all windows 10 x64 versions working

merge-requests/1/merge
xerox 4 years ago
parent dc4c5e3ff2
commit 1610415b07

@ -13,10 +13,8 @@
#include <Guid/GlobalVariable.h> #include <Guid/GlobalVariable.h>
#include "WinLoad.h" #include "WinLoad.h"
#if WINVER >= 1607
#define START_BOOT_APPLICATION_SIG "\xE8\x00\x00\x00\x00\x48\x8B\xCE\x8B\xD8\xE8\x00\x00\x00\x00\x41\x8B\xCF" #define START_BOOT_APPLICATION_SIG "\xE8\x00\x00\x00\x00\x48\x8B\xCE\x8B\xD8\xE8\x00\x00\x00\x00\x41\x8B\xCF"
#define START_BOOT_APPLICATION_MASK "x????xxxxxx????xxx" #define START_BOOT_APPLICATION_MASK "x????xxxxxx????xxx"
#endif
static_assert(sizeof(START_BOOT_APPLICATION_SIG) == sizeof(START_BOOT_APPLICATION_MASK), "signature and mask size's dont match..."); static_assert(sizeof(START_BOOT_APPLICATION_SIG) == sizeof(START_BOOT_APPLICATION_MASK), "signature and mask size's dont match...");
#define WINDOWS_BOOTMGR_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi" #define WINDOWS_BOOTMGR_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi"

