idk what i added

Efi Bundler/Efi Bundler.sln

@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.30503.244
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Efi Bundler", "Efi Bundler.vcxproj", "{EE860038-E3DD-4329-8D44-DF8B9ECBE420}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Debug|x64.ActiveCfg = Debug|x64
+		{EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Debug|x64.Build.0 = Debug|x64
+		{EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Debug|x86.ActiveCfg = Debug|Win32
+		{EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Debug|x86.Build.0 = Debug|Win32
+		{EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Release|x64.ActiveCfg = Release|x64
+		{EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Release|x64.Build.0 = Release|x64
+		{EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Release|x86.ActiveCfg = Release|Win32
+		{EE860038-E3DD-4329-8D44-DF8B9ECBE420}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {6F313696-ED35-4BFB-B825-E3E8861D12E3}
+	EndGlobalSection
+EndGlobal

Efi Bundler/bundler.cpp

@@ -2,9 +2,9 @@
 
 namespace bundler
 {
-	std::pair<std::u32_t, std::u32_t> add_section(std::vector<std::u8_t>& image, const char* name, std::size_t size, std::u32_t protect)
+	std::pair<std::uint32_t, std::uint32_t> add_section(std::vector<std::uint8_t>& image, const char* name, std::size_t size, std::uint32_t protect)
 	{
-		auto align = [](std::u32_t size, std::u32_t align, std::u32_t addr) -> std::u32_t
+		auto align = [](std::uint32_t size, std::uint32_t align, std::uint32_t addr) -> std::uint32_t
 		{
 			if (!(size % align))
 				return addr + size;
@@ -12,7 +12,7 @@ namespace bundler
 		};
 
 		auto section_header = reinterpret_cast<PIMAGE_SECTION_HEADER>(
-			((u64)&NT_HEADER(image.data())->OptionalHeader) +
+			((std::uint64_t)&NT_HEADER(image.data())->OptionalHeader) +
 				NT_HEADER(image.data())->FileHeader.SizeOfOptionalHeader);
 
 		auto new_section = &section_header[NT_HEADER(image.data())->FileHeader.NumberOfSections];
@@ -51,12 +51,12 @@ namespace bundler
 	}
 
 	// module_base is .efi section base in this case...
-	std::u32_t map_module(std::u8_t* module_base, std::vector<std::u8_t>& map_from)
+	std::uint32_t map_module(std::uint8_t* module_base, std::vector<std::uint8_t>& map_from)
 	{
 		// copy nt headers...
 		memcpy(module_base, map_from.data(), NT_HEADER(map_from.data())->OptionalHeader.SizeOfHeaders);
 		auto sections = reinterpret_cast<PIMAGE_SECTION_HEADER>(
-			(u8*)&NT_HEADER(map_from.data())->OptionalHeader +
+			(std::uint8_t*)&NT_HEADER(map_from.data())->OptionalHeader +
 				NT_HEADER(map_from.data())->FileHeader.SizeOfOptionalHeader);
 
 		// copy sections...
@@ -69,7 +69,7 @@ namespace bundler
 		return NT_HEADER(map_from.data())->OptionalHeader.AddressOfEntryPoint;
 	}
 
-	void bundle(std::vector<std::u8_t>& bundle_into, std::vector<std::u8_t>& bundle_module)
+	void bundle(std::vector<std::uint8_t>& bundle_into, std::vector<std::uint8_t>& bundle_module)
 	{
 		auto [trp_section_disk, trp_section_virt] = add_section(bundle_into, ".trp", sizeof shellcode::stub, SECTION_RWX);
 		auto [mod_section_disk, mod_section_virt] = add_section(bundle_into, ".efi", bundle_module.size(), SECTION_RWX);

Efi Bundler/bundler.h

@@ -9,7 +9,7 @@
 
 namespace bundler
 {
-	std::pair<std::u32_t, std::u32_t> add_section(std::vector<std::u8_t>& image, const char* name, std::size_t size, std::u32_t protect);
-	std::u32_t map_module(std::u8_t* module_base, std::vector<std::u8_t>& map_from);
-	void bundle(std::vector<std::u8_t>& bundle_into, std::vector<std::u8_t>& bundle_module);
+	std::pair<std::uint32_t, std::uint32_t> add_section(std::vector<std::uint8_t>& image, const char* name, std::size_t size, std::uint32_t protect);
+	std::uint32_t map_module(std::uint8_t* module_base, std::vector<std::uint8_t>& map_from);
+	void bundle(std::vector<std::uint8_t>& bundle_into, std::vector<std::uint8_t>& bundle_module);
 }

