vmexit hook finally working... had to adjust addresses

xerox 4 years ago
parent 40090957c4
commit 05400259c7

@ -31,16 +31,18 @@ typedef struct _context_t
__m128 xmm4;
__m128 xmm5;
} context_t, *pcontext_t;
using vmexit_handler_t = void (__fastcall*)(pcontext_t* context, void* unknown1, void* unknown2, void* unknown3);
using vmexit_handler_t = void (__fastcall*)(pcontext_t* context, void* unknown);
#pragma pack(push, 1)
typedef struct _VOYAGER_DATA_T
{
vmexit_handler_t vmexit_handler;
// RVA from golden record entry ---> back to original vmexit handler...
uintptr_t vmexit_handler_rva;
uintptr_t hyperv_module_base;
uintptr_t hyperv_module_size;
uintptr_t record_base;
uintptr_t record_size;
} VOYAGER_DATA_T, *PVOYAGER_DATA_T;
#pragma pack(pop)
__declspec(dllexport) inline PVOYAGER_DATA_T pvoyager_context = nullptr;
__declspec(dllexport) inline VOYAGER_DATA_T voyager_context;
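Review bot: `VOYAGER_DATA_T` here and the loader's struct of the same name (the hunk at `@ -5,13 +5,13 @@`) are exchanged by a raw struct assignment in MapModule, so field order and size have to agree byte for byte and nothing enforces that; a compile-time check next to `#pragma pack(pop)`, `static_assert(sizeof(VOYAGER_DATA_T) == 6 * sizeof(uintptr_t), "layout must match the loader's VOYAGER_DATA_T");`, would catch a drift in either definition. The `vmexit_handler` member stays in the struct although the new `vmexit_handler` body only reads `vmexit_handler_rva`, so a comment saying whether it is still meaningful (or dropping it on both sides in one change) would help the next reader. Both `vmexit_handler_t` and the definition in the next hunk take `pcontext_t* context`, which is `context_t**`, while the loader's disassembly notes describe rcx as a pointer to the saved registers; the value is only forwarded here so nothing breaks, but the type probably wants to be `pcontext_t` — worth confirming.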

@ -1,8 +1,12 @@
#include "types.h"
void vmexit_handler(pcontext_t* context, void* unknown1, void* unknown2, void* unknown3)
void vmexit_handler(pcontext_t* context, void* unknown)
{
DBG_PRINT("vmexit called....\n");
DBG_PRINT("calling original vmexit handler....\n");
pvoyager_context->vmexit_handler(context, unknown1, unknown2, unknown3);
// when hyper-v gets remapped out of winload's context
// the linear virtual addresses change... thus an adjustment is required...
reinterpret_cast<vmexit_handler_t>(
reinterpret_cast<uintptr_t>(&vmexit_handler) -
voyager_context.vmexit_handler_rva)(context, unknown);
}
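Review bot: The forwarding call on the last three lines only reaches the original handler if `&vmexit_handler` is exactly the address the loader passed to `GetGoldenRecordEntry`, because `vmexit_handler_rva` is stored as `entry - original` (see the assignment in MakeVoyagerData); if the image entry point ever becomes a different function (a CRT stub, another export) the subtraction lands somewhere else inside hyper-v with nothing to detect it. That invariant is not written anywhere, so a comment on the cast is warranted: `// vmexit_handler must be the image entry point: the loader stores (entry - original_handler) in vmexit_handler_rva, so entry - rva == original`. The two `DBG_PRINT` calls run on every VM exit; fine for bring-up, but a note that they are meant to be compiled out afterwards would avoid them surviving into a build where the per-exit cost matters.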

@ -30,9 +30,9 @@ VOID* MapModule(PVOYAGER_DATA_T VoyagerData, UINT8* ImageBase)
for (UINT16 i = 0; i < ExportDir->AddressOfFunctions; i++)
{
if (AsciiStrStr(VoyagerData->ModuleBase + Name[i], "pvoyager_context"))
if (AsciiStrStr(VoyagerData->ModuleBase + Name[i], "voyager_context"))
{
*(VOID**)(VoyagerData->ModuleBase + Address[Ordinal[i]]) = VoyagerData;
*(VOYAGER_DATA_T*)(VoyagerData->ModuleBase + Address[Ordinal[i]]) = *VoyagerData;
break; // DO NOT REMOVE? Gorilla Code 2020...
}
}
@ -77,16 +77,15 @@ VOID* MapModule(PVOYAGER_DATA_T VoyagerData, UINT8* ImageBase)
return VoyagerData->ModuleBase + ntHeaders->OptionalHeader.AddressOfEntryPoint;
}
PVOYAGER_DATA_T MakeVoyagerData
VOID MakeVoyagerData
(
PVOYAGER_DATA_T VoyagerData,
VOID* HypervAlloc,
UINT64 HypervAllocSize,
VOID* GoldenRecordAlloc,
UINT64 GoldenRecordSize
)
{
// the memory for the voyager data is allocated under the memory for the golden record...
PVOYAGER_DATA_T VoyagerData = (UINT64)GoldenRecordAlloc + GoldenRecordSize;
VoyagerData->HypervModuleBase = HypervAlloc;
VoyagerData->HypervModuleSize = HypervAllocSize;
VoyagerData->ModuleBase = GoldenRecordAlloc;
@ -100,11 +99,6 @@ PVOYAGER_DATA_T MakeVoyagerData
"xxxxxxxxxxxxx?xxxx?x????x"
);
DBG_PRINT("VmExitHandler Call Signature Result -> 0x%p\n", VmExitHandler);
if (!VmExitHandler)
return NULL;
/*
.text:FFFFF80000237436 mov rcx, [rsp+arg_18] ; rcx = pointer to stack that contians all register values
.text:FFFFF8000023743B mov rdx, [rsp+arg_28]
@ -115,12 +109,7 @@ PVOYAGER_DATA_T MakeVoyagerData
UINT64 VmExitHandlerCall = ((UINT64)VmExitHandler) + 19; // + 19 bytes to -> call vmexit_c_handler
UINT64 VmExitHandlerCallRip = (UINT64)VmExitHandlerCall + 5; // + 5 bytes because "call vmexit_c_handler" is 5 bytes
UINT64 VmExitFunction = VmExitHandlerCallRip + *(INT32*)((UINT64)(VmExitHandlerCall + 1)); // + 1 to skip E8 (call) and read 4 bytes (RVA)
VoyagerData->VmExitHandler = VmExitFunction;
DBG_PRINT("VmExitHandlerCall -> 0x%p\n", VmExitHandlerCall);
DBG_PRINT("VmExitHandlerCallRip -> 0x%p\n", VmExitHandlerCallRip);
DBG_PRINT("VmExitFunction -> 0x%p\n", VmExitFunction);
return VoyagerData;
VoyagerData->VmExitHandlerRva = ((UINT64)GetGoldenRecordEntry(GoldenRecordAlloc)) - (UINT64)VmExitFunction;
}
VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook)
@ -133,8 +122,6 @@ VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook)
"xxxxxxxxxxxxx?xxxx?x????x"
);
DBG_PRINT("VmExitHandler Call Signature Result -> 0x%p\n", VmExitHandler);
/*
.text:FFFFF80000237436 mov rcx, [rsp+arg_18] ; rcx = pointer to stack that contians all register values
.text:FFFFF8000023743B mov rdx, [rsp+arg_28]
@ -147,11 +134,5 @@ VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook)
UINT64 VmExitFunction = VmExitHandlerCallRip + *(INT32*)((UINT64)(VmExitHandlerCall + 1)); // + 1 to skip E8 (call) and read 4 bytes (RVA)
INT32 NewVmExitRVA = ((INT64)VmExitHook) - VmExitHandlerCallRip;
*(INT32*)((UINT64)(VmExitHandlerCall + 1)) = NewVmExitRVA;
DBG_PRINT("VmExitHandlerCall -> 0x%p\n", VmExitHandlerCall);
DBG_PRINT("VmExitHandlerCallRip -> 0x%p\n", VmExitHandlerCallRip);
DBG_PRINT("VmExitFunction -> 0x%p\n", VmExitFunction);
DBG_PRINT("NewVmExitRVA -> 0x%x\n", NewVmExitRVA);
return VmExitFunction;
}
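Review bot: The signature-scan result in MakeVoyagerData is no longer checked — the `if (!VmExitHandler) return NULL;` guard appears only on the old side and the function now returns `VOID` — so a failed scan proceeds to `*(INT32*)((UINT64)(VmExitHandlerCall + 1))` with a near-null address and the caller cannot tell anything went wrong. Returning a status keeps the call site honest: `EFI_STATUS MakeVoyagerData(...)`, `if (!VmExitHandler) return EFI_NOT_FOUND;` right after the DBG_PRINT, and `return EFI_SUCCESS;` after the `VmExitHandlerRva` assignment. `HookVmExit` has the same gap (it prints the scan result and then dereferences it without a check) and already returns `VOID*`, so `if (!VmExitHandler) return NULL;` fits there as is. `INT32 NewVmExitRVA = ((INT64)VmExitHook) - VmExitHandlerCallRip;` narrows a 64-bit difference silently; either document why the two addresses are always within rel32 range or reject the case instead of corrupting the call. While here, the MapModule loop bound `i < ExportDir->AddressOfFunctions` is an RVA, not a count — `NumberOfNames` is the field that bounds `Name[i]` and `Ordinal[i]`; it only works today because the export is found before the index runs off the table.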

@ -17,11 +17,11 @@ VOID* MapModule(PVOYAGER_DATA_T VoyagerData, UINT8* ImageBase);
VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook);
//
// Given hyper-v's base address and size, sig scan it for vmexit handler, then construct "VOYAGER_DATA_T"
// using memory already allocated under hyper-v and under the memory allocated for the golden record...
// creates a structure with all the data needed to be passed to the golden record...
//
PVOYAGER_DATA_T MakeVoyagerData
VOID MakeVoyagerData
(
PVOYAGER_DATA_T VoyagerData,
VOID* HypervAlloc,
UINT64 HypervAllocSize,
VOID* GoldenRecordAlloc,
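Review bot: The comment above this declaration is now stale: it still says the `VOYAGER_DATA_T` is constructed "using memory already allocated under hyper-v and under the memory allocated for the golden record", but the new signature takes a caller-provided `PVOYAGER_DATA_T VoyagerData` and fills it in place (MapModule later copies it into the mapped image). Suggested replacement for the block: `// Fills the caller-provided VoyagerData: sig-scans hyper-v (HypervAlloc/HypervAllocSize) for the vmexit handler and records the hyper-v range, the golden record range and the handler's distance from the golden record entry point. Returns nothing, so the caller has no failure signal.` The declaration continues past the end of this hunk.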

@ -44,18 +44,18 @@ unsigned char GoldenRecord[3072] =
0x6A, 0xDE, 0x5F, 0x8E, 0xDC, 0xAF, 0x5D, 0x8F, 0x6A, 0xDE, 0x5F, 0x8E,
0x52, 0x69, 0x63, 0x68, 0x6B, 0xDE, 0x5F, 0x8E, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x50, 0x45, 0x00, 0x00, 0x64, 0x86, 0x05, 0x00,
0xB2, 0x81, 0x69, 0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFD, 0x47, 0x6A, 0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xF0, 0x00, 0x22, 0x20, 0x0B, 0x02, 0x0E, 0x1B, 0x00, 0x02, 0x00, 0x00,
0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00,
0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00,
0x0A, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x60, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x64, 0xAF, 0x00, 0x00,
0x00, 0x60, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x2B, 0x34, 0x00, 0x00,
0x01, 0x00, 0x60, 0x01, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00,
0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00,
0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00,
@ -66,20 +66,20 @@ unsigned char GoldenRecord[3072] =
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x00, 0x00, 0x00,
0x75, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00,
0x35, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00,
0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x68, 0x2E, 0x72, 0x64, 0x61,
0x74, 0x61, 0x00, 0x00, 0x34, 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00,
0x74, 0x61, 0x00, 0x00, 0x30, 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00,
0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x48,
0x2E, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00,
0x2E, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00,
0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x40, 0x00, 0x00, 0xC8, 0x2E, 0x70, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00,
0x0C, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00,
0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x48, 0x2E, 0x65, 0x64, 0x61,
0x74, 0x61, 0x00, 0x00, 0x72, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00,
0x74, 0x61, 0x00, 0x00, 0x6D, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00,
0x00, 0x02, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x40,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@ -113,38 +113,32 @@ unsigned char GoldenRecord[3072] =
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x4C, 0x89, 0x4C, 0x24, 0x20, 0x4C, 0x89, 0x44,
0x24, 0x18, 0x48, 0x89, 0x54, 0x24, 0x10, 0x48, 0x89, 0x4C, 0x24, 0x08,
0x56, 0x48, 0x83, 0xEC, 0x30, 0x48, 0x8D, 0x05, 0xE0, 0x00, 0x00, 0x00,
0x66, 0xBA, 0xF8, 0x02, 0x48, 0x8B, 0xF0, 0xB9, 0x13, 0x00, 0x00, 0x00,
0xF3, 0x6E, 0x48, 0x83, 0x3D, 0xCA, 0x1F, 0x00, 0x00, 0x00, 0x74, 0x15,
0x48, 0x8D, 0x05, 0xE1, 0x00, 0x00, 0x00, 0x66, 0xBA, 0xF8, 0x02, 0x48,
0x8B, 0xF0, 0xB9, 0x2E, 0x00, 0x00, 0x00, 0xF3, 0x6E, 0xC7, 0x44, 0x24,
0x20, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0A, 0x8B, 0x44, 0x24, 0x20, 0xFF,
0xC0, 0x89, 0x44, 0x24, 0x20, 0x83, 0x7C, 0x24, 0x20, 0x08, 0x73, 0x16,
0x8B, 0x44, 0x24, 0x20, 0x48, 0x8D, 0x0D, 0x8D, 0x1F, 0x00, 0x00, 0x66,
0xBA, 0xF8, 0x02, 0x0F, 0xB6, 0x04, 0x01, 0xEE, 0xEB, 0xD9, 0xC7, 0x44,
0x24, 0x24, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0A, 0x8B, 0x44, 0x24, 0x24,
0xFF, 0xC0, 0x89, 0x44, 0x24, 0x24, 0x83, 0x7C, 0x24, 0x24, 0x08, 0x73,
0x16, 0x8B, 0x44, 0x24, 0x24, 0x48, 0x8B, 0x0D, 0x5C, 0x1F, 0x00, 0x00,
0x66, 0xBA, 0xF8, 0x02, 0x0F, 0xB6, 0x04, 0x01, 0xEE, 0xEB, 0xD9, 0x48,
0x8D, 0x05, 0x9A, 0x00, 0x00, 0x00, 0x66, 0xBA, 0xF8, 0x02, 0x48, 0x8B,
0xF0, 0xB9, 0x25, 0x00, 0x00, 0x00, 0xF3, 0x6E, 0x48, 0x8B, 0x05, 0x35,
0x1F, 0x00, 0x00, 0x48, 0x8B, 0x00, 0x48, 0x89, 0x44, 0x24, 0x28, 0x4C,
0x8B, 0x4C, 0x24, 0x58, 0x4C, 0x8B, 0x44, 0x24, 0x50, 0x48, 0x8B, 0x54,
0x24, 0x48, 0x48, 0x8B, 0x4C, 0x24, 0x40, 0xFF, 0x54, 0x24, 0x28, 0x48,
0x83, 0xC4, 0x30, 0x5E, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0x76, 0x6D, 0x65, 0x78,
0x69, 0x74, 0x20, 0x63, 0x61, 0x6C, 0x6C, 0x65, 0x64, 0x2E, 0x2E, 0x2E,
0x2E, 0x0A, 0x00, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0x70, 0x6F, 0x69, 0x6E, 0x74, 0x65, 0x72, 0x20,
0x74, 0x6F, 0x20, 0x76, 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x20, 0x63,
0x6F, 0x6E, 0x74, 0x65, 0x78, 0x74, 0x20, 0x69, 0x73, 0x20, 0x6E, 0x6F,
0x74, 0x20, 0x6E, 0x75, 0x6C, 0x6C, 0x70, 0x74, 0x72, 0x2E, 0x2E, 0x2E,
0x0A, 0x00, 0xCC, 0xCC, 0x63, 0x61, 0x6C, 0x6C, 0x69, 0x6E, 0x67, 0x20,
0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x10, 0x48, 0x89, 0x4C,
0x24, 0x08, 0x56, 0x48, 0x83, 0xEC, 0x40, 0x48, 0x8D, 0x05, 0xAA, 0x00,
0x00, 0x00, 0x66, 0xBA, 0xF8, 0x02, 0x48, 0x8B, 0xF0, 0xB9, 0x13, 0x00,
0x00, 0x00, 0xF3, 0x6E, 0x48, 0x83, 0x3D, 0xD4, 0x1F, 0x00, 0x00, 0x00,
0x74, 0x15, 0x48, 0x8D, 0x05, 0xAB, 0x00, 0x00, 0x00, 0x66, 0xBA, 0xF8,
0x02, 0x48, 0x8B, 0xF0, 0xB9, 0x26, 0x00, 0x00, 0x00, 0xF3, 0x6E, 0x48,
0x8D, 0x05, 0xC6, 0x00, 0x00, 0x00, 0x66, 0xBA, 0xF8, 0x02, 0x48, 0x8B,
0xF0, 0xB9, 0x25, 0x00, 0x00, 0x00, 0xF3, 0x6E, 0x48, 0x8D, 0x05, 0xA1,
0xFF, 0xFF, 0xFF, 0x48, 0x89, 0x44, 0x24, 0x28, 0xC7, 0x44, 0x24, 0x20,
0x00, 0x00, 0x00, 0x00, 0xEB, 0x0A, 0x8B, 0x44, 0x24, 0x20, 0xFF, 0xC0,
0x89, 0x44, 0x24, 0x20, 0x83, 0x7C, 0x24, 0x20, 0x08, 0x73, 0x10, 0x8B,
0x44, 0x24, 0x20, 0x66, 0xBA, 0xF8, 0x02, 0x0F, 0xB6, 0x44, 0x04, 0x28,
0xEE, 0xEB, 0xDF, 0x48, 0x8D, 0x05, 0x6A, 0xFF, 0xFF, 0xFF, 0x48, 0x2B,
0x05, 0x63, 0x1F, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8B,
0x54, 0x24, 0x58, 0x48, 0x8B, 0x4C, 0x24, 0x50, 0xFF, 0x54, 0x24, 0x30,
0x48, 0x83, 0xC4, 0x40, 0x5E, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0x76, 0x6D, 0x65, 0x78, 0x69, 0x74, 0x20, 0x63,
0x61, 0x6C, 0x6C, 0x65, 0x64, 0x2E, 0x2E, 0x2E, 0x2E, 0x0A, 0x00, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0x6F, 0x72, 0x69, 0x67, 0x69, 0x6E, 0x61, 0x6C, 0x20, 0x76, 0x6D, 0x65,
0x78, 0x69, 0x74, 0x20, 0x68, 0x61, 0x6E, 0x64, 0x6C, 0x65, 0x72, 0x2E,
0x2E, 0x2E, 0x2E, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x78, 0x69, 0x74, 0x20, 0x68, 0x61, 0x6E, 0x64, 0x6C, 0x65, 0x72, 0x20,
0x69, 0x73, 0x20, 0x6E, 0x6F, 0x74, 0x20, 0x6E, 0x75, 0x6C, 0x6C, 0x21,
0x0A, 0x00, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0x63, 0x61, 0x6C, 0x6C, 0x69, 0x6E, 0x67, 0x20, 0x6F, 0x72, 0x69, 0x67,
0x69, 0x6E, 0x61, 0x6C, 0x20, 0x76, 0x6D, 0x65, 0x78, 0x69, 0x74, 0x20,
0x68, 0x61, 0x6E, 0x64, 0x6C, 0x65, 0x72, 0x2E, 0x2E, 0x2E, 0x2E, 0x0A,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@ -156,32 +150,38 @@ unsigned char GoldenRecord[3072] =
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB2, 0x81, 0x69, 0x5F, 0x00, 0x00, 0x00, 0x00,
0x02, 0x00, 0x00, 0x00, 0x5E, 0x00, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00,
0x38, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB2, 0x81, 0x69, 0x5F,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xFD, 0x47, 0x6A, 0x5F, 0x00, 0x00, 0x00, 0x00,
0x02, 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00,
0x38, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFD, 0x47, 0x6A, 0x5F,
0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00,
0x98, 0x20, 0x00, 0x00, 0x98, 0x06, 0x00, 0x00, 0x52, 0x53, 0x44, 0x53,
0x15, 0x24, 0xC8, 0xF1, 0xA0, 0x02, 0xC2, 0x40, 0x8E, 0xEB, 0x6B, 0xB2,
0x6C, 0x94, 0x11, 0xDD, 0x02, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x55,
0x73, 0x65, 0x72, 0x73, 0x5C, 0x78, 0x65, 0x72, 0x6F, 0x78, 0x5C, 0x73,
0x6F, 0x75, 0x72, 0x63, 0x65, 0x5C, 0x72, 0x65, 0x70, 0x6F, 0x73, 0x5C,
0x56, 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x20, 0x31, 0x5C, 0x78, 0x36,
0x34, 0x5C, 0x52, 0x65, 0x6C, 0x65, 0x61, 0x73, 0x65, 0x5C, 0x54, 0x68,
0x65, 0x47, 0x6F, 0x6C, 0x64, 0x65, 0x6E, 0x52, 0x65, 0x63, 0x6F, 0x72,
0x64, 0x2E, 0x70, 0x64, 0x62, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x10, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78,
0x74, 0x24, 0x6D, 0x6E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00,
0x75, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x73, 0x00,
0x00, 0x20, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61,
0x74, 0x61, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00, 0xF0, 0x00, 0x00, 0x00,
0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x24, 0x7A, 0x7A, 0x7A, 0x64, 0x62,
0x67, 0x00, 0x00, 0x00, 0x28, 0x21, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00,
0x2E, 0x78, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00,
0x08, 0x00, 0x00, 0x00, 0x2E, 0x62, 0x73, 0x73, 0x00, 0x00, 0x00, 0x00,
0x00, 0x40, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x2E, 0x70, 0x64, 0x61,
0x74, 0x61, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x72, 0x00, 0x00, 0x00,
0x2E, 0x65, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x02, 0x19, 0x04, 0x00,
0x02, 0x16, 0x00, 0x06, 0x19, 0x52, 0x15, 0x60, 0x00, 0x00, 0x00, 0x00,
0x94, 0x20, 0x00, 0x00, 0x94, 0x06, 0x00, 0x00, 0x52, 0x53, 0x44, 0x53,
0x81, 0x50, 0x3F, 0x70, 0x94, 0x55, 0xE7, 0x4B, 0xAE, 0x3B, 0x1D, 0x5A,
0x58, 0x81, 0x93, 0xE4, 0x01, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x55,
0x73, 0x65, 0x72, 0x73, 0x5C, 0x78, 0x65, 0x72, 0x6F, 0x78, 0x5C, 0x44,
0x65, 0x73, 0x6B, 0x74, 0x6F, 0x70, 0x5C, 0x76, 0x6F, 0x79, 0x61, 0x67,
0x65, 0x72, 0x2D, 0x31, 0x5C, 0x78, 0x36, 0x34, 0x5C, 0x52, 0x65, 0x6C,
0x65, 0x61, 0x73, 0x65, 0x5C, 0x54, 0x68, 0x65, 0x47, 0x6F, 0x6C, 0x64,
0x65, 0x6E, 0x52, 0x65, 0x63, 0x6F, 0x72, 0x64, 0x2E, 0x70, 0x64, 0x62,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
0xC0, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x6D, 0x6E,
0x00, 0x00, 0x00, 0x00, 0xC0, 0x10, 0x00, 0x00, 0x75, 0x00, 0x00, 0x00,
0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x73, 0x00, 0x00, 0x20, 0x00, 0x00,
0x38, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00,
0x38, 0x20, 0x00, 0x00, 0xEC, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61,
0x74, 0x61, 0x24, 0x7A, 0x7A, 0x7A, 0x64, 0x62, 0x67, 0x00, 0x00, 0x00,
0x24, 0x21, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x2E, 0x78, 0x64, 0x61,
0x74, 0x61, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00,
0x2E, 0x62, 0x73, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00,
0x0C, 0x00, 0x00, 0x00, 0x2E, 0x70, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00,
0x00, 0x50, 0x00, 0x00, 0x6D, 0x00, 0x00, 0x00, 0x2E, 0x65, 0x64, 0x61,
0x74, 0x61, 0x00, 0x00, 0x02, 0x0F, 0x04, 0x00, 0x02, 0x16, 0x00, 0x06,
0x0F, 0x72, 0x0B, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@ -199,7 +199,7 @@ unsigned char GoldenRecord[3072] =
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
0xF1, 0x10, 0x00, 0x00, 0x28, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB6, 0x10, 0x00, 0x00, 0x24, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@ -247,10 +247,10 @@ unsigned char GoldenRecord[3072] =
0x2C, 0x50, 0x00, 0x00, 0x30, 0x50, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00,
0x46, 0x50, 0x00, 0x00, 0x00, 0x00, 0x54, 0x68, 0x65, 0x47, 0x6F, 0x6C,
0x64, 0x65, 0x6E, 0x52, 0x65, 0x63, 0x6F, 0x72, 0x64, 0x2E, 0x64, 0x6C,
0x6C, 0x00, 0x3F, 0x70, 0x76, 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x5F,
0x63, 0x6F, 0x6E, 0x74, 0x65, 0x78, 0x74, 0x40, 0x40, 0x33, 0x50, 0x45,
0x41, 0x55, 0x5F, 0x56, 0x4F, 0x59, 0x41, 0x47, 0x45, 0x52, 0x5F, 0x44,
0x41, 0x54, 0x41, 0x5F, 0x54, 0x40, 0x40, 0x45, 0x41, 0x00, 0x00, 0x00,
0x6C, 0x00, 0x3F, 0x76, 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x5F, 0x63,
0x6F, 0x6E, 0x74, 0x65, 0x78, 0x74, 0x40, 0x40, 0x33, 0x55, 0x5F, 0x56,
0x4F, 0x59, 0x41, 0x47, 0x45, 0x52, 0x5F, 0x44, 0x41, 0x54, 0x41, 0x5F,
0x54, 0x40, 0x40, 0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

@ -5,13 +5,13 @@ extern unsigned char GoldenRecord[3072];
#pragma pack(push, 1)
typedef struct _VOYAGER_DATA_T
{
VOID* VmExitHandler;
UINT64 VmExitHandlerRva;
UINT64 HypervModuleBase;
UINT64 HypervModuleSize;
UINT64 ModuleBase;
UINT64 ModuleSize;
} _VOYAGER_DATA, * PVOYAGER_DATA_T;
} VOYAGER_DATA_T, * PVOYAGER_DATA_T;
#pragma pack(pop)
UINT32 GetGoldenRecordSize(VOID);
VOID* GetGoldenRecordEntry(VOID);
VOID* GetGoldenRecordEntry(VOID* ModuleBase);
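Review bot: `UINT64 VmExitHandlerRva` is assigned `GetGoldenRecordEntry(GoldenRecordAlloc) - (UINT64)VmExitFunction` in MakeVoyagerData, the difference of two absolute addresses that is negative whenever the handler sits above the record; it round-trips only because the golden record undoes it with another unsigned subtraction, and the name suggests an image-relative offset, which it is not. A comment on the field would stop the next reader from "fixing" it: `// (golden record entry point) - (original vmexit handler), modular UINT64; not an image RVA`. `GetGoldenRecordEntry` now takes `ModuleBase`; the declaration could say that it must be the base MapModule wrote to, since the value is what the RVA above is computed against.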

@ -46,35 +46,33 @@ EFI_STATUS EFIAPI BlLdrLoadImage(VOID* Arg1, CHAR16* ModulePath, CHAR16* ModuleN
{
if (!AsciiStrCmp(&pSection->Name, ".reloc"))
{
PVOYAGER_DATA_T VoyagerData = MakeVoyagerData
VOYAGER_DATA_T VoyagerData;
MakeVoyagerData
(
// hyper-v allocation...
&VoyagerData,
TableEntry->ModuleBase,
TableEntry->SizeOfImage,
// space for golden record is going to be in .reloc section after .reloc data (dont overwrite anything)
TableEntry->ModuleBase + pSection->VirtualAddress + pSection->Misc.VirtualSize,
GetGoldenRecordSize()
);
VOID* VmExitHook = MapModule(VoyagerData, GoldenRecord);
// this makes hyper-v not load/work
VOID* VmExitHook = MapModule(&VoyagerData, GoldenRecord);
VOID* VmExitFunction = HookVmExit
(
VoyagerData->HypervModuleBase,
VoyagerData->HypervModuleSize,
VoyagerData.HypervModuleBase,
VoyagerData.HypervModuleSize,
VmExitHook
);
pSection->Characteristics = SECTION_RWX;
pSection->Misc.VirtualSize += GetGoldenRecordSize() + sizeof(_VOYAGER_DATA);
pSection->Misc.VirtualSize += GetGoldenRecordSize();
DBG_PRINT("VmExitHook (PayLoad Entry Point) -> 0x%p\n", VmExitHook);
}
}
// This fixes the allocation size to include whatever we want... dont ask me why this works it just does... LOL
HypervNtHeader->OptionalHeader.SizeOfImage += GetGoldenRecordSize() + sizeof(_VOYAGER_DATA);
TableEntry->SizeOfImage += GetGoldenRecordSize() + sizeof(_VOYAGER_DATA);
HypervNtHeader->OptionalHeader.SizeOfImage += GetGoldenRecordSize();
TableEntry->SizeOfImage += GetGoldenRecordSize();
}
DBG_PRINT("[%s] Image Base -> 0x%p, Image Size -> 0x%x\n", __FUNCTION__, (*lplpTableEntry)->ModuleBase, (*lplpTableEntry)->SizeOfImage);
@ -96,7 +94,7 @@ UINT64 EFIAPI BlImgAllocateImageBuffer(VOID** imageBuffer, UINTN imageSize, UINT
if (HyperVloading && !ExtendedAllocation && ++AllocationCount == 2)
{
ExtendedAllocation = TRUE;
imageSize += GetGoldenRecordSize() + sizeof(_VOYAGER_DATA);
imageSize += GetGoldenRecordSize();
// allocate the entire hyper-v module as rwx...
memoryType = BL_MEMORY_ATTRIBUTE_RWX;
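Review bot: `VOYAGER_DATA_T VoyagerData;` is left uninitialised and MakeVoyagerData only assigns the fields visible in its hunks (`HypervModuleBase`, `HypervModuleSize`, `ModuleBase`, `VmExitHandler`, `VmExitHandlerRva`); whatever it leaves untouched — `ModuleSize` is not assigned anywhere visible — is copied verbatim into the mapped image by MapModule's struct assignment, so stack garbage ends up in the exported context. `VOYAGER_DATA_T VoyagerData = {0};` (or `ZeroMem(&VoyagerData, sizeof VoyagerData);`) closes that. Neither `VmExitHook` nor `VmExitFunction` is checked before the section is marked `SECTION_RWX` and the image sizes are grown, and `VmExitFunction` is not used inside this hunk (it may be further down). The comment `// this makes hyper-v not load/work` now sits on the call that the commit title says is working; it should be dropped or reworded so it does not read as a live warning.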