@ -1,17 +1,86 @@
#include "HvLoader.h" #include "HvLoader.h"
SHITHOOK HvLoadImageHook; SHITHOOK HvLoadImageHook;
SHITHOOK HvLoadImageBufferHook;
SHITHOOK HvLoadAllocImageHook; SHITHOOK HvLoadAllocImageHook;
BOOLEAN ExtendedAllocation = FALSE; BOOLEAN ExtendedAllocation = FALSE;
BOOLEAN HookedHyperV = FALSE; BOOLEAN HookedHyperV = FALSE;
CHAR8 ModulePathCString[0x100];
EFI_STATUS EFIAPI HvBlImgLoadPEImageFromSourceBuffer(VOID* a1, VOID* a2, VOID* a3, VOID* a4, UINT64* ImageBase, EFI_STATUS EFIAPI HvBlImgLoadPEImageFromSourceBuffer(VOID* a1, VOID* a2, VOID* a3, VOID* a4, UINT64* ImageBase,
UINT32* ImageSize, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14, VOID* a15) UINT32* ImageSize, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14, VOID* a15)
{ {
DisableShitHook(&HvLoadImageHook); DisableShitHook(&HvLoadImageBufferHook);
EFI_STATUS Result = ((HV_LDR_LOAD_IMAGE)HvLoadImageHook.Address)(a1, a2, a3, a4, ImageBase, ImageSize, a7, a8, EFI_STATUS Result = ((HV_LDR_LOAD_IMAGE_BUFFER)HvLoadImageBufferHook.Address)(a1, a2, a3, a4, ImageBase, ImageSize, a7, a8,
a9, a10, a11, a12, a13, a14, a15); a9, a10, a11, a12, a13, a14, a15);
EnableShitHook(&HvLoadImageHook); if(!ExtendedAllocation && !HookedHyperV)
EnableShitHook(&HvLoadImageBufferHook);
if (ExtendedAllocation && !HookedHyperV)
{
HookedHyperV = TRUE;
EFI_IMAGE_DOS_HEADER* HypervDosHeader = *ImageBase;
if (HypervDosHeader->e_magic != EFI_IMAGE_DOS_SIGNATURE)
return NULL;
EFI_IMAGE_NT_HEADERS64* HypervNtHeader = (UINT64)HypervDosHeader + HypervDosHeader->e_lfanew;
if (HypervNtHeader->Signature != EFI_IMAGE_NT_SIGNATURE)
return NULL;
EFI_IMAGE_SECTION_HEADER* pSection = ((UINT64)&HypervNtHeader->OptionalHeader) +
HypervNtHeader->FileHeader.SizeOfOptionalHeader;
for (UINT16 i = 0; i < HypervNtHeader->FileHeader.NumberOfSections; i += 1, pSection += 1)
{
if (!AsciiStrCmp(&pSection->Name, ".reloc"))
{
VOYAGER_DATA_T VoyagerData;
MakeVoyagerData
(
&VoyagerData,
*ImageBase,
*ImageSize,
*ImageBase + pSection->VirtualAddress + pSection->Misc.VirtualSize,
PayLoadSize()
);
DBG_PRINT(".reloc section base address -> 0x%p\n", *ImageBase + pSection->VirtualAddress);
DBG_PRINT(".reloc section end (aka golden record base address) -> 0x%p\n", *ImageBase + pSection->VirtualAddress + pSection->Misc.VirtualSize);
VOID* VmExitHook = MapModule(&VoyagerData, PayLoad);
VOID* VmExitFunction = HookVmExit
(
VoyagerData.HypervModuleBase,
VoyagerData.HypervModuleSize,
VmExitHook
);
pSection->Characteristics = SECTION_RWX;
pSection->Misc.VirtualSize += PayLoadSize();
DBG_PRINT("VmExitHook (PayLoad Entry Point) -> 0x%p\n", VmExitHook);
}
}
HypervNtHeader->OptionalHeader.SizeOfImage += PayLoadSize();
*ImageSize += PayLoadSize();
}
DBG_PRINT("[HvLoader (Load Image)] ImageBase -> 0x%p, ImageSize -> 0x%p\n", *ImageBase, *ImageSize);
return Result;
}
EFI_STATUS EFIAPI HvBlImgLoadPEImageEx(VOID* DeviceId, VOID* MemoryType, CHAR16* Path, UINT64* ImageBase, UINT32* ImageSize,
VOID* Hash, VOID* Flags, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13)
{
UnicodeStrToAsciiStr(Path, ModulePathCString);
DBG_PRINT("LOADING FROM HVLOADER: ");
DBG_PRINT(ModulePathCString);
DisableShitHook(&HvLoadImageHook);
EFI_STATUS Result = ((HV_LDR_LOAD_IMAGE)HvLoadImageHook.Address)(DeviceId, MemoryType, Path, ImageBase, ImageSize, Hash, Flags, a8,
a9, a10, a11, a12, a13);
if(!ExtendedAllocation && !HookedHyperV)
EnableShitHook(&HvLoadImageHook);
if (ExtendedAllocation && !HookedHyperV) if (ExtendedAllocation && !HookedHyperV)
{ {
@ -68,7 +137,7 @@ EFI_STATUS EFIAPI HvBlImgLoadPEImageFromSourceBuffer(VOID* a1, VOID* a2, VOID* a
UINT64 EFIAPI HvLoaderBlImgAllocateImageBuffer(VOID** imageBuffer, UINTN imageSize, UINT32 memoryType, UINT32 attributes, VOID* unused, UINT32 flags) UINT64 EFIAPI HvLoaderBlImgAllocateImageBuffer(VOID** imageBuffer, UINTN imageSize, UINT32 memoryType, UINT32 attributes, VOID* unused, UINT32 flags)
{ {
if (imageSize == HV_ALLOC_SIZE && !ExtendedAllocation) if (imageSize >= HV_ALLOC_SIZE && !ExtendedAllocation)
{ {
ExtendedAllocation = TRUE; ExtendedAllocation = TRUE;
imageSize += PayLoadSize(); imageSize += PayLoadSize();

