xerox
4 years ago
parent
4f46cd8ab3
commit
1b719187d5
@ -0,0 +1,161 @@
|
|||||||
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
|
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
|
<ItemGroup Label="ProjectConfigurations">
|
||||||
|
<ProjectConfiguration Include="Debug|Win32">
|
||||||
|
<Configuration>Debug</Configuration>
|
||||||
|
<Platform>Win32</Platform>
|
||||||
|
</ProjectConfiguration>
|
||||||
|
<ProjectConfiguration Include="Release|Win32">
|
||||||
|
<Configuration>Release</Configuration>
|
||||||
|
<Platform>Win32</Platform>
|
||||||
|
</ProjectConfiguration>
|
||||||
|
<ProjectConfiguration Include="Debug|x64">
|
||||||
|
<Configuration>Debug</Configuration>
|
||||||
|
<Platform>x64</Platform>
|
||||||
|
</ProjectConfiguration>
|
||||||
|
<ProjectConfiguration Include="Release|x64">
|
||||||
|
<Configuration>Release</Configuration>
|
||||||
|
<Platform>x64</Platform>
|
||||||
|
</ProjectConfiguration>
|
||||||
|
</ItemGroup>
|
||||||
|
<PropertyGroup Label="Globals">
|
||||||
|
<VCProjectVersion>16.0</VCProjectVersion>
|
||||||
|
<Keyword>Win32Proj</Keyword>
|
||||||
|
<ProjectGuid>{ee860038-e3dd-4329-8d44-df8b9ecbe420}</ProjectGuid>
|
||||||
|
<RootNamespace>EfiBundler</RootNamespace>
|
||||||
|
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
|
||||||
|
</PropertyGroup>
|
||||||
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||||
|
<ConfigurationType>Application</ConfigurationType>
|
||||||
|
<UseDebugLibraries>true</UseDebugLibraries>
|
||||||
|
<PlatformToolset>v142</PlatformToolset>
|
||||||
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||||
|
<ConfigurationType>Application</ConfigurationType>
|
||||||
|
<UseDebugLibraries>false</UseDebugLibraries>
|
||||||
|
<PlatformToolset>v142</PlatformToolset>
|
||||||
|
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||||
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||||
|
<ConfigurationType>Application</ConfigurationType>
|
||||||
|
<UseDebugLibraries>true</UseDebugLibraries>
|
||||||
|
<PlatformToolset>v142</PlatformToolset>
|
||||||
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||||
|
<ConfigurationType>Application</ConfigurationType>
|
||||||
|
<UseDebugLibraries>false</UseDebugLibraries>
|
||||||
|
<PlatformToolset>v142</PlatformToolset>
|
||||||
|
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||||
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
</PropertyGroup>
|
||||||
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||||
|
<ImportGroup Label="ExtensionSettings">
|
||||||
|
</ImportGroup>
|
||||||
|
<ImportGroup Label="Shared">
|
||||||
|
</ImportGroup>
|
||||||
|
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
|
</ImportGroup>
|
||||||
|
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
|
</ImportGroup>
|
||||||
|
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
|
</ImportGroup>
|
||||||
|
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
|
</ImportGroup>
|
||||||
|
<PropertyGroup Label="UserMacros" />
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
|
<LinkIncremental>true</LinkIncremental>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
|
<LinkIncremental>false</LinkIncremental>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
|
<LinkIncremental>true</LinkIncremental>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
|
<LinkIncremental>false</LinkIncremental>
|
||||||
|
</PropertyGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
|
<ClCompile>
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<SDLCheck>true</SDLCheck>
|
||||||
|
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<ConformanceMode>true</ConformanceMode>
|
||||||
|
</ClCompile>
|
||||||
|
<Link>
|
||||||
|
<SubSystem>Console</SubSystem>
|
||||||
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
|
</Link>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
|