Efi Bundler/main.cpp

@@ -8,8 +8,8 @@ int __cdecl main(int argc, char** argv)
 		return -1;
 	}
 
-	std::vector<std::u8_t> efi_module;
-	std::vector<std::u8_t> bootmgfw;
+	std::vector<std::uint8_t> efi_module;
+	std::vector<std::uint8_t> bootmgfw;
 
 	impl::open_binary_file(argv[1], bootmgfw);
 	impl::open_binary_file(argv[2], efi_module);

Efi Bundler/shellcode.cpp

@@ -16,15 +16,15 @@ namespace shellcode
 			auto reloc = reinterpret_cast<PIMAGE_BASE_RELOCATION>(module_base + base_reloc_dir->VirtualAddress);
 			for (auto current_size = 0u; current_size < base_reloc_dir->Size; )
 			{
-				std::u32_t reloc_count = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(u16);
-				auto reloc_data = reinterpret_cast<std::u16_t*>((u8*)reloc + sizeof(IMAGE_BASE_RELOCATION));
-				auto reloc_base = reinterpret_cast<std::u8_t*>(module_base) + reloc->VirtualAddress;
+				std::uint32_t reloc_count = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(std::uint16_t);
+				auto reloc_data = reinterpret_cast<std::uint16_t*>((std::uint8_t*)reloc + sizeof(IMAGE_BASE_RELOCATION));
+				auto reloc_base = reinterpret_cast<std::uint8_t*>(module_base) + reloc->VirtualAddress;
 
 				for (auto i = 0u; i < reloc_count; ++i, ++reloc_data)
 				{
-					std::u16_t data = *reloc_data;
-					std::u16_t type = data >> 12;
-					std::u16_t offset = data & 0xFFF;
+					std::uint16_t data = *reloc_data;
+					std::uint16_t type = data >> 12;
+					std::uint16_t offset = data & 0xFFF;
 
 					switch (type)
 					{

Efi Bundler/utils.h

@@ -15,12 +15,12 @@
 #include <algorithm>
 #include <string_view>
 
-#define NT_HEADER(x) reinterpret_cast<PIMAGE_NT_HEADERS>( u64_t(x) + reinterpret_cast<PIMAGE_DOS_HEADER>(x)->e_lfanew )
+#define NT_HEADER(x) reinterpret_cast<PIMAGE_NT_HEADERS>( std::uint64_t(x) + reinterpret_cast<PIMAGE_DOS_HEADER>(x)->e_lfanew )
 namespace impl
 {
 	using uq_handle = std::unique_ptr<void, decltype(&CloseHandle)>;
 
-	__forceinline u32_t get_process_id(const std::wstring_view process_name)
+	__forceinline std::uint32_t get_process_id(const std::wstring_view process_name)
 	{
 		// open a system snapshot of all loaded processes
 		uq_handle snap_shot{ CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0), &CloseHandle };
@@ -40,7 +40,7 @@ namespace impl
 		return 0;
 	}
 
-	__forceinline void open_binary_file(const std::string& file, std::vector<u8_t>& data)
+	__forceinline void open_binary_file(const std::string& file, std::vector<std::uint8_t>& data)
 	{
 		std::ifstream fstr(file, std::ios::binary);
 		fstr.unsetf(std::ios::skipws);
@@ -49,8 +49,8 @@ namespace impl
 		const auto file_size = fstr.tellg();
 
 		fstr.seekg(NULL, std::ios::beg);
-		data.reserve(static_cast<u32_t>(file_size));
-		data.insert(data.begin(), std::istream_iterator<u8_t>(fstr), std::istream_iterator<u8_t>());
+		data.reserve(static_cast<std::uint32_t>(file_size));
+		data.insert(data.begin(), std::istream_iterator<std::uint8_t>(fstr), std::istream_iterator<std::uint8_t>());
 	}
 
 	__forceinline bool enable_privilege(const std::wstring_view privilege_name)

Usermode Example/Example.sln

@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.30503.244
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Example", "Example.vcxproj", "{09B41831-3164-48AD-8660-23457D82B73B}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{09B41831-3164-48AD-8660-23457D82B73B}.Debug|x64.ActiveCfg = Debug|x64
+		{09B41831-3164-48AD-8660-23457D82B73B}.Debug|x64.Build.0 = Debug|x64
+		{09B41831-3164-48AD-8660-23457D82B73B}.Debug|x86.ActiveCfg = Debug|Win32
+		{09B41831-3164-48AD-8660-23457D82B73B}.Debug|x86.Build.0 = Debug|Win32
+		{09B41831-3164-48AD-8660-23457D82B73B}.Release|x64.ActiveCfg = Release|x64
+		{09B41831-3164-48AD-8660-23457D82B73B}.Release|x64.Build.0 = Release|x64
+		{09B41831-3164-48AD-8660-23457D82B73B}.Release|x86.ActiveCfg = Release|Win32
+		{09B41831-3164-48AD-8660-23457D82B73B}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {E132D109-7F0D-4125-B737-B5D83E6FBCA8}
+	EndGlobalSection
+EndGlobal

