148 lines
4.7 KiB
148 lines
4.7 KiB
#pragma once
|
|
#include "PayLoad.h"
|
|
#include "Hv.h"
|
|
#include "ShitHook.h"
|
|
#include "PagingTables.h"
|
|
|
|
extern SHITHOOK HvLoadImageHook;
|
|
extern SHITHOOK HvLoadAllocImageHook;
|
|
extern SHITHOOK HvLoadImageBufferHook;
|
|
extern SHITHOOK TransferControlShitHook;
|
|
|
|
#define HV_ALLOCATE_IMAGE_BUFFER_SIG "\xE8\x00\x00\x00\x00\x8B\xF8\x85\xC0\x79\x0A"
|
|
#define HV_ALLOCATE_IMAGE_BUFFER_MASK "x????xxxxxx"
|
|
static_assert(sizeof(HV_ALLOCATE_IMAGE_BUFFER_SIG) == sizeof(HV_ALLOCATE_IMAGE_BUFFER_MASK), "signature and mask do not match size!");
|
|
|
|
#define HV_LOAD_PE_IMG_FROM_BUFFER_SIG "\xE8\x00\x00\x00\x00\x44\x8B\xAD"
|
|
#define HV_LOAD_PE_IMG_FROM_BUFFER_MASK "x????xxx"
|
|
static_assert(sizeof(HV_LOAD_PE_IMG_FROM_BUFFER_SIG) == sizeof(HV_LOAD_PE_IMG_FROM_BUFFER_MASK), "signature and mask do not match size!");
|
|
|
|
#define HV_LOAD_PE_IMG_SIG "\x48\x89\x44\x24\x00\xE8\x00\x00\x00\x00\x44\x8B\xF0\x85\xC0\x0F\x88\x00\x00\x00\x00\x4C\x8D\x45"
|
|
#define HV_LOAD_PE_IMG_MASK "xxxx?x????xxxxxxx????xxx"
|
|
static_assert(sizeof(HV_LOAD_PE_IMG_SIG) == sizeof(HV_LOAD_PE_IMG_MASK), "signature and mask do not match size...");
|
|
|
|
// 1703-1511
|
|
//
|
|
// winload.HvlpTransferToHypervisor is used to transfer control to hyper-v...
|
|
// on 2004-1709, this function is going to be inside of hvloader.dll...
|
|
#define TRANS_TO_HV_SIG "\x48\x8B\x51\x10\x48\x8B\x49\x18\xE8"
|
|
#define TRANS_TO_HV_MASK "xxxxxxxxx"
|
|
static_assert(sizeof(TRANS_TO_HV_SIG) == sizeof(TRANS_TO_HV_MASK), "signature and mask do not match size...");
|
|
|
|
typedef EFI_STATUS(EFIAPI* ALLOCATE_IMAGE_BUFFER)(VOID** imageBuffer, UINTN imageSize, UINT32 memoryType,
|
|
UINT32 attributes, VOID* unused, UINT32 Value);
|
|
|
|
typedef EFI_STATUS(EFIAPI* HV_LDR_LOAD_IMAGE_BUFFER)(VOID* a1, VOID* a2, VOID* a3, VOID* a4, UINT64* ImageBase,
|
|
UINT32* ImageSize, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14, VOID* a15);
|
|
|
|
typedef EFI_STATUS(EFIAPI* HV_LDR_LOAD_IMAGE)(VOID* DeviceId, VOID* MemoryType, CHAR16* Path, VOID** ImageBase, UINT32* ImageSize,
|
|
VOID* Hash, VOID* Flags, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13);
|
|
|
|
/// <summary>
|
|
/// hook on hvloader.BlImgAllocateImageBuffer, hooked to extend the
|
|
/// allocation size....