<ClCompile>
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||||
|
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||||
|
<SDLCheck>true</SDLCheck>
|
||||||
|
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<ConformanceMode>true</ConformanceMode>
|
||||||
|
</ClCompile>
|
||||||
|
<Link>
|
||||||
|
<SubSystem>Console</SubSystem>
|
||||||
|
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||||
|
<OptimizeReferences>true</OptimizeReferences>
|
||||||
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
|
</Link>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
|
<ClCompile>
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<SDLCheck>true</SDLCheck>
|
||||||
|
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<ConformanceMode>true</ConformanceMode>
|
||||||
|
<LanguageStandard>stdcpp17</LanguageStandard>
|
||||||
|
<BufferSecurityCheck>false</BufferSecurityCheck>
|
||||||
|
<ControlFlowGuard>false</ControlFlowGuard>
|
||||||
|
</ClCompile>
|
||||||
|
<Link>
|
||||||
|
<SubSystem>Console</SubSystem>
|
||||||
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
|
</Link>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
|
<ClCompile>
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||||
|
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||||
|
<SDLCheck>true</SDLCheck>
|
||||||
|
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<ConformanceMode>true</ConformanceMode>
|
||||||
|
<LanguageStandard>stdcpp17</LanguageStandard>
|
||||||
|
<BufferSecurityCheck>false</BufferSecurityCheck>
|
||||||
|
<Optimization>Disabled</Optimization>
|
||||||
|
<ControlFlowGuard>false</ControlFlowGuard>
|
||||||
|
</ClCompile>
|
||||||
|
<Link>
|
||||||
|
<SubSystem>Console</SubSystem>
|
||||||
|
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||||
|
<OptimizeReferences>true</OptimizeReferences>
|
||||||
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
|
</Link>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
|
<ItemGroup>
|
||||||
|
<ClCompile Include="bundler.cpp" />
|
||||||
|
<ClCompile Include="main.cpp" />
|
||||||
|
<ClCompile Include="shellcode.cpp" />
|
||||||
|
</ItemGroup>
|
||||||
|
<ItemGroup>
|
||||||
|
<ClInclude Include="bundler.h" />
|
||||||
|
<ClInclude Include="shellcode.h" />
|
||||||
|
<ClInclude Include="utils.h" />
|
||||||
|
</ItemGroup>
|
||||||
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||||
|
<ImportGroup Label="ExtensionTargets">
|
||||||
|
</ImportGroup>
|
||||||
|
</Project>
|
||||||
@ -0,0 +1,35 @@
|
|||||||
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
|
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
|
<ItemGroup>
|
||||||
|
<Filter Include="Source Files">
|
||||||
|
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
|
||||||
|
<Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
|
||||||
|
</Filter>
|
||||||
|
<Filter Include="Header Files">
|
||||||
|
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
|
||||||
|
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
|
||||||
|
</Filter>
|
||||||
|
</ItemGroup>
|
||||||
|
<ItemGroup>
|
||||||
|
<ClInclude Include="utils.h">
|
||||||
|
<Filter>Header Files</Filter>
|
||||||
|
</ClInclude>
|
||||||
|
<ClInclude Include="shellcode.h">
|
||||||
|
<Filter>Header Files</Filter>
|
||||||
|
</ClInclude>
|
||||||
|
<ClInclude Include="bundler.h">
|
||||||
|
<Filter>Header Files</Filter>
|
||||||
|
</ClInclude>
|
||||||
|
</ItemGroup>
|
||||||
|
<ItemGroup>
|
||||||
|
<ClCompile Include="main.cpp">
|
||||||
|
<Filter>Source Files</Filter>
|
||||||
|
</ClCompile>
|
||||||
|
<ClCompile Include="shellcode.cpp">
|
||||||
|
<Filter>Source Files</Filter>
|
||||||
|
</ClCompile>
|
||||||
|
<ClCompile Include="bundler.cpp">
|
||||||
|
<Filter>Source Files</Filter>
|
||||||
|
</ClCompile>
|
||||||
|
</ItemGroup>
|
||||||
|
</Project>
|
||||||
@ -0,0 +1,11 @@
|
|||||||