Voyager-1/PayLoad/x64/Release/PayLoad(Intel).Build.CppClean.log

@@ -1,13 +0,0 @@
-c:\users\xerox\desktop\voyager\payload (intel)\x64\release\vc142.pdb
-c:\users\xerox\desktop\voyager\payload (intel)\x64\release\vmexit_handler.obj
-c:\users\xerox\desktop\voyager\x64\release\payload(intel).dll
-c:\users\xerox\desktop\voyager\x64\release\payload(intel).lib
-c:\users\xerox\desktop\voyager\x64\release\payload(intel).exp
-c:\users\xerox\desktop\voyager\x64\release\payload(intel).pdb
-c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\cl.command.1.tlog
-c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\cl.read.1.tlog
-c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\cl.write.1.tlog
-c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\link.command.1.tlog
-c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\link.read.1.tlog
-c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\link.write.1.tlog
-c:\users\xerox\desktop\voyager\payload (intel)\x64\release\payload (intel).tlog\payload (intel).write.1u.tlog

Voyager-1/PayLoad/x64/Release/PayLoad.Build.CppClean.log

@@ -1,12 +0,0 @@
-c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\vc142.pdb
-c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\vmexit_handler.obj
-c:\users\xerox\desktop\voyager\voyager-1\x64\release\payload.dll
-c:\users\xerox\desktop\voyager\voyager-1\x64\release\payload.lib
-c:\users\xerox\desktop\voyager\voyager-1\x64\release\payload.exp
-c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\cl.command.1.tlog
-c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\cl.read.1.tlog
-c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\cl.write.1.tlog
-c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\link.command.1.tlog
-c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\link.read.1.tlog
-c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\link.write.1.tlog
-c:\users\xerox\desktop\voyager\voyager-1\payload\x64\release\payload.tlog\payload.write.1u.tlog

Voyager-1/PayLoad/x64/Release/PayLoad.dll.recipe

@@ -1,7 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project>
-  <ProjectOutputs>C:\Users\xerox\Desktop\voyager\Voyager-1\x64\Release\PayLoad.dll</ProjectOutputs>
-  <ContentFiles></ContentFiles>
-  <SatelliteDlls></SatelliteDlls>
-  <NonRecipeFileRefs></NonRecipeFileRefs>
-</Project>

Voyager-1/PayLoad/x64/Release/PayLoad.log

@@ -1,7 +0,0 @@
-  Building 'PayLoad' with toolset 'WindowsKernelModeDriver10.0' and the 'Universal' target platform.
-  vmexit_handler.cpp
-     Creating library C:\Users\xerox\Desktop\voyager\Voyager-1\x64\Release\PayLoad.lib and object C:\Users\xerox\Desktop\voyager\Voyager-1\x64\Release\PayLoad.exp
-  PayLoad.vcxproj -> C:\Users\xerox\Desktop\voyager\Voyager-1\x64\Release\PayLoad.dll
-  Driver is 'Universal'.
-  Inf2Cat task was skipped as there were no inf files to process
-  

Voyager-1/PayLoad/x64/Release/PayLoad.tlog/PayLoad.lastbuildstate

@@ -1,2 +0,0 @@
-PlatformToolSet=WindowsKernelModeDriver10.0:VCToolArchitecture=Native32Bit:VCToolsVersion=14.27.29110:TargetPlatformVersion=10.0.19041.0:
-Release|x64|C:\Users\xerox\Desktop\voyager\Voyager-1\|

Voyager-2/PayLoad/vmexit_handler.cpp

@@ -5,17 +5,20 @@ svm::pgs_base_struct vcpu_run(svm::pguest_context context)
 {
 	while (1)
 	{
+		DBG_PRINT("before vcpu_run\n");
 		__svm_clgi();
-		svm::pgs_base_struct result = reinterpret_cast<svm::vcpu_run_t>(
-			reinterpret_cast<uintptr_t>(&vcpu_run) -
-				svm::voyager_context.vcpu_run_rva)(context);
+		svm::pgs_base_struct result = 
+			reinterpret_cast<svm::vcpu_run_t>(
+				reinterpret_cast<uintptr_t>(&vcpu_run) -
+					svm::voyager_context.vcpu_run_rva)(context);
 		__svm_stgi();
+		DBG_PRINT("after vcpu_run\n");
 
