From 6e26985d98f0aa7d4f61f7d722ddcba117a391e3 Mon Sep 17 00:00:00 2001
From: xerox
Date: Mon, 28 Sep 2020 21:30:35 -0700
Subject: [PATCH] bundler works, able to replace bootmgfw on disk..
---
 Efi Bundler/shellcode.cpp | 4 +-
 Voyager (1703-1511)/BootMgfw.c | 82 +++++++++++++++++++++++++++++++---
 Voyager (1703-1511)/BootMgfw.h | 6 ++-
 Voyager (1703-1511)/UefiMain.c | 28 +++--------
 Voyager (2004-1709)/BootMgfw.c | 82 +++++++++++++++++++++++++++++++---
 Voyager (2004-1709)/BootMgfw.h | 7 ++-
 Voyager (2004-1709)/UefiMain.c | 33 +++++--------
 7 files changed, 183 insertions(+), 59 deletions(-)
diff --git a/Efi Bundler/shellcode.cpp b/Efi Bundler/shellcode.cpp
index d695595..d64bcc1 100644
--- a/Efi Bundler/shellcode.cpp
+++ b/Efi Bundler/shellcode.cpp
@@ -16,7 +16,7 @@ namespace shellcode
 auto reloc = reinterpret_cast(module_base + base_reloc_dir->VirtualAddress);
 for (auto current_size = 0u; current_size < base_reloc_dir->Size; )
 {
- auto reloc_count = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(UINT16);
+ std::uint32_t reloc_count = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(UINT16);
 auto reloc_data = reinterpret_cast((UINT8*)reloc + sizeof(IMAGE_BASE_RELOCATION));
 auto reloc_base = reinterpret_cast(module_base) + reloc->VirtualAddress;
@@ -28,6 +28,8 @@ namespace shellcode
 switch (type)
 {
+ case IMAGE_REL_BASED_ABSOLUTE:
+ break;
 case IMAGE_REL_BASED_DIR64:
 {
 auto rva = reinterpret_cast(reloc_base + offset);
diff --git a/Voyager (1703-1511)/BootMgfw.c b/Voyager (1703-1511)/BootMgfw.c
index 2dc205e..0957ab2 100644
--- a/Voyager (1703-1511)/BootMgfw.c
+++ b/Voyager (1703-1511)/BootMgfw.c
@@ -1,7 +1,7 @@
 #include "BootMgfw.h"
 SHITHOOK BootMgfwShitHook;
-EFI_STATUS EFIAPI GetBootMgfwPath(EFI_DEVICE_PATH_PROTOCOL** BootMgfwPathProtocol)
+EFI_STATUS EFIAPI RestoreBootMgfw(VOID)
 {
 UINTN HandleCount = NULL;
 EFI_STATUS Result;
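Review bot: In the first shellcode.cpp hunk `reloc_count` is still computed as `(reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(UINT16)` with no check that `SizeOfBlock` is at least `sizeof(IMAGE_BASE_RELOCATION)`; the subtraction is performed in `size_t`, so a short or zero `SizeOfBlock` wraps to a huge value before the narrowing to `std::uint32_t`, and a relocation loop driven by that count would read past the block. Guard the block before computing the count: `if (reloc->SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION)) break;`. Whether the loop's advance step, which is outside the hunk, also tolerates `SizeOfBlock == 0` cannot be seen here. The enclosing function starts before and ends after both shellcode.cpp hunks.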
@@ -33,11 +33,83 @@ EFI_STATUS EFIAPI GetBootMgfwPath(EFI_DEVICE_PATH_PROTOCOL** BootMgfwPathProtoco
 return Result;
 }
- // if we found the correct file (\\efi\\microsoft\\boot\\bootmgfw.efi)
- if (!EFI_ERROR(VolumeHandle->Open(VolumeHandle, &BootMgfwHandle, WINDOWS_BOOTMGR_PATH, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY)))
+ if (!EFI_ERROR(VolumeHandle->Open(VolumeHandle, &BootMgfwHandle, WINDOWS_BOOTMGFW_PATH, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY)))
 {
- VolumeHandle->Close(BootMgfwHandle);
- *BootMgfwPathProtocol = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGR_PATH);
+ EFI_FILE_PROTOCOL* BootMgfwFile = NULL;
+ EFI_DEVICE_PATH* BootMgfwPathProtocol = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGFW_PATH);
+
+ if (EFI_ERROR((Result = EfiOpenFileByDevicePath(&BootMgfwPathProtocol, &BootMgfwFile, EFI_FILE_MODE_WRITE | EFI_FILE_MODE_READ, NULL))))
+ {
+ DBG_PRINT("error opening bootmgfw... reason -> %r\n", Result);
+ return Result;
+ }
+
+ if (EFI_ERROR((Result = BootMgfwFile->Delete(BootMgfwFile))))
+ {
+ DBG_PRINT("error deleting bootmgfw... reason -> %r\n", Result);
+ return Result;
+ }
+
+ BootMgfwPathProtocol = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGFW_BACKUP_PATH);
+ if (EFI_ERROR((Result = EfiOpenFileByDevicePath(&BootMgfwPathProtocol, &BootMgfwFile, EFI_FILE_MODE_WRITE | EFI_FILE_MODE_READ, NULL))))
+ {
+ DBG_PRINT("failed to open backup file... reason -> %r\n", Result);
+ return Result;
+ }
+
+ EFI_FILE_INFO* FileInfoPtr = NULL;
+ UINTN FileInfoSize = NULL;
+ if (EFI_ERROR((Result = BootMgfwFile->GetInfo(BootMgfwFile, &gEfiFileInfoGuid, &FileInfoSize, NULL))))
+ {
+ if (Result == EFI_BUFFER_TOO_SMALL)
+ {
+ gBS->AllocatePool(EfiBootServicesData, FileInfoSize, &FileInfoPtr);
+ if (EFI_ERROR(Result = BootMgfwFile->GetInfo(BootMgfwFile, &gEfiFileInfoGuid, &FileInfoSize, FileInfoPtr)))
+ {
+ DBG_PRINT("get backup file information failed... reason -> %r\n", Result);
+ return Result;
+ }
+ }
+ else
+ {
+ DBG_PRINT("Failed to get file information... 
reason -> %r\n", Result);
+ return Result;
+ }
+ }
+ VOID* BootMgfwBuffer = NULL;
+ gBS->AllocatePool(EfiBootServicesData, FileInfoPtr->FileSize, &BootMgfwBuffer);
+
+ UINTN BootMgfwSize = FileInfoPtr->FileSize;
+ if (EFI_ERROR((Result = BootMgfwFile->Read(BootMgfwFile, &BootMgfwSize, BootMgfwBuffer))))
+ {
+ DBG_PRINT("Failed to read backup file into buffer... reason -> %r\n", Result);
+ return Result;
+ }
+
+ if (EFI_ERROR((Result = BootMgfwFile->Delete(BootMgfwFile))))
+ {
+ DBG_PRINT("unable to delete backup file... reason -> %r\n", Result);
+ return Result;
+ }
+
+ BootMgfwPathProtocol = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGFW_PATH);
+ if (EFI_ERROR((Result = EfiOpenFileByDevicePath(&BootMgfwPathProtocol, &BootMgfwFile, EFI_FILE_MODE_CREATE | EFI_FILE_MODE_WRITE | EFI_FILE_MODE_READ, EFI_FILE_SYSTEM))))
+ {
+ DBG_PRINT("unable to create new bootmgfw on disk... reason -> %r\n", Result);
+ return Result;
+ }
+
+ BootMgfwSize = FileInfoPtr->FileSize;
+ if (EFI_ERROR((Result = BootMgfwFile->Write(BootMgfwFile, &BootMgfwSize, BootMgfwBuffer))))
+ {
+ DBG_PRINT("unable to write to newly created bootmgfw.efi... reason -> %r\n", Result);
+ return Result;
+ }
+
+ VolumeHandle->Close(VolumeHandle);
+ BootMgfwFile->Close(BootMgfwFile);
+ gBS->FreePool(FileInfoPtr);
+ gBS->FreePool(BootMgfwBuffer);
 return EFI_SUCCESS;
 }
diff --git a/Voyager (1703-1511)/BootMgfw.h b/Voyager (1703-1511)/BootMgfw.h
index 8efe6c3..a8073a2 100644
--- a/Voyager (1703-1511)/BootMgfw.h
+++ b/Voyager (1703-1511)/BootMgfw.h
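Review bot: The live file at `WINDOWS_BOOTMGFW_PATH` is removed by the first `BootMgfwFile->Delete` before the backup at `WINDOWS_BOOTMGFW_BACKUP_PATH` has been opened or read, so a failure in any later step returns with the original already gone and nothing written in its place; open and `Read` the backup into `BootMgfwBuffer` first, and only then delete and recreate the original. Neither `gBS->AllocatePool` result is checked and `FileInfoPtr` is dereferenced unconditionally, so if the first `GetInfo` ever succeeds (skipping the allocation) or the allocation fails, `FileInfoPtr->FileSize` reads through NULL — add `if (FileInfoPtr == NULL || BootMgfwBuffer == NULL) return EFI_OUT_OF_RESOURCES;` before the first use of each. `Read` may also return fewer bytes than requested, so `BootMgfwSize` should be compared against `FileInfoPtr->FileSize` before the `Write`. Every early `return Result` leaves `VolumeHandle`, `BootMgfwFile`, both pool buffers and the `FileDevicePath` allocations (whose head pointer `EfiOpenFileByDevicePath` advances, so it must be saved to be freed) unreleased; a single cleanup path would cover all of them. The same code appears in the `Voyager (2004-1709)/BootMgfw.c` hunk, and the enclosing function begins before this hunk.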
@@ -18,9 +18,11 @@
 #define START_BOOT_APPLICATION_MASK "x????xxxxxx????xxx"
 static_assert(sizeof(START_BOOT_APPLICATION_SIG) == sizeof(START_BOOT_APPLICATION_MASK), "signature and mask size's dont match...");
-#define WINDOWS_BOOTMGR_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi"
+#define WINDOWS_BOOTMGFW_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi"
+#define WINDOWS_BOOTMGFW_BACKUP_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi.backup"
+
 extern SHITHOOK BootMgfwShitHook;
 typedef EFI_STATUS(EFIAPI* IMG_ARCH_START_BOOT_APPLICATION)(VOID*, VOID*, UINT32, UINT8, VOID*);
-EFI_STATUS EFIAPI GetBootMgfwPath(EFI_DEVICE_PATH_PROTOCOL** BootMgfwPathProtocol);
+EFI_STATUS EFIAPI RestoreBootMgfw(VOID);
 EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE ImageHandle);
 EFI_STATUS EFIAPI ArchStartBootApplicationHook(VOID* AppEntry, VOID* ImageBase, UINT32 ImageSize, UINT8 BootOption, VOID* ReturnArgs);
\ No newline at end of file
diff --git a/Voyager (1703-1511)/UefiMain.c b/Voyager (1703-1511)/UefiMain.c
index 10413ff..a9d097c 100644
--- a/Voyager (1703-1511)/UefiMain.c
+++ b/Voyager (1703-1511)/UefiMain.c
@@ -15,31 +15,17 @@ EFI_STATUS EFIAPI UefiMain
 )
 {
 EFI_STATUS Result;
- EFI_HANDLE BootMgfwHandle;
- EFI_DEVICE_PATH* BootMgfwPath;
-
- if (EFI_ERROR((Result = GetBootMgfwPath(&BootMgfwPath))))
- {
- Print(L"unable to get bootmgfw file path... reason -> %r\n", Result);
- return EFI_NOT_FOUND;
- }
-
- if (EFI_ERROR((Result = gBS->LoadImage(TRUE, ImageHandle, BootMgfwPath, NULL, 0, &BootMgfwHandle))))
- {
- Print(L"failed to load bootmgfw.efi... reason -> %r\n", Result);
- return EFI_ABORTED;
- }
-
- if (EFI_ERROR((Result = InstallBootMgfwHooks(BootMgfwHandle))))
+ EFI_DEVICE_PATH_PROTOCOL* BootMgfwPath;
+ if (EFI_ERROR((Result = RestoreBootMgfw())))
 {
- Print(L"Failed to install bootmgfw hooks... reason -> %r\n", Result);
- return EFI_ABORTED;
+ DBG_PRINT("unable to get bootmgfw path... reason -> %r\n", Result);
+ return Result;
 }
- if (EFI_ERROR((Result = gBS->StartImage(BootMgfwHandle, NULL, NULL))))
+ if (EFI_ERROR((Result = InstallBootMgfwHooks(ImageHandle))))
 {
- Print(L"Failed to start bootmgfw.efi...\n");
- return EFI_ABORTED;
+ DBG_PRINT("Failed to install bootmgfw hooks... reason -> %r\n", Result);
+ return Result;
 }
 return EFI_SUCCESS;
 }
\ No newline at end of file
diff --git a/Voyager (2004-1709)/BootMgfw.c b/Voyager (2004-1709)/BootMgfw.c
index 61dcdda..c03a6d0 100644
--- a/Voyager (2004-1709)/BootMgfw.c
+++ b/Voyager (2004-1709)/BootMgfw.c
@@ -1,7 +1,7 @@
 #include "BootMgfw.h"
 SHITHOOK BootMgfwShitHook;
-EFI_STATUS EFIAPI GetBootMgfwPath(EFI_DEVICE_PATH_PROTOCOL** BootMgfwPathProtocol)
+EFI_STATUS EFIAPI RestoreBootMgfw(VOID)
 {
 UINTN HandleCount = NULL;
 EFI_STATUS Result;
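Review bot: The added `EFI_DEVICE_PATH_PROTOCOL* BootMgfwPath;` in UefiMain is never used now that `RestoreBootMgfw(VOID)` takes no arguments, so the declaration should be dropped. The failure text on the next lines, `"unable to get bootmgfw path... reason -> %r\n"`, also no longer describes what failed, since the call restores the file rather than resolving its path; `DBG_PRINT("unable to restore bootmgfw... reason -> %r\n", Result);` would match the new behaviour. The `Voyager (2004-1709)/UefiMain.c` hunk carries the same unused variable and stale message. `UefiMain`'s signature starts before this hunk.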
@@ -33,11 +33,83 @@ EFI_STATUS EFIAPI GetBootMgfwPath(EFI_DEVICE_PATH_PROTOCOL** BootMgfwPathProtoco
 return Result;
 }
- // if we found the correct file (\\efi\\microsoft\\boot\\bootmgfw.efi)
- if (!EFI_ERROR(VolumeHandle->Open(VolumeHandle, &BootMgfwHandle, WINDOWS_BOOTMGR_PATH, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY)))
+ if (!EFI_ERROR(VolumeHandle->Open(VolumeHandle, &BootMgfwHandle, WINDOWS_BOOTMGFW_PATH, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY)))
 {
- VolumeHandle->Close(BootMgfwHandle);
- *BootMgfwPathProtocol = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGR_PATH);
+ EFI_FILE_PROTOCOL* BootMgfwFile = NULL;
+ EFI_DEVICE_PATH* BootMgfwPathProtocol = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGFW_PATH);
+
+ if (EFI_ERROR((Result = EfiOpenFileByDevicePath(&BootMgfwPathProtocol, &BootMgfwFile, EFI_FILE_MODE_WRITE | EFI_FILE_MODE_READ, NULL))))
+ {
+ DBG_PRINT("error opening bootmgfw... reason -> %r\n", Result);
+ return Result;
+ }
+
+ if (EFI_ERROR((Result = BootMgfwFile->Delete(BootMgfwFile))))
+ {
+ DBG_PRINT("error deleting bootmgfw... reason -> %r\n", Result);
+ return Result;
+ }
+
+ BootMgfwPathProtocol = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGFW_BACKUP_PATH);
+ if (EFI_ERROR((Result = EfiOpenFileByDevicePath(&BootMgfwPathProtocol, &BootMgfwFile, EFI_FILE_MODE_WRITE | EFI_FILE_MODE_READ, NULL))))
+ {
+ DBG_PRINT("failed to open backup file... reason -> %r\n", Result);
+ return Result;
+ }
+
+ EFI_FILE_INFO* FileInfoPtr = NULL;
+ UINTN FileInfoSize = NULL;
+ if (EFI_ERROR((Result = BootMgfwFile->GetInfo(BootMgfwFile, &gEfiFileInfoGuid, &FileInfoSize, NULL))))
+ {
+ if (Result == EFI_BUFFER_TOO_SMALL)
+ {
+ gBS->AllocatePool(EfiBootServicesData, FileInfoSize, &FileInfoPtr);
+ if (EFI_ERROR(Result = BootMgfwFile->GetInfo(BootMgfwFile, &gEfiFileInfoGuid, &FileInfoSize, FileInfoPtr)))
+ {
+ DBG_PRINT("get backup file information failed... reason -> %r\n", Result);
+ return Result;
+ }
+ }
+ else
+ {
+ DBG_PRINT("Failed to get file information... 
reason -> %r\n", Result);
+ return Result;
+ }
+ }
+ VOID* BootMgfwBuffer = NULL;
+ gBS->AllocatePool(EfiBootServicesData, FileInfoPtr->FileSize, &BootMgfwBuffer);
+
+ UINTN BootMgfwSize = FileInfoPtr->FileSize;
+ if (EFI_ERROR((Result = BootMgfwFile->Read(BootMgfwFile, &BootMgfwSize, BootMgfwBuffer))))
+ {
+ DBG_PRINT("Failed to read backup file into buffer... reason -> %r\n", Result);
+ return Result;
+ }
+
+ if (EFI_ERROR((Result = BootMgfwFile->Delete(BootMgfwFile))))
+ {
+ DBG_PRINT("unable to delete backup file... reason -> %r\n", Result);
+ return Result;
+ }
+
+ BootMgfwPathProtocol = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGFW_PATH);
+ if (EFI_ERROR((Result = EfiOpenFileByDevicePath(&BootMgfwPathProtocol, &BootMgfwFile, EFI_FILE_MODE_CREATE | EFI_FILE_MODE_WRITE | EFI_FILE_MODE_READ, EFI_FILE_SYSTEM))))
+ {
+ DBG_PRINT("unable to create new bootmgfw on disk... reason -> %r\n", Result);
+ return Result;
+ }
+
+ BootMgfwSize = FileInfoPtr->FileSize;
+ if (EFI_ERROR((Result = BootMgfwFile->Write(BootMgfwFile, &BootMgfwSize, BootMgfwBuffer))))
+ {
+ DBG_PRINT("unable to write to newly created bootmgfw.efi... reason -> %r\n", Result);
+ return Result;
+ }
+
+ VolumeHandle->Close(VolumeHandle);
+ BootMgfwFile->Close(BootMgfwFile);
+ gBS->FreePool(FileInfoPtr);
+ gBS->FreePool(BootMgfwBuffer);
 return EFI_SUCCESS;
 }
diff --git a/Voyager (2004-1709)/BootMgfw.h b/Voyager (2004-1709)/BootMgfw.h
index 7d65b48..799970b 100644
--- a/Voyager (2004-1709)/BootMgfw.h
+++ b/Voyager (2004-1709)/BootMgfw.h
@@ -11,6 +11,7 @@
 #include
 #include
 #include
+#include
 #include "WinLoad.h"
 #if WINVER > 1709
@@ -25,9 +26,11 @@
 #endif
 static_assert(sizeof(START_BOOT_APPLICATION_SIG) == sizeof(START_BOOT_APPLICATION_MASK), "signature and mask size's dont match...");
-#define WINDOWS_BOOTMGR_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi"
+#define WINDOWS_BOOTMGFW_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi"
+#define WINDOWS_BOOTMGFW_BACKUP_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi.backup"
+
 extern SHITHOOK BootMgfwShitHook;
 typedef EFI_STATUS(EFIAPI* IMG_ARCH_START_BOOT_APPLICATION)(VOID*, VOID*, UINT32, UINT8, VOID*);
-EFI_STATUS EFIAPI GetBootMgfwPath(EFI_DEVICE_PATH_PROTOCOL** BootMgfwPathProtocol);
+EFI_STATUS EFIAPI RestoreBootMgfw(VOID);
 EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath);
 EFI_STATUS EFIAPI ArchStartBootApplicationHook(VOID* AppEntry, VOID* ImageBase, UINT32 ImageSize, UINT8 BootOption, VOID* ReturnArgs);
\ No newline at end of file
diff --git a/Voyager (2004-1709)/UefiMain.c b/Voyager (2004-1709)/UefiMain.c
index 4baa787..22c5830 100644
--- a/Voyager (2004-1709)/UefiMain.c
+++ b/Voyager (2004-1709)/UefiMain.c
@@ -1,5 +1,4 @@
 #include "BootMgfw.h"
-#include
 CHAR8* gEfiCallerBaseName = "Voyager";
 const UINT32 _gUefiDriverRevision = 0x200;
@@ -7,7 +6,9 @@ const UINT32 _gUefiDriverRevision = 0x200;
 EFI_STATUS EFIAPI UefiUnload(
 IN EFI_HANDLE ImageHandle
 )
-{ return EFI_SUCCESS; }
+{
+ return EFI_SUCCESS;
+}
 EFI_STATUS EFIAPI UefiMain
 (
@@ -16,31 +17,17 @@ EFI_STATUS EFIAPI UefiMain
 )
 {
 EFI_STATUS Result;
- EFI_HANDLE BootMgfwHandle;
- EFI_DEVICE_PATH* BootMgfwPath;
-
- if (EFI_ERROR((Result = GetBootMgfwPath(&BootMgfwPath))))
- {
- Print(L"unable to get bootmgfw file path... reason -> %r\n", Result);
- return EFI_NOT_FOUND;
- }
-
- if (EFI_ERROR((Result = gBS->LoadImage(TRUE, ImageHandle, BootMgfwPath, NULL, 0, &BootMgfwHandle))))
- {
- Print(L"failed to load bootmgfw.efi...\n");
- return EFI_ABORTED;
- }
-
- if (EFI_ERROR(InstallBootMgfwHooks(BootMgfwHandle)))
+ EFI_DEVICE_PATH_PROTOCOL* BootMgfwPath;
+ if (EFI_ERROR((Result = RestoreBootMgfw())))
 {
- Print(L"Failed to install bootmgfw hooks...\n");
- return EFI_ABORTED;
+ DBG_PRINT("unable to get bootmgfw path... reason -> %r\n", Result);
+ return Result;
 }
- if (EFI_ERROR(gBS->StartImage(BootMgfwHandle, NULL, NULL)))
+ if (EFI_ERROR((Result = InstallBootMgfwHooks(ImageHandle))))
 {
- Print(L"Failed to start bootmgfw.efi...\n");
- return EFI_ABORTED;
+ DBG_PRINT("Failed to install bootmgfw hooks... reason -> %r\n", Result);
+ return Result;
 }
 return EFI_SUCCESS;
 }
\ No newline at end of file