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
|
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
|
<LocalDebuggerCommandArguments>C:\Users\xerox\Desktop\bootmgfw.efi C:\Users\xerox\Desktop\voyager.efi</LocalDebuggerCommandArguments>
|
||||||
|
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
|
<LocalDebuggerCommandArguments>C:\Users\xerox\Desktop\bootmgfw.efi C:\Users\xerox\Desktop\voyager.efi</LocalDebuggerCommandArguments>
|
||||||
|
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
|
||||||
|
</PropertyGroup>
|
||||||
|
</Project>
|
||||||
@ -0,0 +1,92 @@
|
|||||||
|
#include "bundler.h"
|
||||||
|
|
||||||
|
namespace bundler
|
||||||
|
{
|
||||||
|
std::pair<std::uint32_t, std::uint32_t> add_section(std::vector<std::uint8_t>& image, const char* name, std::size_t size, std::uint32_t protect)
|
||||||
|
{
|
||||||
|
auto align = [](std::uint32_t size, std::uint32_t align, std::uint32_t addr) -> std::uint32_t
|
||||||
|
{
|
||||||
|
if (!(size % align))
|
||||||
|
return addr + size;
|
||||||
|
return addr + (size / align + 1) * align;
|
||||||
|
};
|
||||||
|
|
||||||
|
auto section_header = reinterpret_cast<PIMAGE_SECTION_HEADER>(
|
||||||
|
((std::uint64_t)&NT_HEADER(image.data())->OptionalHeader) +
|
||||||
|
NT_HEADER(image.data())->FileHeader.SizeOfOptionalHeader);
|
||||||
|
|
||||||
|
auto new_section = §ion_header[NT_HEADER(image.data())->FileHeader.NumberOfSections];
|
||||||
|
memset(new_section, NULL, sizeof(IMAGE_SECTION_HEADER));
|
||||||
|
memcpy(new_section->Name, name, 8);
|
||||||
|
|
||||||
|
new_section->Characteristics = protect;
|
||||||
|
section_header[NT_HEADER(image.data())->FileHeader.NumberOfSections].Misc.VirtualSize =
|
||||||
|
align(size, NT_HEADER(image.data())->OptionalHeader.SectionAlignment, NULL);
|
||||||
|
|
||||||
|
new_section->VirtualAddress = align(section_header[
|
||||||
|
NT_HEADER(image.data())->FileHeader.NumberOfSections - 1].Misc.VirtualSize,
|
||||||
|
NT_HEADER(image.data())->OptionalHeader.SectionAlignment, section_header[
|
||||||
|
NT_HEADER(image.data())->FileHeader.NumberOfSections - 1].VirtualAddress);
|
||||||
|
|
||||||
|
new_section->SizeOfRawData =
|
||||||
|
align(size, NT_HEADER(image.data())->OptionalHeader.FileAlignment, 0);
|
||||||
|
|
||||||
|
new_section->PointerToRawData =
|
||||||
|
align(section_header[NT_HEADER(image.data())->FileHeader.NumberOfSections - 1].SizeOfRawData,
|
||||||
|
NT_HEADER(image.data())->OptionalHeader.FileAlignment, section_header[NT_HEADER(image.data())->
|
||||||
|
FileHeader.NumberOfSections - 1].PointerToRawData);
|
||||||
|
|
||||||
|
NT_HEADER(image.data())->OptionalHeader.SizeOfImage = section_header[
|
||||||
|
NT_HEADER(image.data())->FileHeader.NumberOfSections].VirtualAddress +
|
||||||
|
section_header[NT_HEADER(image.data())->FileHeader.NumberOfSections].Misc.VirtualSize;
|
||||||
|
|
||||||
|
++NT_HEADER(image.data())->FileHeader.NumberOfSections;
|
||||||
|
auto raw_data_rva = new_section->PointerToRawData;
|
||||||
|
auto virt_data_rva = new_section->VirtualAddress;
|
||||||
|
auto raw_data_size = new_section->SizeOfRawData;
|
||||||
|
|
||||||
|
image.resize(raw_data_rva + raw_data_size);
|
||||||
|
memset(image.data() + raw_data_rva, NULL, raw_data_size);
|
||||||
|
return { raw_data_rva, virt_data_rva };
|
||||||
|
}
|
||||||
|
|
||||||
|
// module_base is .efi section base in this case...
|
||||||
|
std::uint32_t map_module(std::uint8_t* module_base, std::vector<std::uint8_t>& map_from)
|
||||||
|
{
|
||||||
|
// copy nt headers...
|
||||||
|
memcpy(module_base, map_from.data(), NT_HEADER(map_from.data())->OptionalHeader.SizeOfHeaders);
|
||||||
|
auto sections = reinterpret_cast<PIMAGE_SECTION_HEADER>(
|
||||||
|
(std::uint8_t*)&NT_HEADER(map_from.data())->OptionalHeader +
|
||||||
|
NT_HEADER(map_from.data())->FileHeader.SizeOfOptionalHeader);
|
||||||
|
|
||||||
|
// copy sections...