 		// gs:0 + 0x103B0 ] + 0x198 ] + 0xE80 ] = pointer to vmcb...
 		auto vmcb = *reinterpret_cast<svm::pvmcb*>(
 			*reinterpret_cast<uintptr_t*>(
-				reinterpret_cast<uintptr_t>(
-					result->pvcpu_context) + 0x198) + 0xE80);
+				*reinterpret_cast<uintptr_t*>(
+					__readgsqword(0) + 0x103B0) + 0x198) + 0xE80);
 
 		if (vmcb->exitcode == VMEXIT_CPUID && context->rcx == VMEXIT_KEY)
 		{

Voyager-2/Voyager-2 (2004-1709)/BootMgfw.c

@@ -138,8 +138,8 @@ EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath)
 	if (EFI_ERROR((Result = gBS->HandleProtocol(BootMgfwPath, &gEfiLoadedImageProtocolGuid, (VOID**)&BootMgfw))))
 		return Result;
 
-	Print(L"Image Base -> 0x%p\n", BootMgfw->ImageBase);
-	Print(L"Image Size -> 0x%x\n", BootMgfw->ImageSize);
+	DBG_PRINT("Image Base -> 0x%p\n", BootMgfw->ImageBase);
+	DBG_PRINT("Image Size -> 0x%x\n", BootMgfw->ImageSize);
 	VOID* ArchStartBootApplication = 
 		FindPattern(
 			BootMgfw->ImageBase, 
@@ -148,10 +148,7 @@ EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath)
 			START_BOOT_APPLICATION_MASK
 		);
 
-	if (!ArchStartBootApplication)
-		return EFI_ABORTED;
-
-	DBG_PRINT(L"ArchStartBootApplication -> 0x%p\n", ArchStartBootApplication);
+	DBG_PRINT("ArchStartBootApplication -> 0x%p\n", ArchStartBootApplication);
 	MakeShitHook(&BootMgfwShitHook, ArchStartBootApplication, &ArchStartBootApplicationHook, TRUE);
 	return Result;
 }
@@ -181,6 +178,7 @@ EFI_STATUS EFIAPI ArchStartBootApplicationHook(VOID* AppEntry, VOID* ImageBase,
 	}
 	else
 	{
+		DBG_PRINT("some signature for winload found nothing (0), aborting...\n");
 		Print(L"nullptr detected, aborting...\n");
 		Print(L"Please submit a screenshot of this...\n");
 	}

Voyager-2/Voyager-2 (2004-1709)/Hvax64.c

@@ -1,6 +1,6 @@
-#include "Hvix64.h"
+#include "Hvax64.h"
 
-VOID* MapModule(pvoyager_t VoyagerData, UINT8* ImageBase)
+VOID* MapModule(PVOYAGER_T VoyagerData, UINT8* ImageBase)
 {
 	if (!VoyagerData || !ImageBase)
 		return NULL;
@@ -44,7 +44,7 @@ VOID* MapModule(pvoyager_t VoyagerData, UINT8* ImageBase)
 	{
 		if (AsciiStrStr(VoyagerData->ModuleBase + Name[i], "voyager_context"))
 		{
-			*(voyager_t*)(VoyagerData->ModuleBase + Address[Ordinal[i]]) = *VoyagerData;
+			*(VOYAGER_T*)(VoyagerData->ModuleBase + Address[Ordinal[i]]) = *VoyagerData;
 			break; // DO NOT REMOVE? #Stink Code 2020...
 		}
 	}
@@ -91,69 +91,52 @@ VOID* MapModule(pvoyager_t VoyagerData, UINT8* ImageBase)
 
 VOID MakeVoyagerData
 (
-	pvoyager_t VoyagerData,
+	PVOYAGER_T VoyagerData,
 	VOID* HypervAlloc,
 	UINT64 HypervAllocSize,
 	VOID* PayLoadBase,
 	UINT64 PayLoadSize
 )
 {
-	if (!VoyagerData || !HypervAlloc || !HypervAllocSize || !PayLoadBase || !PayLoadSize)
-		return;
-
 	VoyagerData->HypervModuleBase = HypervAlloc;
 	VoyagerData->HypervModuleSize = HypervAllocSize;
 	VoyagerData->ModuleBase = PayLoadBase;
 	VoyagerData->ModuleSize = PayLoadSize;
 
-	VOID* VmExitHandler =
+	VOID* VCpuRunCall =
 		FindPattern(
 			HypervAlloc,
 			HypervAllocSize,
-			VMEXIT_HANDLER_SIG,
-			VMEXIT_HANDLER_MASK
+			VCPU_RUN_HANDLER_SIG,
+			VCPU_RUN_HANDLER_MASK
 		);
 
