x%p\n", NewVCpuRunRVA);`
			`return VCpuRunFunction;`
init commit 4 years ago			`}`