diff --git a/Efi Bundler/Efi Bundler.sln b/Efi Bundler/Efi Bundler.sln new file mode 100644 index 0000000..a0f17f7 --- /dev/null +++ b/Efi Bundler/Efi Bundler.sln @@ -0,0 +1,31 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 16 +VisualStudioVersion = 16.0.30503.244 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Efi Bundler", "Efi Bundler.vcxproj", "{EE860038-E3DD-4329-8D44-DF8B9ECBE420}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Debug|x64.ActiveCfg = Debug|x64 + {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Debug|x64.Build.0 = Debug|x64 + {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Debug|x86.ActiveCfg = Debug|Win32 + {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Debug|x86.Build.0 = Debug|Win32 + {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Release|x64.ActiveCfg = Release|x64 + {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Release|x64.Build.0 = Release|x64 + {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Release|x86.ActiveCfg = Release|Win32 + {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Release|x86.Build.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {6F313696-ED35-4BFB-B825-E3E8861D12E3} + EndGlobalSection +EndGlobal diff --git a/Efi Bundler/bundler.cpp b/Efi Bundler/bundler.cpp index 71c482e..3d9dc6b 100644 --- a/Efi Bundler/bundler.cpp +++ b/Efi Bundler/bundler.cpp 
@@ -2,9 +2,9 @@ namespace bundler { - std::pair add_section(std::vector& image, const char* name, std::size_t size, std::u32_t protect) + std::pair add_section(std::vector& image, const char* name, std::size_t size, std::uint32_t protect) { - auto align = [](std::u32_t size, std::u32_t align, std::u32_t addr) -> std::u32_t + auto align = [](std::uint32_t size, std::uint32_t align, std::uint32_t addr) -> std::uint32_t { if (!(size % align)) return addr + size; @@ -12,7 +12,7 @@ namespace bundler }; auto section_header = reinterpret_cast( - ((u64)&NT_HEADER(image.data())->OptionalHeader) + + ((std::uint64_t)&NT_HEADER(image.data())->OptionalHeader) + NT_HEADER(image.data())->FileHeader.SizeOfOptionalHeader); auto new_section = §ion_header[NT_HEADER(image.data())->FileHeader.NumberOfSections]; @@ -51,12 +51,12 @@ namespace bundler } // module_base is .efi section base in this case... - std::u32_t map_module(std::u8_t* module_base, std::vector& map_from) + std::uint32_t map_module(std::uint8_t* module_base, std::vector& map_from) { // copy nt headers... memcpy(module_base, map_from.data(), NT_HEADER(map_from.data())->OptionalHeader.SizeOfHeaders); auto sections = reinterpret_cast( - (u8*)&NT_HEADER(map_from.data())->OptionalHeader + + (std::uint8_t*)&NT_HEADER(map_from.data())->OptionalHeader + NT_HEADER(map_from.data())->FileHeader.SizeOfOptionalHeader); // copy sections... @@ -69,7 +69,7 @@ namespace bundler return NT_HEADER(map_from.data())->OptionalHeader.AddressOfEntryPoint; } - void bundle(std::vector& bundle_into, std::vector& bundle_module) + void bundle(std::vector& bundle_into, std::vector& bundle_module) { auto [trp_section_disk, trp_section_virt] = add_section(bundle_into, ".trp", sizeof shellcode::stub, SECTION_RWX); auto [mod_section_disk, mod_section_virt] = add_section(bundle_into, ".efi", bundle_module.size(), SECTION_RWX); diff --git a/Efi Bundler/bundler.h b/Efi Bundler/bundler.h index 5f00b7b..986d710 100644 --- a/Efi Bundler/bundler.h 
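Review bot: The casts introduced in add_section and map_module are C-style — `(std::uint64_t)&NT_HEADER(image.data())->OptionalHeader` in the first hunk and `(std::uint8_t*)&NT_HEADER(map_from.data())->OptionalHeader` in the third — while the lines right around them use `reinterpret_cast`, so `reinterpret_cast<std::uint64_t>(...)` and `reinterpret_cast<std::uint8_t*>(...)` would keep the file on one convention and make the pointer-to-integer conversions greppable. The same applies to the `std::uint64_t(x)` functional cast in the NT_HEADER macro in utils.h. Both functions start and end outside their hunks.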
+++ b/Efi Bundler/bundler.h @@ -9,7 +9,7 @@ namespace bundler { - std::pair add_section(std::vector& image, const char* name, std::size_t size, std::u32_t protect); - std::u32_t map_module(std::u8_t* module_base, std::vector& map_from); - void bundle(std::vector& bundle_into, std::vector& bundle_module); + std::pair add_section(std::vector& image, const char* name, std::size_t size, std::uint32_t protect); + std::uint32_t map_module(std::uint8_t* module_base, std::vector& map_from); + void bundle(std::vector& bundle_into, std::vector& bundle_module); } diff --git a/Efi Bundler/main.cpp b/Efi Bundler/main.cpp index 67b3936..172bff7 100644 --- a/Efi Bundler/main.cpp +++ b/Efi Bundler/main.cpp @@ -8,8 +8,8 @@ int __cdecl main(int argc, char** argv) return -1; } - std::vector efi_module; - std::vector bootmgfw; + std::vector efi_module; + std::vector bootmgfw; impl::open_binary_file(argv[1], bootmgfw); impl::open_binary_file(argv[2], efi_module); diff --git a/Efi Bundler/shellcode.cpp b/Efi Bundler/shellcode.cpp index 65eeafa..c1d6626 100644 --- a/Efi Bundler/shellcode.cpp +++ b/Efi Bundler/shellcode.cpp 
@@ -16,15 +16,15 @@ namespace shellcode auto reloc = reinterpret_cast(module_base + base_reloc_dir->VirtualAddress); for (auto current_size = 0u; current_size < base_reloc_dir->Size; ) { - std::u32_t reloc_count = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(u16); - auto reloc_data = reinterpret_cast((u8*)reloc + sizeof(IMAGE_BASE_RELOCATION)); - auto reloc_base = reinterpret_cast(module_base) + reloc->VirtualAddress; + std::uint32_t reloc_count = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(std::uint16_t); + auto reloc_data = reinterpret_cast((std::uint8_t*)reloc + sizeof(IMAGE_BASE_RELOCATION)); + auto reloc_base = reinterpret_cast(module_base) + reloc->VirtualAddress; for (auto i = 0u; i < reloc_count; ++i, ++reloc_data) { - std::u16_t data = *reloc_data; - std::u16_t type = data >> 12; - std::u16_t offset = data & 0xFFF; + std::uint16_t data = *reloc_data; + std::uint16_t type = data >> 12; + std::uint16_t offset = data & 0xFFF; switch (type) { diff --git a/Efi Bundler/utils.h b/Efi Bundler/utils.h index 86cc529..19f9f1c 100644 --- a/Efi Bundler/utils.h +++ b/Efi Bundler/utils.h @@ -15,12 +15,12 @@ #include #include -#define NT_HEADER(x) reinterpret_cast( u64_t(x) + reinterpret_cast(x)->e_lfanew ) +#define NT_HEADER(x) reinterpret_cast( std::uint64_t(x) + reinterpret_cast(x)->e_lfanew ) namespace impl { using uq_handle = std::unique_ptr; - __forceinline u32_t get_process_id(const std::wstring_view process_name) + __forceinline std::uint32_t get_process_id(const std::wstring_view process_name) { // open a system snapshot of all loaded processes uq_handle snap_shot{ CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0), &CloseHandle }; @@ -40,7 +40,7 @@ namespace impl return 0; } - __forceinline void open_binary_file(const std::string& file, std::vector& data) + __forceinline void open_binary_file(const std::string& file, std::vector& data) { std::ifstream fstr(file, std::ios::binary); fstr.unsetf(std::ios::skipws); 
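Review bot: `reloc_count` is derived from `reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)` in unsigned arithmetic with no check that `SizeOfBlock` covers the block header, so a zero or truncated block underflows to a huge count and the inner loop reads past the relocation directory. A guard ahead of the computation, `if (reloc->SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION)) break;`, closes that, and the outer loop bound `current_size < base_reloc_dir->Size` would ideally also require `current_size + reloc->SizeOfBlock <= base_reloc_dir->Size`. The enclosing function starts and ends outside the hunk.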
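Review bot: `open_binary_file` never checks that `fstr` actually opened; on a missing or unreadable path the stream is in a failed state, `tellg()` in the next hunk yields -1, and `data.reserve(static_cast(file_size))` turns that into an enormous reservation that throws rather than reporting the real error. An `if (!fstr.is_open()) return;` right after the constructor — or better a `bool` return so `main` can stop before bundling an empty module — makes the failure explicit. `fstr.seekg(NULL, std::ios::beg)` in that next hunk also passes `NULL` where an offset is expected and should be `fstr.seekg(0, std::ios::beg)`. The function body continues into the following hunk.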
@@ -49,8 +49,8 @@ namespace impl const auto file_size = fstr.tellg(); fstr.seekg(NULL, std::ios::beg); - data.reserve(static_cast(file_size)); - data.insert(data.begin(), std::istream_iterator(fstr), std::istream_iterator()); + data.reserve(static_cast(file_size)); + data.insert(data.begin(), std::istream_iterator(fstr), std::istream_iterator()); } __forceinline bool enable_privilege(const std::wstring_view privilege_name) diff --git a/Usermode Example/Example.sln b/Usermode Example/Example.sln new file mode 100644 index 0000000..70996b7 --- /dev/null +++ b/Usermode Example/Example.sln 
@@ -0,0 +1,31 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 16 +VisualStudioVersion = 16.0.30503.244 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Example", "Example.vcxproj", "{09B41831-3164-48AD-8660-23457D82B73B}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {09B41831-3164-48AD-8660-23457D82B73B}.Debug|x64.ActiveCfg = Debug|x64 + {09B41831-3164-48AD-8660-23457D82B73B}.Debug|x64.Build.0 = Debug|x64 + {09B41831-3164-48AD-8660-23457D82B73B}.Debug|x86.ActiveCfg = Debug|Win32 + {09B41831-3164-48AD-8660-23457D82B73B}.Debug|x86.Build.0 = Debug|Win32 + {09B41831-3164-48AD-8660-23457D82B73B}.Release|x64.ActiveCfg = Release|x64 + {09B41831-3164-48AD-8660-23457D82B73B}.Release|x64.Build.0 = Release|x64 + {09B41831-3164-48AD-8660-23457D82B73B}.Release|x86.ActiveCfg = Release|Win32 + {09B41831-3164-48AD-8660-23457D82B73B}.Release|x86.Build.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {E132D109-7F0D-4125-B737-B5D83E6FBCA8} + EndGlobalSection +EndGlobal diff --git a/Voyager-1/PayLoad/x64/Release/PayLoad(Intel).Build.CppClean.log b/Voyager-1/PayLoad/x64/Release/PayLoad(Intel).Build.CppClean.log deleted file mode 100644 index f02782a..0000000 --- a/Voyager-1/PayLoad/x64/Release/PayLoad(Intel).Build.CppClean.log +++ /dev/null 
@@ -1,13 +0,0 @@
-c:\users\xerox\desktop\voyager\payload (intel)\x64\release\vc142.pdb
-c:\users\xerox\desktop\voyager\payload (intel)\x64\release\vmexit_handler.obj
-c:\users\xerox\desktop\voyager\x64\release\payload(intel).dll
-c:\users\xerox\desktop\voyager\x64\release\payload(intel).lib
-c:\users\xerox\desktop\voyager\x64\release\payload(intel).exp
-c:\users\xerox\desktop\voyager\x64\release\payload(intel).pdb
-c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\cl.command.1.tlog
-c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\cl.read.1.tlog
-c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\cl.write.1.tlog
-c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\link.command.1.tlog
-c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\link.read.1.tlog
-c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\link.write.1.tlog
-c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\payload (intel).write.1u.tlog
diff --git a/Voyager-1/PayLoad/x64/Release/PayLoad.Build.CppClean.log b/Voyager-1/PayLoad/x64/Release/PayLoad.Build.CppClean.log
deleted file mode 100644
index 7c0f721..0000000
--- a/Voyager-1/PayLoad/x64/Release/PayLoad.Build.CppClean.log
+++ /dev/null
@@ -1,12 +0,0 @@ -c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\vc142.pdb -c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\vmexit_handler.obj -c:\users\xerox\desktop\voyager\voyager-1\x64\release\payload.dll -c:\users\xerox\desktop\voyager\voyager-1\x64\release\payload.lib -c:\users\xerox\desktop\voyager\voyager-1\x64\release\payload.exp -c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\cl.command.1.tlog -c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\cl.read.1.tlog -c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\cl.write.1.tlog -c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\link.command.1.tlog -c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\link.read.1.tlog -c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\link.write.1.tlog -c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\payload.write.1u.tlog diff --git a/Voyager-1/PayLoad/x64/Release/PayLoad.dll.recipe b/Voyager-1/PayLoad/x64/Release/PayLoad.dll.recipe deleted file mode 100644 index 65cc69c..0000000 --- a/Voyager-1/PayLoad/x64/Release/PayLoad.dll.recipe +++ /dev/null @@ -1,7 +0,0 @@ - - - C:\Users\xerox\Desktop\voyager\Voyager-1\x64\Release\PayLoad.dll - - - - \ No newline at end of file diff --git a/Voyager-1/PayLoad/x64/Release/PayLoad.log b/Voyager-1/PayLoad/x64/Release/PayLoad.log deleted file mode 100644 index c4594d2..0000000 --- a/Voyager-1/PayLoad/x64/Release/PayLoad.log +++ /dev/null 
@@ -1,7 +0,0 @@
- Building 'PayLoad' with toolset 'WindowsKernelModeDriver10.0' and the 'Universal' target platform.
- vmexit_handler.cpp
- Creating library C:\Users\xerox\Desktop\voyager\Voyager-1\x64\Release\PayLoad.lib and object C:\Users\xerox\Desktop\voyager\Voyager-1\x64\Release\PayLoad.exp
- PayLoad.vcxproj -> C:\Users\xerox\Desktop\voyager\Voyager-1\x64\Release\PayLoad.dll
- Driver is 'Universal'.
- Inf2Cat task was skipped as there were no inf files to process
-
diff --git a/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/CL.command.1.tlog b/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/CL.command.1.tlog
deleted file mode 100644
index 98fcd94..0000000
Binary files a/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/CL.command.1.tlog and /dev/null differ
diff --git a/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/CL.read.1.tlog b/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/CL.read.1.tlog
deleted file mode 100644
index e19719f..0000000
Binary files a/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/CL.read.1.tlog and /dev/null differ
diff --git a/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/CL.write.1.tlog b/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/CL.write.1.tlog
deleted file mode 100644
index eedb50e..0000000
Binary files a/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/CL.write.1.tlog and /dev/null differ
diff --git a/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/PayLoad.lastbuildstate b/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/PayLoad.lastbuildstate
deleted file mode 100644
index 197bfa6..0000000
--- a/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/PayLoad.lastbuildstate
+++ /dev/null
@@ -1,2 +0,0 @@
-PlatformToolSet=WindowsKernelModeDriver10.0:VCToolArchitecture=Native32Bit:VCToolsVersion=14.27.29110:TargetPlatformVersion=10.0.19041.0:
-Release|x64|C:\Users\xerox\Desktop\voyager\Voyager-1\|
diff --git a/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/PayLoad.write.1u.tlog b/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/PayLoad.write.1u.tlog
deleted file mode 100644
index 35e2fe5..0000000
Binary files a/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/PayLoad.write.1u.tlog and /dev/null differ
diff --git a/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/link.command.1.tlog b/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/link.command.1.tlog
deleted file mode 100644
index 6ac0c0e..0000000
Binary files a/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/link.command.1.tlog and /dev/null differ
diff --git a/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/link.read.1.tlog b/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/link.read.1.tlog
deleted file mode 100644
index 3080020..0000000
Binary files a/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/link.read.1.tlog and /dev/null differ
diff --git a/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/link.write.1.tlog b/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/link.write.1.tlog
deleted file mode 100644
index 86f2e3a..0000000
Binary files a/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/link.write.1.tlog and /dev/null differ
diff --git a/Voyager-1/PayLoad/x64/Release/vc142.pdb b/Voyager-1/PayLoad/x64/Release/vc142.pdb
deleted file mode 100644
index 775a9b9..0000000
Binary files a/Voyager-1/PayLoad/x64/Release/vc142.pdb and /dev/null differ
diff --git a/Voyager-1/PayLoad/x64/Release/vmexit_handler.obj b/Voyager-1/PayLoad/x64/Release/vmexit_handler.obj
deleted file mode 100644
index ba44297..0000000
Binary files a/Voyager-1/PayLoad/x64/Release/vmexit_handler.obj and /dev/null differ
diff --git a/Voyager-2/PayLoad/vmexit_handler.cpp b/Voyager-2/PayLoad/vmexit_handler.cpp
index d1ac45f..48b6ec1 100644
--- a/Voyager-2/PayLoad/vmexit_handler.cpp
+++ b/Voyager-2/PayLoad/vmexit_handler.cpp
@@ -5,17 +5,20 @@ svm::pgs_base_struct vcpu_run(svm::pguest_context context)
 {
 while (1)
 {
+ DBG_PRINT("before vcpu_run\n");
 __svm_clgi();
- svm::pgs_base_struct result = reinterpret_cast(
- reinterpret_cast(&vcpu_run) -
- svm::voyager_context.vcpu_run_rva)(context);
+ svm::pgs_base_struct result =
+ reinterpret_cast(
+ reinterpret_cast(&vcpu_run) -
+ svm::voyager_context.vcpu_run_rva)(context);
 __svm_stgi();
+ DBG_PRINT("after vcpu_run\n");
 
 // gs:0 + 0x103B0 ] + 0x198 ] + 0xE80 ] = pointer to vmcb...
 auto vmcb = *reinterpret_cast(
 *reinterpret_cast(
- reinterpret_cast(
- result->pvcpu_context) + 0x198) + 0xE80);
+ *reinterpret_cast(
+ __readgsqword(0) + 0x103B0) + 0x198) + 0xE80);
 
 if (vmcb->exitcode == VMEXIT_CPUID && context->rcx == VMEXIT_KEY)
 {
diff --git a/Voyager-2/Voyager-2 (2004-1709)/BootMgfw.c b/Voyager-2/Voyager-2 (2004-1709)/BootMgfw.c
index 8cd770f..17141bf 100644
--- a/Voyager-2/Voyager-2 (2004-1709)/BootMgfw.c
+++ b/Voyager-2/Voyager-2 (2004-1709)/BootMgfw.c
@@ -138,8 +138,8 @@ EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath)
 if (EFI_ERROR((Result = gBS->HandleProtocol(BootMgfwPath, &gEfiLoadedImageProtocolGuid, (VOID**)&BootMgfw))))
 return Result;
 
- Print(L"Image Base -> 0x%p\n", BootMgfw->ImageBase);
- Print(L"Image Size -> 0x%x\n", BootMgfw->ImageSize);
+ DBG_PRINT("Image Base -> 0x%p\n", BootMgfw->ImageBase);
+ DBG_PRINT("Image Size -> 0x%x\n", BootMgfw->ImageSize);
 
 VOID* ArchStartBootApplication = FindPattern(
 BootMgfw->ImageBase,
@@ -148,10 +148,7 @@ EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath)
 START_BOOT_APPLICATION_MASK
 );
 
- if (!ArchStartBootApplication)
- return EFI_ABORTED;
-
- DBG_PRINT(L"ArchStartBootApplication -> 0x%p\n", ArchStartBootApplication);
+ DBG_PRINT("ArchStartBootApplication -> 0x%p\n", ArchStartBootApplication);
 MakeShitHook(&BootMgfwShitHook, ArchStartBootApplication, &ArchStartBootApplicationHook, TRUE);
 return Result;
 }
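Review bot: The vmcb lookup now hard-codes the offset chain `__readgsqword(0) + 0x103B0`, `+ 0x198`, `+ 0xE80` with only the one-line comment above it; these values are tied to a specific hypervisor build, so naming them as `constexpr` constants with a comment recording the build they were taken from would make it obvious what has to be re-verified when that build changes. The two added `DBG_PRINT` calls sit inside `while (1)` on either side of `vcpu_run`, so they run on every iteration; if `DBG_PRINT` is not compiled out in release (its definition is not in the diff) that is heavy output on a hot path and deserves a debug-only guard.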
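Review bot: The `if (!ArchStartBootApplication) return EFI_ABORTED;` guard is removed in the second BootMgfw.c hunk, so when `FindPattern` finds nothing (the removed check shows it can return NULL) the value is printed and then handed straight to `MakeShitHook`. Keep the guard after the new `DBG_PRINT` so the function still returns `EFI_ABORTED` on a signature miss instead of continuing with a NULL address. Both hunks also switch the format strings from wide `L"..."` literals to narrow ones; that is presumably what `DBG_PRINT` expects, but its definition is not in the diff, so it is worth confirming.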
@@ -181,6 +178,7 @@ EFI_STATUS EFIAPI ArchStartBootApplicationHook(VOID* AppEntry, VOID* ImageBase,
 }
 else
 {
+ DBG_PRINT("some signature for winload found nothing (0), aborting...\n");
 Print(L"nullptr detected, aborting...\n");
 Print(L"Please submit a screenshot of this...\n");
 }
diff --git a/Voyager-2/Voyager-2 (2004-1709)/Hvix64.c b/Voyager-2/Voyager-2 (2004-1709)/Hvax64.c
similarity index 60%
rename from Voyager-2/Voyager-2 (2004-1709)/Hvix64.c
rename to Voyager-2/Voyager-2 (2004-1709)/Hvax64.c
index 27bbba9..b06f0b5 100644
--- a/Voyager-2/Voyager-2 (2004-1709)/Hvix64.c
+++ b/Voyager-2/Voyager-2 (2004-1709)/Hvax64.c
@@ -1,6 +1,6 @@
-#include "Hvix64.h"
+#include "Hvax64.h"
 
-VOID* MapModule(pvoyager_t VoyagerData, UINT8* ImageBase)
+VOID* MapModule(PVOYAGER_T VoyagerData, UINT8* ImageBase)
 {
 if (!VoyagerData || !ImageBase)
 return NULL;
@@ -44,7 +44,7 @@ VOID* MapModule(pvoyager_t VoyagerData, UINT8* ImageBase)
 {
 if (AsciiStrStr(VoyagerData->ModuleBase + Name[i], "voyager_context"))
 {
- *(voyager_t*)(VoyagerData->ModuleBase + Address[Ordinal[i]]) = *VoyagerData;
+ *(VOYAGER_T*)(VoyagerData->ModuleBase + Address[Ordinal[i]]) = *VoyagerData;
 break; // DO NOT REMOVE? #Stink Code 2020...
 }
 }
@@ -91,69 +91,52 @@ VOID* MapModule(pvoyager_t VoyagerData, UINT8* ImageBase) VOID MakeVoyagerData ( - pvoyager_t VoyagerData, + PVOYAGER_T VoyagerData, VOID* HypervAlloc, UINT64 HypervAllocSize, VOID* PayLoadBase, UINT64 PayLoadSize ) { - if (!VoyagerData || !HypervAlloc || !HypervAllocSize || !PayLoadBase || !PayLoadSize) - return; - VoyagerData->HypervModuleBase = HypervAlloc; VoyagerData->HypervModuleSize = HypervAllocSize; VoyagerData->ModuleBase = PayLoadBase; VoyagerData->ModuleSize = PayLoadSize; - VOID* VmExitHandler = + VOID* VCpuRunCall = FindPattern( HypervAlloc, HypervAllocSize, - VMEXIT_HANDLER_SIG, - VMEXIT_HANDLER_MASK + VCPU_RUN_HANDLER_SIG, + VCPU_RUN_HANDLER_MASK ); - /* - .text:FFFFF80000237436 mov rcx, [rsp+arg_18] ; rcx = pointer to stack that contians all register values - .text:FFFFF8000023743B mov rdx, [rsp+arg_28] - .text:FFFFF80000237440 call vmexit_c_handler ; RIP relative call - .text:FFFFF80000237445 jmp loc_FFFFF80000237100 - */ - - UINT64 VmExitHandlerCall = ((UINT64)VmExitHandler) + 19; // + 19 bytes to -> call vmexit_c_handler - UINT64 VmExitHandlerCallRip = (UINT64)VmExitHandlerCall + 5; // + 5 bytes because "call vmexit_c_handler" is 5 bytes - UINT64 VmExitFunction = VmExitHandlerCallRip + *(INT32*)((UINT64)(VmExitHandlerCall + 1)); // + 1 to skip E8 (call) and read 4 bytes (RVA) - VoyagerData->VmExitHandlerRva = ((UINT64)PayLoadEntry(PayLoadBase)) - (UINT64)VmExitFunction; + UINT64 VCpuRunCallRip = (UINT64)VCpuRunCall + 5; // + 5 bytes because "call vmexit_c_handler" is 5 bytes + UINT64 VCpuRunFunction = VCpuRunCallRip + *(INT32*)((UINT64)VCpuRunCall + 1); // + 1 to skip E8 (call) and read 4 bytes (RVA) + VoyagerData->VCpuRunHandlerRVA = ((UINT64)PayLoadEntry(PayLoadBase)) - VCpuRunFunction; + + DBG_PRINT("VCpuRunCallRip -> 0x%p\n", VCpuRunCallRip); + DBG_PRINT("VCpuRunFunction -> 0x%p\n", VCpuRunFunction); + DBG_PRINT("VoyagerData->VCpuRunHandlerRVA -> 0x%p\n", VoyagerData->VCpuRunHandlerRVA); } -VOID* HookVmExit(VOID* 
HypervBase, VOID* HypervSize, VOID* VmExitHook) +VOID* HookVCpuRun(VOID* HypervBase, VOID* HypervSize, VOID* VCpuRunHook) { - if (!HypervBase || !HypervSize || !VmExitHook) - return NULL; - - VOID* VmExitHandler = + VOID* VCpuRunCall = FindPattern( HypervBase, HypervSize, - VMEXIT_HANDLER_SIG, - VMEXIT_HANDLER_MASK + VCPU_RUN_HANDLER_SIG, + VCPU_RUN_HANDLER_MASK ); - if (!VmExitHandler) - return NULL; + UINT64 VCpuRunCallRip = (UINT64)VCpuRunCall + 5; // + 5 bytes to next instructions address... + UINT64 VCpuRunFunction = VCpuRunCallRip + *(INT32*)((UINT64)VCpuRunCall + 1); // + 1 to skip E8 (call) and read 4 bytes (RVA) + INT32 NewVCpuRunRVA = ((INT64)VCpuRunHook) - VCpuRunCallRip; + *(INT32*)((UINT64)VCpuRunCall + 1) = NewVCpuRunRVA; - /* - .text:FFFFF80000237436 mov rcx, [rsp+arg_18] ; rcx = pointer to stack that contians all register values - .text:FFFFF8000023743B mov rdx, [rsp+arg_28] - .text:FFFFF80000237440 call vmexit_c_handler ; RIP relative call - .text:FFFFF80000237445 jmp loc_FFFFF80000237100 - */ - - UINT64 VmExitHandlerCall = ((UINT64)VmExitHandler) + 19; // + 19 bytes to -> call vmexit_c_handler - UINT64 VmExitHandlerCallRip = (UINT64)VmExitHandlerCall + 5; // + 5 bytes because "call vmexit_c_handler" is 5 bytes - UINT64 VmExitFunction = VmExitHandlerCallRip + *(INT32*)((UINT64)(VmExitHandlerCall + 1)); // + 1 to skip E8 (call) and read 4 bytes (RVA) - INT32 NewVmExitRVA = ((INT64)VmExitHook) - VmExitHandlerCallRip; - *(INT32*)((UINT64)(VmExitHandlerCall + 1)) = NewVmExitRVA; - return VmExitFunction; + DBG_PRINT("VCpuRunCallRip -> 0x%p\n", VCpuRunCallRip); + DBG_PRINT("VCpuRunFunction -> 0x%p\n", VCpuRunFunction); + DBG_PRINT("NewVCpuRunRVA -> 0x%p\n", NewVCpuRunRVA); + return VCpuRunFunction; } \ No newline at end of file diff --git a/Voyager-2/Voyager-2 (2004-1709)/Hvax64.h b/Voyager-2/Voyager-2 (2004-1709)/Hvax64.h new file mode 100644 index 0000000..6d4a97c --- /dev/null +++ b/Voyager-2/Voyager-2 (2004-1709)/Hvax64.h 
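Review bot: MakeVoyagerData drops its `if (!VoyagerData || !HypervAlloc || ...) return;` guard and HookVCpuRun drops both its argument check and the `if (!VmExitHandler) return NULL;` that followed `FindPattern`, so a signature miss now evaluates `*(INT32*)((UINT64)VCpuRunCall + 1)` with `VCpuRunCall == NULL` and, in HookVCpuRun, writes through that address. Restore the argument guards and add `if (!VCpuRunCall) return;` (`return NULL;` in HookVCpuRun) directly after each `FindPattern` call. The kept comment `// + 5 bytes because "call vmexit_c_handler" is 5 bytes` now describes the old target; `// + 5: length of the E8 rel32 call, i.e. the address the call returns to` states what the code relies on. The new `DBG_PRINT` lines also print `UINT64` values with `%p`, which depends on how the macro formats its arguments — confirm, or cast to `(VOID*)`.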
@@ -0,0 +1,35 @@
+#pragma once
+#include "PayLoad.h"
+
+#if WINVER == 2004
+#define VCPU_RUN_HANDLER_SIG "\xE8\x00\x00\x00\x00\x0F\x01\xDC"
+#define VCPU_RUN_HANDLER_MASK "x????xxx"
+#endif
+
+static_assert(sizeof(VCPU_RUN_HANDLER_SIG) == sizeof(VCPU_RUN_HANDLER_MASK), "signature does not match mask size!");
+
+//
+// AllocBase is the base address of the extra memory allocated below where hyper-v is
+// AllocSize is the size of the extra allocated memory... This size == module size...
+//
+VOID* MapModule(PVOYAGER_T VoyagerData, UINT8* ImageBase);
+
+//
+// sig scan hv.exe for vmexit call and replace the relative call (RVA) with
+// an RVA to the vmexit handler hook (which is the golden records entry point)...
+//
+// returns a pointer to the original vmexit function address...
+//
+VOID* HookVCpuRun(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook);
+
+//
+// creates a structure with all the data needed to be passed to the golden record...
+//
+VOID MakeVoyagerData
+(
+ PVOYAGER_T VoyagerData,
+ VOID* HypervAlloc,
+ UINT64 HypervAllocSize,
+ VOID* PayLoadBase,
+ UINT64 PayLoadSize
+);
\ No newline at end of file
diff --git a/Voyager-2/Voyager-2 (2004-1709)/Hvix64.h b/Voyager-2/Voyager-2 (2004-1709)/Hvix64.h
deleted file mode 100644
index 0eed407..0000000
--- a/Voyager-2/Voyager-2 (2004-1709)/Hvix64.h
+++ /dev/null
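Review bot: The `HookVCpuRun` prototype names its last parameter `VmExitHook` while the definition in Hvax64.c calls it `VCpuRunHook`, and the comment above it still talks about the "vmexit call" and "vmexit handler hook"; rename the parameter and reword the comment so the header describes the vcpu_run call the code now patches. Only a `#if WINVER == 2004` branch remains, so any other WINVER leaves `VCPU_RUN_HANDLER_SIG` undefined and the `static_assert` fails with an unrelated undeclared-identifier error; an `#else` / `#error "no VCPU_RUN_HANDLER_SIG for this WINVER"` branch gives a clear diagnostic. The directory name still advertises 2004-1709 while the header only covers 2004, which deserves a comment at the top of the file.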
@@ -1,54 +0,0 @@ -#pragma once -#include "PayLoad.h" - -#if WINVER == 2004 -#define VMEXIT_HANDLER_SIG "\x65\xC6\x04\x25\x6D\x00\x00\x00\x00\x48\x8B\x4C\x24\x00\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9" -#define VMEXIT_HANDLER_MASK "xxxxxxxxxxxxx?xxxx?x????x" -#elif WINVER == 1909 -#define VMEXIT_HANDLER_SIG "\x48\x8B\x4C\x24\x00\xEB\x07\xE8\x00\x00\x00\x00\xEB\xF2\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9" -#define VMEXIT_HANDLER_MASK "xxxx?xxx????xxxxxx?x????x" -#elif WINVER == 1903 -#define VMEXIT_HANDLER_SIG "\x48\x8B\x4C\x24\x00\xEB\x07\xE8\x00\x00\x00\x00\xEB\xF2\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9" -#define VMEXIT_HANDLER_MASK "xxxx?xxx????xxxxxx?x????x" -#elif WINVER == 1809 -#define VMEXIT_HANDLER_SIG "\x48\x8B\x4C\x24\x00\xEB\x07\xE8\x00\x00\x00\x00\xEB\xF2\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9" -#define VMEXIT_HANDLER_MASK "xxxx?xxx????xxxxxx?x????x" -#elif WINVER == 1803 -#define VMEXIT_HANDLER_SIG "\xF2\x80\x3D\xFC\x12\x46\x00\x00\x0F\x84\x00\x00\x00\x00\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9" -#define VMEXIT_HANDLER_MASK "xxxxxxx?xx????xxxx?x????x" -#elif WINVER == 1709 -#define VMEXIT_HANDLER_SIG "\xD0\x80\x3D\x78\x0A\x47\x00\x00\x0F\x84\x00\x00\x00\x00\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9" -#define VMEXIT_HANDLER_MASK "xxxxxx??xx????xxxx?x????x" -#elif WINVER == 1703 -#define VMEXIT_HANDLER_SIG "\xD0\x80\x3D\x74\xCC\x47\x00\x00\x0F\x84\x00\x00\x00\x00\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9" -#define VMEXIT_HANDLER_MASK "xxxxxx??xx????xxxx?x????x" -#endif - -static_assert(sizeof(VMEXIT_HANDLER_SIG) == sizeof(VMEXIT_HANDLER_MASK), "signature does not match mask size!"); -static_assert(sizeof(VMEXIT_HANDLER_SIG) == 26, "signature is invalid length!"); - -// -// AllocBase is the base address of the extra memory allocated below where hyper-v is -// AllocSize is the size of the extra allocated memory... This size == module size... 
-// -VOID* MapModule(pvoyager_t VoyagerData, UINT8* ImageBase); - -// -// sig scan hv.exe for vmexit call and replace the relative call (RVA) with -// an RVA to the vmexit handler hook (which is the golden records entry point)... -// -// returns a pointer to the original vmexit function address... -// -VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook); - -// -// creates a structure with all the data needed to be passed to the golden record... -// -VOID MakeVoyagerData -( - pvoyager_t VoyagerData, - VOID* HypervAlloc, - UINT64 HypervAllocSize, - VOID* PayLoadBase, - UINT64 PayLoadSize -); \ No newline at end of file diff --git a/Voyager-2/Voyager-2 (2004-1709)/PayLoad.c b/Voyager-2/Voyager-2 (2004-1709)/PayLoad.c index 35bca80..b2bdcd8 100644 --- a/Voyager-2/Voyager-2 (2004-1709)/PayLoad.c +++ b/Voyager-2/Voyager-2 (2004-1709)/PayLoad.c 
@@ -44,18 +44,18 @@ unsigned char PayLoad[3072] = 0x6A, 0xDE, 0x5F, 0x8E, 0xDC, 0xAF, 0x5D, 0x8F, 0x6A, 0xDE, 0x5F, 0x8E, 0x52, 0x69, 0x63, 0x68, 0x6B, 0xDE, 0x5F, 0x8E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x45, 0x00, 0x00, 0x64, 0x86, 0x05, 0x00, - 0x13, 0xB9, 0x72, 0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x91, 0x48, 0x75, 0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF0, 0x00, 0x22, 0x20, 0x0B, 0x02, 0x0E, 0x1B, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x60, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0xD4, 0x8A, 0x00, 0x00, + 0x00, 0x60, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0xD4, 0x9E, 0x00, 0x00, 0x01, 0x00, 0x60, 0x01, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, - 0x6C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 
@@ -66,10 +66,10 @@ unsigned char PayLoad[3072] = 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x00, 0x00, 0x00, - 0xA2, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, + 0x50, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x68, 0x2E, 0x72, 0x64, 0x61, - 0x74, 0x61, 0x00, 0x00, 0x1C, 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, + 0x74, 0x61, 0x00, 0x00, 0x34, 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x48, 0x2E, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, @@ -79,7 +79,7 @@ unsigned char PayLoad[3072] = 0x0C, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x48, 0x2E, 0x65, 0x64, 0x61, - 0x74, 0x61, 0x00, 0x00, 0x6C, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, + 0x74, 0x61, 0x00, 0x00, 0x65, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
@@ -113,20 +113,35 @@ unsigned char PayLoad[3072] = 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x10, 0x48, 0x89, 0x4C, - 0x24, 0x08, 0x48, 0x83, 0xEC, 0x58, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x48, - 0x8B, 0x00, 0x48, 0x89, 0x44, 0x24, 0x20, 0xB8, 0x02, 0x44, 0x00, 0x00, - 0x0F, 0x78, 0x44, 0x24, 0x28, 0x48, 0x83, 0x7C, 0x24, 0x28, 0x0A, 0x75, - 0x4F, 0x48, 0x8B, 0x44, 0x24, 0x20, 0x48, 0xB9, 0xEF, 0xBE, 0xAD, 0xDE, - 0xEF, 0xBE, 0xAD, 0xDE, 0x48, 0x39, 0x48, 0x08, 0x75, 0x3A, 0x48, 0x8B, - 0x44, 0x24, 0x20, 0x48, 0xC7, 0x00, 0xEE, 0xFF, 0xC0, 0x00, 0xB8, 0x1E, - 0x68, 0x00, 0x00, 0x0F, 0x78, 0x44, 0x24, 0x38, 0xB8, 0x0C, 0x44, 0x00, - 0x00, 0x0F, 0x78, 0x44, 0x24, 0x30, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x48, - 0x8B, 0x4C, 0x24, 0x38, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0xB9, 0x1E, - 0x68, 0x00, 0x00, 0x0F, 0x79, 0xC8, 0xEB, 0x21, 0x48, 0x8D, 0x05, 0x7D, - 0xFF, 0xFF, 0xFF, 0x48, 0x2B, 0x05, 0x76, 0x1F, 0x00, 0x00, 0x48, 0x89, - 0x44, 0x24, 0x40, 0x48, 0x8B, 0x54, 0x24, 0x68, 0x48, 0x8B, 0x4C, 0x24, - 0x60, 0xFF, 0x54, 0x24, 0x40, 0x48, 0x83, 0xC4, 0x58, 0xC3, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0x5C, 0x24, 0x08, 0x56, 0x48, 0x83, + 0xEC, 0x20, 0x48, 0x8B, 0xD9, 0x48, 0x8D, 0x35, 0x0C, 0x01, 0x00, 0x00, + 0xB9, 0x11, 0x00, 0x00, 0x00, 0xBA, 0xF8, 0x02, 0x00, 0x00, 0xF3, 0x6E, + 0x0F, 0x01, 0xDD, 0x48, 0x8D, 0x05, 0xD6, 0xFF, 0xFF, 0xFF, 0x48, 0x8B, + 0xCB, 0x48, 0x2B, 0x05, 0xCC, 0x1F, 0x00, 0x00, 0xFF, 0xD0, 0x4C, 0x8B, + 0xC0, 0x0F, 0x01, 0xDC, 0xBA, 0xF8, 0x02, 0x00, 0x00, 0x48, 0x8D, 0x35, + 0xF8, 0x00, 0x00, 0x00, 0xB9, 0x10, 0x00, 0x00, 0x00, 0xF3, 0x6E, 0x65, + 0x48, 0x8B, 0x14, 0x25, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x8A, 0xB0, + 0x03, 0x01, 0x00, 0x48, 0x8B, 0x91, 0x98, 0x01, 0x00, 0x00, 0x48, 0x8B, + 0x8A, 0x80, 0x0E, 0x00, 
0x00, 0xE9, 0x8D, 0x00, 0x00, 0x00, 0x48, 0xB8, + 0xEF, 0xBE, 0xAD, 0xDE, 0xEF, 0xBE, 0xAD, 0xDE, 0x48, 0x39, 0x43, 0x08, + 0x0F, 0x85, 0x84, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x81, 0xC8, 0x00, 0x00, + 0x00, 0x48, 0x8D, 0x35, 0x8C, 0x00, 0x00, 0x00, 0x48, 0x89, 0x81, 0x78, + 0x05, 0x00, 0x00, 0xBA, 0xF8, 0x02, 0x00, 0x00, 0x48, 0xC7, 0x81, 0xF8, + 0x05, 0x00, 0x00, 0xEE, 0xFF, 0xC0, 0x00, 0xB9, 0x11, 0x00, 0x00, 0x00, + 0xF3, 0x6E, 0x0F, 0x01, 0xDD, 0x48, 0x8D, 0x05, 0x44, 0xFF, 0xFF, 0xFF, + 0x48, 0x8B, 0xCB, 0x48, 0x2B, 0x05, 0x3A, 0x1F, 0x00, 0x00, 0xFF, 0xD0, + 0x4C, 0x8B, 0xC0, 0x0F, 0x01, 0xDC, 0xBA, 0xF8, 0x02, 0x00, 0x00, 0x48, + 0x8D, 0x35, 0x66, 0x00, 0x00, 0x00, 0xB9, 0x10, 0x00, 0x00, 0x00, 0xF3, + 0x6E, 0x65, 0x48, 0x8B, 0x04, 0x25, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8B, + 0x88, 0xB0, 0x03, 0x01, 0x00, 0x48, 0x8B, 0x81, 0x98, 0x01, 0x00, 0x00, + 0x48, 0x8B, 0x88, 0x80, 0x0E, 0x00, 0x00, 0x48, 0x83, 0x79, 0x70, 0x72, + 0x0F, 0x84, 0x68, 0xFF, 0xFF, 0xFF, 0x48, 0x8B, 0x5C, 0x24, 0x30, 0x49, + 0x8B, 0xC0, 0x48, 0x83, 0xC4, 0x20, 0x5E, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, + 0xCC, 0xCC, 0xCC, 0xCC, 0x62, 0x65, 0x66, 0x6F, 0x72, 0x65, 0x20, 0x76, + 0x63, 0x70, 0x75, 0x5F, 0x72, 0x75, 0x6E, 0x0A, 0x00, 0xCC, 0xCC, 0xCC, + 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, + 0x61, 0x66, 0x74, 0x65, 0x72, 0x20, 0x76, 0x63, 0x70, 0x75, 0x5F, 0x72, + 0x75, 0x6E, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
@@ -141,47 +156,32 @@ unsigned char PayLoad[3072] = 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x13, 0xB9, 0x72, 0x5F, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x00, 0x00, 0x56, 0x00, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00, - 0x38, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0xB9, 0x72, 0x5F, - 0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, - 0x90, 0x20, 0x00, 0x00, 0x90, 0x06, 0x00, 0x00, 0x52, 0x53, 0x44, 0x53, - 0xD4, 0x11, 0x42, 0x7D, 0x4D, 0x15, 0x9E, 0x40, 0xAD, 0x44, 0xBC, 0xDA, - 0x99, 0x36, 0xE3, 0xCF, 0x01, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x55, + 0x00, 0x00, 0x00, 0x00, 0x91, 0x48, 0x75, 0x5F, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x00, 0x00, 
0x59, 0x00, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00, + 0x38, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x91, 0x48, 0x75, 0x5F, + 0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, + 0x94, 0x20, 0x00, 0x00, 0x94, 0x06, 0x00, 0x00, 0x52, 0x53, 0x44, 0x53, + 0xCE, 0x74, 0x7C, 0x88, 0x8C, 0xD6, 0x6B, 0x49, 0x87, 0x35, 0x71, 0x34, + 0xAF, 0x3B, 0x11, 0xC5, 0x01, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x55, 0x73, 0x65, 0x72, 0x73, 0x5C, 0x78, 0x65, 0x72, 0x6F, 0x78, 0x5C, 0x44, 0x65, 0x73, 0x6B, 0x74, 0x6F, 0x70, 0x5C, 0x76, 0x6F, 0x79, 0x61, 0x67, - 0x65, 0x72, 0x5C, 0x78, 0x36, 0x34, 0x5C, 0x52, 0x65, 0x6C, 0x65, 0x61, - 0x73, 0x65, 0x5C, 0x50, 0x61, 0x79, 0x4C, 0x6F, 0x61, 0x64, 0x28, 0x49, - 0x6E, 0x74, 0x65, 0x6C, 0x29, 0x2E, 0x70, 0x64, 0x62, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0xA2, 0x00, 0x00, 0x00, - 0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x6D, 0x6E, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x20, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61, - 0x74, 0x61, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00, 0xD8, 0x00, 0x00, 0x00, - 0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x24, 0x7A, 0x7A, 0x7A, 0x64, 0x62, - 0x67, 0x00, 0x00, 0x00, 0x10, 0x21, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, - 0x2E, 0x78, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, - 0x28, 0x00, 0x00, 0x00, 0x2E, 0x62, 0x73, 0x73, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x40, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x2E, 0x70, 0x64, 0x61, - 0x74, 0x61, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x6C, 0x00, 0x00, 0x00, - 0x2E, 0x65, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x02, 0x0E, 0x03, 0x00, - 0x01, 0x16, 0x00, 0x06, 0x0E, 0xA2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x65, 0x72, 0x5C, 0x56, 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x2D, 0x32, + 0x5C, 0x78, 0x36, 0x34, 0x5C, 0x52, 0x65, 0x6C, 0x65, 0x61, 0x73, 0x65, + 0x5C, 0x50, 0x61, 0x79, 0x4C, 
0x6F, 0x61, 0x64, 0x2E, 0x70, 0x64, 0x62, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, + 0x20, 0x01, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x6D, 0x6E, + 0x00, 0x00, 0x00, 0x00, 0x20, 0x11, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, + 0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x73, 0x00, 0x00, 0x20, 0x00, 0x00, + 0x38, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, + 0x38, 0x20, 0x00, 0x00, 0xEC, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61, + 0x74, 0x61, 0x24, 0x7A, 0x7A, 0x7A, 0x64, 0x62, 0x67, 0x00, 0x00, 0x00, + 0x24, 0x21, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x2E, 0x78, 0x64, 0x61, + 0x74, 0x61, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, + 0x2E, 0x62, 0x73, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, + 0x0C, 0x00, 0x00, 0x00, 0x2E, 0x70, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, + 0x00, 0x50, 0x00, 0x00, 0x65, 0x00, 0x00, 0x00, 0x2E, 0x65, 0x64, 0x61, + 0x74, 0x61, 0x00, 0x00, 0x02, 0x0A, 0x06, 0x00, 0x02, 0x16, 0x00, 0x06, + 0x0A, 0x34, 0x06, 0x00, 0x0A, 0x32, 0x06, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, @@ -199,7 +199,7 @@ unsigned char PayLoad[3072] = 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, - 0xA2, 0x10, 0x00, 0x00, 0x10, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x18, 0x11, 0x00, 0x00, 0x24, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
@@ -245,12 +245,12 @@ unsigned char PayLoad[3072] = 0x00, 0x00, 0x00, 0x00, 0x32, 0x50, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x28, 0x50, 0x00, 0x00, 0x2C, 0x50, 0x00, 0x00, 0x30, 0x50, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, - 0x45, 0x50, 0x00, 0x00, 0x00, 0x00, 0x50, 0x61, 0x79, 0x4C, 0x6F, 0x61, - 0x64, 0x28, 0x49, 0x6E, 0x74, 0x65, 0x6C, 0x29, 0x2E, 0x64, 0x6C, 0x6C, - 0x00, 0x3F, 0x76, 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x5F, 0x63, 0x6F, - 0x6E, 0x74, 0x65, 0x78, 0x74, 0x40, 0x40, 0x33, 0x55, 0x5F, 0x56, 0x4F, - 0x59, 0x41, 0x47, 0x45, 0x52, 0x5F, 0x44, 0x41, 0x54, 0x41, 0x5F, 0x54, - 0x40, 0x40, 0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x3E, 0x50, 0x00, 0x00, 0x00, 0x00, 0x50, 0x61, 0x79, 0x4C, 0x6F, 0x61, + 0x64, 0x2E, 0x64, 0x6C, 0x6C, 0x00, 0x3F, 0x76, 0x6F, 0x79, 0x61, 0x67, + 0x65, 0x72, 0x5F, 0x63, 0x6F, 0x6E, 0x74, 0x65, 0x78, 0x74, 0x40, 0x73, + 0x76, 0x6D, 0x40, 0x40, 0x33, 0x55, 0x5F, 0x76, 0x6F, 0x79, 0x61, 0x67, + 0x65, 0x72, 0x5F, 0x74, 0x40, 0x31, 0x40, 0x41, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, diff --git a/Voyager-2/Voyager-2 (2004-1709)/PayLoad.h b/Voyager-2/Voyager-2 (2004-1709)/PayLoad.h index 1430a93..172565f 100644 --- a/Voyager-2/Voyager-2 (2004-1709)/PayLoad.h +++ b/Voyager-2/Voyager-2 (2004-1709)/PayLoad.h @@ -3,14 +3,14 @@ extern unsigned char PayLoad[3072]; #pragma pack(push, 1) -typedef struct _voyager_t +typedef struct _VOYAGER_T { - UINT64 VmExitHandlerRva; + UINT64 VCpuRunHandlerRVA; UINT64 HypervModuleBase; UINT64 HypervModuleSize; UINT64 ModuleBase; UINT64 ModuleSize; -} voyager_t, * pvoyager_t; +} VOYAGER_T, *PVOYAGER_T; #pragma pack(pop) UINT32 PayLoadSize(VOID); 
diff --git a/Voyager-2/Voyager-2 (2004-1709)/UefiMain.c b/Voyager-2/Voyager-2 (2004-1709)/UefiMain.c
index 24dc87c..aec8ad7 100644
--- a/Voyager-2/Voyager-2 (2004-1709)/UefiMain.c
+++ b/Voyager-2/Voyager-2 (2004-1709)/UefiMain.c
@@ -22,11 +22,14 @@ EFI_STATUS EFIAPI UefiMain
 DBG_PRINT("unable to restore bootmgfw... reason -> %r\n", Result);
 return Result;
 }
+ DBG_PRINT("restored bootmgfw on disk...\n");
 if (EFI_ERROR((Result = InstallBootMgfwHooks(ImageHandle))))
 {
 DBG_PRINT("Failed to install bootmgfw hooks... reason -> %r\n", Result);
 return Result;
 }
+
+ DBG_PRINT("installed bootmgfw hooks...\n");
 return EFI_SUCCESS;
 }
\ No newline at end of file
diff --git a/Voyager-2/Voyager-2 (2004-1709)/Voyager-2 (2004-1709).vcxproj b/Voyager-2/Voyager-2 (2004-1709)/Voyager-2 (2004-1709).vcxproj
index bd8f39f..c99bbf3 100644
--- a/Voyager-2/Voyager-2 (2004-1709)/Voyager-2 (2004-1709).vcxproj
+++ b/Voyager-2/Voyager-2 (2004-1709)/Voyager-2 (2004-1709).vcxproj
@@ -24,7 +24,7 @@
{540d433f-c2df-49a6-895c-f5c74b014777} HyperMe 10.0
- Voyager-1 (2004-1709)
+ Voyager-2 (2004-1709)
@@ -175,7 +175,7 @@
- +
@@ -184,7 +184,7 @@
- +
diff --git a/Voyager-2/Voyager-2 (2004-1709)/Voyager-2 (2004-1709).vcxproj.filters b/Voyager-2/Voyager-2 (2004-1709)/Voyager-2 (2004-1709).vcxproj.filters
index 555200b..bb0d0ac 100644
--- a/Voyager-2/Voyager-2 (2004-1709)/Voyager-2 (2004-1709).vcxproj.filters
+++ b/Voyager-2/Voyager-2 (2004-1709)/Voyager-2 (2004-1709).vcxproj.filters
@@ -26,10 +26,10 @@
Source Files - + Source Files - + Source Files
@@ -40,9 +40,6 @@
Header Files - - Header Files - Header Files
@@ -52,5 +49,8 @@
Header Files + + Header Files +
\ No newline at end of file
diff --git a/Voyager-2/Voyager-2 (2004-1709)/WinLoad.c b/Voyager-2/Voyager-2 (2004-1709)/WinLoad.c
index d36e964..e6bc338 100644
--- a/Voyager-2/Voyager-2 (2004-1709)/WinLoad.c
+++ b/Voyager-2/Voyager-2 (2004-1709)/WinLoad.c
@@ -48,7 +48,7 @@ EFI_STATUS EFIAPI BlLdrLoadImage(VOID* Arg1, CHAR16* ModulePath, CHAR16* ModuleN
 {
 if (!AsciiStrCmp(&pSection->Name, ".reloc"))
 {
- voyager_t VoyagerData;
+ VOYAGER_T VoyagerData;
 MakeVoyagerData
 (
 &VoyagerData,
@@ -59,24 +59,19 @@ EFI_STATUS EFIAPI BlLdrLoadImage(VOID* Arg1, CHAR16* ModulePath, CHAR16* ModuleN
 );
 DBG_PRINT(".reloc section base address -> 0x%p\n", TableEntry->ModuleBase + pSection->VirtualAddress);
- DBG_PRINT(".reloc section end (aka golden record base address) -> 0x%p\n", TableEntry->ModuleBase + pSection->VirtualAddress + pSection->Misc.VirtualSize);
+ DBG_PRINT(".reloc section end (aka payload base address) -> 0x%p\n", TableEntry->ModuleBase + pSection->VirtualAddress + pSection->Misc.VirtualSize);
- VOID* VmExitHook = MapModule(&VoyagerData, PayLoad);
- if (!VmExitHook)
- return Result;
-
- VOID* VmExitFunction = HookVmExit
+ VOID* VCpuRunHook = MapModule(&VoyagerData, PayLoad);
+ VOID* VmExitFunction = HookVCpuRun
 (
 VoyagerData.HypervModuleBase,
 VoyagerData.HypervModuleSize,
- VmExitHook
+ VCpuRunHook
 );
- if (!VmExitFunction)
- return Result;
 pSection->Characteristics = SECTION_RWX;
 pSection->Misc.VirtualSize += PayLoadSize();
- DBG_PRINT("VmExitHook (PayLoad Entry Point) -> 0x%p\n", VmExitHook);
+ DBG_PRINT("vcpu_run hook (payload entry point) -> 0x%p\n", VCpuRunHook);
 }
 }
diff --git a/Voyager-2/Voyager-2 (2004-1709)/WinLoad.h b/Voyager-2/Voyager-2 (2004-1709)/WinLoad.h
index bf75013..56e5588 100644
--- a/Voyager-2/Voyager-2 (2004-1709)/WinLoad.h
+++ b/Voyager-2/Voyager-2 (2004-1709)/WinLoad.h
@@ -1,6 +1,6 @@
 #pragma once
 #include "Utils.h"
-#include "Hvix64.h"
+#include "Hvax64.h"
 #include "PayLoad.h"
 extern SHITHOOK WinLoadImageShitHook;
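Review bot: The second WinLoad.c hunk removes both failure checks around the hook installation — `if (!VmExitHook) return Result;` after MapModule and `if (!VmExitFunction) return Result;` after the hook call — so, if MapModule can still return NULL as the removed check implies, a NULL `VCpuRunHook` is handed to HookVCpuRun and the section is nonetheless marked SECTION_RWX and grown by PayLoadSize() with no hook in place. `VmExitFunction` now only receives the return value of HookVCpuRun and is never read, and its name no longer matches the renamed callee. Restoring the guards with the new names, `if (!VCpuRunHook) return Result;` and `if (!VmExitFunction) return Result;`, keeps the failure path closed; `Result` is defined before this hunk, so confirm it actually holds an error status at that point rather than a stale success value. BlLdrLoadImage starts and ends outside the hunk.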