-	/*
-		.text:FFFFF80000237436                 mov     rcx, [rsp+arg_18] ; rcx = pointer to stack that contians all register values
-		.text:FFFFF8000023743B                 mov     rdx, [rsp+arg_28]
-		.text:FFFFF80000237440                 call    vmexit_c_handler	 ; RIP relative call
-		.text:FFFFF80000237445                 jmp     loc_FFFFF80000237100
-	*/
-
-	UINT64 VmExitHandlerCall = ((UINT64)VmExitHandler) + 19; // + 19 bytes to -> call vmexit_c_handler
-	UINT64 VmExitHandlerCallRip = (UINT64)VmExitHandlerCall + 5; // + 5 bytes because "call vmexit_c_handler" is 5 bytes
-	UINT64 VmExitFunction = VmExitHandlerCallRip + *(INT32*)((UINT64)(VmExitHandlerCall + 1)); // + 1 to skip E8 (call) and read 4 bytes (RVA)
-	VoyagerData->VmExitHandlerRva = ((UINT64)PayLoadEntry(PayLoadBase)) - (UINT64)VmExitFunction;
+	UINT64 VCpuRunCallRip = (UINT64)VCpuRunCall + 5; // + 5 bytes because "call vmexit_c_handler" is 5 bytes
+	UINT64 VCpuRunFunction = VCpuRunCallRip + *(INT32*)((UINT64)VCpuRunCall + 1); // + 1 to skip E8 (call) and read 4 bytes (RVA)
+	VoyagerData->VCpuRunHandlerRVA = ((UINT64)PayLoadEntry(PayLoadBase)) - VCpuRunFunction;
+
+	DBG_PRINT("VCpuRunCallRip -> 0x%p\n", VCpuRunCallRip);
+	DBG_PRINT("VCpuRunFunction -> 0x%p\n", VCpuRunFunction);
+	DBG_PRINT("VoyagerData->VCpuRunHandlerRVA -> 0x%p\n", VoyagerData->VCpuRunHandlerRVA);
 }
 
-VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook)
+VOID* HookVCpuRun(VOID* HypervBase, VOID* HypervSize, VOID* VCpuRunHook)
 {
-	if (!HypervBase || !HypervSize || !VmExitHook)
-		return NULL;
-
-	VOID* VmExitHandler =
+	VOID* VCpuRunCall =
 		FindPattern(
 			HypervBase,
 			HypervSize,
-			VMEXIT_HANDLER_SIG,
-			VMEXIT_HANDLER_MASK
+			VCPU_RUN_HANDLER_SIG,
+			VCPU_RUN_HANDLER_MASK
 		);
 
-	if (!VmExitHandler)
-		return NULL;
+	UINT64 VCpuRunCallRip = (UINT64)VCpuRunCall + 5; // + 5 bytes to next instructions address...
+	UINT64 VCpuRunFunction = VCpuRunCallRip + *(INT32*)((UINT64)VCpuRunCall + 1); // + 1 to skip E8 (call) and read 4 bytes (RVA)
+	INT32 NewVCpuRunRVA = ((INT64)VCpuRunHook) - VCpuRunCallRip;
+	*(INT32*)((UINT64)VCpuRunCall + 1) = NewVCpuRunRVA;
 
-	/*
-		.text:FFFFF80000237436                 mov     rcx, [rsp+arg_18] ; rcx = pointer to stack that contians all register values
-		.text:FFFFF8000023743B                 mov     rdx, [rsp+arg_28]
-		.text:FFFFF80000237440                 call    vmexit_c_handler	 ; RIP relative call
-		.text:FFFFF80000237445                 jmp     loc_FFFFF80000237100
-	*/
-
-	UINT64 VmExitHandlerCall = ((UINT64)VmExitHandler) + 19; // + 19 bytes to -> call vmexit_c_handler
-	UINT64 VmExitHandlerCallRip = (UINT64)VmExitHandlerCall + 5; // + 5 bytes because "call vmexit_c_handler" is 5 bytes
-	UINT64 VmExitFunction = VmExitHandlerCallRip + *(INT32*)((UINT64)(VmExitHandlerCall + 1)); // + 1 to skip E8 (call) and read 4 bytes (RVA)
-	INT32 NewVmExitRVA = ((INT64)VmExitHook) - VmExitHandlerCallRip;
-	*(INT32*)((UINT64)(VmExitHandlerCall + 1)) = NewVmExitRVA;
-	return VmExitFunction;
+	DBG_PRINT("VCpuRunCallRip -> 0x%p\n", VCpuRunCallRip);
+	DBG_PRINT("VCpuRunFunction -> 0x%p\n", VCpuRunFunction);
+	DBG_PRINT("NewVCpuRunRVA -> 0x%p\n", NewVCpuRunRVA);
+	return VCpuRunFunction;
 }