|
|
/// </summary>
|
|
/// <param name="imageBuffer">pass by ref pointer to allocations base...</param>
|
|
/// <param name="imageSize">size of allocation...</param>
|
|
/// <param name="memoryType"></param>
|
|
/// <param name="attributes"></param>
|
|
/// <param name="unused"></param>
|
|
/// <param name="flags"></param>
|
|
/// <returns></returns>
|
|
UINT64 EFIAPI HvBlImgAllocateImageBuffer
|
|
(
|
|
VOID** imageBuffer,
|
|
UINTN imageSize,
|
|
UINT32 memoryType,
|
|
UINT32 attributes,
|
|
VOID* unused,
|
|
UINT32 Value
|
|
);
|
|
|
|
/// <summary>
|
|
/// hook on hvloader.BlImgLoadPEImageEx... hyper-v is loaded into memory
|
|
/// by this function so im hooking it to extend it/inject into it.
|
|
/// </summary>
|
|
/// <param name="DeviceId"></param>
|
|
/// <param name="MemoryType"></param>
|
|
/// <param name="Path"></param>
|
|
/// <param name="ImageBase"></param>
|
|
/// <param name="ImageSize"></param>
|
|
/// <param name="Hash"></param>
|
|
/// <param name="Flags"></param>
|
|
/// <param name="a8"></param>
|
|
/// <param name="a9"></param>
|
|
/// <param name="a10"></param>
|
|
/// <param name="a11"></param>
|
|
/// <param name="a12"></param>
|
|
/// <param name="a13"></param>
|
|
/// <returns></returns>
|
|
EFI_STATUS EFIAPI HvBlImgLoadPEImageEx
|
|
(
|
|
VOID* DeviceId,
|
|
VOID* MemoryType,
|
|
CHAR16* Path,
|
|
UINT64* ImageBase,
|
|
UINT32* ImageSize,
|
|
VOID* Hash,
|
|
VOID* Flags,
|
|
VOID* a8,
|
|
VOID* a9,
|
|
VOID* a10,
|
|
VOID* a11,
|
|
VOID* a12,
|
|
VOID* a13
|
|
);
|
|
|
|
/// <summary>
|
|
/// for some reason 1703 hvloader.BlImgLoadPEImageFromSourceBuffer is called
|
|
/// to load hyper-v into memory... Hooking this like i hook hvloader.BlImgLoadPEImageEx...
|
|
/// </summary>
|
|
/// <param name="a1"></param>
|
|
/// <param name="a2"></param>
|
|
/// <param name="a3"></param>
|
|
/// <param name="a4"></param>
|
|
/// <param name="ImageBase"></param>
|
|
/// <param name="ImageSize"></param>
|
|
/// <param name="a7"></param>
|
|
/// <param name="a8"></param>
|
|
/// <param name="a9"></param>
|
|
/// <param name="a10"></param>
|
|
/// <param name="a11"></param>
|
|
/// <param name="a12"></param>
|
|
/// <param name="a13"></param>
|
|
/// <param name="a14"></param>
|
|
/// <param name="a15"></param>
|
|
/// <returns></returns>
|
|
EFI_STATUS EFIAPI HvBlImgLoadPEImageFromSourceBuffer
|
|
(
|
|
VOID* a1,
|
|
VOID* a2,
|
|
VOID* a3,
|
|
VOID* a4,
|
|
UINT64* ImageBase,
|
|
UINT32* ImageSize,
|
|
VOID* a7,
|
|
VOID* a8,
|
|
VOID* a9,
|
|
VOID* a10,
|
|
VOID* a11,
|
|
VOID* a12,
|
|
VOID* a13,
|
|
VOID* a14,
|
|
VOID* a15
|
|
);
|
|
|
|
/// <summary>
|
|
/// called when the hypervisor is started...
|
|
/// </summary>
|
|
/// <param name="Pml4PhysicalAddress">the physical address of hyper-v's pml4...</param>
|
|
/// <param name="Unknown"></param>
|
|
/// <param name="AssemblyStub">assembly stub to set CR3...</param>
|
|
VOID TransferToHyperV
|
|
(
|
|
UINT64 Pml4PhysicalAddress,
|
|
VOID* Unknown,
|
|
VOID* AssemblyStub,
|
|
VOID* Unknown2
|
|
); |