diff --git a/Efi Bundler/Efi Bundler.vcxproj b/Efi Bundler/Efi Bundler.vcxproj new file mode 100644 index 0000000..399fcff --- /dev/null +++ b/Efi Bundler/Efi Bundler.vcxproj @@ -0,0 +1,161 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 16.0 + Win32Proj + {ee860038-e3dd-4329-8d44-df8b9ecbe420} + EfiBundler + 10.0 + + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + Application + true + v142 + Unicode + + + Application + false + v142 + true + Unicode + + + + + + + + + + + + + + + + + + + + + true + + + false + + + true + + + false + + + + Level3 + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + Level3 + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + Level3 + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + stdcpp17 + false + false + + + Console + true + + + + + Level3 + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + stdcpp17 + false + Disabled + false + + + Console + true + true + true + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/Efi Bundler/Efi Bundler.vcxproj.filters b/Efi Bundler/Efi Bundler.vcxproj.filters new file mode 100644 index 0000000..4fc8d9a --- /dev/null +++ b/Efi Bundler/Efi Bundler.vcxproj.filters @@ -0,0 +1,35 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd + + + + + Header Files + + + Header Files + + + Header Files + + + + + Source Files + + + Source Files + + + Source Files + + + \ No newline at end of file diff --git a/Efi Bundler/Efi Bundler.vcxproj.user b/Efi Bundler/Efi Bundler.vcxproj.user new file mode 100644 index 0000000..545fb0f --- /dev/null +++ b/Efi Bundler/Efi Bundler.vcxproj.user 
@@ -0,0 +1,11 @@ + + + + C:\Users\xerox\Desktop\bootmgfw.efi C:\Users\xerox\Desktop\voyager.efi + WindowsLocalDebugger + + + C:\Users\xerox\Desktop\bootmgfw.efi C:\Users\xerox\Desktop\voyager.efi + WindowsLocalDebugger + + \ No newline at end of file diff --git a/Efi Bundler/bundler.cpp b/Efi Bundler/bundler.cpp new file mode 100644 index 0000000..5d28d8a --- /dev/null +++ b/Efi Bundler/bundler.cpp 
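Review bot: `Efi Bundler.vcxproj.user` is a per-user Visual Studio settings file and the committed copy carries machine-specific debugger arguments including a local account name (`C:\Users\xerox\Desktop\...`). Files of this kind are normally listed in `.gitignore` rather than versioned, since each developer's IDE regenerates them locally and nothing in the build depends on them.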
@@ -0,0 +1,92 @@ +#include "bundler.h" + +namespace bundler +{ + std::pair add_section(std::vector& image, const char* name, std::size_t size, std::uint32_t protect) + { + auto align = [](std::uint32_t size, std::uint32_t align, std::uint32_t addr) -> std::uint32_t + { + if (!(size % align)) + return addr + size; + return addr + (size / align + 1) * align; + }; + + auto section_header = reinterpret_cast( + ((UINT64)&NT_HEADER(image.data())->OptionalHeader) + + NT_HEADER(image.data())->FileHeader.SizeOfOptionalHeader); + + auto new_section = §ion_header[NT_HEADER(image.data())->FileHeader.NumberOfSections]; + memset(new_section, NULL, sizeof(IMAGE_SECTION_HEADER)); + memcpy(new_section->Name, name, 8); + + new_section->Characteristics = protect; + section_header[NT_HEADER(image.data())->FileHeader.NumberOfSections].Misc.VirtualSize = + align(size, NT_HEADER(image.data())->OptionalHeader.SectionAlignment, NULL); + + new_section->VirtualAddress = align(section_header[ + NT_HEADER(image.data())->FileHeader.NumberOfSections - 1].Misc.VirtualSize, + NT_HEADER(image.data())->OptionalHeader.SectionAlignment, section_header[ + NT_HEADER(image.data())->FileHeader.NumberOfSections - 1].VirtualAddress); + + new_section->SizeOfRawData = + align(size, NT_HEADER(image.data())->OptionalHeader.FileAlignment, 0); + + new_section->PointerToRawData = + align(section_header[NT_HEADER(image.data())->FileHeader.NumberOfSections - 1].SizeOfRawData, + NT_HEADER(image.data())->OptionalHeader.FileAlignment, section_header[NT_HEADER(image.data())-> + FileHeader.NumberOfSections - 1].PointerToRawData); + + NT_HEADER(image.data())->OptionalHeader.SizeOfImage = section_header[ + NT_HEADER(image.data())->FileHeader.NumberOfSections].VirtualAddress + + section_header[NT_HEADER(image.data())->FileHeader.NumberOfSections].Misc.VirtualSize; + + ++NT_HEADER(image.data())->FileHeader.NumberOfSections; + auto raw_data_rva = new_section->PointerToRawData; + auto virt_data_rva = 
new_section->VirtualAddress; + auto raw_data_size = new_section->SizeOfRawData; + + image.resize(raw_data_rva + raw_data_size); + memset(image.data() + raw_data_rva, NULL, raw_data_size); + return { raw_data_rva, virt_data_rva }; + } + + // module_base is .efi section base in this case... + std::uint32_t map_module(std::uint8_t* module_base, std::vector& map_from) + { + // copy nt headers... + memcpy(module_base, map_from.data(), NT_HEADER(map_from.data())->OptionalHeader.SizeOfHeaders); + auto sections = reinterpret_cast( + (UINT8*)&NT_HEADER(map_from.data())->OptionalHeader + + NT_HEADER(map_from.data())->FileHeader.SizeOfOptionalHeader); + + // copy sections... + for (auto i = 0u; i < NT_HEADER(map_from.data())->FileHeader.NumberOfSections; ++i) + { + auto section = §ions[i]; + memcpy(module_base + section->VirtualAddress, map_from.data() + section->PointerToRawData, section->SizeOfRawData); + } + + return NT_HEADER(map_from.data())->OptionalHeader.AddressOfEntryPoint; + } + + void bundle(std::vector& bundle_into, std::vector& bundle_module) + { + auto [trp_section_disk, trp_section_virt] = add_section(bundle_into, ".trp", sizeof shellcode::stub, SECTION_RWX); + auto [mod_section_disk, mod_section_virt] = add_section(bundle_into, ".efi", bundle_module.size(), SECTION_RWX); + bundler::map_module(bundle_into.data() + mod_section_disk, bundle_module); + + std::printf("[+] added .trp section at rva -> 0x%x, size -> 0x%x\n", trp_section_virt, sizeof shellcode::stub); + std::printf("[+] added .efi section at rva -> 0x%x, size -> 0x%x\n", mod_section_virt, bundle_module.size()); + + // setup stub shellcode... 
+ *reinterpret_cast(&shellcode::stub[25]) = mod_section_virt - trp_section_virt; + *reinterpret_cast(&shellcode::stub[45]) = trp_section_virt; + *reinterpret_cast(&shellcode::stub[75]) = NT_HEADER(bundle_into.data())->OptionalHeader.AddressOfEntryPoint; + memcpy(bundle_into.data() + trp_section_disk, shellcode::stub, sizeof shellcode::stub); + std::printf("[+] added stub code to .trp section...\n"); + + // set entry point to .trp section... + NT_HEADER(bundle_into.data())->OptionalHeader.AddressOfEntryPoint = trp_section_virt; + std::printf("[+] changed base modules entry point to -> (.trp section base) 0x%x\n", trp_section_virt); + } +} \ No newline at end of file diff --git a/Efi Bundler/bundler.h b/Efi Bundler/bundler.h new file mode 100644 index 0000000..986d710 --- /dev/null +++ b/Efi Bundler/bundler.h @@ -0,0 +1,15 @@ +#pragma once +#include "shellcode.h" +#define SECTION_RWX ((IMAGE_SCN_MEM_WRITE | \ + IMAGE_SCN_CNT_CODE | \ + IMAGE_SCN_CNT_UNINITIALIZED_DATA | \ + IMAGE_SCN_MEM_EXECUTE | \ + IMAGE_SCN_CNT_INITIALIZED_DATA | \ + IMAGE_SCN_MEM_READ)) + +namespace bundler +{ + std::pair add_section(std::vector& image, const char* name, std::size_t size, std::uint32_t protect); + std::uint32_t map_module(std::uint8_t* module_base, std::vector& map_from); + void bundle(std::vector& bundle_into, std::vector& bundle_module); +} diff --git a/Efi Bundler/main.cpp b/Efi Bundler/main.cpp new file mode 100644 index 0000000..172bff7 --- /dev/null +++ b/Efi Bundler/main.cpp 
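Review bot: `memcpy(new_section->Name, name, 8)` in add_section copies eight bytes from `name`, but the only callers (in bundle) pass the five-byte literals ".trp" and ".efi", so three bytes past the end of each literal are read; a bounded copy such as `std::strncpy(reinterpret_cast<char*>(new_section->Name), name, IMAGE_SIZEOF_SHORT_NAME);` pads with zeros instead of over-reading. The two `std::printf` calls in bundle pass `sizeof shellcode::stub` and `bundle_module.size()` (both `size_t`) to `%x`, which is a mismatched conversion; `%zx` or an explicit cast to `unsigned` fixes it. add_section and map_module also take `e_lfanew`, `NumberOfSections` and the per-section `PointerToRawData`/`SizeOfRawData` straight from the input files and index the vectors with them without comparing against `image.size()`, so a truncated or non-PE input appears to index past the buffer; a size check after `NT_HEADER` and before each `memcpy` would turn that into an error message.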
@@ -0,0 +1,38 @@ +#include "bundler.h" + +int __cdecl main(int argc, char** argv) +{ + if (argc < 2) + { + std::printf("[!] invalid amount of parameters\n"); + return -1; + } + + std::vector efi_module; + std::vector bootmgfw; + + impl::open_binary_file(argv[1], bootmgfw); + impl::open_binary_file(argv[2], efi_module); + + if (efi_module.empty() || bootmgfw.empty()) + { + std::printf("[!] unable to load efi module(s)...\n"); + return -1; + } + + efi_module.resize(NT_HEADER(efi_module.data())->OptionalHeader.SizeOfImage); + std::printf("bundling efi module, size -> 0x%x\n", + NT_HEADER(efi_module.data())->OptionalHeader.SizeOfImage); + + bootmgfw.resize(NT_HEADER(bootmgfw.data())->OptionalHeader.SizeOfImage); + std::printf("bundling module into bootmgfw, size before patch -> 0x%x\n", + NT_HEADER(bootmgfw.data())->OptionalHeader.SizeOfImage); + + bundler::bundle(bootmgfw, efi_module); + std::ofstream new_file("result.efi", std::ios::binary); + new_file.write((char*)bootmgfw.data(), bootmgfw.size()); + new_file.close(); + + std::printf("bundled modules together....\n"); + std::getchar(); +} \ No newline at end of file diff --git a/Efi Bundler/shellcode.cpp b/Efi Bundler/shellcode.cpp new file mode 100644 index 0000000..d695595 --- /dev/null +++ b/Efi Bundler/shellcode.cpp 
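Review bot: The guard `if (argc < 2)` admits a run with a single argument, yet `argv[2]` is read immediately afterwards; with `argc == 2` that entry is the terminating null pointer and building the `const std::string&` parameter of `impl::open_binary_file` from it is undefined behaviour. The check should be `if (argc < 3)`. The subsequent `efi_module.resize(NT_HEADER(efi_module.data())->OptionalHeader.SizeOfImage)` (and the same for `bootmgfw`) reads PE header fields from a buffer whose length has not been compared against the header size, so a short or non-PE file reads out of bounds rather than failing cleanly. `new_file` is also written without checking that the `std::ofstream` opened, so a failed write still prints "bundled modules together".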
@@ -0,0 +1,55 @@ +#include "shellcode.h" + +namespace shellcode +{ + void* entry_stub(void* a, void* b) + { + // 0xDEADBEEF is replaced at runtime... + auto module_base = reinterpret_cast(&entry_stub) + 0xDEADBEEF; + auto bootmgfw_base = reinterpret_cast(&entry_stub) - 0xDEADBEEF; + NT_HEADER(bootmgfw_base)->OptionalHeader.AddressOfEntryPoint = 0xDEADBEEF; + + // fix relocs of the module in .efi section... + auto base_reloc_dir = &NT_HEADER(module_base)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]; + if (base_reloc_dir->VirtualAddress) + { + auto reloc = reinterpret_cast(module_base + base_reloc_dir->VirtualAddress); + for (auto current_size = 0u; current_size < base_reloc_dir->Size; ) + { + auto reloc_count = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(UINT16); + auto reloc_data = reinterpret_cast((UINT8*)reloc + sizeof(IMAGE_BASE_RELOCATION)); + auto reloc_base = reinterpret_cast(module_base) + reloc->VirtualAddress; + + for (auto i = 0u; i < reloc_count; ++i, ++reloc_data) + { + std::uint16_t data = *reloc_data; + std::uint16_t type = data >> 12; + std::uint16_t offset = data & 0xFFF; + + switch (type) + { + case IMAGE_REL_BASED_DIR64: + { + auto rva = reinterpret_cast(reloc_base + offset); + *rva = module_base + (*rva - NT_HEADER(module_base)->OptionalHeader.ImageBase); + break; + } + default: + break; + } + } + + current_size += reloc->SizeOfBlock; + reloc = reinterpret_cast(reloc_data); + } + } + + // call our entry... + reinterpret_cast( + module_base + NT_HEADER(module_base)->OptionalHeader.AddressOfEntryPoint)(a, b); + + // call the original entry... + return reinterpret_cast( + bootmgfw_base + NT_HEADER(bootmgfw_base)->OptionalHeader.AddressOfEntryPoint)(a, b); + } +} \ No newline at end of file diff --git a/Efi Bundler/shellcode.h b/Efi Bundler/shellcode.h new file mode 100644 index 0000000..ba7d1c1 --- /dev/null +++ b/Efi Bundler/shellcode.h 
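Review bot: The comment `// 0xDEADBEEF is replaced at runtime...` in entry_stub is inaccurate as far as this diff shows: the placeholders are overwritten by `bundler::bundle` while the output image is being built, at fixed byte offsets (25, 45, 75) of the `stub` array in shellcode.h, not by the running code. A comment such as `// 0xDEADBEEF placeholders are patched into shellcode::stub by bundler::bundle at bundle time; the patch offsets are hard-coded in shellcode.h` states what the code actually does and points a reader at the coupling between this source and the byte array.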
@@ -0,0 +1,76 @@ +#pragma once +#include +#include +#include "utils.h" + +namespace shellcode +{ + void* entry_stub(void* a, void* b); + // void* entry_stub(void* a, void* b) + // + 75, Real entry point RVA + // + 25, RVA to bundled module base... (gunna be a section base address) + // + 45, RVA to bootmgfw base address... (number is positive, assembly subtracts this number) + inline char stub[] = + { + 0x48, 0x89, 0x54, 0x24, 0x10, 0x48, 0x89, 0x4C, 0x24, 0x08, + 0x48, 0x81, 0xEC, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x05, + 0xE8, 0xFF, 0xFF, 0xFF, 0xB9, 0xEF, 0xBE, 0xAD, 0xDE, 0x48, + 0x03, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x28, 0x48, 0x8D, 0x05, + 0xD4, 0xFF, 0xFF, 0xFF, 0xB9, 0xEF, 0xBE, 0xAD, 0xDE, 0x48, + 0x2B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x48, 0x48, 0x8B, 0x44, + 0x24, 0x48, 0x48, 0x63, 0x40, 0x3C, 0x48, 0x8B, 0x4C, 0x24, + 0x48, 0xC7, 0x44, 0x01, 0x28, 0xEF, 0xBE, 0xAD, 0xDE, 0x48, + 0x8B, 0x44, 0x24, 0x28, 0x48, 0x63, 0x40, 0x3C, 0x48, 0x8B, + 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0xB9, + 0x08, 0x00, 0x00, 0x00, 0x48, 0x6B, 0xC9, 0x05, 0x48, 0x8D, + 0x84, 0x08, 0x88, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, + 0x60, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x83, 0x38, 0x00, 0x0F, + 0x84, 0x4E, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x60, + 0x8B, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, + 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x40, 0xC7, 0x44, + 0x24, 0x3C, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, + 0x60, 0x8B, 0x40, 0x04, 0x39, 0x44, 0x24, 0x3C, 0x0F, 0x83, + 0x1D, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x8B, + 0x40, 0x04, 0x48, 0x83, 0xE8, 0x08, 0x33, 0xD2, 0xB9, 0x02, + 0x00, 0x00, 0x00, 0x48, 0xF7, 0xF1, 0x48, 0x89, 0x44, 0x24, + 0x70, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x48, 0x83, 0xC0, 0x08, + 0x48, 0x89, 0x44, 0x24, 0x50, 0x48, 0x8B, 0x44, 0x24, 0x40, + 0x8B, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, + 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x78, 0xC7, 0x44, + 0x24, 0x38, 0x00, 0x00, 0x00, 0x00, 0xEB, 
0x18, 0x8B, 0x44, + 0x24, 0x38, 0xFF, 0xC0, 0x89, 0x44, 0x24, 0x38, 0x48, 0x8B, + 0x44, 0x24, 0x50, 0x48, 0x83, 0xC0, 0x02, 0x48, 0x89, 0x44, + 0x24, 0x50, 0x8B, 0x44, 0x24, 0x38, 0x48, 0x3B, 0x44, 0x24, + 0x70, 0x0F, 0x83, 0x89, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x44, + 0x24, 0x50, 0x0F, 0xB7, 0x00, 0x66, 0x89, 0x44, 0x24, 0x20, + 0x0F, 0xB7, 0x44, 0x24, 0x20, 0xC1, 0xF8, 0x0C, 0x66, 0x89, + 0x44, 0x24, 0x30, 0x0F, 0xB7, 0x44, 0x24, 0x20, 0x25, 0xFF, + 0x0F, 0x00, 0x00, 0x66, 0x89, 0x44, 0x24, 0x34, 0x0F, 0xB7, + 0x44, 0x24, 0x30, 0x89, 0x44, 0x24, 0x58, 0x83, 0x7C, 0x24, + 0x58, 0x0A, 0x74, 0x02, 0xEB, 0x49, 0x0F, 0xB7, 0x44, 0x24, + 0x34, 0x48, 0x8B, 0x4C, 0x24, 0x78, 0x48, 0x03, 0xC8, 0x48, + 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x68, 0x48, 0x8B, 0x44, + 0x24, 0x28, 0x48, 0x63, 0x40, 0x3C, 0x48, 0x8B, 0x4C, 0x24, + 0x68, 0x48, 0x8B, 0x54, 0x24, 0x28, 0x48, 0x8B, 0x44, 0x02, + 0x30, 0x48, 0x8B, 0x09, 0x48, 0x2B, 0xC8, 0x48, 0x8B, 0xC1, + 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, + 0xC1, 0x48, 0x8B, 0x4C, 0x24, 0x68, 0x48, 0x89, 0x01, 0xE9, + 0x50, 0xFF, 0xFF, 0xFF, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x8B, + 0x40, 0x04, 0x8B, 0x4C, 0x24, 0x3C, 0x03, 0xC8, 0x8B, 0xC1, + 0x89, 0x44, 0x24, 0x3C, 0x48, 0x8B, 0x44, 0x24, 0x50, 0x48, + 0x89, 0x44, 0x24, 0x40, 0xE9, 0xD1, 0xFE, 0xFF, 0xFF, 0x48, + 0x8B, 0x44, 0x24, 0x28, 0x48, 0x63, 0x40, 0x3C, 0x48, 0x8B, + 0x4C, 0x24, 0x28, 0x8B, 0x44, 0x01, 0x28, 0x48, 0x8B, 0x4C, + 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, + 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x94, 0x24, + 0xA8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x8C, 0x24, 0xA0, 0x00, + 0x00, 0x00, 0xFF, 0x94, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, + 0x8B, 0x44, 0x24, 0x48, 0x48, 0x63, 0x40, 0x3C, 0x48, 0x8B, + 0x4C, 0x24, 0x48, 0x8B, 0x44, 0x01, 0x28, 0x48, 0x8B, 0x4C, + 0x24, 0x48, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, + 0x84, 0x24, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x94, 0x24, + 0xA8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x8C, 0x24, 0xA0, 
0x00, + 0x00, 0x00, 0xFF, 0x94, 0x24, 0x88, 0x00, 0x00, 0x00, 0x48, + 0x81, 0xC4, 0x98, 0x00, 0x00, 0x00, 0xC3 + }; +} \ No newline at end of file diff --git a/Efi Bundler/utils.h b/Efi Bundler/utils.h new file mode 100644 index 0000000..b31ad4f --- /dev/null +++ b/Efi Bundler/utils.h 
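Review bot: `inline char stub[]` is brace-initialised with values above 0x7F (`0xE8`, `0xFF`, `0xB9`, ...), which are narrowing conversions into a signed `char` that compilers warn about or reject depending on settings, and bundler.cpp then treats the array as raw bytes via `reinterpret_cast` and `memcpy`. Declaring it as `inline std::uint8_t stub[] =` matches that use and removes the narrowing; `std::uint32_t` is already used in bundler.h, so the type is in scope.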
@@ -0,0 +1,84 @@ +#pragma once +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define NT_HEADER(x) reinterpret_cast( uint64_t(x) + reinterpret_cast(x)->e_lfanew ) +namespace impl +{ + using uq_handle = std::unique_ptr; + + __forceinline uint32_t get_process_id(const std::wstring_view process_name) + { + // open a system snapshot of all loaded processes + uq_handle snap_shot{ CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0), &CloseHandle }; + + if (snap_shot.get() == INVALID_HANDLE_VALUE) + { + return 0; + } + + PROCESSENTRY32W process_entry{ sizeof(PROCESSENTRY32W) }; + + // enumerate through processes + for (Process32FirstW(snap_shot.get(), &process_entry); Process32NextW(snap_shot.get(), &process_entry); ) + if (std::wcscmp(process_name.data(), process_entry.szExeFile) == 0) + return process_entry.th32ProcessID; + + return 0; + } + + __forceinline void open_binary_file(const std::string& file, std::vector& data) + { + std::ifstream fstr(file, std::ios::binary); + fstr.unsetf(std::ios::skipws); + fstr.seekg(0, std::ios::end); + + const auto file_size = fstr.tellg(); + + fstr.seekg(NULL, std::ios::beg); + data.reserve(static_cast(file_size)); + data.insert(data.begin(), std::istream_iterator(fstr), std::istream_iterator()); + } + + __forceinline bool enable_privilege(const std::wstring_view privilege_name) + { + HANDLE token_handle = nullptr; + if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token_handle)) + {; + return false; + } + + LUID luid{}; + if (!LookupPrivilegeValueW(nullptr, privilege_name.data(), &luid)) + { + return false; + } + + TOKEN_PRIVILEGES token_state{}; + token_state.PrivilegeCount = 1; + token_state.Privileges[0].Luid = luid; + token_state.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; + + if (!AdjustTokenPrivileges(token_handle, FALSE, &token_state, sizeof(TOKEN_PRIVILEGES), nullptr, nullptr)) + { + 
return false; + } + + CloseHandle(token_handle); + + return true; + } +} \ No newline at end of file diff --git a/PayLoad (AMD)/PayLoad (AMD).vcxproj b/PayLoad (AMD)/PayLoad (AMD).vcxproj new file mode 100644 index 0000000..84e813e --- /dev/null +++ b/PayLoad (AMD)/PayLoad (AMD).vcxproj @@ -0,0 +1,158 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + Debug + ARM + + + Release + ARM + + + Debug + ARM64 + + + Release + ARM64 + + + + {C5122D8B-DEC8-458F-9342-3A4AC3152BEF} + {1bc93793-694f-48fe-9372-81e2b05556fd} + v4.5 + 12.0 + Debug + Win32 + PayLoad__AMD_ + + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + + + + + + + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/PayLoad (AMD)/PayLoad (AMD).vcxproj.filters b/PayLoad (AMD)/PayLoad (AMD).vcxproj.filters new file mode 100644 index 0000000..98c49c5 --- /dev/null +++ b/PayLoad (AMD)/PayLoad (AMD).vcxproj.filters 
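Review bot: `open_binary_file` never checks that `fstr` opened; for a missing path `tellg()` returns -1, the `static_cast` turns that into a huge `reserve`, and the call will throw `std::length_error` before the callers in main.cpp ever reach their `.empty()` check. An early `if (!fstr) return;` after constructing the stream keeps the existing "unable to load" path working. In `enable_privilege`, the two failure branches after `OpenProcessToken` succeeds return without `CloseHandle(token_handle)`, while the success path closes it; wrapping the token in the `uq_handle` alias declared above the function closes it on every path, and the `{;` on the first branch is a stray semicolon. In `get_process_id`, `Process32NextW` runs in the loop condition before the body executes, so the entry filled in by `Process32FirstW` is never compared.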
@@ -0,0 +1,32 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hpp;hxx;hm;inl;inc;xsd + + + {8E41214B-6785-4CFE-B992-037D68949A14} + inf;inv;inx;mof;mc; + + + + + Driver Files + + + + + Header Files + + + + + Source Files + + + \ No newline at end of file diff --git a/PayLoad (AMD)/PayLoad(AMD).inf b/PayLoad (AMD)/PayLoad(AMD).inf new file mode 100644 index 0000000..f63e41e --- /dev/null +++ b/PayLoad (AMD)/PayLoad(AMD).inf 
@@ -0,0 +1,87 @@ +; +; PayLoad(AMD).inf +; + +[Version] +Signature="$WINDOWS NT$" +Class=Sample ; TODO: edit Class +ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid +Provider=%ManufacturerName% +CatalogFile=PayLoad(AMD).cat +DriverVer= ; TODO: set DriverVer in stampinf property pages +PnpLockDown=1 + +[DestinationDirs] +DefaultDestDir = 12 +PayLoad(AMD)_Device_CoInstaller_CopyFiles = 11 + +; ================= Class section ===================== + +[ClassInstall32] +Addreg=SampleClassReg + +[SampleClassReg] +HKR,,,0,%ClassName% +HKR,,Icon,,-5 + +[SourceDisksNames] +1 = %DiskName%,,,"" + +[SourceDisksFiles] +PayLoad(AMD).sys = 1,, +WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames + +;***************************************** +; Install Section +;***************************************** + +[Manufacturer] +%ManufacturerName%=Standard,NT$ARCH$ + +[Standard.NT$ARCH$] +%PayLoad(AMD).DeviceDesc%=PayLoad(AMD)_Device, Root\PayLoad(AMD) ; TODO: edit hw-id + +[PayLoad(AMD)_Device.NT] +CopyFiles=Drivers_Dir + +[Drivers_Dir] +PayLoad(AMD).sys + +;-------------- Service installation +[PayLoad(AMD)_Device.NT.Services] +AddService = PayLoad(AMD),%SPSVCINST_ASSOCSERVICE%, PayLoad(AMD)_Service_Inst + +; -------------- PayLoad(AMD) driver install sections +[PayLoad(AMD)_Service_Inst] +DisplayName = %PayLoad(AMD).SVCDESC% +ServiceType = 1 ; SERVICE_KERNEL_DRIVER +StartType = 3 ; SERVICE_DEMAND_START +ErrorControl = 1 ; SERVICE_ERROR_NORMAL +ServiceBinary = %12%\PayLoad(AMD).sys + +; +;--- PayLoad(AMD)_Device Coinstaller installation ------ +; + +[PayLoad(AMD)_Device.NT.CoInstallers] +AddReg=PayLoad(AMD)_Device_CoInstaller_AddReg +CopyFiles=PayLoad(AMD)_Device_CoInstaller_CopyFiles + +[PayLoad(AMD)_Device_CoInstaller_AddReg] +HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller" + +[PayLoad(AMD)_Device_CoInstaller_CopyFiles] +WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll + 
+[PayLoad(AMD)_Device.NT.Wdf] +KmdfService = PayLoad(AMD), PayLoad(AMD)_wdfsect +[PayLoad(AMD)_wdfsect] +KmdfLibraryVersion = $KMDFVERSION$ + +[Strings] +SPSVCINST_ASSOCSERVICE= 0x00000002 +ManufacturerName="" ;TODO: Replace with your manufacturer name +ClassName="Samples" ; TODO: edit ClassName +DiskName = "PayLoad(AMD) Installation Disk" +PayLoad(AMD).DeviceDesc = "PayLoad(AMD) Device" +PayLoad(AMD).SVCDESC = "PayLoad(AMD) Service" diff --git a/PayLoad (AMD)/main.cpp b/PayLoad (AMD)/main.cpp new file mode 100644 index 0000000..e69de29 diff --git a/PayLoad (AMD)/types.h b/PayLoad (AMD)/types.h new file mode 100644 index 0000000..6f70f09 --- /dev/null +++ b/PayLoad (AMD)/types.h @@ -0,0 +1 @@ +#pragma once diff --git a/PayLoad (Intel)/vmexit_handler.cpp b/PayLoad (Intel)/vmexit_handler.cpp index 1d2a33b..64594b9 100644 --- a/PayLoad (Intel)/vmexit_handler.cpp +++ b/PayLoad (Intel)/vmexit_handler.cpp @@ -20,7 +20,6 @@ void vmexit_handler(pcontext_t context, void* unknown) { if (guest_registers->rcx == VMEXIT_KEY) { - DBG_PRINT("got cpuid call...\n"); guest_registers->rax = 0xC0FFEE; // advance rip, no one better execute cpuid instruction diff --git a/Voyager (1703-1511)/BootMgfw.c b/Voyager (1703-1511)/BootMgfw.c index ed11860..2dc205e 100644 --- a/Voyager (1703-1511)/BootMgfw.c +++ b/Voyager (1703-1511)/BootMgfw.c @@ -1,7 +1,7 @@ #include "BootMgfw.h" SHITHOOK BootMgfwShitHook; -EFI_DEVICE_PATH* EFIAPI GetBootMgfwPath(VOID) +EFI_STATUS EFIAPI GetBootMgfwPath(EFI_DEVICE_PATH_PROTOCOL** BootMgfwPathProtocol) { UINTN HandleCount = NULL; EFI_STATUS Result; 
@@ -14,8 +14,8 @@ EFI_DEVICE_PATH* EFIAPI GetBootMgfwPath(VOID) // get all the handles to file systems... if (EFI_ERROR((Result = gBS->LocateHandleBuffer(ByProtocol, &gEfiSimpleFileSystemProtocolGuid, NULL, &HandleCount, &Handles)))) { - Print(L"error getting file system handles -> 0x%p\n", Result); - return DevicePath; + DBG_PRINT("error getting file system handles -> 0x%p\n", Result); + return Result; } // for each handle to the file system, open a protocol with it... 
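Review bot: The new `DBG_PRINT("error getting file system handles -> 0x%p\n", Result)` formats an `EFI_STATUS` with `%p`; the same commit prints statuses with `%r` in UefiMain.c, so `DBG_PRINT("error getting file system handles -> %r\n", Result);` would be consistent, assuming DBG_PRINT forwards to the EDK2 PrintLib formatter. The same `0x%p` on `Result` appears in the three `DBG_PRINT` calls of the following `@@ -23,44` hunk and in both hunks of `Voyager (2004-1709)/BootMgfw.c`.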
@@ -23,44 +23,47 @@ EFI_DEVICE_PATH* EFIAPI GetBootMgfwPath(VOID) { if (EFI_ERROR((Result = gBS->OpenProtocol(Handles[Idx], &gEfiSimpleFileSystemProtocolGuid, (VOID**)&FileSystem, gImageHandle, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL)))) { - Print(L"error opening protocol -> 0x%p\n", Result); - return DevicePath; + DBG_PRINT("error opening protocol -> 0x%p\n", Result); + return Result; } if (EFI_ERROR((Result = FileSystem->OpenVolume(FileSystem, &VolumeHandle)))) { - Print(L"error opening file system -> 0x%p\n", Result); - return DevicePath; + DBG_PRINT("error opening file system -> 0x%p\n", Result); + return Result; } // if we found the correct file (\\efi\\microsoft\\boot\\bootmgfw.efi) if (!EFI_ERROR(VolumeHandle->Open(VolumeHandle, &BootMgfwHandle, WINDOWS_BOOTMGR_PATH, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY))) - DevicePath = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGR_PATH); + { + VolumeHandle->Close(BootMgfwHandle); + *BootMgfwPathProtocol = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGR_PATH); + return EFI_SUCCESS; + } - VolumeHandle->Close(BootMgfwHandle); if (EFI_ERROR((Result = gBS->CloseProtocol(Handles[Idx], &gEfiSimpleFileSystemProtocolGuid, gImageHandle, NULL)))) { - Print(L"error closing protocol -> 0x%p\n", Result); - return DevicePath; + DBG_PRINT("error closing protocol -> 0x%p\n", Result); + return Result; } } - return DevicePath; + return EFI_ABORTED; } -EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath) +EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE ImageHandle) { EFI_STATUS Result = EFI_SUCCESS; EFI_LOADED_IMAGE* BootMgfw = NULL; - if (EFI_ERROR((Result = gBS->HandleProtocol(BootMgfwPath, &gEfiLoadedImageProtocolGuid, (VOID**)&BootMgfw)))) + if (EFI_ERROR(Result = gBS->HandleProtocol(ImageHandle, &gEfiLoadedImageProtocolGuid, (VOID**)&BootMgfw))) return Result; - Print(L"Image Base -> 0x%p\n", BootMgfw->ImageBase); - Print(L"Image Size -> 0x%x\n", BootMgfw->ImageSize); + DBG_PRINT("Module base -> 0x%p\n", BootMgfw->ImageBase); + 
DBG_PRINT("Module size -> 0x%x\n", BootMgfw->ImageSize); VOID* ArchStartBootApplication = FindPattern( - BootMgfw->ImageBase, + BootMgfw->ImageBase, BootMgfw->ImageSize, START_BOOT_APPLICATION_SIG, START_BOOT_APPLICATION_MASK @@ -69,9 +72,9 @@ EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath) if (!ArchStartBootApplication) return EFI_ABORTED; - Print(L"ArchStartBootApplication -> 0x%p\n", RESOLVE_RVA(ArchStartBootApplication, 5, 1)); + DBG_PRINT("ArchStartBootApplication -> 0x%p\n", RESOLVE_RVA(ArchStartBootApplication, 5, 1)); MakeShitHook(&BootMgfwShitHook, RESOLVE_RVA(ArchStartBootApplication, 5, 1), &ArchStartBootApplicationHook, TRUE); - return Result; + return EFI_SUCCESS; } EFI_STATUS EFIAPI ArchStartBootApplicationHook(VOID* AppEntry, VOID* ImageBase, UINT32 ImageSize, UINT8 BootOption, VOID* ReturnArgs) diff --git a/Voyager (1703-1511)/BootMgfw.h b/Voyager (1703-1511)/BootMgfw.h index 1a1f19d..8efe6c3 100644 --- a/Voyager (1703-1511)/BootMgfw.h +++ b/Voyager (1703-1511)/BootMgfw.h @@ -10,6 +10,7 @@ #include #include #include +#include #include #include "WinLoad.h" @@ -20,6 +21,6 @@ static_assert(sizeof(START_BOOT_APPLICATION_SIG) == sizeof(START_BOOT_APPLICATIO #define WINDOWS_BOOTMGR_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi" extern SHITHOOK BootMgfwShitHook; typedef EFI_STATUS(EFIAPI* IMG_ARCH_START_BOOT_APPLICATION)(VOID*, VOID*, UINT32, UINT8, VOID*); -EFI_DEVICE_PATH* EFIAPI GetBootMgfwPath(VOID); -EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath); +EFI_STATUS EFIAPI GetBootMgfwPath(EFI_DEVICE_PATH_PROTOCOL** BootMgfwPathProtocol); +EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE ImageHandle); EFI_STATUS EFIAPI ArchStartBootApplicationHook(VOID* AppEntry, VOID* ImageBase, UINT32 ImageSize, UINT8 BootOption, VOID* ReturnArgs); \ No newline at end of file diff --git a/Voyager (1703-1511)/HvLoader.c b/Voyager (1703-1511)/HvLoader.c index ea4b77b..c5ec2c8 100644 --- a/Voyager (1703-1511)/HvLoader.c 
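Review bot: The new success branch in GetBootMgfwPath stores the result of `FileDevicePath(Handles[Idx], WINDOWS_BOOTMGR_PATH)` and returns `EFI_SUCCESS` without checking it, although `FileDevicePath` returns NULL when it cannot allocate, so the caller can receive success with a NULL path; `if (*BootMgfwPathProtocol == NULL) return EFI_OUT_OF_RESOURCES;` before the return closes that gap. That branch also returns without the `gBS->CloseProtocol` that the non-matching iterations perform, and `Handles` from `LocateHandleBuffer` is not freed with `FreePool` on any path. `return EFI_ABORTED` after the loop is the fall-through when no volume held the file; `EFI_NOT_FOUND` would describe that outcome more precisely. The function starts in the earlier `@@ -1,7` hunk; the same changes appear in `Voyager (2004-1709)/BootMgfw.c`.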
+++ b/Voyager (1703-1511)/HvLoader.c @@ -5,7 +5,6 @@ SHITHOOK HvLoadImageBufferHook; SHITHOOK HvLoadAllocImageHook; BOOLEAN ExtendedAllocation = FALSE; BOOLEAN HookedHyperV = FALSE; -CHAR8 ModulePathCString[0x100]; EFI_STATUS EFIAPI HvBlImgLoadPEImageFromSourceBuffer(VOID* a1, VOID* a2, VOID* a3, VOID* a4, UINT64* ImageBase, UINT32* ImageSize, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14, VOID* a15) @@ -72,10 +71,6 @@ EFI_STATUS EFIAPI HvBlImgLoadPEImageFromSourceBuffer(VOID* a1, VOID* a2, VOID* a EFI_STATUS EFIAPI HvBlImgLoadPEImageEx(VOID* DeviceId, VOID* MemoryType, CHAR16* Path, UINT64* ImageBase, UINT32* ImageSize, VOID* Hash, VOID* Flags, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13) { - UnicodeStrToAsciiStr(Path, ModulePathCString); - DBG_PRINT("LOADING FROM HVLOADER: "); - DBG_PRINT(ModulePathCString); - DisableShitHook(&HvLoadImageHook); EFI_STATUS Result = ((HV_LDR_LOAD_IMAGE)HvLoadImageHook.Address)(DeviceId, MemoryType, Path, ImageBase, ImageSize, Hash, Flags, a8, a9, a10, a11, a12, a13); diff --git a/Voyager (1703-1511)/Hvix64.c b/Voyager (1703-1511)/Hvix64.c index 435ce0e..6647767 100644 --- a/Voyager (1703-1511)/Hvix64.c +++ b/Voyager (1703-1511)/Hvix64.c @@ -33,7 +33,7 @@ VOID* MapModule(PVOYAGER_DATA_T VoyagerData, UINT8* ImageBase) if (AsciiStrStr(VoyagerData->ModuleBase + Name[i], "voyager_context")) { *(VOYAGER_DATA_T*)(VoyagerData->ModuleBase + Address[Ordinal[i]]) = *VoyagerData; - break; // DO NOT REMOVE? :| + break; } } 
@@ -110,12 +110,6 @@ VOID MakeVoyagerData UINT64 VmExitHandlerCallRip = (UINT64)VmExitHandlerCall + 5; // + 5 bytes because "call vmexit_c_handler" is 5 bytes UINT64 VmExitFunction = VmExitHandlerCallRip + *(INT32*)((UINT64)(VmExitHandlerCall + 1)); // + 1 to skip E8 (call) and read 4 bytes (RVA) VoyagerData->VmExitHandlerRva = ((UINT64)PayLoadEntry(PayLoadBase)) - (UINT64)VmExitFunction; - - DBG_PRINT("VmExitHandler -> 0x%p\n", VmExitHandler); - DBG_PRINT("VmExitHandlerRva -> 0x%x\n", VoyagerData->VmExitHandlerRva); - DBG_PRINT("VmExitFunction -> 0x%p\n", VmExitFunction); - DBG_PRINT("VmExitHandlerCallRip -> 0x%p\n", VmExitHandlerCallRip); - DBG_PRINT("VmExitHandlerCall -> 0x%p\n", VmExitHandlerCall); } VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook) @@ -140,6 +134,5 @@ VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook) UINT64 VmExitFunction = VmExitHandlerCallRip + *(INT32*)((UINT64)(VmExitHandlerCall + 1)); // + 1 to skip E8 (call) and read 4 bytes (RVA) INT32 NewVmExitRVA = ((INT64)VmExitHook) - VmExitHandlerCallRip; *(INT32*)((UINT64)(VmExitHandlerCall + 1)) = NewVmExitRVA; - DBG_PRINT("NewVmExitRVA -> 0x%x\n", NewVmExitRVA); return VmExitFunction; } \ No newline at end of file diff --git a/Voyager (1703-1511)/UefiMain.c b/Voyager (1703-1511)/UefiMain.c index 3464bfb..10413ff 100644 --- a/Voyager (1703-1511)/UefiMain.c +++ b/Voyager (1703-1511)/UefiMain.c @@ -1,15 +1,12 @@ #include "BootMgfw.h" -CHAR8* gEfiCallerBaseName = "Voyager 1"; +CHAR8* gEfiCallerBaseName = "Voyager"; const UINT32 _gUefiDriverRevision = 0x200; EFI_STATUS EFIAPI UefiUnload( IN EFI_HANDLE ImageHandle ) -{ - Print(L"unloading module from memory...\n"); - return EFI_SUCCESS; -} +{ return EFI_SUCCESS; } EFI_STATUS EFIAPI UefiMain ( 
@@ -17,38 +14,29 @@ EFI_STATUS EFIAPI UefiMain IN EFI_SYSTEM_TABLE* SystemTable ) { - // get the file path to bootmgfw.efi so we can load it... - EFI_DEVICE_PATH* BootMgfwPath = GetBootMgfwPath(); - Print(L"BootMgfwPath -> %p\n", BootMgfwPath); + EFI_STATUS Result; + EFI_HANDLE BootMgfwHandle; + EFI_DEVICE_PATH* BootMgfwPath; - if (!BootMgfwPath) + if (EFI_ERROR((Result = GetBootMgfwPath(&BootMgfwPath)))) { - Print(L"unable to get bootmgfw file path....\n"); + Print(L"unable to get bootmgfw file path... reason -> %r\n", Result); return EFI_NOT_FOUND; } - EFI_STATUS Result; - EFI_HANDLE BootMgfwHandle; - - // load bootmgfw.efi into memory... if (EFI_ERROR((Result = gBS->LoadImage(TRUE, ImageHandle, BootMgfwPath, NULL, 0, &BootMgfwHandle)))) { - Print(L"failed to load bootmgfw.efi...\n"); + Print(L"failed to load bootmgfw.efi... reason -> %r\n", Result); return EFI_ABORTED; } - Print(L"Loaded bootmgfw.efi into memory...\n"); - - if (EFI_ERROR(InstallBootMgfwHooks(BootMgfwHandle))) + if (EFI_ERROR((Result = InstallBootMgfwHooks(BootMgfwHandle)))) { - Print(L"Failed to install bootmgfw hooks...\n"); + Print(L"Failed to install bootmgfw hooks... reason -> %r\n", Result); return EFI_ABORTED; } - Print(L"installed bootmgfw hooks...\n"); - - // start bootmgfw.efi... - if (EFI_ERROR(gBS->StartImage(BootMgfwHandle, NULL, NULL))) + if (EFI_ERROR((Result = gBS->StartImage(BootMgfwHandle, NULL, NULL)))) { Print(L"Failed to start bootmgfw.efi...\n"); return EFI_ABORTED; diff --git a/Voyager (2004-1709)/BootMgfw.c b/Voyager (2004-1709)/BootMgfw.c index 1a39864..61dcdda 100644 --- a/Voyager (2004-1709)/BootMgfw.c +++ b/Voyager (2004-1709)/BootMgfw.c @@ -1,7 +1,7 @@ #include "BootMgfw.h" SHITHOOK BootMgfwShitHook; -EFI_DEVICE_PATH* EFIAPI GetBootMgfwPath(VOID) +EFI_STATUS EFIAPI GetBootMgfwPath(EFI_DEVICE_PATH_PROTOCOL** BootMgfwPathProtocol) { UINTN HandleCount = NULL; EFI_STATUS Result; 
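Review bot: The fourth error message in UefiMain, `Print(L"Failed to start bootmgfw.efi...\n")`, is the only one in this hunk that did not gain the `reason -> %r` suffix even though the `StartImage` status is now captured in `Result` on that line; `Print(L"Failed to start bootmgfw.efi... reason -> %r\n", Result);` matches the other three. Each branch also prints `Result` and then returns a fixed `EFI_NOT_FOUND`/`EFI_ABORTED`, discarding the status it just reported; returning `Result` would preserve it for the caller. The function body continues past the end of the hunk.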
@@ -14,8 +14,8 @@ EFI_DEVICE_PATH* EFIAPI GetBootMgfwPath(VOID) // get all the handles to file systems... if (EFI_ERROR((Result = gBS->LocateHandleBuffer(ByProtocol, &gEfiSimpleFileSystemProtocolGuid, NULL, &HandleCount, &Handles)))) { - Print(L"error getting file system handles -> 0x%p\n", Result); - return DevicePath; + DBG_PRINT("error getting file system handles -> 0x%p\n", Result); + return Result; } // for each handle to the file system, open a protocol with it... @@ -23,28 +23,31 @@ EFI_DEVICE_PATH* EFIAPI GetBootMgfwPath(VOID) { if (EFI_ERROR((Result = gBS->OpenProtocol(Handles[Idx], &gEfiSimpleFileSystemProtocolGuid, (VOID**)&FileSystem, gImageHandle, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL)))) { - Print(L"error opening protocol -> 0x%p\n", Result); - return DevicePath; + DBG_PRINT("error opening protocol -> 0x%p\n", Result); + return Result; } if (EFI_ERROR((Result = FileSystem->OpenVolume(FileSystem, &VolumeHandle)))) { - Print(L"error opening file system -> 0x%p\n", Result); - return DevicePath; + DBG_PRINT("error opening file system -> 0x%p\n", Result); + return Result; } // if we found the correct file (\\efi\\microsoft\\boot\\bootmgfw.efi) if (!EFI_ERROR(VolumeHandle->Open(VolumeHandle, &BootMgfwHandle, WINDOWS_BOOTMGR_PATH, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY))) - DevicePath = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGR_PATH); + { + VolumeHandle->Close(BootMgfwHandle); + *BootMgfwPathProtocol = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGR_PATH); + return EFI_SUCCESS; + } - VolumeHandle->Close(BootMgfwHandle); if (EFI_ERROR((Result = gBS->CloseProtocol(Handles[Idx], &gEfiSimpleFileSystemProtocolGuid, gImageHandle, NULL)))) { - Print(L"error closing protocol -> 0x%p\n", Result); - return DevicePath; + DBG_PRINT("error closing protocol -> 0x%p\n", Result); + return Result; } } - return DevicePath; + return EFI_ABORTED; } EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath) 
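Review bot: The new `DBG_PRINT("error getting file system handles -> 0x%p\n", Result);` passes a narrow string literal and formats an EFI_STATUS with `0x%p`, while the same macro in InstallBootMgfwHooks (the `@@ -69,7 +71,7 @@` hunk below) is given a wide `L"..."` literal and the new UefiMain.c code reports status with `%r`. Unless DBG_PRINT accepts both literal types, one of the two call styles is wrong, and `%p` prints the status as an address rather than a decoded code; e.g. `DBG_PRINT(L"error getting file system handles -> %r\n", Result);`. The same applies to the three DBG_PRINT lines in the next hunk (`@@ -23,28 +23,31 @@`). DBG_PRINT's definition is not visible here, so confirm which literal type it expects before changing all call sites.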
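Review bot: On the match path, `*BootMgfwPathProtocol = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGR_PATH);` is immediately followed by `return EFI_SUCCESS;` with no check of the result, so an allocation failure inside FileDevicePath reports success with a NULL device path that UefiMain then passes straight to LoadImage. Suggest `return *BootMgfwPathProtocol ? EFI_SUCCESS : EFI_OUT_OF_RESOURCES;`. The closing `return EFI_ABORTED;` is reached only when no volume contains the file, where EFI_NOT_FOUND would describe the outcome better and would match the code UefiMain already maps this failure to. The match path also returns without the CloseProtocol call the non-matching iterations make and without releasing the Handles buffer from LocateHandleBuffer; if that is intentional, a one-line comment saying so would help the next reader.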
@@ -57,7 +60,6 @@ EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath) Print(L"Image Base -> 0x%p\n", BootMgfw->ImageBase); Print(L"Image Size -> 0x%x\n", BootMgfw->ImageSize); - VOID* ArchStartBootApplication = FindPattern( BootMgfw->ImageBase, @@ -69,7 +71,7 @@ EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath) if (!ArchStartBootApplication) return EFI_ABORTED; - Print(L"ArchStartBootApplication -> 0x%p\n", ArchStartBootApplication); + DBG_PRINT(L"ArchStartBootApplication -> 0x%p\n", ArchStartBootApplication); MakeShitHook(&BootMgfwShitHook, ArchStartBootApplication, &ArchStartBootApplicationHook, TRUE); return Result; } diff --git a/Voyager (2004-1709)/BootMgfw.h b/Voyager (2004-1709)/BootMgfw.h index d820b29..7d65b48 100644 --- a/Voyager (2004-1709)/BootMgfw.h +++ b/Voyager (2004-1709)/BootMgfw.h @@ -28,6 +28,6 @@ static_assert(sizeof(START_BOOT_APPLICATION_SIG) == sizeof(START_BOOT_APPLICATIO #define WINDOWS_BOOTMGR_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi" extern SHITHOOK BootMgfwShitHook; typedef EFI_STATUS(EFIAPI* IMG_ARCH_START_BOOT_APPLICATION)(VOID*, VOID*, UINT32, UINT8, VOID*); -EFI_DEVICE_PATH* EFIAPI GetBootMgfwPath(VOID); +EFI_STATUS EFIAPI GetBootMgfwPath(EFI_DEVICE_PATH_PROTOCOL** BootMgfwPathProtocol); EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath); EFI_STATUS EFIAPI ArchStartBootApplicationHook(VOID* AppEntry, VOID* ImageBase, UINT32 ImageSize, UINT8 BootOption, VOID* ReturnArgs); \ No newline at end of file diff --git a/Voyager (2004-1709)/Hvix64.h b/Voyager (2004-1709)/Hvix64.h index e9d4059..eae2cf3 100644 --- a/Voyager (2004-1709)/Hvix64.h +++ b/Voyager (2004-1709)/Hvix64.h 
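Review bot: The new prototype `EFI_STATUS EFIAPI GetBootMgfwPath(EFI_DEVICE_PATH_PROTOCOL** BootMgfwPathProtocol);` carries no comment describing the out-parameter contract, and the implementation in BootMgfw.c writes `*BootMgfwPathProtocol` only on the success path, so a caller reading the header cannot tell whether the pointer is valid after an error. Suggest a comment above the declaration such as `// Searches the mounted simple file systems for \efi\microsoft\boot\bootmgfw.efi; on EFI_SUCCESS *BootMgfwPathProtocol receives the device path built by FileDevicePath(), on any other status it is left untouched.`. Whether the caller must free that device path depends on how FileDevicePath allocates it, which is not visible here, so state ownership once that is confirmed.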
@@ -22,7 +22,6 @@ #elif WINVER == 1703 #define VMEXIT_HANDLER_SIG "\xD0\x80\x3D\x74\xCC\x47\x00\x00\x0F\x84\x00\x00\x00\x00\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9" #define VMEXIT_HANDLER_MASK "xxxxxx??xx????xxxx?x????x" -#elif WINVER == 1607 #endif static_assert(sizeof(VMEXIT_HANDLER_SIG) == sizeof(VMEXIT_HANDLER_MASK), "signature does not match mask size!"); diff --git a/Voyager (2004-1709)/UefiMain.c b/Voyager (2004-1709)/UefiMain.c index 3464bfb..4baa787 100644 --- a/Voyager (2004-1709)/UefiMain.c +++ b/Voyager (2004-1709)/UefiMain.c @@ -1,15 +1,13 @@ #include "BootMgfw.h" +#include -CHAR8* gEfiCallerBaseName = "Voyager 1"; +CHAR8* gEfiCallerBaseName = "Voyager"; const UINT32 _gUefiDriverRevision = 0x200; EFI_STATUS EFIAPI UefiUnload( IN EFI_HANDLE ImageHandle ) -{ - Print(L"unloading module from memory...\n"); - return EFI_SUCCESS; -} +{ return EFI_SUCCESS; } EFI_STATUS EFIAPI UefiMain ( 
@@ -17,37 +15,28 @@ EFI_STATUS EFIAPI UefiMain IN EFI_SYSTEM_TABLE* SystemTable ) { - // get the file path to bootmgfw.efi so we can load it... - EFI_DEVICE_PATH* BootMgfwPath = GetBootMgfwPath(); - Print(L"BootMgfwPath -> %p\n", BootMgfwPath); + EFI_STATUS Result; + EFI_HANDLE BootMgfwHandle; + EFI_DEVICE_PATH* BootMgfwPath; - if (!BootMgfwPath) + if (EFI_ERROR((Result = GetBootMgfwPath(&BootMgfwPath)))) { - Print(L"unable to get bootmgfw file path....\n"); + Print(L"unable to get bootmgfw file path... reason -> %r\n", Result); return EFI_NOT_FOUND; } - EFI_STATUS Result; - EFI_HANDLE BootMgfwHandle; - - // load bootmgfw.efi into memory... if (EFI_ERROR((Result = gBS->LoadImage(TRUE, ImageHandle, BootMgfwPath, NULL, 0, &BootMgfwHandle)))) { Print(L"failed to load bootmgfw.efi...\n"); return EFI_ABORTED; } - Print(L"Loaded bootmgfw.efi into memory...\n"); - if (EFI_ERROR(InstallBootMgfwHooks(BootMgfwHandle))) { Print(L"Failed to install bootmgfw hooks...\n"); return EFI_ABORTED; } - Print(L"installed bootmgfw hooks...\n"); - - // start bootmgfw.efi... if (EFI_ERROR(gBS->StartImage(BootMgfwHandle, NULL, NULL))) { Print(L"Failed to start bootmgfw.efi...\n"); diff --git a/Voyager.sln b/Voyager.sln index 0e9e5d9..6992653 100644 --- a/Voyager.sln +++ b/Voyager.sln 
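Review bot: This copy of UefiMain diverges from the 1703-1511 variant changed in the same commit: only the GetBootMgfwPath branch captures `Result` and prints `reason -> %r`, while the LoadImage, InstallBootMgfwHooks and StartImage branches keep the context-line `if (EFI_ERROR(...))` form with fixed messages, so Result is written once and the later failures still report no status. Applying the same rewrites as the 1703 file (`if (EFI_ERROR((Result = gBS->LoadImage(TRUE, ImageHandle, BootMgfwPath, NULL, 0, &BootMgfwHandle))))` with `Print(L"failed to load bootmgfw.efi... reason -> %r\n", Result);`, and likewise for the hook install and StartImage) would keep the two trees in step; sharing one source file between the two projects would remove the duplication altogether. The function continues past the end of the hunk.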
@@ -7,9 +7,13 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PayLoad (Intel)", "PayLoad
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Example", "Usermode Example\Example.vcxproj", "{09B41831-3164-48AD-8660-23457D82B73B}"
 EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Voyager 1 (1703-1511)", "Voyager (1703-1511)\Voyager 1703.vcxproj", "{C4B6B437-62DF-4166-9023-44CFC8A52258}"
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Voyager (1703-1511)", "Voyager (1703-1511)\Voyager 1703.vcxproj", "{C4B6B437-62DF-4166-9023-44CFC8A52258}"
 EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Voyager 1 (2004-1709)", "Voyager (2004-1709)\Voyager 1.vcxproj", "{540D433F-C2DF-49A6-895C-F5C74B014777}"
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Voyager (2004-1709)", "Voyager (2004-1709)\Voyager 1.vcxproj", "{540D433F-C2DF-49A6-895C-F5C74B014777}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Efi Bundler", "Efi Bundler\Efi Bundler.vcxproj", "{EE860038-E3DD-4329-8D44-DF8B9ECBE420}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PayLoad (AMD)", "PayLoad (AMD)\PayLoad (AMD).vcxproj", "{C5122D8B-DEC8-458F-9342-3A4AC3152BEF}"
 EndProject
 Global
 GlobalSection(SolutionConfigurationPlatforms) = preSolution
@@ -83,6 +87,42 @@ Global
 {540D433F-C2DF-49A6-895C-F5C74B014777}.Release|x64.Build.0 = Release|x64
 {540D433F-C2DF-49A6-895C-F5C74B014777}.Release|x86.ActiveCfg = Release|Win32
 {540D433F-C2DF-49A6-895C-F5C74B014777}.Release|x86.Build.0 = Release|Win32
+ {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Debug|ARM.ActiveCfg = Debug|Win32
+ {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Debug|ARM64.ActiveCfg = Debug|Win32
+ {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Debug|x64.ActiveCfg = Debug|x64
+ {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Debug|x64.Build.0 = Debug|x64
+ {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Debug|x86.ActiveCfg = Debug|Win32
+ {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Debug|x86.Build.0 = Debug|Win32
+ {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Release|ARM.ActiveCfg = Release|Win32
+ {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Release|ARM64.ActiveCfg = Release|Win32
+ {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Release|x64.ActiveCfg = Release|x64
+ {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Release|x64.Build.0 = Release|x64
+ {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Release|x86.ActiveCfg = Release|Win32
+ {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Release|x86.Build.0 = Release|Win32
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Debug|ARM.ActiveCfg = Debug|ARM
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Debug|ARM.Build.0 = Debug|ARM
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Debug|ARM.Deploy.0 = Debug|ARM
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Debug|ARM64.ActiveCfg = Debug|ARM64
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Debug|ARM64.Build.0 = Debug|ARM64
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Debug|ARM64.Deploy.0 = Debug|ARM64
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Debug|x64.ActiveCfg = Debug|x64
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Debug|x64.Build.0 = Debug|x64
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Debug|x64.Deploy.0 = Debug|x64
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Debug|x86.ActiveCfg = Debug|Win32
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Debug|x86.Build.0 = Debug|Win32
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Debug|x86.Deploy.0 = Debug|Win32
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Release|ARM.ActiveCfg = Release|ARM
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Release|ARM.Build.0 = Release|ARM
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Release|ARM.Deploy.0 = Release|ARM
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Release|ARM64.ActiveCfg = Release|ARM64
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Release|ARM64.Build.0 = Release|ARM64
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Release|ARM64.Deploy.0 = Release|ARM64
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Release|x64.ActiveCfg = Release|x64
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Release|x64.Build.0 = Release|x64
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Release|x64.Deploy.0 = Release|x64
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Release|x86.ActiveCfg = Release|Win32
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Release|x86.Build.0 = Release|Win32
+ {C5122D8B-DEC8-458F-9342-3A4AC3152BEF}.Release|x86.Deploy.0 = Release|Win32
 EndGlobalSection
 GlobalSection(SolutionProperties) = preSolution
 HideSolutionNode = FALSE