Voyager-2/Voyager-2 (2004-1709)/Hvax64.h

@@ -0,0 +1,35 @@
+#pragma once
+#include "PayLoad.h"
+
+#if WINVER == 2004
+#define VCPU_RUN_HANDLER_SIG "\xE8\x00\x00\x00\x00\x0F\x01\xDC"
+#define VCPU_RUN_HANDLER_MASK "x????xxx"
+#endif
+
+static_assert(sizeof(VCPU_RUN_HANDLER_SIG) == sizeof(VCPU_RUN_HANDLER_MASK), "signature does not match mask size!");
+
+//
+// AllocBase is the base address of the extra memory allocated below where hyper-v is
+// AllocSize is the size of the extra allocated memory... This size == module size...
+//
+VOID* MapModule(PVOYAGER_T VoyagerData, UINT8* ImageBase);
+
+//
+// sig scan hv.exe for vmexit call and replace the relative call (RVA) with 
+// an RVA to the vmexit handler hook (which is the golden records entry point)...
+//
+// returns a pointer to the original vmexit function address...
+//
+VOID* HookVCpuRun(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook);
+
+//
+// creates a structure with all the data needed to be passed to the golden record...
+//
+VOID MakeVoyagerData
+(
+	PVOYAGER_T VoyagerData,
+	VOID* HypervAlloc,
+	UINT64 HypervAllocSize,
+	VOID* PayLoadBase,
+	UINT64 PayLoadSize
+);

Voyager-2/Voyager-2 (2004-1709)/Hvix64.h

@@ -1,54 +0,0 @@
-#pragma once
-#include "PayLoad.h"
-
-#if WINVER == 2004
-#define VMEXIT_HANDLER_SIG "\x65\xC6\x04\x25\x6D\x00\x00\x00\x00\x48\x8B\x4C\x24\x00\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9"
-#define VMEXIT_HANDLER_MASK "xxxxxxxxxxxxx?xxxx?x????x"
-#elif WINVER == 1909
-#define VMEXIT_HANDLER_SIG "\x48\x8B\x4C\x24\x00\xEB\x07\xE8\x00\x00\x00\x00\xEB\xF2\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9"
-#define VMEXIT_HANDLER_MASK "xxxx?xxx????xxxxxx?x????x"
-#elif WINVER == 1903
-#define VMEXIT_HANDLER_SIG "\x48\x8B\x4C\x24\x00\xEB\x07\xE8\x00\x00\x00\x00\xEB\xF2\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9"
-#define VMEXIT_HANDLER_MASK "xxxx?xxx????xxxxxx?x????x"
-#elif WINVER == 1809
-#define VMEXIT_HANDLER_SIG "\x48\x8B\x4C\x24\x00\xEB\x07\xE8\x00\x00\x00\x00\xEB\xF2\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9"
-#define VMEXIT_HANDLER_MASK "xxxx?xxx????xxxxxx?x????x"
-#elif WINVER == 1803
-#define VMEXIT_HANDLER_SIG "\xF2\x80\x3D\xFC\x12\x46\x00\x00\x0F\x84\x00\x00\x00\x00\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9"
-#define VMEXIT_HANDLER_MASK "xxxxxxx?xx????xxxx?x????x"
-#elif WINVER == 1709
-#define VMEXIT_HANDLER_SIG "\xD0\x80\x3D\x78\x0A\x47\x00\x00\x0F\x84\x00\x00\x00\x00\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9"
-#define VMEXIT_HANDLER_MASK "xxxxxx??xx????xxxx?x????x"
-#elif WINVER == 1703
-#define VMEXIT_HANDLER_SIG "\xD0\x80\x3D\x74\xCC\x47\x00\x00\x0F\x84\x00\x00\x00\x00\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9"
-#define VMEXIT_HANDLER_MASK "xxxxxx??xx????xxxx?x????x"
-#endif
-
-static_assert(sizeof(VMEXIT_HANDLER_SIG) == sizeof(VMEXIT_HANDLER_MASK), "signature does not match mask size!");
-static_assert(sizeof(VMEXIT_HANDLER_SIG) == 26, "signature is invalid length!");
-
-//
-// AllocBase is the base address of the extra memory allocated below where hyper-v is
-// AllocSize is the size of the extra allocated memory... This size == module size...
-//
-VOID* MapModule(pvoyager_t VoyagerData, UINT8* ImageBase);
-
-//
-// sig scan hv.exe for vmexit call and replace the relative call (RVA) with 
-// an RVA to the vmexit handler hook (which is the golden records entry point)...
-//
-// returns a pointer to the original vmexit function address...
-//
-VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook);
-
-//
-// creates a structure with all the data needed to be passed to the golden record...
-//
-VOID MakeVoyagerData
-(
-	pvoyager_t VoyagerData,
-	VOID* HypervAlloc,
-	UINT64 HypervAllocSize,
-	VOID* PayLoadBase,
-	UINT64 PayLoadSize
-);

