added 1909 signature/mask

merge-requests/1/merge
xerox 4 years ago
parent 05400259c7
commit b420c21f6f

@ -176,6 +176,7 @@
<ClCompile Include="vmexit_handler.cpp" /> <ClCompile Include="vmexit_handler.cpp" />
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClInclude Include="ia32.hpp" />
<ClInclude Include="types.h" /> <ClInclude Include="types.h" />
</ItemGroup> </ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />

@ -19,5 +19,8 @@
<ClInclude Include="types.h"> <ClInclude Include="types.h">
<Filter>Header Files</Filter> <Filter>Header Files</Filter>
</ClInclude> </ClInclude>
<ClInclude Include="ia32.hpp">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup> </ItemGroup>
</Project> </Project>


@ -44,5 +44,4 @@ typedef struct _VOYAGER_DATA_T
uintptr_t record_size; uintptr_t record_size;
} VOYAGER_DATA_T, *PVOYAGER_DATA_T; } VOYAGER_DATA_T, *PVOYAGER_DATA_T;
#pragma pack(pop) #pragma pack(pop)
__declspec(dllexport) inline VOYAGER_DATA_T voyager_context; __declspec(dllexport) inline VOYAGER_DATA_T voyager_context;

@ -1,9 +1,9 @@
#include "types.h" #include "types.h"
#include "ia32.hpp"
void vmexit_handler(pcontext_t* context, void* unknown) void vmexit_handler(pcontext_t* context, void* unknown)
{ {
DBG_PRINT("vmexit called....\n"); //DBG_PRINT("vmexit called....\n");
// when hyper-v gets remapped out of winload's context // when hyper-v gets remapped out of winload's context
// the linear virtual addresses change... thus an adjustment is required... // the linear virtual addresses change... thus an adjustment is required...
reinterpret_cast<vmexit_handler_t>( reinterpret_cast<vmexit_handler_t>(
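Review bot: The disabled trace on the DBG_PRINT line is left as commented-out code with no explanation, so the next reader cannot tell whether it is dead or merely parked; either delete it or gate it behind a compile-time switch and say why it is off, e.g. `// no DBG_PRINT here: this path runs on every VM exit (TODO confirm that is why it was disabled)`. The `void* unknown` parameter is still undocumented; if its meaning is not yet known, a `// second argument forwarded from hyper-v's call site; semantics not yet identified` comment is more honest than the bare name. vmexit_handler's body continues past the end of the hunk.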

@ -95,8 +95,8 @@ VOID MakeVoyagerData
FindPattern( FindPattern(
HypervAlloc, HypervAlloc,
HypervAllocSize, HypervAllocSize,
VMEXIT_HANDLER, VMEXIT_HANDLER_SIG,
"xxxxxxxxxxxxx?xxxx?x????x" VMEXIT_HANDLER_MASK
); );
/* /*
@ -110,6 +110,11 @@ VOID MakeVoyagerData
UINT64 VmExitHandlerCallRip = (UINT64)VmExitHandlerCall + 5; // + 5 bytes because "call vmexit_c_handler" is 5 bytes UINT64 VmExitHandlerCallRip = (UINT64)VmExitHandlerCall + 5; // + 5 bytes because "call vmexit_c_handler" is 5 bytes
UINT64 VmExitFunction = VmExitHandlerCallRip + *(INT32*)((UINT64)(VmExitHandlerCall + 1)); // + 1 to skip E8 (call) and read 4 bytes (RVA) UINT64 VmExitFunction = VmExitHandlerCallRip + *(INT32*)((UINT64)(VmExitHandlerCall + 1)); // + 1 to skip E8 (call) and read 4 bytes (RVA)
VoyagerData->VmExitHandlerRva = ((UINT64)GetGoldenRecordEntry(GoldenRecordAlloc)) - (UINT64)VmExitFunction; VoyagerData->VmExitHandlerRva = ((UINT64)GetGoldenRecordEntry(GoldenRecordAlloc)) - (UINT64)VmExitFunction;
DBG_PRINT("VmExitHandlerRva -> 0x%x\n", VoyagerData->VmExitHandlerRva);
DBG_PRINT("VmExitFunction -> 0x%p\n", VmExitFunction);
DBG_PRINT("VmExitHandlerCallRip -> 0x%p\n", VmExitHandlerCallRip);
DBG_PRINT("VmExitHandlerCall -> 0x%p\n", VmExitHandlerCall);
} }
VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook) VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook)
@ -118,8 +123,8 @@ VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook)
FindPattern( FindPattern(
HypervBase, HypervBase,
HypervSize, HypervSize,
VMEXIT_HANDLER, VMEXIT_HANDLER_SIG,
"xxxxxxxxxxxxx?xxxx?x????x" VMEXIT_HANDLER_MASK
); );
/* /*
@ -134,5 +139,7 @@ VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook)
UINT64 VmExitFunction = VmExitHandlerCallRip + *(INT32*)((UINT64)(VmExitHandlerCall + 1)); // + 1 to skip E8 (call) and read 4 bytes (RVA) UINT64 VmExitFunction = VmExitHandlerCallRip + *(INT32*)((UINT64)(VmExitHandlerCall + 1)); // + 1 to skip E8 (call) and read 4 bytes (RVA)
INT32 NewVmExitRVA = ((INT64)VmExitHook) - VmExitHandlerCallRip; INT32 NewVmExitRVA = ((INT64)VmExitHook) - VmExitHandlerCallRip;
*(INT32*)((UINT64)(VmExitHandlerCall + 1)) = NewVmExitRVA; *(INT32*)((UINT64)(VmExitHandlerCall + 1)) = NewVmExitRVA;
DBG_PRINT("NewVmExitRVA -> 0x%x\n", NewVmExitRVA);
return VmExitFunction; return VmExitFunction;
} }
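Review bot: Nothing visible in either function guards `VmExitHandlerCall` before `*(INT32*)((UINT64)(VmExitHandlerCall + 1))` is read in MakeVoyagerData and written in HookVmExit, and this commit makes a pattern miss more likely by selecting VMEXIT_HANDLER_SIG per WINVER (three of the listed versions carry an empty signature). If the lines elided between the hunks do not already check FindPattern's result, add `if (!VmExitHandlerCall) { DBG_PRINT("vmexit signature not found!\n"); return NULL; }` before the RIP arithmetic in HookVmExit (and a plain `return;` equivalent in MakeVoyagerData), so a wrong signature fails loudly at boot instead of writing a rel32 at address 1. Separately, the new `DBG_PRINT("VmExitHandlerRva -> 0x%x\n", ...)` passes a UINT64 to `%x`; if DBG_PRINT follows EDK2 PrintLib conventions that prints only the low 32 bits, so `%lx` (or `%p`, as the neighbouring prints use) is safer. Both functions begin before the first hunk and the region between the hunks is not shown.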

@ -1,6 +1,25 @@
#pragma once #pragma once
#include "TheGoldenRecord.h" #include "TheGoldenRecord.h"
#define VMEXIT_HANDLER "\x65\xC6\x04\x25\x6D\x00\x00\x00\x00\x48\x8B\x4C\x24\x20\x48\x8B\x54\x24\x30\xE8\x6B\xBF\xFE\xFF\xE9"
#if WINVER == 2004
#define VMEXIT_HANDLER_SIG "\x65\xC6\x04\x25\x6D\x00\x00\x00\x00\x48\x8B\x4C\x24\x00\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9"
#define VMEXIT_HANDLER_MASK "xxxxxxxxxxxxx?xxxx?x????x"
#elif WINVER == 1909
#define VMEXIT_HANDLER_SIG "\x48\x8B\x4C\x24\x00\xEB\x07\xE8\x00\x00\x00\x00\xEB\xF2\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9"
#define VMEXIT_HANDLER_MASK "xxxx?xxx????xxxxxx?x????x"
#elif WINVER == 1903
#define VMEXIT_HANDLER_SIG
#define VMEXIT_HANDLER_MASK
#elif WINVER == 1809
#define VMEXIT_HANDLER_SIG
#define VMEXIT_HANDLER_MASK
#elif WINVER == 1803
#define VMEXIT_HANDLER_SIG
#define VMEXIT_HANDLER_MASK
#endif
static_assert(sizeof(VMEXIT_HANDLER_SIG) == sizeof(VMEXIT_HANDLER_MASK), "signature does not match mask size!");
static_assert(sizeof(VMEXIT_HANDLER_SIG) == 26, "signature is invalid length!");
// //
// AllocBase is the base address of the extra memory allocated below where hyper-v is // AllocBase is the base address of the extra memory allocated below where hyper-v is
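Review bot: The 1903/1809/1803 branches define VMEXIT_HANDLER_SIG and VMEXIT_HANDLER_MASK as empty, and an unlisted or undefined WINVER defines nothing at all, so in both cases the failure surfaces as a confusing `sizeof()` syntax error or undeclared-identifier error at the static_assert rather than a message naming the cause; replace the empty branches with `#else` / `#error "VMEXIT_HANDLER_SIG/MASK only recorded for WINVER 2004 and 1909"` (or put an `#error` in each placeholder branch). It would also help to document the invariant the two recorded signatures share, since the call-site arithmetic in the .c file appears to depend on it: `// both signatures are 25 bytes and place the E8 of "call vmexit_c_handler" at offset 19 — keep that when adding a version` (confirm against the offset applied after FindPattern, which is outside this hunk). WINVER is also the name of a well-known Windows SDK macro; harmless in a UEFI build, but a project-prefixed name would avoid a silent clash if these headers are ever shared.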

@ -44,13 +44,13 @@ unsigned char GoldenRecord[3072] =
0x6A, 0xDE, 0x5F, 0x8E, 0xDC, 0xAF, 0x5D, 0x8F, 0x6A, 0xDE, 0x5F, 0x8E, 0x6A, 0xDE, 0x5F, 0x8E, 0xDC, 0xAF, 0x5D, 0x8F, 0x6A, 0xDE, 0x5F, 0x8E,
0x52, 0x69, 0x63, 0x68, 0x6B, 0xDE, 0x5F, 0x8E, 0x00, 0x00, 0x00, 0x00, 0x52, 0x69, 0x63, 0x68, 0x6B, 0xDE, 0x5F, 0x8E, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x50, 0x45, 0x00, 0x00, 0x64, 0x86, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x45, 0x00, 0x00, 0x64, 0x86, 0x05, 0x00,
0xFD, 0x47, 0x6A, 0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF4, 0xE7, 0x6A, 0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xF0, 0x00, 0x22, 0x20, 0x0B, 0x02, 0x0E, 0x1B, 0x00, 0x02, 0x00, 0x00, 0xF0, 0x00, 0x22, 0x20, 0x0B, 0x02, 0x0E, 0x1B, 0x00, 0x02, 0x00, 0x00,
0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00,
0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00,
0x0A, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x60, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x2B, 0x34, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x64, 0x8F, 0x00, 0x00,
0x01, 0x00, 0x60, 0x01, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x60, 0x01, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@ -66,10 +66,10 @@ unsigned char GoldenRecord[3072] =
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x00, 0x00, 0x00,
0x35, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00,
0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x68, 0x2E, 0x72, 0x64, 0x61, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x68, 0x2E, 0x72, 0x64, 0x61,
0x74, 0x61, 0x00, 0x00, 0x30, 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x74, 0x61, 0x00, 0x00, 0x20, 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00,
0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x48,
0x2E, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x2E, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00,
@ -114,31 +114,10 @@ unsigned char GoldenRecord[3072] =
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x10, 0x48, 0x89, 0x4C, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x10, 0x48, 0x89, 0x4C,
0x24, 0x08, 0x56, 0x48, 0x83, 0xEC, 0x40, 0x48, 0x8D, 0x05, 0xAA, 0x00, 0x24, 0x08, 0x48, 0x83, 0xEC, 0x38, 0x48, 0x8D, 0x05, 0xEB, 0xFF, 0xFF,
0x00, 0x00, 0x66, 0xBA, 0xF8, 0x02, 0x48, 0x8B, 0xF0, 0xB9, 0x13, 0x00, 0xFF, 0x48, 0x2B, 0x05, 0xE4, 0x1F, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24,
0x00, 0x00, 0xF3, 0x6E, 0x48, 0x83, 0x3D, 0xD4, 0x1F, 0x00, 0x00, 0x00, 0x20, 0x48, 0x8B, 0x54, 0x24, 0x48, 0x48, 0x8B, 0x4C, 0x24, 0x40, 0xFF,
0x74, 0x15, 0x48, 0x8D, 0x05, 0xAB, 0x00, 0x00, 0x00, 0x66, 0xBA, 0xF8, 0x54, 0x24, 0x20, 0x48, 0x83, 0xC4, 0x38, 0xC3, 0x00, 0x00, 0x00, 0x00,
0x02, 0x48, 0x8B, 0xF0, 0xB9, 0x26, 0x00, 0x00, 0x00, 0xF3, 0x6E, 0x48,
0x8D, 0x05, 0xC6, 0x00, 0x00, 0x00, 0x66, 0xBA, 0xF8, 0x02, 0x48, 0x8B,
0xF0, 0xB9, 0x25, 0x00, 0x00, 0x00, 0xF3, 0x6E, 0x48, 0x8D, 0x05, 0xA1,
0xFF, 0xFF, 0xFF, 0x48, 0x89, 0x44, 0x24, 0x28, 0xC7, 0x44, 0x24, 0x20,
0x00, 0x00, 0x00, 0x00, 0xEB, 0x0A, 0x8B, 0x44, 0x24, 0x20, 0xFF, 0xC0,
0x89, 0x44, 0x24, 0x20, 0x83, 0x7C, 0x24, 0x20, 0x08, 0x73, 0x10, 0x8B,
0x44, 0x24, 0x20, 0x66, 0xBA, 0xF8, 0x02, 0x0F, 0xB6, 0x44, 0x04, 0x28,
0xEE, 0xEB, 0xDF, 0x48, 0x8D, 0x05, 0x6A, 0xFF, 0xFF, 0xFF, 0x48, 0x2B,
0x05, 0x63, 0x1F, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8B,
0x54, 0x24, 0x58, 0x48, 0x8B, 0x4C, 0x24, 0x50, 0xFF, 0x54, 0x24, 0x30,
0x48, 0x83, 0xC4, 0x40, 0x5E, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0x76, 0x6D, 0x65, 0x78, 0x69, 0x74, 0x20, 0x63,
0x61, 0x6C, 0x6C, 0x65, 0x64, 0x2E, 0x2E, 0x2E, 0x2E, 0x0A, 0x00, 0xCC,
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0x6F, 0x72, 0x69, 0x67, 0x69, 0x6E, 0x61, 0x6C, 0x20, 0x76, 0x6D, 0x65,
0x78, 0x69, 0x74, 0x20, 0x68, 0x61, 0x6E, 0x64, 0x6C, 0x65, 0x72, 0x20,
0x69, 0x73, 0x20, 0x6E, 0x6F, 0x74, 0x20, 0x6E, 0x75, 0x6C, 0x6C, 0x21,
0x0A, 0x00, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
0x63, 0x61, 0x6C, 0x6C, 0x69, 0x6E, 0x67, 0x20, 0x6F, 0x72, 0x69, 0x67,
0x69, 0x6E, 0x61, 0x6C, 0x20, 0x76, 0x6D, 0x65, 0x78, 0x69, 0x74, 0x20,
0x68, 0x61, 0x6E, 0x64, 0x6C, 0x65, 0x72, 0x2E, 0x2E, 0x2E, 0x2E, 0x0A,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@ -156,32 +135,53 @@ unsigned char GoldenRecord[3072] =
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xFD, 0x47, 0x6A, 0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xF4, 0xE7, 0x6A, 0x5F, 0x00, 0x00, 0x00, 0x00,
0x02, 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00,
0x38, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFD, 0x47, 0x6A, 0x5F, 0x38, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF4, 0xE7, 0x6A, 0x5F,
0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
0x94, 0x20, 0x00, 0x00, 0x94, 0x06, 0x00, 0x00, 0x52, 0x53, 0x44, 0x53, 0x94, 0x20, 0x00, 0x00, 0x94, 0x06, 0x00, 0x00, 0x52, 0x53, 0x44, 0x53,
0x81, 0x50, 0x3F, 0x70, 0x94, 0x55, 0xE7, 0x4B, 0xAE, 0x3B, 0x1D, 0x5A, 0xA4, 0x3E, 0xC7, 0x7A, 0x06, 0xD4, 0x85, 0x42, 0xB6, 0x5B, 0xEF, 0x6F,
0x58, 0x81, 0x93, 0xE4, 0x01, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x55, 0x7E, 0x70, 0x62, 0x84, 0x08, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x55,
0x73, 0x65, 0x72, 0x73, 0x5C, 0x78, 0x65, 0x72, 0x6F, 0x78, 0x5C, 0x44, 0x73, 0x65, 0x72, 0x73, 0x5C, 0x78, 0x65, 0x72, 0x6F, 0x78, 0x5C, 0x44,
0x65, 0x73, 0x6B, 0x74, 0x6F, 0x70, 0x5C, 0x76, 0x6F, 0x79, 0x61, 0x67, 0x65, 0x73, 0x6B, 0x74, 0x6F, 0x70, 0x5C, 0x76, 0x6F, 0x79, 0x61, 0x67,
0x65, 0x72, 0x2D, 0x31, 0x5C, 0x78, 0x36, 0x34, 0x5C, 0x52, 0x65, 0x6C, 0x65, 0x72, 0x2D, 0x31, 0x5C, 0x78, 0x36, 0x34, 0x5C, 0x52, 0x65, 0x6C,
0x65, 0x61, 0x73, 0x65, 0x5C, 0x54, 0x68, 0x65, 0x47, 0x6F, 0x6C, 0x64, 0x65, 0x61, 0x73, 0x65, 0x5C, 0x54, 0x68, 0x65, 0x47, 0x6F, 0x6C, 0x64,
0x65, 0x6E, 0x52, 0x65, 0x63, 0x6F, 0x72, 0x64, 0x2E, 0x70, 0x64, 0x62, 0x65, 0x6E, 0x52, 0x65, 0x63, 0x6F, 0x72, 0x64, 0x2E, 0x70, 0x64, 0x62,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
0xC0, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x6D, 0x6E, 0x34, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x6D, 0x6E,
0x00, 0x00, 0x00, 0x00, 0xC0, 0x10, 0x00, 0x00, 0x75, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00,
0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x73, 0x00, 0x00, 0x20, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00,
0x38, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0xDC, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x24, 0x7A,
0x38, 0x20, 0x00, 0x00, 0xEC, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61, 0x7A, 0x7A, 0x64, 0x62, 0x67, 0x00, 0x00, 0x00, 0x14, 0x21, 0x00, 0x00,
0x74, 0x61, 0x24, 0x7A, 0x7A, 0x7A, 0x64, 0x62, 0x67, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x2E, 0x78, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00,
0x24, 0x21, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x2E, 0x78, 0x64, 0x61, 0x00, 0x30, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x2E, 0x62, 0x73, 0x73,
0x74, 0x61, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00,
0x2E, 0x62, 0x73, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x2E, 0x70, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00,
0x0C, 0x00, 0x00, 0x00, 0x2E, 0x70, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x6D, 0x00, 0x00, 0x00, 0x2E, 0x65, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00,
0x00, 0x50, 0x00, 0x00, 0x6D, 0x00, 0x00, 0x00, 0x2E, 0x65, 0x64, 0x61, 0x02, 0x0E, 0x03, 0x00, 0x01, 0x16, 0x00, 0x06, 0x0E, 0x62, 0x00, 0x00,
0x74, 0x61, 0x00, 0x00, 0x02, 0x0F, 0x04, 0x00, 0x02, 0x16, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0F, 0x72, 0x0B, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@ -199,7 +199,7 @@ unsigned char GoldenRecord[3072] =
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
0xB6, 0x10, 0x00, 0x00, 0x24, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x34, 0x10, 0x00, 0x00, 0x14, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

@ -1,5 +1,12 @@
#pragma once #pragma once
#include "Utils.h" #include "Utils.h"
//
// this payload gets mapped into hyper-v's context by extending .reloc section
// and making .reloc RWX, when hyper-v gets remapped out of winload's context
// our module will be remapped with hyper-v, linear virtual address's will change
// but RVA's will be the same... do not shithook hyper-v whilst its in winload!
//
extern unsigned char GoldenRecord[3072]; extern unsigned char GoldenRecord[3072];
#pragma pack(push, 1) #pragma pack(push, 1)
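Review bot: The new comment explains how the payload is mapped but not what is inside the blob, and the GoldenRecord[] bytes in this same commit still carry an RSDS debug record with the full PDB path (`C:\Users\xerox\Desktop\voyager-1\x64\Release\TheGoldenRecord.pdb`) — a username and build path embedded into code that is written into hyper-v, and a trivial byte signature for anyone scanning memory for it. Build TheGoldenRecord with debug info stripped (`/DEBUG:NONE`, or drop the `.rdata$zzzdbg` contents when the array is generated) and record that requirement next to the declaration: `// GoldenRecord is the TheGoldenRecord build output byte-for-byte; build it without a debug directory so no PDB path is shipped`. The warning about not hooking while hyper-v is still in winload's context is the most important sentence here and would read better as the first line of the comment.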

@ -1,5 +1,6 @@
#pragma once #pragma once
#include "ShitHook.h" #include "ShitHook.h"
#define WINVER 1909 // can be 1909, 1903, 1809, or 1803
#define PORT_NUM 0x2F8 #define PORT_NUM 0x2F8
#define BL_MEMORY_ATTRIBUTE_RWX 0x424000 #define BL_MEMORY_ATTRIBUTE_RWX 0x424000
#define SECTION_RWX (EFI_IMAGE_SCN_MEM_READ | EFI_IMAGE_SCN_MEM_WRITE | EFI_IMAGE_SCN_MEM_EXECUTE) #define SECTION_RWX (EFI_IMAGE_SCN_MEM_READ | EFI_IMAGE_SCN_MEM_WRITE | EFI_IMAGE_SCN_MEM_EXECUTE)
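Review bot: The comment on the new `#define WINVER 1909` lists 1903, 1809 and 1803 as valid values but omits 2004, while the signature header in this commit does the opposite: only 2004 and 1909 have a signature and mask, the other three are empty placeholders. One of the two will mislead whoever changes this next; `#define WINVER 1909 // 2004 or 1909 (signatures recorded); 1903/1809/1803 have no signature yet` matches what actually builds. Wrapping the define in `#ifndef WINVER` would also let the target version be set from the project configuration instead of by editing a shared header.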

@ -9,10 +9,6 @@
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier> <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions> <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
</Filter> </Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClCompile Include="UefiMain.c"> <ClCompile Include="UefiMain.c">

@ -2,7 +2,6 @@
SHITHOOK WinLoadImageShitHook; SHITHOOK WinLoadImageShitHook;
SHITHOOK WinLoadAllocateImageHook; SHITHOOK WinLoadAllocateImageHook;
SHITHOOK VmExitHandlerShitHook;
BOOLEAN HookedHyperV = FALSE; BOOLEAN HookedHyperV = FALSE;
BOOLEAN HyperVloading = FALSE; BOOLEAN HyperVloading = FALSE;
@ -10,6 +9,7 @@ BOOLEAN ExtendedAllocation = FALSE;
UINT64 AllocationCount = 0; UINT64 AllocationCount = 0;
CHAR8 ModuleNameStr[0x100]; CHAR8 ModuleNameStr[0x100];
// thank you cr4sh! ::::)
EFI_STATUS EFIAPI BlLdrLoadImage(VOID* Arg1, CHAR16* ModulePath, CHAR16* ModuleName, VOID* Arg4, VOID* Arg5, VOID* Arg6, VOID* Arg7, PPLDR_DATA_TABLE_ENTRY lplpTableEntry, EFI_STATUS EFIAPI BlLdrLoadImage(VOID* Arg1, CHAR16* ModulePath, CHAR16* ModuleName, VOID* Arg4, VOID* Arg5, VOID* Arg6, VOID* Arg7, PPLDR_DATA_TABLE_ENTRY lplpTableEntry,
VOID* Arg9, VOID* Arg10, VOID* Arg11, VOID* Arg12, VOID* Arg13, VOID* Arg14, VOID* Arg15, VOID* Arg16) VOID* Arg9, VOID* Arg10, VOID* Arg11, VOID* Arg12, VOID* Arg13, VOID* Arg14, VOID* Arg15, VOID* Arg16)
{ {
@ -70,7 +70,6 @@ EFI_STATUS EFIAPI BlLdrLoadImage(VOID* Arg1, CHAR16* ModulePath, CHAR16* ModuleN
} }
} }
// This fixes the allocation size to include whatever we want... dont ask me why this works it just does... LOL
HypervNtHeader->OptionalHeader.SizeOfImage += GetGoldenRecordSize(); HypervNtHeader->OptionalHeader.SizeOfImage += GetGoldenRecordSize();
TableEntry->SizeOfImage += GetGoldenRecordSize(); TableEntry->SizeOfImage += GetGoldenRecordSize();
} }
@ -103,5 +102,7 @@ UINT64 EFIAPI BlImgAllocateImageBuffer(VOID** imageBuffer, UINTN imageSize, UINT
DisableShitHook(&WinLoadAllocateImageHook); DisableShitHook(&WinLoadAllocateImageHook);
UINT64 Result = ((ALLOCATE_IMAGE_BUFFER)WinLoadAllocateImageHook.Address)(imageBuffer, imageSize, memoryType, attributes, unused, flags); UINT64 Result = ((ALLOCATE_IMAGE_BUFFER)WinLoadAllocateImageHook.Address)(imageBuffer, imageSize, memoryType, attributes, unused, flags);
EnableShitHook(&WinLoadAllocateImageHook); EnableShitHook(&WinLoadAllocateImageHook);
DBG_PRINT("Allocated memory -> 0x%p, size -> 0x%x\n", *imageBuffer, imageSize);
return Result; return Result;
} }
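Review bot: The new `DBG_PRINT("Allocated memory -> 0x%p, size -> 0x%x\n", *imageBuffer, imageSize)` prints a UINTN with `%x`; if DBG_PRINT follows EDK2 PrintLib conventions that shows only the low 32 bits of the size, so `%lx` (or a cast the formatter is known to handle) is safer. It also prints `*imageBuffer` unconditionally, before `Result` has been looked at, so a failed allocation may log whatever was left in the out-parameter as if it were a valid buffer; printing `Result` alongside, or logging only on success, would make the trace trustworthy. BlImgAllocateImageBuffer starts before this hunk.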