|
||||||
|
for (auto i = 0u; i < NT_HEADER(map_from.data())->FileHeader.NumberOfSections; ++i)
|
||||||
|
{
|
||||||
|
auto section = §ions[i];
|
||||||
|
memcpy(module_base + section->VirtualAddress, map_from.data() + section->PointerToRawData, section->SizeOfRawData);
|
||||||
|
}
|
||||||
|
|
||||||
|
return NT_HEADER(map_from.data())->OptionalHeader.AddressOfEntryPoint;
|
||||||
|
}
|
||||||
|
|
||||||
|
void bundle(std::vector<std::uint8_t>& bundle_into, std::vector<std::uint8_t>& bundle_module)
|
||||||
|
{
|
||||||
|
auto [trp_section_disk, trp_section_virt] = add_section(bundle_into, ".trp", sizeof shellcode::stub, SECTION_RWX);
|
||||||
|
auto [mod_section_disk, mod_section_virt] = add_section(bundle_into, ".efi", bundle_module.size(), SECTION_RWX);
|
||||||
|
bundler::map_module(bundle_into.data() + mod_section_disk, bundle_module);
|
||||||
|
|
||||||
|
std::printf("[+] added .trp section at rva -> 0x%x, size -> 0x%x\n", trp_section_virt, sizeof shellcode::stub);
|
||||||
|
std::printf("[+] added .efi section at rva -> 0x%x, size -> 0x%x\n", mod_section_virt, bundle_module.size());
|
||||||
|
|
||||||
|
// setup stub shellcode...
|
||||||
|
*reinterpret_cast<std::int32_t*>(&shellcode::stub[25]) = mod_section_virt - trp_section_virt;
|
||||||
|
*reinterpret_cast<std::int32_t*>(&shellcode::stub[45]) = trp_section_virt;
|
||||||
|
*reinterpret_cast<std::int32_t*>(&shellcode::stub[75]) = NT_HEADER(bundle_into.data())->OptionalHeader.AddressOfEntryPoint;
|
||||||
|
memcpy(bundle_into.data() + trp_section_disk, shellcode::stub, sizeof shellcode::stub);
|
||||||
|
std::printf("[+] added stub code to .trp section...\n");
|
||||||
|
|
||||||
|
// set entry point to .trp section...
|
||||||
|
NT_HEADER(bundle_into.data())->OptionalHeader.AddressOfEntryPoint = trp_section_virt;
|
||||||
|
std::printf("[+] changed base modules entry point to -> (.trp section base) 0x%x\n", trp_section_virt);
|
||||||
|
}
|
||||||
|
}
|
||||||
@ -0,0 +1,15 @@
|
|||||||
|
#pragma once
|
||||||
|
#include "shellcode.h"
|
||||||
|
#define SECTION_RWX ((IMAGE_SCN_MEM_WRITE | \
|
||||||
|
IMAGE_SCN_CNT_CODE | \
|
||||||
|
IMAGE_SCN_CNT_UNINITIALIZED_DATA | \
|
||||||
|
IMAGE_SCN_MEM_EXECUTE | \
|
||||||
|
IMAGE_SCN_CNT_INITIALIZED_DATA | \
|
||||||
|
IMAGE_SCN_MEM_READ))
|
||||||
|
|
||||||
|
namespace bundler
|
||||||
|
{
|
||||||
|
std::pair<std::uint32_t, std::uint32_t> add_section(std::vector<std::uint8_t>& image, const char* name, std::size_t size, std::uint32_t protect);
|
||||||
|
std::uint32_t map_module(std::uint8_t* module_base, std::vector<std::uint8_t>& map_from);
|
||||||
|
void bundle(std::vector<std::uint8_t>& bundle_into, std::vector<std::uint8_t>& bundle_module);
|
||||||
|
}
|
||||||
@ -0,0 +1,38 @@
|
|||||||
|
#include "bundler.h"
|
||||||
|
|
||||||
|
int __cdecl main(int argc, char** argv)
|
||||||
|
{
|
||||||
|
if (argc < 2)
|
||||||
|
{
|
||||||
|
std::printf("[!] invalid amount of parameters\n");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
std::vector<std::uint8_t> efi_module;
|
||||||
|
std::vector<std::uint8_t> bootmgfw;
|
||||||
|
|
||||||
|