Voyager-2/Voyager-2 (2004-1709)/PayLoad.c

@@ -44,18 +44,18 @@ unsigned char PayLoad[3072] =
 	0x6A, 0xDE, 0x5F, 0x8E, 0xDC, 0xAF, 0x5D, 0x8F, 0x6A, 0xDE, 0x5F, 0x8E,
 	0x52, 0x69, 0x63, 0x68, 0x6B, 0xDE, 0x5F, 0x8E, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x50, 0x45, 0x00, 0x00, 0x64, 0x86, 0x05, 0x00,
-	0x13, 0xB9, 0x72, 0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x91, 0x48, 0x75, 0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0xF0, 0x00, 0x22, 0x20, 0x0B, 0x02, 0x0E, 0x1B, 0x00, 0x02, 0x00, 0x00,
 	0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
 	0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00,
 	0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00,
 	0x0A, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x60, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0xD4, 0x8A, 0x00, 0x00,
+	0x00, 0x60, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0xD4, 0x9E, 0x00, 0x00,
 	0x01, 0x00, 0x60, 0x01, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00,
-	0x6C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00,
 	0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00,
@@ -66,10 +66,10 @@ unsigned char PayLoad[3072] =
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x00, 0x00, 0x00,
-	0xA2, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00,
+	0x50, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00,
 	0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x68, 0x2E, 0x72, 0x64, 0x61,
-	0x74, 0x61, 0x00, 0x00, 0x1C, 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00,
+	0x74, 0x61, 0x00, 0x00, 0x34, 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00,
 	0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x48,
 	0x2E, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00,
@@ -79,7 +79,7 @@ unsigned char PayLoad[3072] =
 	0x0C, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00,
 	0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x48, 0x2E, 0x65, 0x64, 0x61,
-	0x74, 0x61, 0x00, 0x00, 0x6C, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00,
+	0x74, 0x61, 0x00, 0x00, 0x65, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00,
 	0x00, 0x02, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x40,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@@ -113,20 +113,35 @@ unsigned char PayLoad[3072] =
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x10, 0x48, 0x89, 0x4C,
-	0x24, 0x08, 0x48, 0x83, 0xEC, 0x58, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x48,
-	0x8B, 0x00, 0x48, 0x89, 0x44, 0x24, 0x20, 0xB8, 0x02, 0x44, 0x00, 0x00,
-	0x0F, 0x78, 0x44, 0x24, 0x28, 0x48, 0x83, 0x7C, 0x24, 0x28, 0x0A, 0x75,
-	0x4F, 0x48, 0x8B, 0x44, 0x24, 0x20, 0x48, 0xB9, 0xEF, 0xBE, 0xAD, 0xDE,
-	0xEF, 0xBE, 0xAD, 0xDE, 0x48, 0x39, 0x48, 0x08, 0x75, 0x3A, 0x48, 0x8B,
-	0x44, 0x24, 0x20, 0x48, 0xC7, 0x00, 0xEE, 0xFF, 0xC0, 0x00, 0xB8, 0x1E,
-	0x68, 0x00, 0x00, 0x0F, 0x78, 0x44, 0x24, 0x38, 0xB8, 0x0C, 0x44, 0x00,
-	0x00, 0x0F, 0x78, 0x44, 0x24, 0x30, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x48,
-	0x8B, 0x4C, 0x24, 0x38, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0xB9, 0x1E,
-	0x68, 0x00, 0x00, 0x0F, 0x79, 0xC8, 0xEB, 0x21, 0x48, 0x8D, 0x05, 0x7D,
-	0xFF, 0xFF, 0xFF, 0x48, 0x2B, 0x05, 0x76, 0x1F, 0x00, 0x00, 0x48, 0x89,
-	0x44, 0x24, 0x40, 0x48, 0x8B, 0x54, 0x24, 0x68, 0x48, 0x8B, 0x4C, 0x24,