@ -6,25 +6,33 @@
#if WINVER >= 1607 #if WINVER >= 1607
#define ALLOCATE_IMAGE_BUFFER_SIG "\xE8\x00\x00\x00\x00\x4C\x8B\x65\x60" #define ALLOCATE_IMAGE_BUFFER_SIG "\xE8\x00\x00\x00\x00\x4C\x8B\x65\x60"
#define ALLOCATE_IMAGE_BUFFER_MASK "x????xxxx" #define ALLOCATE_IMAGE_BUFFER_MASK "x????xxxx"
#elif WINVER == 1511
#define ALLOCATE_IMAGE_BUFFER_SIG "\xE8\x00\x00\x00\x00\x4C\x8B\x75\xC0"
#define ALLOCATE_IMAGE_BUFFER_MASK "x????xxxx"
#endif #endif
#if WINVER == 1703 #if WINVER == 1703
#define HV_LOAD_PE_IMG_SIG "\xE8\x00\x00\x00\x00\x44\x8B\xAD" #define HV_LOAD_PE_IMG_SIG "\xE8\x00\x00\x00\x00\x44\x8B\xAD"
#define HV_LOAD_PE_IMG_MASK "x????xxx" #define HV_LOAD_PE_IMG_MASK "x????xxx"
#elif WINVER == 1607 #elif WINVER <= 1607 // same for 1511
#define HV_LOAD_PE_IMG_SIG "\xE8\x00\x00\x00\x00\x48\x8B\x4D\x80\x41\x8B\xD4" #define HV_LOAD_PE_IMG_SIG "\xE8\x00\x00\x00\x00\x48\x8B\x7D\xF7"
#define HV_LOAD_PE_IMG_MASK "x????xxxxxxx" #define HV_LOAD_PE_IMG_MASK "x????xxxx"
#endif #endif
static_assert(sizeof(HV_LOAD_PE_IMG_SIG) == sizeof(HV_LOAD_PE_IMG_MASK), "signature and mask do not match size..."); static_assert(sizeof(HV_LOAD_PE_IMG_SIG) == sizeof(HV_LOAD_PE_IMG_MASK), "signature and mask do not match size...");
static_assert(sizeof(ALLOCATE_IMAGE_BUFFER_SIG) == sizeof(ALLOCATE_IMAGE_BUFFER_MASK), "signature and mask do not match size!"); static_assert(sizeof(ALLOCATE_IMAGE_BUFFER_SIG) == sizeof(ALLOCATE_IMAGE_BUFFER_MASK), "signature and mask do not match size!");
typedef EFI_STATUS(EFIAPI* ALLOCATE_IMAGE_BUFFER)(VOID** imageBuffer, UINTN imageSize, UINT32 memoryType, UINT32 attributes, VOID* unused, UINT32 flags); typedef EFI_STATUS(EFIAPI* ALLOCATE_IMAGE_BUFFER)(VOID** imageBuffer, UINTN imageSize, UINT32 memoryType, UINT32 attributes, VOID* unused, UINT32 flags);
typedef EFI_STATUS(EFIAPI* HV_LDR_LOAD_IMAGE)(VOID* a1, VOID* a2, VOID* a3, VOID* a4, UINT64* ImageBase, typedef EFI_STATUS(EFIAPI* HV_LDR_LOAD_IMAGE_BUFFER)(VOID* a1, VOID* a2, VOID* a3, VOID* a4, UINT64* ImageBase,
UINT32* ImageSize, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14, VOID* a15); UINT32* ImageSize, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14, VOID* a15);
typedef EFI_STATUS(EFIAPI* HV_LDR_LOAD_IMAGE)(VOID* DeviceId, VOID* MemoryType, CHAR16* Path, VOID** ImageBase, UINT32* ImageSize,
VOID* Hash, VOID* Flags, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13);
UINT64 EFIAPI HvLoaderBlImgAllocateImageBuffer(VOID** imageBuffer, UINTN imageSize, UINT32 memoryType, UINT32 attributes, VOID* unused, UINT32 flags); UINT64 EFIAPI HvLoaderBlImgAllocateImageBuffer(VOID** imageBuffer, UINTN imageSize, UINT32 memoryType, UINT32 attributes, VOID* unused, UINT32 flags);
EFI_STATUS EFIAPI HvBlImgLoadPEImageEx(VOID* DeviceId, VOID* MemoryType, CHAR16* Path, UINT64* ImageBase, UINT32* ImageSize,
VOID* Hash, VOID* Flags, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13);
EFI_STATUS EFIAPI HvBlImgLoadPEImageFromSourceBuffer(VOID* a1, VOID* a2, VOID* a3, VOID* a4, UINT64* ImageBase, EFI_STATUS EFIAPI HvBlImgLoadPEImageFromSourceBuffer(VOID* a1, VOID* a2, VOID* a3, VOID* a4, UINT64* ImageBase,
UINT32* ImageSize, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14, VOID* a15); UINT32* ImageSize, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14, VOID* a15);
extern SHITHOOK HvLoadImageHook; extern SHITHOOK HvLoadImageHook;
extern SHITHOOK HvLoadAllocImageHook; extern SHITHOOK HvLoadAllocImageHook;
extern SHITHOOK HvLoadImageBufferHook;