impl::open_binary_file(argv[1], bootmgfw);
|
||||||
|
impl::open_binary_file(argv[2], efi_module);
|
||||||
|
|
||||||
|
if (efi_module.empty() || bootmgfw.empty())
|
||||||
|
{
|
||||||
|
std::printf("[!] unable to load efi module(s)...\n");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
efi_module.resize(NT_HEADER(efi_module.data())->OptionalHeader.SizeOfImage);
|
||||||
|
std::printf("bundling efi module, size -> 0x%x\n",
|
||||||
|
NT_HEADER(efi_module.data())->OptionalHeader.SizeOfImage);
|
||||||
|
|
||||||
|
bootmgfw.resize(NT_HEADER(bootmgfw.data())->OptionalHeader.SizeOfImage);
|
||||||
|
std::printf("bundling module into bootmgfw, size before patch -> 0x%x\n",
|
||||||
|
NT_HEADER(bootmgfw.data())->OptionalHeader.SizeOfImage);
|
||||||
|
|
||||||
|
bundler::bundle(bootmgfw, efi_module);
|
||||||
|
std::ofstream new_file("result.efi", std::ios::binary);
|
||||||
|
new_file.write((char*)bootmgfw.data(), bootmgfw.size());
|
||||||
|
new_file.close();
|
||||||
|
|
||||||
|
std::printf("bundled modules together....\n");
|
||||||
|
std::getchar();
|
||||||
|
}
|
||||||
@ -0,0 +1,57 @@
|
|||||||
|
#include "shellcode.h"
|
||||||
|
|
||||||
|
namespace shellcode
|
||||||
|
{
|
||||||
|
void* entry_stub(void* a, void* b)
|
||||||
|
{
|
||||||
|
// 0xDEADBEEF is replaced at runtime...
|
||||||
|
auto module_base = reinterpret_cast<std::uintptr_t>(&entry_stub) + 0xDEADBEEF;
|
||||||
|
auto bootmgfw_base = reinterpret_cast<std::uintptr_t>(&entry_stub) - 0xDEADBEEF;
|
||||||
|
NT_HEADER(bootmgfw_base)->OptionalHeader.AddressOfEntryPoint = 0xDEADBEEF;
|
||||||
|
|
||||||
|
// fix relocs of the module in .efi section...
|
||||||
|
auto base_reloc_dir = &NT_HEADER(module_base)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
|
||||||
|
if (base_reloc_dir->VirtualAddress)
|
||||||
|
{
|
||||||
|
auto reloc = reinterpret_cast<PIMAGE_BASE_RELOCATION>(module_base + base_reloc_dir->VirtualAddress);
|
||||||
|
for (auto current_size = 0u; current_size < base_reloc_dir->Size; )
|
||||||
|
{
|
||||||
|
std::uint32_t reloc_count = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(std::uint16_t);
|
||||||
|
auto reloc_data = reinterpret_cast<std::uint16_t*>((std::uint8_t*)reloc + sizeof(IMAGE_BASE_RELOCATION));
|
||||||
|
auto reloc_base = reinterpret_cast<std::uint8_t*>(module_base) + reloc->VirtualAddress;
|
||||||
|
|
||||||
|
for (auto i = 0u; i < reloc_count; ++i, ++reloc_data)
|
||||||
|
{
|
||||||
|
std::uint16_t data = *reloc_data;
|
||||||
|
std::uint16_t type = data >> 12;
|
||||||
|
std::uint16_t offset = data & 0xFFF;
|
||||||
|
|
||||||
|
switch (type)
|
||||||
|
{
|
||||||
|
case IMAGE_REL_BASED_ABSOLUTE:
|
||||||
|
break;
|
||||||
|
case IMAGE_REL_BASED_DIR64:
|
||||||
|
{
|
||||||
|
auto rva = reinterpret_cast<std::uintptr_t*>(reloc_base + offset);
|
||||||
|
*rva = module_base + (*rva - NT_HEADER(module_base)->OptionalHeader.ImageBase);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
current_size += reloc->SizeOfBlock;
|
||||||
|
reloc = reinterpret_cast<PIMAGE_BASE_RELOCATION>(reloc_data);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// call our entry...
