starting to add amd support, working on 2004-1709

merge-requests/1/merge
xerox 4 years ago
parent 0212765fab
commit 61cfcc870f

@ -2,9 +2,9 @@
namespace bundler
{
std::pair<std::uint32_t, std::uint32_t> add_section(std::vector<std::uint8_t>& image, const char* name, std::size_t size, std::uint32_t protect)
std::pair<std::u32_t, std::u32_t> add_section(std::vector<std::u8_t>& image, const char* name, std::size_t size, std::u32_t protect)
{
auto align = [](std::uint32_t size, std::uint32_t align, std::uint32_t addr) -> std::uint32_t
auto align = [](std::u32_t size, std::u32_t align, std::u32_t addr) -> std::u32_t
{
if (!(size % align))
return addr + size;
@ -12,7 +12,7 @@ namespace bundler
};
auto section_header = reinterpret_cast<PIMAGE_SECTION_HEADER>(
((UINT64)&NT_HEADER(image.data())->OptionalHeader) +
((u64)&NT_HEADER(image.data())->OptionalHeader) +
NT_HEADER(image.data())->FileHeader.SizeOfOptionalHeader);
auto new_section = &section_header[NT_HEADER(image.data())->FileHeader.NumberOfSections];
@ -51,12 +51,12 @@ namespace bundler
}
// module_base is .efi section base in this case...
std::uint32_t map_module(std::uint8_t* module_base, std::vector<std::uint8_t>& map_from)
std::u32_t map_module(std::u8_t* module_base, std::vector<std::u8_t>& map_from)
{
// copy nt headers...
memcpy(module_base, map_from.data(), NT_HEADER(map_from.data())->OptionalHeader.SizeOfHeaders);
auto sections = reinterpret_cast<PIMAGE_SECTION_HEADER>(
(UINT8*)&NT_HEADER(map_from.data())->OptionalHeader +
(u8*)&NT_HEADER(map_from.data())->OptionalHeader +
NT_HEADER(map_from.data())->FileHeader.SizeOfOptionalHeader);
// copy sections...
@ -69,7 +69,7 @@ namespace bundler
return NT_HEADER(map_from.data())->OptionalHeader.AddressOfEntryPoint;
}
void bundle(std::vector<std::uint8_t>& bundle_into, std::vector<std::uint8_t>& bundle_module)
void bundle(std::vector<std::u8_t>& bundle_into, std::vector<std::u8_t>& bundle_module)
{
auto [trp_section_disk, trp_section_virt] = add_section(bundle_into, ".trp", sizeof shellcode::stub, SECTION_RWX);
auto [mod_section_disk, mod_section_virt] = add_section(bundle_into, ".efi", bundle_module.size(), SECTION_RWX);
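Review bot: `std::u32_t`, `std::u8_t` and `std::u16_t`, introduced here in the signatures of `add_section`, `map_module` and `bundle` and likewise in the bundler header, in `main`, in the shellcode relocation loop and (as `u32_t`/`u8_t`/`u64_t`) in the `impl` utils header, are not names the C++ standard library declares, so these hunks only compile if a project header injects them into namespace std — which [namespace.std] makes undefined behavior and which tends to break on the next toolchain or SDK update. Declaring the aliases in a project namespace instead, e.g. `namespace bundler { using u32_t = std::uint32_t; using u8_t = std::uint8_t; }`, and dropping the `std::` qualifier keeps the shorter spelling without the UB. The spelling is also inconsistent within this one commit: the casts use `(u64)`, `(u8*)` and `sizeof(u16)` while the adjacent declarations use `u64_t`, `u8_t` and `u16_t`, so a reader cannot tell whether these are two alias sets or typos. Each function touched by this section starts or ends outside its hunk.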

@ -9,7 +9,7 @@
namespace bundler
{
std::pair<std::uint32_t, std::uint32_t> add_section(std::vector<std::uint8_t>& image, const char* name, std::size_t size, std::uint32_t protect);
std::uint32_t map_module(std::uint8_t* module_base, std::vector<std::uint8_t>& map_from);
void bundle(std::vector<std::uint8_t>& bundle_into, std::vector<std::uint8_t>& bundle_module);
std::pair<std::u32_t, std::u32_t> add_section(std::vector<std::u8_t>& image, const char* name, std::size_t size, std::u32_t protect);
std::u32_t map_module(std::u8_t* module_base, std::vector<std::u8_t>& map_from);
void bundle(std::vector<std::u8_t>& bundle_into, std::vector<std::u8_t>& bundle_module);
}

@ -8,8 +8,8 @@ int __cdecl main(int argc, char** argv)
return -1;
}
std::vector<std::uint8_t> efi_module;
std::vector<std::uint8_t> bootmgfw;
std::vector<std::u8_t> efi_module;
std::vector<std::u8_t> bootmgfw;
impl::open_binary_file(argv[1], bootmgfw);
impl::open_binary_file(argv[2], efi_module);

@ -16,15 +16,15 @@ namespace shellcode
auto reloc = reinterpret_cast<PIMAGE_BASE_RELOCATION>(module_base + base_reloc_dir->VirtualAddress);
for (auto current_size = 0u; current_size < base_reloc_dir->Size; )
{
std::uint32_t reloc_count = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(UINT16);
auto reloc_data = reinterpret_cast<std::uint16_t*>((UINT8*)reloc + sizeof(IMAGE_BASE_RELOCATION));
auto reloc_base = reinterpret_cast<std::uint8_t*>(module_base) + reloc->VirtualAddress;
std::u32_t reloc_count = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(u16);
auto reloc_data = reinterpret_cast<std::u16_t*>((u8*)reloc + sizeof(IMAGE_BASE_RELOCATION));
auto reloc_base = reinterpret_cast<std::u8_t*>(module_base) + reloc->VirtualAddress;
for (auto i = 0u; i < reloc_count; ++i, ++reloc_data)
{
std::uint16_t data = *reloc_data;
std::uint16_t type = data >> 12;
std::uint16_t offset = data & 0xFFF;
std::u16_t data = *reloc_data;
std::u16_t type = data >> 12;
std::u16_t offset = data & 0xFFF;
switch (type)
{

@ -15,12 +15,12 @@
#include <algorithm>
#include <string_view>
#define NT_HEADER(x) reinterpret_cast<PIMAGE_NT_HEADERS>( uint64_t(x) + reinterpret_cast<PIMAGE_DOS_HEADER>(x)->e_lfanew )
#define NT_HEADER(x) reinterpret_cast<PIMAGE_NT_HEADERS>( u64_t(x) + reinterpret_cast<PIMAGE_DOS_HEADER>(x)->e_lfanew )
namespace impl
{
using uq_handle = std::unique_ptr<void, decltype(&CloseHandle)>;
__forceinline uint32_t get_process_id(const std::wstring_view process_name)
__forceinline u32_t get_process_id(const std::wstring_view process_name)
{
// open a system snapshot of all loaded processes
uq_handle snap_shot{ CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0), &CloseHandle };
@ -40,7 +40,7 @@ namespace impl
return 0;
}
__forceinline void open_binary_file(const std::string& file, std::vector<uint8_t>& data)
__forceinline void open_binary_file(const std::string& file, std::vector<u8_t>& data)
{
std::ifstream fstr(file, std::ios::binary);
fstr.unsetf(std::ios::skipws);
@ -49,8 +49,8 @@ namespace impl
const auto file_size = fstr.tellg();
fstr.seekg(NULL, std::ios::beg);
data.reserve(static_cast<uint32_t>(file_size));
data.insert(data.begin(), std::istream_iterator<uint8_t>(fstr), std::istream_iterator<uint8_t>());
data.reserve(static_cast<u32_t>(file_size));
data.insert(data.begin(), std::istream_iterator<u8_t>(fstr), std::istream_iterator<u8_t>());
}
__forceinline bool enable_privilege(const std::wstring_view privilege_name)

@ -1,87 +0,0 @@
;
; PayLoad(AMD).inf
;
[Version]
Signature="$WINDOWS NT$"
Class=Sample ; TODO: edit Class
ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid
Provider=%ManufacturerName%
CatalogFile=PayLoad(AMD).cat
DriverVer= ; TODO: set DriverVer in stampinf property pages
PnpLockDown=1
[DestinationDirs]
DefaultDestDir = 12
PayLoad(AMD)_Device_CoInstaller_CopyFiles = 11
; ================= Class section =====================
[ClassInstall32]
Addreg=SampleClassReg
[SampleClassReg]
HKR,,,0,%ClassName%
HKR,,Icon,,-5
[SourceDisksNames]
1 = %DiskName%,,,""
[SourceDisksFiles]
PayLoad(AMD).sys = 1,,
WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
;*****************************************
; Install Section
;*****************************************
[Manufacturer]
%ManufacturerName%=Standard,NT$ARCH$
[Standard.NT$ARCH$]
%PayLoad(AMD).DeviceDesc%=PayLoad(AMD)_Device, Root\PayLoad(AMD) ; TODO: edit hw-id
[PayLoad(AMD)_Device.NT]
CopyFiles=Drivers_Dir
[Drivers_Dir]
PayLoad(AMD).sys
;-------------- Service installation
[PayLoad(AMD)_Device.NT.Services]
AddService = PayLoad(AMD),%SPSVCINST_ASSOCSERVICE%, PayLoad(AMD)_Service_Inst
; -------------- PayLoad(AMD) driver install sections
[PayLoad(AMD)_Service_Inst]
DisplayName = %PayLoad(AMD).SVCDESC%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 3 ; SERVICE_DEMAND_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\PayLoad(AMD).sys
;
;--- PayLoad(AMD)_Device Coinstaller installation ------
;
[PayLoad(AMD)_Device.NT.CoInstallers]
AddReg=PayLoad(AMD)_Device_CoInstaller_AddReg
CopyFiles=PayLoad(AMD)_Device_CoInstaller_CopyFiles
[PayLoad(AMD)_Device_CoInstaller_AddReg]
HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
[PayLoad(AMD)_Device_CoInstaller_CopyFiles]
WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
[PayLoad(AMD)_Device.NT.Wdf]
KmdfService = PayLoad(AMD), PayLoad(AMD)_wdfsect
[PayLoad(AMD)_wdfsect]
KmdfLibraryVersion = $KMDFVERSION$
[Strings]
SPSVCINST_ASSOCSERVICE= 0x00000002
ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
ClassName="Samples" ; TODO: edit ClassName
DiskName = "PayLoad(AMD) Installation Disk"
PayLoad(AMD).DeviceDesc = "PayLoad(AMD) Device"
PayLoad(AMD).SVCDESC = "PayLoad(AMD) Service"

@ -1 +0,0 @@
#pragma once

@ -43,7 +43,7 @@
<Platform Condition="'$(Platform)' == ''">Win32</Platform>
<RootNamespace>TheGoldenRecord</RootNamespace>
<WindowsTargetPlatformVersion>10.0.19041.0</WindowsTargetPlatformVersion>
<ProjectName>PayLoad (Intel)</ProjectName>
<ProjectName>PayLoad</ProjectName>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">


@ -40,14 +40,15 @@ using vmexit_handler_t = void(__fastcall*)(pcontext_t context, void* unknown);
#endif
#pragma pack(push, 1)
typedef struct _VOYAGER_DATA_T
typedef struct _voyager_t
{
// RVA from golden record entry ---> back to original vmexit handler...
uintptr_t vmexit_handler_rva;
uintptr_t vcpu_run_rva;
uintptr_t hyperv_module_base;
uintptr_t hyperv_module_size;
uintptr_t record_base;
uintptr_t record_size;
} VOYAGER_DATA_T, *PVOYAGER_DATA_T;
} voyager_t, *pvoyager_t;
#pragma pack(pop)
__declspec(dllexport) inline VOYAGER_DATA_T voyager_context;
__declspec(dllexport) inline voyager_t voyager_context;
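Review bot: The packed `voyager_t` here gains a sixth member, `vcpu_run_rva`, inserted between `vmexit_handler_rva` and `hyperv_module_base`, but the bootkit-side `voyager_t` in the Voyager-1 header (`VmExitHandlerRva`, `HypervModuleBase`, `HypervModuleSize`, `ModuleBase`, `ModuleSize`) is still five `UINT64` members, and `MapModule` still copies it over the exported `voyager_context` with `*(voyager_t*)(...) = *VoyagerData`. If both sides are meant to describe the same blob, every member of this struct from offset 8 onward now receives the preceding member's value, and `vmexit_handler` — which this commit switches from `vmexit_handler_rva` to `vcpu_run_rva` — would subtract `HypervModuleBase` rather than an RVA; if the AMD payload is intended to carry its own layout, that needs stating and the shared copy needs a size check. A `static_assert(sizeof(voyager_t) == <expected size>, "voyager_t layout changed")` next to each definition, or better a single header shared by both projects, would catch the divergence at build time. The suppressed large diff may already address part of this.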

@ -1,5 +1,6 @@
#include "types.h"
#include "ia32.hpp"
#define VMEXIT_KEY 0xDEADBEEFDEADBEEF
#if WINVER > 1803
@ -36,5 +37,5 @@ void vmexit_handler(pcontext_t context, void* unknown)
// the linear virtual addresses change... thus an adjustment is required...
reinterpret_cast<vmexit_handler_t>(
reinterpret_cast<uintptr_t>(&vmexit_handler) -
voyager_context.vmexit_handler_rva)(context, unknown);
voyager_context.vcpu_run_rva)(context, unknown);
}
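Review bot: The comment above this call still explains the adjustment in terms of the vmexit handler's own address, while the subtrahend changed from `vmexit_handler_rva` to `vcpu_run_rva`; a reader cannot tell whether "address of `vmexit_handler` minus a vcpu_run RVA" is the intended arithmetic for this target or a leftover from merging the AMD path. Either update the comment, e.g. `// vcpu_run_rva: TODO(review) state what this RVA is relative to and why it replaces vmexit_handler_rva here`, or keep `vmexit_handler_rva` on this path and use the new member only where the AMD entry point is involved. `vmexit_handler`'s body starts outside the hunk.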

@ -0,0 +1,13 @@
c:\users\xerox\desktop\voyager\payload (intel)\x64\release\vc142.pdb
c:\users\xerox\desktop\voyager\payload (intel)\x64\release\vmexit_handler.obj
c:\users\xerox\desktop\voyager\x64\release\payload(intel).dll
c:\users\xerox\desktop\voyager\x64\release\payload(intel).lib
c:\users\xerox\desktop\voyager\x64\release\payload(intel).exp
c:\users\xerox\desktop\voyager\x64\release\payload(intel).pdb
c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\cl.command.1.tlog
c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\cl.read.1.tlog
c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\cl.write.1.tlog
c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\link.command.1.tlog
c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\link.read.1.tlog
c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\link.write.1.tlog
c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\payload (intel).write.1u.tlog

@ -0,0 +1,12 @@
c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\vc142.pdb
c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\vmexit_handler.obj
c:\users\xerox\desktop\voyager\voyager-1\x64\release\payload.dll
c:\users\xerox\desktop\voyager\voyager-1\x64\release\payload.lib
c:\users\xerox\desktop\voyager\voyager-1\x64\release\payload.exp
c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\cl.command.1.tlog
c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\cl.read.1.tlog
c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\cl.write.1.tlog
c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\link.command.1.tlog
c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\link.read.1.tlog
c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\link.write.1.tlog
c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\payload.write.1u.tlog

@ -0,0 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<Project>
<ProjectOutputs>C:\Users\xerox\Desktop\voyager\Voyager-1\x64\Release\PayLoad.dll</ProjectOutputs>
<ContentFiles></ContentFiles>
<SatelliteDlls></SatelliteDlls>
<NonRecipeFileRefs></NonRecipeFileRefs>
</Project>

@ -0,0 +1,7 @@
 Building 'PayLoad' with toolset 'WindowsKernelModeDriver10.0' and the 'Universal' target platform.
vmexit_handler.cpp
Creating library C:\Users\xerox\Desktop\voyager\Voyager-1\x64\Release\PayLoad.lib and object C:\Users\xerox\Desktop\voyager\Voyager-1\x64\Release\PayLoad.exp
PayLoad.vcxproj -> C:\Users\xerox\Desktop\voyager\Voyager-1\x64\Release\PayLoad.dll
Driver is 'Universal'.
Inf2Cat task was skipped as there were no inf files to process

@ -0,0 +1,2 @@
PlatformToolSet=WindowsKernelModeDriver10.0:VCToolArchitecture=Native32Bit:VCToolsVersion=14.27.29110:TargetPlatformVersion=10.0.19041.0:
Release|x64|C:\Users\xerox\Desktop\voyager\Voyager-1\|

@ -25,4 +25,4 @@ extern SHITHOOK BootMgfwShitHook;
typedef EFI_STATUS(EFIAPI* IMG_ARCH_START_BOOT_APPLICATION)(VOID*, VOID*, UINT32, UINT8, VOID*);
EFI_STATUS EFIAPI RestoreBootMgfw(VOID);
EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE ImageHandle);
EFI_STATUS EFIAPI ArchStartBootApplicationHook(VOID* AppEntry, VOID* ImageBase, UINT32 ImageSize, UINT8 BootOption, VOID* ReturnArgs);
EFI_STATUS EFIAPI ArchStartBootApplicationHook(VOID* AppEntry, VOID* ImageBase, UINT32 ImageSize, UINT8 BootOption, VOID* ReturnArgs);

@ -33,7 +33,7 @@ EFI_STATUS EFIAPI HvBlImgLoadPEImageFromSourceBuffer(VOID* a1, VOID* a2, VOID* a
{
if (!AsciiStrCmp(&pSection->Name, ".reloc"))
{
VOYAGER_DATA_T VoyagerData;
voyager_t VoyagerData;
MakeVoyagerData
(
&VoyagerData,
@ -95,7 +95,7 @@ EFI_STATUS EFIAPI HvBlImgLoadPEImageEx(VOID* DeviceId, VOID* MemoryType, CHAR16*
{
if (!AsciiStrCmp(&pSection->Name, ".reloc"))
{
VOYAGER_DATA_T VoyagerData;
voyager_t VoyagerData;
MakeVoyagerData
(
&VoyagerData,

@ -1,6 +1,6 @@
#include "Hvix64.h"
VOID* MapModule(PVOYAGER_DATA_T VoyagerData, UINT8* ImageBase)
VOID* MapModule(pvoyager_t VoyagerData, UINT8* ImageBase)
{
EFI_IMAGE_DOS_HEADER* dosHeaders = (EFI_IMAGE_DOS_HEADER*)ImageBase;
if (dosHeaders->e_magic != EFI_IMAGE_DOS_SIGNATURE)
@ -32,7 +32,7 @@ VOID* MapModule(PVOYAGER_DATA_T VoyagerData, UINT8* ImageBase)
{
if (AsciiStrStr(VoyagerData->ModuleBase + Name[i], "voyager_context"))
{
*(VOYAGER_DATA_T*)(VoyagerData->ModuleBase + Address[Ordinal[i]]) = *VoyagerData;
*(voyager_t*)(VoyagerData->ModuleBase + Address[Ordinal[i]]) = *VoyagerData;
break;
}
}
@ -79,7 +79,7 @@ VOID* MapModule(PVOYAGER_DATA_T VoyagerData, UINT8* ImageBase)
VOID MakeVoyagerData
(
PVOYAGER_DATA_T VoyagerData,
pvoyager_t VoyagerData,
VOID* HypervAlloc,
UINT64 HypervAllocSize,
VOID* PayLoadBase,

@ -11,7 +11,7 @@ static_assert(sizeof(VMEXIT_HANDLER_SIG) == 26, "signature is invalid length!");
// AllocBase is the base address of the extra memory allocated below where hyper-v is
// AllocSize is the size of the extra allocated memory... This size == module size...
//
VOID* MapModule(PVOYAGER_DATA_T VoyagerData, UINT8* ImageBase);
VOID* MapModule(pvoyager_t VoyagerData, UINT8* ImageBase);
//
// sig scan hv.exe for vmexit call and replace the relative call (RVA) with
@ -26,7 +26,7 @@ VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook);
//
VOID MakeVoyagerData
(
PVOYAGER_DATA_T VoyagerData,
pvoyager_t VoyagerData,
VOID* HypervAlloc,
UINT64 HypervAllocSize,
VOID* PayLoadBase,

@ -3,14 +3,14 @@
extern unsigned char PayLoad[3072];
#pragma pack(push, 1)
typedef struct _VOYAGER_DATA_T
typedef struct _voyager_t
{
UINT64 VmExitHandlerRva;
UINT64 HypervModuleBase;
UINT64 HypervModuleSize;
UINT64 ModuleBase;
UINT64 ModuleSize;
} VOYAGER_DATA_T, * PVOYAGER_DATA_T;
} voyager_t, * pvoyager_t;
#pragma pack(pop)
UINT32 PayLoadSize(VOID);

@ -24,7 +24,7 @@
<ProjectGuid>{C4B6B437-62DF-4166-9023-44CFC8A52258}</ProjectGuid>
<RootNamespace>HyperMe</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
<ProjectName>Voyager (1703-1511)</ProjectName>
<ProjectName>Voyager-1 (1703-1511)</ProjectName>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">