@ -1,14 +1,8 @@
#pragma once #pragma once
#include "PayLoad.h" #include "PayLoad.h"
#define HV_ALLOC_SIZE 0x1400000 #define HV_ALLOC_SIZE 0x1400000
#if WINVER == 1703 #define VMEXIT_HANDLER_SIG "\xD0\x80\x00\x00\x00\x00\x00\x00\x0F\x84\x00\x00\x00\x00\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9"
#define VMEXIT_HANDLER_SIG "\xD0\x80\x3D\x74\xCC\x47\x00\x00\x0F\x84\x00\x00\x00\x00\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9" #define VMEXIT_HANDLER_MASK "xx????x?xx????xxxx?x????x"
#define VMEXIT_HANDLER_MASK "xxxxxx??xx????xxxx?x????x"
#elif WINVER == 1607
#define VMEXIT_HANDLER_SIG "\xD0\x80\x3D\xB4\x9F\x49\x00\x00\x0F\x84\x00\x00\x00\x00\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9"
#define VMEXIT_HANDLER_MASK "xxxxxx??xx????xxxx?x????x"
#endif
static_assert(sizeof(VMEXIT_HANDLER_SIG) == sizeof(VMEXIT_HANDLER_MASK), "signature does not match mask size!"); static_assert(sizeof(VMEXIT_HANDLER_SIG) == sizeof(VMEXIT_HANDLER_MASK), "signature does not match mask size!");
static_assert(sizeof(VMEXIT_HANDLER_SIG) == 26, "signature is invalid length!"); static_assert(sizeof(VMEXIT_HANDLER_SIG) == 26, "signature is invalid length!");

@ -1,6 +1,6 @@
#pragma once #pragma once
#include "ShitHook.h" #include "ShitHook.h"
#define WINVER 1703 #define WINVER 1511
#define PORT_NUM 0x2F8 #define PORT_NUM 0x2F8
#define BL_MEMORY_ATTRIBUTE_RWX 0x424000 #define BL_MEMORY_ATTRIBUTE_RWX 0x424000
#define SECTION_RWX (EFI_IMAGE_SCN_MEM_READ | EFI_IMAGE_SCN_MEM_WRITE | EFI_IMAGE_SCN_MEM_EXECUTE) #define SECTION_RWX (EFI_IMAGE_SCN_MEM_READ | EFI_IMAGE_SCN_MEM_WRITE | EFI_IMAGE_SCN_MEM_EXECUTE)