|
||||||
|
reinterpret_cast<void(__fastcall*)(void*, void*)>(
|
||||||
|
module_base + NT_HEADER(module_base)->OptionalHeader.AddressOfEntryPoint)(a, b);
|
||||||
|
|
||||||
|
// call the original entry...
|
||||||
|
return reinterpret_cast<void* (__fastcall*)(void*, void*)>(
|
||||||
|
bootmgfw_base + NT_HEADER(bootmgfw_base)->OptionalHeader.AddressOfEntryPoint)(a, b);
|
||||||
|
}
|
||||||
|
}
|
||||||
@ -0,0 +1,84 @@
|
|||||||
|
#pragma once
|
||||||
|
#include <windows.h>
|
||||||
|
#include <psapi.h>
|
||||||
|
#include <tlhelp32.h>
|
||||||
|
#include <filesystem>
|
||||||
|
#include <string_view>
|
||||||
|
#include <iterator>
|
||||||
|
#include <fstream>
|
||||||
|
#include <string>
|
||||||
|
#include <map>
|
||||||
|
#include <vector>
|
||||||
|
#include <ntstatus.h>
|
||||||
|
#include <winternl.h>
|
||||||
|
#include <array>
|
||||||
|
#include <algorithm>
|
||||||
|
#include <string_view>
|
||||||
|
|
||||||
|
#define NT_HEADER(x) reinterpret_cast<PIMAGE_NT_HEADERS>( std::uint64_t(x) + reinterpret_cast<PIMAGE_DOS_HEADER>(x)->e_lfanew )
|
||||||
|
namespace impl
|
||||||
|
{
|
||||||
|
using uq_handle = std::unique_ptr<void, decltype(&CloseHandle)>;
|
||||||
|
|
||||||
|
__forceinline std::uint32_t get_process_id(const std::wstring_view process_name)
|
||||||
|
{
|
||||||
|
// open a system snapshot of all loaded processes
|
||||||
|
uq_handle snap_shot{ CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0), &CloseHandle };
|
||||||
|
|
||||||
|
if (snap_shot.get() == INVALID_HANDLE_VALUE)
|
||||||
|
{
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
PROCESSENTRY32W process_entry{ sizeof(PROCESSENTRY32W) };
|
||||||
|
|
||||||
|
// enumerate through processes
|
||||||
|
for (Process32FirstW(snap_shot.get(), &process_entry); Process32NextW(snap_shot.get(), &process_entry); )
|
||||||
|
if (std::wcscmp(process_name.data(), process_entry.szExeFile) == 0)
|
||||||
|
return process_entry.th32ProcessID;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
__forceinline void open_binary_file(const std::string& file, std::vector<std::uint8_t>& data)
|
||||||
|
{
|
||||||
|
std::ifstream fstr(file, std::ios::binary);
|
||||||
|
fstr.unsetf(std::ios::skipws);
|
||||||
|
fstr.seekg(0, std::ios::end);
|
||||||
|
|
||||||
|
const auto file_size = fstr.tellg();
|
||||||
|
|
||||||
|
fstr.seekg(NULL, std::ios::beg);
|
||||||
|
data.reserve(static_cast<std::uint32_t>(file_size));
|
||||||
|
data.insert(data.begin(), std::istream_iterator<std::uint8_t>(fstr), std::istream_iterator<std::uint8_t>());
|
||||||
|
}
|
||||||
|
|
||||||
|
__forceinline bool enable_privilege(const std::wstring_view privilege_name)
|
||||||
|
{
|
||||||
|
HANDLE token_handle = nullptr;
|
||||||
|
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token_handle))
|
||||||
|
{;
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
LUID luid{};
|
||||||
|
if (!LookupPrivilegeValueW(nullptr, privilege_name.data(), &luid))
|
||||||
|
{
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
TOKEN_PRIVILEGES token_state{};
|
||||||
|
token_state.PrivilegeCount = 1;
|
||||||
|
token_state.Privileges[0].Luid = luid;
|
||||||
|
token_state.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
|
||||||
|
|
||||||
|
if (!AdjustTokenPrivileges(token_handle, FALSE, &token_state, sizeof(TOKEN_PRIVILEGES), nullptr, nullptr))
|
||||||
|
{
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
CloseHandle(token_handle);
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
Loading…
Reference in new issue