From 05400259c7112a4a027d30ee1d9ce08258ac546a Mon Sep 17 00:00:00 2001
From: xerox
Date: Tue, 22 Sep 2020 12:26:43 -0700
Subject: [PATCH] vmexit hook finally working... had to adjust addresses
---
 TheGoldenRecord/types.h | 8 +-
 TheGoldenRecord/vmexit_handler.cpp | 10 ++-
 Voyager 1/Hvix64.c | 29 ++----
 Voyager 1/Hvix64.h | 6 +-
 Voyager 1/TheGoldenRecord.c | 136 ++++++++++++++---------------
 Voyager 1/TheGoldenRecord.h | 6 +-
 Voyager 1/WinLoad.c | 22 +++--
 7 files changed, 101 insertions(+), 116 deletions(-)
diff --git a/TheGoldenRecord/types.h b/TheGoldenRecord/types.h
index b693a0d..396a2b8 100644
--- a/TheGoldenRecord/types.h
+++ b/TheGoldenRecord/types.h
@@ -31,16 +31,18 @@ typedef struct _context_t
 __m128 xmm4;
 __m128 xmm5;
 } context_t, *pcontext_t;
-using vmexit_handler_t = void (__fastcall*)(pcontext_t* context, void* unknown1, void* unknown2, void* unknown3);
+using vmexit_handler_t = void (__fastcall*)(pcontext_t* context, void* unknown);
 #pragma pack(push, 1)
 typedef struct _VOYAGER_DATA_T
 {
- vmexit_handler_t vmexit_handler;
+ // RVA from golden record entry ---> back to original vmexit handler...
+ uintptr_t vmexit_handler_rva;
 uintptr_t hyperv_module_base;
 uintptr_t hyperv_module_size;
 uintptr_t record_base;
 uintptr_t record_size;
 } VOYAGER_DATA_T, *PVOYAGER_DATA_T;
 #pragma pack(pop)
-__declspec(dllexport) inline PVOYAGER_DATA_T pvoyager_context = nullptr;
\ No newline at end of file
+
+__declspec(dllexport) inline VOYAGER_DATA_T voyager_context;
\ No newline at end of file
diff --git a/TheGoldenRecord/vmexit_handler.cpp b/TheGoldenRecord/vmexit_handler.cpp
index 1e9fc6a..0bb9df9 100644
--- a/TheGoldenRecord/vmexit_handler.cpp
+++ b/TheGoldenRecord/vmexit_handler.cpp
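Review bot: `VOYAGER_DATA_T` is now defined twice with the same `#pragma pack(1)` layout — here with `uintptr_t` fields and in Voyager 1/TheGoldenRecord.h with `UINT64` fields — and MapModule copies the loader-side struct byte-for-byte over the exported `voyager_context`, so any drift in field order or width silently corrupts every field after it. Suggest pinning the layout on both sides, e.g. `static_assert(sizeof(VOYAGER_DATA_T) == 5 * sizeof(uintptr_t), "VOYAGER_DATA_T layout must match the loader");` here and a matching `_Static_assert` next to the TheGoldenRecord.h definition. The new comment on `vmexit_handler_rva` also misnames the value: Hvix64.c stores the difference between the golden record's entry point and hyper-v's vmexit handler, which vmexit_handler.cpp subtracts from its own address, so `// distance (golden-record entry point minus original vmexit handler), taken in the loader's mapping; subtracted from the running entry address in vmexit_handler` describes it better than "RVA". The TheGoldenRecord.h hunk shares the layout concern.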
@@ -1,8 +1,12 @@
 #include "types.h"
-void vmexit_handler(pcontext_t* context, void* unknown1, void* unknown2, void* unknown3)
+void vmexit_handler(pcontext_t* context, void* unknown)
 {
 DBG_PRINT("vmexit called....\n");
- DBG_PRINT("calling original vmexit handler....\n");
- pvoyager_context->vmexit_handler(context, unknown1, unknown2, unknown3);
+
+ // when hyper-v gets remapped out of winload's context
+ // the linear virtual addresses change... thus an adjustment is required...
+ reinterpret_cast(
+ reinterpret_cast(&vmexit_handler) -
+ voyager_context.vmexit_handler_rva)(context, unknown);
 }
\ No newline at end of file
diff --git a/Voyager 1/Hvix64.c b/Voyager 1/Hvix64.c
index 6b29a7b..b6dfc89 100644
--- a/Voyager 1/Hvix64.c
+++ b/Voyager 1/Hvix64.c
@@ -30,9 +30,9 @@ VOID* MapModule(PVOYAGER_DATA_T VoyagerData, UINT8* ImageBase)
 for (UINT16 i = 0; i < ExportDir->AddressOfFunctions; i++)
 {
- if (AsciiStrStr(VoyagerData->ModuleBase + Name[i], "pvoyager_context"))
+ if (AsciiStrStr(VoyagerData->ModuleBase + Name[i], "voyager_context"))
 {
- *(VOID**)(VoyagerData->ModuleBase + Address[Ordinal[i]]) = VoyagerData;
+ *(VOYAGER_DATA_T*)(VoyagerData->ModuleBase + Address[Ordinal[i]]) = *VoyagerData;
 break; // DO NOT REMOVE? Gorilla Code 2020...
 }
 }
@@ -77,16 +77,15 @@ VOID* MapModule(PVOYAGER_DATA_T VoyagerData, UINT8* ImageBase)
 return VoyagerData->ModuleBase + ntHeaders->OptionalHeader.AddressOfEntryPoint;
 }
-PVOYAGER_DATA_T MakeVoyagerData
+VOID MakeVoyagerData
 (
+ PVOYAGER_DATA_T VoyagerData,
 VOID* HypervAlloc,
 UINT64 HypervAllocSize,
 VOID* GoldenRecordAlloc,
 UINT64 GoldenRecordSize
 )
 {
- // the memory for the voyager data is allocated under the memory for the golden record...
- PVOYAGER_DATA_T VoyagerData = (UINT64)GoldenRecordAlloc + GoldenRecordSize;
 VoyagerData->HypervModuleBase = HypervAlloc;
 VoyagerData->HypervModuleSize = HypervAllocSize;
 VoyagerData->ModuleBase = GoldenRecordAlloc;
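Review bot: The address recovered on the `reinterpret_cast(&vmexit_handler) - voyager_context.vmexit_handler_rva` line is the original handler only if `vmexit_handler` is the image's entry point, because Hvix64.c computes the stored difference against `GetGoldenRecordEntry(GoldenRecordAlloc)` rather than against this function; nothing in the patch pins that relationship, so a change of entry point would silently redirect the call. Either take the difference from the same symbol on both sides or record the assumption here, e.g. `// NOTE: relies on vmexit_handler being the module entry point; the stored delta was taken against AddressOfEntryPoint in Hvix64.c`. The template arguments of both `reinterpret_cast` calls appear to have been lost in rendering, so the cast types could not be checked.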
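Review bot: The new struct copy `*(VOYAGER_DATA_T*)(VoyagerData->ModuleBase + Address[Ordinal[i]]) = *VoyagerData;` runs inside a loop bounded by `ExportDir->AddressOfFunctions`, which is the RVA of the export address table, not an entry count; the `Name` and `Ordinal` arrays have `ExportDir->NumberOfNames` entries, so the scan walks past them whenever the name is not matched first. The loop header is context here, but the fix is one line: `for (UINT32 i = 0; i < ExportDir->NumberOfNames; i++)`. `AsciiStrStr` is also a substring test, so `"voyager_context"` matches any decorated name containing that text; that is harmless for a single-export module but an equality check on the full decorated name would be more precise.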
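Review bot: `MakeVoyagerData` now returns `VOID`, and the `@@ -100,11` hunk below removes the `if (!VmExitHandler) return NULL;` guard that followed the signature scan, so a scan miss is no longer reported; the `@@ -115,12` hunk then dereferences `*(INT32*)((UINT64)(VmExitHandlerCall + 1))` through a pointer derived from `NULL + 19` and stores a meaningless `VmExitHandlerRva`, which WinLoad.c goes on to use. Keep a failure path: have the function return a `BOOLEAN` (or `EFI_STATUS`) that is `FALSE` when `VmExitHandler` is `NULL` after the scan, and let the caller skip `MapModule`/`HookVmExit` in that case. The signature-scan portion of this function lies between this hunk and the `@@ -100,11` hunk.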
@@ -100,11 +99,6 @@ PVOYAGER_DATA_T MakeVoyagerData
 "xxxxxxxxxxxxx?xxxx?x????x"
 );
- DBG_PRINT("VmExitHandler Call Signature Result -> 0x%p\n", VmExitHandler);
-
- if (!VmExitHandler)
- return NULL;
-
 /*
 .text:FFFFF80000237436 mov rcx, [rsp+arg_18] ; rcx = pointer to stack that contians all register values
 .text:FFFFF8000023743B mov rdx, [rsp+arg_28]
@@ -115,12 +109,7 @@ PVOYAGER_DATA_T MakeVoyagerData
 UINT64 VmExitHandlerCall = ((UINT64)VmExitHandler) + 19; // + 19 bytes to -> call vmexit_c_handler
 UINT64 VmExitHandlerCallRip = (UINT64)VmExitHandlerCall + 5; // + 5 bytes because "call vmexit_c_handler" is 5 bytes
 UINT64 VmExitFunction = VmExitHandlerCallRip + *(INT32*)((UINT64)(VmExitHandlerCall + 1)); // + 1 to skip E8 (call) and read 4 bytes (RVA)
- VoyagerData->VmExitHandler = VmExitFunction;
-
- DBG_PRINT("VmExitHandlerCall -> 0x%p\n", VmExitHandlerCall);
- DBG_PRINT("VmExitHandlerCallRip -> 0x%p\n", VmExitHandlerCallRip);
- DBG_PRINT("VmExitFunction -> 0x%p\n", VmExitFunction);
- return VoyagerData;
+ VoyagerData->VmExitHandlerRva = ((UINT64)GetGoldenRecordEntry(GoldenRecordAlloc)) - (UINT64)VmExitFunction;
 }
 VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook)
@@ -133,8 +122,6 @@ VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook)
 "xxxxxxxxxxxxx?xxxx?x????x"
 );
- DBG_PRINT("VmExitHandler Call Signature Result -> 0x%p\n", VmExitHandler);
-
 /*
 .text:FFFFF80000237436 mov rcx, [rsp+arg_18] ; rcx = pointer to stack that contians all register values
 .text:FFFFF8000023743B mov rdx, [rsp+arg_28]
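Review bot: `VoyagerData->VmExitHandlerRva = ((UINT64)GetGoldenRecordEntry(GoldenRecordAlloc)) - (UINT64)VmExitFunction;` stores the difference between two addresses in winload's mapping, not an RVA; `UINT64` is arithmetically fine (unsigned wrap-around makes the later subtraction in vmexit_handler.cpp exact) but the name and the missing comment hide what the value is. Suggest `// distance from the golden record's entry point back to hyper-v's vmexit handler; still valid after hyper-v is remapped because WinLoad.c places the record inside the hyper-v image` above the assignment. The line also depends on `GetGoldenRecordEntry(GoldenRecordAlloc)` being valid before MapModule has copied the image into that allocation (WinLoad.c calls MakeVoyagerData first), which presumably holds only if it derives the address from the embedded `GoldenRecord[]` headers — worth confirming and stating.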
@@ -147,11 +134,5 @@ VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook)
 UINT64 VmExitFunction = VmExitHandlerCallRip + *(INT32*)((UINT64)(VmExitHandlerCall + 1)); // + 1 to skip E8 (call) and read 4 bytes (RVA)
 INT32 NewVmExitRVA = ((INT64)VmExitHook) - VmExitHandlerCallRip;
 *(INT32*)((UINT64)(VmExitHandlerCall + 1)) = NewVmExitRVA;
-
- DBG_PRINT("VmExitHandlerCall -> 0x%p\n", VmExitHandlerCall);
- DBG_PRINT("VmExitHandlerCallRip -> 0x%p\n", VmExitHandlerCallRip);
- DBG_PRINT("VmExitFunction -> 0x%p\n", VmExitFunction);
- DBG_PRINT("NewVmExitRVA -> 0x%x\n", NewVmExitRVA);
-
 return VmExitFunction;
 }
\ No newline at end of file
diff --git a/Voyager 1/Hvix64.h b/Voyager 1/Hvix64.h
index 46f2ab9..95c4c04 100644
--- a/Voyager 1/Hvix64.h
+++ b/Voyager 1/Hvix64.h
@@ -17,11 +17,11 @@ VOID* MapModule(PVOYAGER_DATA_T VoyagerData, UINT8* ImageBase);
 VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook);
 //
-// Given hyper-v's base address and size, sig scan it for vmexit handler, then construct "VOYAGER_DATA_T"
-// using memory already allocated under hyper-v and under the memory allocated for the golden record...
+// creates a structure with all the data needed to be passed to the golden record...
 //
-PVOYAGER_DATA_T MakeVoyagerData
+VOID MakeVoyagerData
 (
+ PVOYAGER_DATA_T VoyagerData,
 VOID* HypervAlloc,
 UINT64 HypervAllocSize,
 VOID* GoldenRecordAlloc,
diff --git a/Voyager 1/TheGoldenRecord.c b/Voyager 1/TheGoldenRecord.c
index 49e51e7..71462ca 100644
--- a/Voyager 1/TheGoldenRecord.c
+++ b/Voyager 1/TheGoldenRecord.c
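Review bot: The replacement header comment `// creates a structure with all the data needed to be passed to the golden record...` drops what the old one told a reader — that the function signature-scans hyper-v for the vmexit handler and that the scan may come back empty — and says nothing about `VoyagerData` being caller-provided storage that is filled in. Suggest a comment along the lines of `// Fills *VoyagerData with the hyper-v and golden-record bases/sizes passed in, plus VmExitHandlerRva: the distance from the golden record's entry point to hyper-v's vmexit handler, located by signature scan.` The prototype's remaining parameters continue past this hunk.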
@@ -44,18 +44,18 @@ unsigned char GoldenRecord[3072] = 0x6A, 0xDE, 0x5F, 0x8E, 0xDC, 0xAF, 0x5D, 0x8F, 0x6A, 0xDE, 0x5F, 0x8E, 0x52, 0x69, 0x63, 0x68, 0x6B, 0xDE, 0x5F, 0x8E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x45, 0x00, 0x00, 0x64, 0x86, 0x05, 0x00, - 0xB2, 0x81, 0x69, 0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xFD, 0x47, 0x6A, 0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF0, 0x00, 0x22, 0x20, 0x0B, 0x02, 0x0E, 0x1B, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x60, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x64, 0xAF, 0x00, 0x00, + 0x00, 0x60, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x2B, 0x34, 0x00, 0x00, 0x01, 0x00, 0x60, 0x01, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, - 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x6D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 
@@ -66,20 +66,20 @@ unsigned char GoldenRecord[3072] = 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x00, 0x00, 0x00, - 0x75, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, + 0x35, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x68, 0x2E, 0x72, 0x64, 0x61, - 0x74, 0x61, 0x00, 0x00, 0x34, 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, + 0x74, 0x61, 0x00, 0x00, 0x30, 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x48, - 0x2E, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, + 0x2E, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0xC8, 0x2E, 0x70, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x48, 0x2E, 0x65, 0x64, 0x61, - 0x74, 0x61, 0x00, 0x00, 0x72, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, + 0x74, 0x61, 0x00, 0x00, 0x6D, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
@@ -113,38 +113,32 @@ unsigned char GoldenRecord[3072] = 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x4C, 0x89, 0x4C, 0x24, 0x20, 0x4C, 0x89, 0x44, - 0x24, 0x18, 0x48, 0x89, 0x54, 0x24, 0x10, 0x48, 0x89, 0x4C, 0x24, 0x08, - 0x56, 0x48, 0x83, 0xEC, 0x30, 0x48, 0x8D, 0x05, 0xE0, 0x00, 0x00, 0x00, - 0x66, 0xBA, 0xF8, 0x02, 0x48, 0x8B, 0xF0, 0xB9, 0x13, 0x00, 0x00, 0x00, - 0xF3, 0x6E, 0x48, 0x83, 0x3D, 0xCA, 0x1F, 0x00, 0x00, 0x00, 0x74, 0x15, - 0x48, 0x8D, 0x05, 0xE1, 0x00, 0x00, 0x00, 0x66, 0xBA, 0xF8, 0x02, 0x48, - 0x8B, 0xF0, 0xB9, 0x2E, 0x00, 0x00, 0x00, 0xF3, 0x6E, 0xC7, 0x44, 0x24, - 0x20, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0A, 0x8B, 0x44, 0x24, 0x20, 0xFF, - 0xC0, 0x89, 0x44, 0x24, 0x20, 0x83, 0x7C, 0x24, 0x20, 0x08, 0x73, 0x16, - 0x8B, 0x44, 0x24, 0x20, 0x48, 0x8D, 0x0D, 0x8D, 0x1F, 0x00, 0x00, 0x66, - 0xBA, 0xF8, 0x02, 0x0F, 0xB6, 0x04, 0x01, 0xEE, 0xEB, 0xD9, 0xC7, 0x44, - 0x24, 0x24, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0A, 0x8B, 0x44, 0x24, 0x24, - 0xFF, 0xC0, 0x89, 0x44, 0x24, 0x24, 0x83, 0x7C, 0x24, 0x24, 0x08, 0x73, - 0x16, 0x8B, 0x44, 0x24, 0x24, 0x48, 0x8B, 0x0D, 0x5C, 0x1F, 0x00, 0x00, - 0x66, 0xBA, 0xF8, 0x02, 0x0F, 0xB6, 0x04, 0x01, 0xEE, 0xEB, 0xD9, 0x48, - 0x8D, 0x05, 0x9A, 0x00, 0x00, 0x00, 0x66, 0xBA, 0xF8, 0x02, 0x48, 0x8B, - 0xF0, 0xB9, 0x25, 0x00, 0x00, 0x00, 0xF3, 0x6E, 0x48, 0x8B, 0x05, 0x35, - 0x1F, 0x00, 0x00, 0x48, 0x8B, 0x00, 0x48, 0x89, 0x44, 0x24, 0x28, 0x4C, - 0x8B, 0x4C, 0x24, 0x58, 0x4C, 0x8B, 0x44, 0x24, 0x50, 0x48, 0x8B, 0x54, - 0x24, 0x48, 0x48, 0x8B, 0x4C, 0x24, 0x40, 0xFF, 0x54, 0x24, 0x28, 0x48, - 0x83, 0xC4, 0x30, 0x5E, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, - 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0x76, 0x6D, 0x65, 0x78, - 0x69, 0x74, 0x20, 0x63, 0x61, 0x6C, 0x6C, 0x65, 0x64, 0x2E, 0x2E, 0x2E, - 0x2E, 0x0A, 0x00, 
0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, - 0xCC, 0xCC, 0xCC, 0xCC, 0x70, 0x6F, 0x69, 0x6E, 0x74, 0x65, 0x72, 0x20, - 0x74, 0x6F, 0x20, 0x76, 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x20, 0x63, - 0x6F, 0x6E, 0x74, 0x65, 0x78, 0x74, 0x20, 0x69, 0x73, 0x20, 0x6E, 0x6F, - 0x74, 0x20, 0x6E, 0x75, 0x6C, 0x6C, 0x70, 0x74, 0x72, 0x2E, 0x2E, 0x2E, - 0x0A, 0x00, 0xCC, 0xCC, 0x63, 0x61, 0x6C, 0x6C, 0x69, 0x6E, 0x67, 0x20, + 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x10, 0x48, 0x89, 0x4C, + 0x24, 0x08, 0x56, 0x48, 0x83, 0xEC, 0x40, 0x48, 0x8D, 0x05, 0xAA, 0x00, + 0x00, 0x00, 0x66, 0xBA, 0xF8, 0x02, 0x48, 0x8B, 0xF0, 0xB9, 0x13, 0x00, + 0x00, 0x00, 0xF3, 0x6E, 0x48, 0x83, 0x3D, 0xD4, 0x1F, 0x00, 0x00, 0x00, + 0x74, 0x15, 0x48, 0x8D, 0x05, 0xAB, 0x00, 0x00, 0x00, 0x66, 0xBA, 0xF8, + 0x02, 0x48, 0x8B, 0xF0, 0xB9, 0x26, 0x00, 0x00, 0x00, 0xF3, 0x6E, 0x48, + 0x8D, 0x05, 0xC6, 0x00, 0x00, 0x00, 0x66, 0xBA, 0xF8, 0x02, 0x48, 0x8B, + 0xF0, 0xB9, 0x25, 0x00, 0x00, 0x00, 0xF3, 0x6E, 0x48, 0x8D, 0x05, 0xA1, + 0xFF, 0xFF, 0xFF, 0x48, 0x89, 0x44, 0x24, 0x28, 0xC7, 0x44, 0x24, 0x20, + 0x00, 0x00, 0x00, 0x00, 0xEB, 0x0A, 0x8B, 0x44, 0x24, 0x20, 0xFF, 0xC0, + 0x89, 0x44, 0x24, 0x20, 0x83, 0x7C, 0x24, 0x20, 0x08, 0x73, 0x10, 0x8B, + 0x44, 0x24, 0x20, 0x66, 0xBA, 0xF8, 0x02, 0x0F, 0xB6, 0x44, 0x04, 0x28, + 0xEE, 0xEB, 0xDF, 0x48, 0x8D, 0x05, 0x6A, 0xFF, 0xFF, 0xFF, 0x48, 0x2B, + 0x05, 0x63, 0x1F, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8B, + 0x54, 0x24, 0x58, 0x48, 0x8B, 0x4C, 0x24, 0x50, 0xFF, 0x54, 0x24, 0x30, + 0x48, 0x83, 0xC4, 0x40, 0x5E, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, + 0xCC, 0xCC, 0xCC, 0xCC, 0x76, 0x6D, 0x65, 0x78, 0x69, 0x74, 0x20, 0x63, + 0x61, 0x6C, 0x6C, 0x65, 0x64, 0x2E, 0x2E, 0x2E, 0x2E, 0x0A, 0x00, 0xCC, + 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0x6F, 0x72, 0x69, 0x67, 0x69, 0x6E, 0x61, 0x6C, 0x20, 0x76, 0x6D, 0x65, - 0x78, 0x69, 0x74, 0x20, 0x68, 0x61, 0x6E, 0x64, 0x6C, 0x65, 0x72, 0x2E, - 0x2E, 0x2E, 0x2E, 
0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x78, 0x69, 0x74, 0x20, 0x68, 0x61, 0x6E, 0x64, 0x6C, 0x65, 0x72, 0x20, + 0x69, 0x73, 0x20, 0x6E, 0x6F, 0x74, 0x20, 0x6E, 0x75, 0x6C, 0x6C, 0x21, + 0x0A, 0x00, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, + 0x63, 0x61, 0x6C, 0x6C, 0x69, 0x6E, 0x67, 0x20, 0x6F, 0x72, 0x69, 0x67, + 0x69, 0x6E, 0x61, 0x6C, 0x20, 0x76, 0x6D, 0x65, 0x78, 0x69, 0x74, 0x20, + 0x68, 0x61, 0x6E, 0x64, 0x6C, 0x65, 0x72, 0x2E, 0x2E, 0x2E, 0x2E, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
@@ -156,32 +150,38 @@ unsigned char GoldenRecord[3072] = 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0xB2, 0x81, 0x69, 0x5F, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x00, 0x00, 0x5E, 0x00, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00, - 0x38, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB2, 0x81, 0x69, 0x5F, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xFD, 0x47, 0x6A, 0x5F, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00, + 0x38, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFD, 0x47, 0x6A, 0x5F, 0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, - 0x98, 0x20, 0x00, 0x00, 0x98, 0x06, 0x00, 0x00, 0x52, 0x53, 0x44, 0x53, - 0x15, 0x24, 0xC8, 0xF1, 0xA0, 0x02, 0xC2, 0x40, 0x8E, 0xEB, 0x6B, 0xB2, - 0x6C, 0x94, 0x11, 0xDD, 0x02, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x55, - 0x73, 0x65, 0x72, 0x73, 0x5C, 0x78, 0x65, 0x72, 0x6F, 0x78, 0x5C, 0x73, - 0x6F, 0x75, 0x72, 0x63, 0x65, 0x5C, 0x72, 0x65, 0x70, 0x6F, 0x73, 0x5C, - 0x56, 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x20, 0x31, 0x5C, 0x78, 0x36, - 0x34, 0x5C, 0x52, 0x65, 0x6C, 0x65, 0x61, 0x73, 0x65, 0x5C, 0x54, 0x68, - 0x65, 0x47, 0x6F, 0x6C, 0x64, 0x65, 0x6E, 0x52, 0x65, 0x63, 0x6F, 0x72, - 0x64, 0x2E, 0x70, 0x64, 0x62, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, - 0x74, 0x24, 0x6D, 0x6E, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, - 0x75, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x73, 0x00, - 0x00, 0x20, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61, - 0x74, 0x61, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00, 0xF0, 0x00, 0x00, 0x00, - 0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x24, 0x7A, 0x7A, 0x7A, 0x64, 0x62, - 0x67, 0x00, 0x00, 0x00, 0x28, 0x21, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, - 0x2E, 0x78, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, - 0x08, 0x00, 0x00, 0x00, 0x2E, 0x62, 0x73, 0x73, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x40, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x2E, 0x70, 0x64, 0x61, - 0x74, 0x61, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x72, 0x00, 0x00, 0x00, - 0x2E, 0x65, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x02, 0x19, 0x04, 0x00, - 0x02, 0x16, 0x00, 0x06, 0x19, 0x52, 0x15, 0x60, 0x00, 0x00, 0x00, 0x00, + 0x94, 0x20, 0x00, 0x00, 0x94, 0x06, 0x00, 0x00, 0x52, 0x53, 0x44, 0x53, + 0x81, 0x50, 0x3F, 0x70, 0x94, 0x55, 0xE7, 0x4B, 0xAE, 0x3B, 0x1D, 0x5A, + 0x58, 0x81, 0x93, 0xE4, 0x01, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x55, + 0x73, 0x65, 0x72, 0x73, 0x5C, 0x78, 0x65, 0x72, 0x6F, 0x78, 0x5C, 0x44, + 0x65, 0x73, 0x6B, 0x74, 0x6F, 0x70, 0x5C, 0x76, 0x6F, 0x79, 0x61, 0x67, + 0x65, 0x72, 0x2D, 0x31, 0x5C, 0x78, 0x36, 0x34, 0x5C, 0x52, 0x65, 0x6C, + 0x65, 0x61, 0x73, 0x65, 0x5C, 0x54, 0x68, 0x65, 0x47, 0x6F, 0x6C, 0x64, + 0x65, 0x6E, 0x52, 0x65, 0x63, 0x6F, 0x72, 0x64, 0x2E, 0x70, 0x64, 0x62, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, + 0xC0, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x6D, 0x6E, + 0x00, 0x00, 0x00, 0x00, 0xC0, 0x10, 0x00, 0x00, 0x75, 0x00, 0x00, 0x00, + 0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x73, 0x00, 0x00, 0x20, 0x00, 0x00, + 0x38, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, + 0x38, 0x20, 0x00, 0x00, 0xEC, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61, + 0x74, 0x61, 0x24, 0x7A, 0x7A, 0x7A, 0x64, 0x62, 0x67, 0x00, 0x00, 0x00, + 0x24, 0x21, 0x00, 0x00, 
0x0C, 0x00, 0x00, 0x00, 0x2E, 0x78, 0x64, 0x61, + 0x74, 0x61, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, + 0x2E, 0x62, 0x73, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, + 0x0C, 0x00, 0x00, 0x00, 0x2E, 0x70, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, + 0x00, 0x50, 0x00, 0x00, 0x6D, 0x00, 0x00, 0x00, 0x2E, 0x65, 0x64, 0x61, + 0x74, 0x61, 0x00, 0x00, 0x02, 0x0F, 0x04, 0x00, 0x02, 0x16, 0x00, 0x06, + 0x0F, 0x72, 0x0B, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, @@ -199,7 +199,7 @@ unsigned char GoldenRecord[3072] = 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, - 0xF1, 0x10, 0x00, 0x00, 0x28, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xB6, 0x10, 0x00, 0x00, 0x24, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
@@ -247,10 +247,10 @@ unsigned char GoldenRecord[3072] = 0x2C, 0x50, 0x00, 0x00, 0x30, 0x50, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x46, 0x50, 0x00, 0x00, 0x00, 0x00, 0x54, 0x68, 0x65, 0x47, 0x6F, 0x6C, 0x64, 0x65, 0x6E, 0x52, 0x65, 0x63, 0x6F, 0x72, 0x64, 0x2E, 0x64, 0x6C, - 0x6C, 0x00, 0x3F, 0x70, 0x76, 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x5F, - 0x63, 0x6F, 0x6E, 0x74, 0x65, 0x78, 0x74, 0x40, 0x40, 0x33, 0x50, 0x45, - 0x41, 0x55, 0x5F, 0x56, 0x4F, 0x59, 0x41, 0x47, 0x45, 0x52, 0x5F, 0x44, - 0x41, 0x54, 0x41, 0x5F, 0x54, 0x40, 0x40, 0x45, 0x41, 0x00, 0x00, 0x00, + 0x6C, 0x00, 0x3F, 0x76, 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x5F, 0x63, + 0x6F, 0x6E, 0x74, 0x65, 0x78, 0x74, 0x40, 0x40, 0x33, 0x55, 0x5F, 0x56, + 0x4F, 0x59, 0x41, 0x47, 0x45, 0x52, 0x5F, 0x44, 0x41, 0x54, 0x41, 0x5F, + 0x54, 0x40, 0x40, 0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, diff --git a/Voyager 1/TheGoldenRecord.h b/Voyager 1/TheGoldenRecord.h index 3f3869b..a5d81a7 100644 --- a/Voyager 1/TheGoldenRecord.h +++ b/Voyager 1/TheGoldenRecord.h @@ -5,13 +5,13 @@ extern unsigned char GoldenRecord[3072]; #pragma pack(push, 1) typedef struct _VOYAGER_DATA_T { - VOID* VmExitHandler; + UINT64 VmExitHandlerRva; UINT64 HypervModuleBase; UINT64 HypervModuleSize; UINT64 ModuleBase; UINT64 ModuleSize; -} _VOYAGER_DATA, * PVOYAGER_DATA_T; +} VOYAGER_DATA_T, * PVOYAGER_DATA_T; #pragma pack(pop) UINT32 GetGoldenRecordSize(VOID); -VOID* GetGoldenRecordEntry(VOID); \ No newline at end of file +VOID* GetGoldenRecordEntry(VOID* ModuleBase); \ No newline at end of file diff --git a/Voyager 1/WinLoad.c b/Voyager 1/WinLoad.c index 35bae24..424ba12 100644 --- a/Voyager 1/WinLoad.c +++ b/Voyager 1/WinLoad.c 
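Review bot: `VOID* GetGoldenRecordEntry(VOID* ModuleBase);` gains a parameter with no comment, and the call visible in Hvix64.c passes the allocation before MapModule has copied the image there (WinLoad.c calls MakeVoyagerData first), so the declaration should state whether the result comes from the embedded `GoldenRecord[]` headers or from memory at `ModuleBase`. Something like `// entry point of the golden record as it will appear when mapped at ModuleBase; computed from the embedded image headers, ModuleBase need not be populated yet` — adjusted to what the implementation actually does, which is not in this patch.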
@@ -46,35 +46,33 @@ EFI_STATUS EFIAPI BlLdrLoadImage(VOID* Arg1, CHAR16* ModulePath, CHAR16* ModuleN
 {
 if (!AsciiStrCmp(&pSection->Name, ".reloc"))
 {
- PVOYAGER_DATA_T VoyagerData = MakeVoyagerData
+ VOYAGER_DATA_T VoyagerData;
+ MakeVoyagerData
 (
- // hyper-v allocation...
+ &VoyagerData,
 TableEntry->ModuleBase,
 TableEntry->SizeOfImage,
-
- // space for golden record is going to be in .reloc section after .reloc data (dont overwrite anything)
 TableEntry->ModuleBase + pSection->VirtualAddress + pSection->Misc.VirtualSize,
 GetGoldenRecordSize()
 );
- VOID* VmExitHook = MapModule(VoyagerData, GoldenRecord);
- // this makes hyper-v not load/work
+ VOID* VmExitHook = MapModule(&VoyagerData, GoldenRecord);
 VOID* VmExitFunction = HookVmExit
 (
- VoyagerData->HypervModuleBase,
- VoyagerData->HypervModuleSize,
+ VoyagerData.HypervModuleBase,
+ VoyagerData.HypervModuleSize,
 VmExitHook
 );
 pSection->Characteristics = SECTION_RWX;
- pSection->Misc.VirtualSize += GetGoldenRecordSize() + sizeof(_VOYAGER_DATA);
+ pSection->Misc.VirtualSize += GetGoldenRecordSize();
 DBG_PRINT("VmExitHook (PayLoad Entry Point) -> 0x%p\n", VmExitHook);
 }
 }
 // This fixes the allocation size to include whatever we want... dont ask me why this works it just does... LOL
- HypervNtHeader->OptionalHeader.SizeOfImage += GetGoldenRecordSize() + sizeof(_VOYAGER_DATA);
- TableEntry->SizeOfImage += GetGoldenRecordSize() + sizeof(_VOYAGER_DATA);
+ HypervNtHeader->OptionalHeader.SizeOfImage += GetGoldenRecordSize();
+ TableEntry->SizeOfImage += GetGoldenRecordSize();
 }
 DBG_PRINT("[%s] Image Base -> 0x%p, Image Size -> 0x%x\n", __FUNCTION__, (*lplpTableEntry)->ModuleBase, (*lplpTableEntry)->SizeOfImage);
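Review bot: `VOYAGER_DATA_T VoyagerData;` is left indeterminate, and MapModule later copies the whole struct into the image with `*VoyagerData`, so any field MakeVoyagerData leaves untouched (`ModuleSize` is assigned outside the visible hunks — confirm; `VmExitHandlerRva` is only meaningful when the signature scan succeeds) would be written out as stack garbage. `VOYAGER_DATA_T VoyagerData = {0};` costs nothing and turns a missed field into a zero rather than a random address. `VmExitFunction` returned by HookVmExit is still never read before the enclosing `}`; either drop the local or mark it `(VOID)VmExitFunction;` if it is kept for debugging. BlLdrLoadImage begins before this hunk.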
@@ -96,7 +94,7 @@ UINT64 EFIAPI BlImgAllocateImageBuffer(VOID** imageBuffer, UINTN imageSize, UINT
 if (HyperVloading && !ExtendedAllocation && ++AllocationCount == 2)
 {
 ExtendedAllocation = TRUE;
- imageSize += GetGoldenRecordSize() + sizeof(_VOYAGER_DATA);
+ imageSize += GetGoldenRecordSize();
 // allocate the entire hyper-v module as rwx...
 memoryType = BL_MEMORY_ATTRIBUTE_RWX;