@ -2,17 +2,20 @@
SHITHOOK WinLoadImageShitHook; SHITHOOK WinLoadImageShitHook;
CHAR8 ModulePathCStr[0x100]; CHAR8 ModulePathCStr[0x100];
BOOLEAN InstalledHvLoaderHook = FALSE;
EFI_STATUS EFIAPI BlImgLoadPEImageEx(VOID* a1, VOID* a2, CHAR16* ImagePath, UINT64* ImageBasePtr, UINT32* ImageSize, EFI_STATUS EFIAPI BlImgLoadPEImageEx(VOID* a1, VOID* a2, CHAR16* ImagePath, UINT64* ImageBasePtr, UINT32* ImageSize,
VOID* a6, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14) VOID* a6, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14)
{ {
UnicodeStrToAsciiStr(ImagePath, ModulePathCStr); UnicodeStrToAsciiStr(ImagePath, ModulePathCStr);
DBG_PRINT("LOADING FROM WINLOAD: ");
DBG_PRINT(ModulePathCStr); DBG_PRINT(ModulePathCStr);
DisableShitHook(&WinLoadImageShitHook); DisableShitHook(&WinLoadImageShitHook);
EFI_STATUS Result = ((LDR_LOAD_IMAGE)WinLoadImageShitHook.Address)(a1, a2, ImagePath, ImageBasePtr, ImageSize, a6, a7, a8, EFI_STATUS Result = ((LDR_LOAD_IMAGE)WinLoadImageShitHook.Address)(a1, a2, ImagePath, ImageBasePtr, ImageSize, a6, a7, a8,
a9, a10, a11, a12, a13, a14); a9, a10, a11, a12, a13, a14);
EnableShitHook(&WinLoadImageShitHook); if(!InstalledHvLoaderHook)
EnableShitHook(&WinLoadImageShitHook);
if (StrStr(ImagePath, L"hvloader.efi")) if (StrStr(ImagePath, L"hvloader.efi"))
{ {
@ -32,10 +35,22 @@ EFI_STATUS EFIAPI BlImgLoadPEImageEx(VOID* a1, VOID* a2, CHAR16* ImagePath, UINT
ALLOCATE_IMAGE_BUFFER_MASK ALLOCATE_IMAGE_BUFFER_MASK
); );
MakeShitHook(&HvLoadImageHook, RESOLVE_RVA(LoadImage, 5, 1), &HvBlImgLoadPEImageFromSourceBuffer, TRUE); if (!LoadImage || !AllocImage)
{
DBG_PRINT("Signatures FAILED!\n");
return Result;
}
#if WINVER == 1703
MakeShitHook(&HvLoadImageBufferHook, RESOLVE_RVA(LoadImage, 5, 1), &HvBlImgLoadPEImageFromSourceBuffer, TRUE);
#elif WINVER <= 1607 // 1511 is the same...
MakeShitHook(&HvLoadImageHook, RESOLVE_RVA(LoadImage, 5, 1), &HvBlImgLoadPEImageEx, TRUE);
#endif
MakeShitHook(&HvLoadAllocImageHook, RESOLVE_RVA(AllocImage, 5, 1), &HvLoaderBlImgAllocateImageBuffer, TRUE); MakeShitHook(&HvLoadAllocImageHook, RESOLVE_RVA(AllocImage, 5, 1), &HvLoaderBlImgAllocateImageBuffer, TRUE);
DBG_PRINT("LoadImageHook -> 0x%p\n", RESOLVE_RVA(LoadImage, 5, 1)); DBG_PRINT("LoadImageHook -> 0x%p\n", RESOLVE_RVA(LoadImage, 5, 1));
DBG_PRINT("AllocImage -> 0x%p\n", RESOLVE_RVA(AllocImage, 5, 1)); DBG_PRINT("AllocImage -> 0x%p\n", RESOLVE_RVA(AllocImage, 5, 1));
InstalledHvLoaderHook = TRUE;
} }
DBG_PRINT("[%s] Image Base -> 0x%p, Image Size -> 0x%p\n", __FUNCTION__, *ImageBasePtr, *ImageSize); DBG_PRINT("[%s] Image Base -> 0x%p, Image Size -> 0x%p\n", __FUNCTION__, *ImageBasePtr, *ImageSize);

@ -8,7 +8,7 @@ extern SHITHOOK WinLoadImageShitHook;
#if WINVER == 1703 #if WINVER == 1703
#define LOAD_PE_IMG_SIG "\xE8\x00\x00\x00\x00\x85\xC0\x79\x45" #define LOAD_PE_IMG_SIG "\xE8\x00\x00\x00\x00\x85\xC0\x79\x45"
#define LOAD_PE_IMG_MASK "x????xxxx" #define LOAD_PE_IMG_MASK "x????xxxx"
#elif WINVER == 1607 #elif WINVER <= 1607 // works for 1511
#define LOAD_PE_IMG_SIG "\xE8\x00\x00\x00\x00\x48\x8B\x7D\xF7" #define LOAD_PE_IMG_SIG "\xE8\x00\x00\x00\x00\x48\x8B\x7D\xF7"
#define LOAD_PE_IMG_MASK "x????xxxx" #define LOAD_PE_IMG_MASK "x????xxxx"
#endif #endif

Loading…
Cancel
Save