diff --git a/Voyager-2/PayLoad/types.h b/Voyager-2/PayLoad/types.h
index 1659148..7d77fc4 100644
--- a/Voyager-2/PayLoad/types.h
+++ b/Voyager-2/PayLoad/types.h
@@ -1,14 +1,43 @@
-#pragma once
+#pragma once
 #include
 #include
 #include
 #include
 #include
-#define PORT_NUM 0x2F8
+
+#define WINVER 1709
 #define VMEXIT_KEY 0xDEADBEEFDEADBEEF
+
+#define PORT_NUM 0x2F8
 #define DBG_PRINT(arg) \
 __outbytestring(PORT_NUM, (unsigned char*)arg, sizeof arg);
+#if WINVER == 2004
+#define offset_vmcb_base 0x103B0
+#define offset_vmcb_link 0x198
+#define offset_vmcb 0xE80
+#elif WINVER == 1909
+#define offset_vmcb_base 0x83B0
+#define offset_vmcb_link 0x190
+#define offset_vmcb 0xD00
+#elif WINVER == 1903
+#define offset_vmcb_base 0x83B0
+#define offset_vmcb_link 0x190
+#define offset_vmcb 0xD00
+#elif WINVER == 1809
+#define offset_vmcb_base 0x83B0
+#define offset_vmcb_link 0x198
+#define offset_vmcb 0xD00
+#elif WINVER == 1803
+#define offset_vmcb_base 0x82F0
+#define offset_vmcb_link 0x168
+#define offset_vmcb 0xCC0
+#elif WINVER == 1709
+#define offset_vmcb_base 0x82F0
+#define offset_vmcb_link 0x88
+#define offset_vmcb 0xC80
+#endif
+
 using u8 = unsigned char;
 using u16 = unsigned short;
 using u32 = unsigned int;
@@ -325,11 +354,11 @@ namespace svm
 u16 trattrib; // +0x092
 u32 trlimit; // +0x094
 u64 trbase; // +0x098
- u8 reserved_1[0x0cb - 0x0a0]; // +0x0a0
+ u8 reserved_1[0x0cb - 0x0a0]; // +0x0a0
 u8 cpl; // +0x0cb
- u32 reserved_2; // +0x0cc
+ u32 reserved_2; // +0x0cc
 u64 efer; // +0x0d0
- u8 reserved_3[0x148 - 0x0d8]; // +0x0d8
+ u8 reserved_3[0x148 - 0x0d8]; // +0x0d8
 u64 cr4; // +0x148
 u64 cr3; // +0x150
 u64 cr0; // +0x158
@@ -337,7 +366,7 @@ namespace svm
 u64 dr6; // +0x168
 u64 rflags; // +0x170
 u64 rip; // +0x178
- u8 reserved_4[0x1d8 - 0x180]; // +0x180
+ u8 reserved_4[0x1d8 - 0x180]; // +0x180
 u64 rsp; // +0x1d8
 u8 reserved5[0x1f8 - 0x1e0]; // +0x1e0
 u64 rax; // +0x1f8
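Review bot: The `#if WINVER == 2004 … #elif WINVER == 1709` chain ends with a bare `#endif`, so any WINVER value outside the list leaves `offset_vmcb_base`, `offset_vmcb_link` and `offset_vmcb` undefined and the failure only shows up as an undeclared identifier at the use site in vmexit_handler.cpp; add `#else` / `#error "types.h: no vmcb offsets defined for this WINVER"` before the `#endif`. WINVER is now defined independently here (`#define WINVER 1709`) and in the Utils.h hunk at the end of this diff, with nothing checking that the two agree, so the payload and the loader can quietly be built for different kernel builds; at minimum a comment at both definitions saying they must be changed together is needed. The 1909 and 1903 branches carry identical values and could be folded into one `#elif WINVER == 1909 || WINVER == 1903` branch. A one-line comment above the chain describing what the three offsets are applied to (the pointer walk that the removed comment in vmexit_handler.cpp used to document) would make the table self-describing.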
diff --git a/Voyager-2/PayLoad/vmexit_handler.cpp b/Voyager-2/PayLoad/vmexit_handler.cpp
index 2f43d55..2243d1f 100644
--- a/Voyager-2/PayLoad/vmexit_handler.cpp
+++ b/Voyager-2/PayLoad/vmexit_handler.cpp
@@ -2,11 +2,11 @@ svm::pgs_base_struct vmexit_handler(void* unknown, svm::pguest_context context)
 {
- // gs:0 + 0x103B0 ] + 0x198 ] + 0xE80 ] = pointer to vmcb...
 const auto vmcb = *reinterpret_cast(
- *reinterpret_cast(
- *reinterpret_cast(
- __readgsqword(0) + 0x103B0) + 0x198) + 0xE80);
+ *reinterpret_cast(
+ *reinterpret_cast(
+ __readgsqword(0) + offset_vmcb_base) +
+ offset_vmcb_link) + offset_vmcb);
 if (vmcb->exitcode == VMEXIT_CPUID && context->rcx == VMEXIT_KEY)
 {
@@ -16,6 +16,6 @@ svm::pgs_base_struct vmexit_handler(void* unknown, svm::pguest_context context)
 }
 return reinterpret_cast(
- reinterpret_cast(&vmexit_handler) -
+ reinterpret_cast(&vmexit_handler) -
 svm::voyager_context.vcpu_run_rva)(unknown, context);
 }
\ No newline at end of file
diff --git a/Voyager-2/Voyager-2 (2004-1709)/Hvax64.h b/Voyager-2/Voyager-2 (2004-1709)/Hvax64.h
index e129c34..a60d2f3 100644
--- a/Voyager-2/Voyager-2 (2004-1709)/Hvax64.h
+++ b/Voyager-2/Voyager-2 (2004-1709)/Hvax64.h
@@ -3,6 +3,7 @@
 #define VCPU_RUN_HANDLER_SIG "\xE8\x00\x00\x00\x00\x48\x89\x04\x24\xE9"
 #define VCPU_RUN_HANDLER_MASK "x????xxxxx"
+ static_assert(sizeof(VCPU_RUN_HANDLER_SIG) == sizeof(VCPU_RUN_HANDLER_MASK), "signature does not match mask size!"); //
diff --git a/Voyager-2/Voyager-2 (2004-1709)/PayLoad.c b/Voyager-2/Voyager-2 (2004-1709)/PayLoad.c
index 504ab5d..364a941 100644
--- a/Voyager-2/Voyager-2 (2004-1709)/PayLoad.c
+++ b/Voyager-2/Voyager-2 (2004-1709)/PayLoad.c
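Review bot: The removed comment `// gs:0 + 0x103B0 ] + 0x198 ] + 0xE80 ] = pointer to vmcb...` was the only description of the three-level pointer walk, and the new lines replace it with nothing but the macro names; keep a build-independent version above the `const auto vmcb =` line, e.g. `// gs:0 ] + offset_vmcb_base ] + offset_vmcb_link ] + offset_vmcb ] = vmcb (per-WINVER offsets live in types.h)`. The template arguments of the three `reinterpret_cast` calls are not visible in this rendering, so the cast types could not be checked here. The body of vmexit_handler continues past this hunk.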
@@ -26,7 +26,7 @@ VOID* PayLoadEntry(VOID* ModuleBase) return (UINT64)ModuleBase + RecordNtHeaders->OptionalHeader.AddressOfEntryPoint; } -unsigned char PayLoad[3072] = +unsigned char PayLoad[2560] = { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, @@ -44,13 +44,13 @@ unsigned char PayLoad[3072] = 0x6A, 0xDE, 0x5F, 0x8E, 0xDC, 0xAF, 0x5D, 0x8F, 0x6A, 0xDE, 0x5F, 0x8E, 0x52, 0x69, 0x63, 0x68, 0x6B, 0xDE, 0x5F, 0x8E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x45, 0x00, 0x00, 0x64, 0x86, 0x04, 0x00, - 0x09, 0x30, 0x76, 0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xAD, 0xAA, 0x76, 0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF0, 0x00, 0x22, 0x20, 0x0B, 0x02, 0x0E, 0x1B, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x50, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0xBD, 0xEB, 0x00, 0x00, + 0x00, 0x50, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x20, 0x8A, 0x00, 0x00, 0x01, 0x00, 0x60, 0x01, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
@@ -114,8 +114,8 @@ unsigned char PayLoad[3072] = 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x48, 0x8B, 0x04, 0x25, 0x00, 0x00, 0x00, - 0x00, 0x4C, 0x8B, 0x80, 0xB0, 0x03, 0x01, 0x00, 0x49, 0x8B, 0x80, 0x98, - 0x01, 0x00, 0x00, 0x4C, 0x8B, 0x80, 0x80, 0x0E, 0x00, 0x00, 0x49, 0x83, + 0x00, 0x4C, 0x8B, 0x80, 0xF0, 0x82, 0x00, 0x00, 0x49, 0x8B, 0x80, 0x88, + 0x00, 0x00, 0x00, 0x4C, 0x8B, 0x80, 0x80, 0x0C, 0x00, 0x00, 0x49, 0x83, 0x78, 0x70, 0x72, 0x75, 0x33, 0x48, 0xB8, 0xEF, 0xBE, 0xAD, 0xDE, 0xEF, 0xBE, 0xAD, 0xDE, 0x48, 0x39, 0x42, 0x08, 0x75, 0x23, 0x49, 0x8B, 0x80, 0xC8, 0x00, 0x00, 0x00, 0x49, 0x89, 0x80, 0x78, 0x05, 0x00, 0x00, 0x49, 
@@ -156,13 +156,13 @@ unsigned char PayLoad[3072] = 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x09, 0x30, 0x76, 0x5F, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xAD, 0xAA, 0x76, 0x5F, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00, - 0x38, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x30, 0x76, 0x5F, + 0x38, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAD, 0xAA, 0x76, 0x5F, 0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x94, 0x20, 0x00, 0x00, 0x94, 0x06, 0x00, 0x00, 0x52, 0x53, 0x44, 0x53, - 0x51, 0x03, 0x11, 0xDB, 0xF4, 0x60, 0xA2, 0x45, 0xAB, 0x86, 0x08, 0xEA, - 0xF0, 0xD5, 0x9A, 0x0A, 0x03, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x55, + 0x35, 0xAA, 0x1D, 0x11, 0xD6, 0x5E, 0x2B, 0x42, 0x99, 0xE3, 0x79, 0xBA, + 0x66, 0x84, 0x9F, 0x18, 0x05, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x55, 0x73, 0x65, 0x72, 0x73, 0x5C, 0x78, 0x65, 0x72, 0x6F, 0x78, 0x5C, 0x44, 0x65, 0x73, 0x6B, 0x74, 0x6F, 0x70, 0x5C, 0x76, 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x5C, 0x56, 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x2D, 0x32, diff --git a/Voyager-2/Voyager-2 (2004-1709)/PayLoad.h b/Voyager-2/Voyager-2 (2004-1709)/PayLoad.h index 172565f..9bb7f81 100644 --- a/Voyager-2/Voyager-2 (2004-1709)/PayLoad.h +++ b/Voyager-2/Voyager-2 (2004-1709)/PayLoad.h @@ -1,6 +1,6 @@ #pragma once #include "Utils.h" -extern unsigned char PayLoad[3072]; +extern unsigned char PayLoad[2560]; #pragma pack(push, 1) typedef struct _VOYAGER_T diff --git a/Voyager-2/Voyager-2 (2004-1709)/Utils.h b/Voyager-2/Voyager-2 (2004-1709)/Utils.h index 7b582fe..8b25594 100644 --- a/Voyager-2/Voyager-2 (2004-1709)/Utils.h +++ b/Voyager-2/Voyager-2 (2004-1709)/Utils.h 
@@ -1,6 +1,6 @@
 #pragma once
 #include "ShitHook.h"
-#define WINVER 2004
+#define WINVER 1709
 #define PORT_NUM 0x2F8
 #define BL_MEMORY_ATTRIBUTE_RWX 0x424000
 #define SECTION_RWX (EFI_IMAGE_SCN_MEM_READ | EFI_IMAGE_SCN_MEM_WRITE | EFI_IMAGE_SCN_MEM_EXECUTE)