-	0x60, 0xFF, 0x54, 0x24, 0x40, 0x48, 0x83, 0xC4, 0x58, 0xC3, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0x5C, 0x24, 0x08, 0x56, 0x48, 0x83,
+	0xEC, 0x20, 0x48, 0x8B, 0xD9, 0x48, 0x8D, 0x35, 0x0C, 0x01, 0x00, 0x00,
+	0xB9, 0x11, 0x00, 0x00, 0x00, 0xBA, 0xF8, 0x02, 0x00, 0x00, 0xF3, 0x6E,
+	0x0F, 0x01, 0xDD, 0x48, 0x8D, 0x05, 0xD6, 0xFF, 0xFF, 0xFF, 0x48, 0x8B,
+	0xCB, 0x48, 0x2B, 0x05, 0xCC, 0x1F, 0x00, 0x00, 0xFF, 0xD0, 0x4C, 0x8B,
+	0xC0, 0x0F, 0x01, 0xDC, 0xBA, 0xF8, 0x02, 0x00, 0x00, 0x48, 0x8D, 0x35,
+	0xF8, 0x00, 0x00, 0x00, 0xB9, 0x10, 0x00, 0x00, 0x00, 0xF3, 0x6E, 0x65,
+	0x48, 0x8B, 0x14, 0x25, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x8A, 0xB0,
+	0x03, 0x01, 0x00, 0x48, 0x8B, 0x91, 0x98, 0x01, 0x00, 0x00, 0x48, 0x8B,
+	0x8A, 0x80, 0x0E, 0x00, 0x00, 0xE9, 0x8D, 0x00, 0x00, 0x00, 0x48, 0xB8,
+	0xEF, 0xBE, 0xAD, 0xDE, 0xEF, 0xBE, 0xAD, 0xDE, 0x48, 0x39, 0x43, 0x08,
+	0x0F, 0x85, 0x84, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x81, 0xC8, 0x00, 0x00,
+	0x00, 0x48, 0x8D, 0x35, 0x8C, 0x00, 0x00, 0x00, 0x48, 0x89, 0x81, 0x78,
+	0x05, 0x00, 0x00, 0xBA, 0xF8, 0x02, 0x00, 0x00, 0x48, 0xC7, 0x81, 0xF8,
+	0x05, 0x00, 0x00, 0xEE, 0xFF, 0xC0, 0x00, 0xB9, 0x11, 0x00, 0x00, 0x00,
+	0xF3, 0x6E, 0x0F, 0x01, 0xDD, 0x48, 0x8D, 0x05, 0x44, 0xFF, 0xFF, 0xFF,
+	0x48, 0x8B, 0xCB, 0x48, 0x2B, 0x05, 0x3A, 0x1F, 0x00, 0x00, 0xFF, 0xD0,
+	0x4C, 0x8B, 0xC0, 0x0F, 0x01, 0xDC, 0xBA, 0xF8, 0x02, 0x00, 0x00, 0x48,
+	0x8D, 0x35, 0x66, 0x00, 0x00, 0x00, 0xB9, 0x10, 0x00, 0x00, 0x00, 0xF3,
+	0x6E, 0x65, 0x48, 0x8B, 0x04, 0x25, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8B,
+	0x88, 0xB0, 0x03, 0x01, 0x00, 0x48, 0x8B, 0x81, 0x98, 0x01, 0x00, 0x00,
+	0x48, 0x8B, 0x88, 0x80, 0x0E, 0x00, 0x00, 0x48, 0x83, 0x79, 0x70, 0x72,
+	0x0F, 0x84, 0x68, 0xFF, 0xFF, 0xFF, 0x48, 0x8B, 0x5C, 0x24, 0x30, 0x49,
+	0x8B, 0xC0, 0x48, 0x83, 0xC4, 0x20, 0x5E, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC,
+	0xCC, 0xCC, 0xCC, 0xCC, 0x62, 0x65, 0x66, 0x6F, 0x72, 0x65, 0x20, 0x76,
+	0x63, 0x70, 0x75, 0x5F, 0x72, 0x75, 0x6E, 0x0A, 0x00, 0xCC, 0xCC, 0xCC,
+	0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
+	0x61, 0x66, 0x74, 0x65, 0x72, 0x20, 0x76, 0x63, 0x70, 0x75, 0x5F, 0x72,
+	0x75, 0x6E, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@@ -141,47 +156,32 @@ unsigned char PayLoad[3072] =
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x13, 0xB9, 0x72, 0x5F, 0x00, 0x00, 0x00, 0x00,
-	0x02, 0x00, 0x00, 0x00, 0x56, 0x00, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00,
-	0x38, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0xB9, 0x72, 0x5F,
-	0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
-	0x90, 0x20, 0x00, 0x00, 0x90, 0x06, 0x00, 0x00, 0x52, 0x53, 0x44, 0x53,
-	0xD4, 0x11, 0x42, 0x7D, 0x4D, 0x15, 0x9E, 0x40, 0xAD, 0x44, 0xBC, 0xDA,
-	0x99, 0x36, 0xE3, 0xCF, 0x01, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x55,
+	0x00, 0x00, 0x00, 0x00, 0x91, 0x48, 0x75, 0x5F, 0x00, 0x00, 0x00, 0x00,
+	0x02, 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00,
+	0x38, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x91, 0x48, 0x75, 0x5F,
+	0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00,
+	0x94, 0x20, 0x00, 0x00, 0x94, 0x06, 0x00, 0x00, 0x52, 0x53, 0x44, 0x53,
+	0xCE, 0x74, 0x7C, 0x88, 0x8C, 0xD6, 0x6B, 0x49, 0x87, 0x35, 0x71, 0x34,
+	0xAF, 0x3B, 0x11, 0xC5, 0x01, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x55,
 	0x73, 0x65, 0x72, 0x73, 0x5C, 0x78, 0x65, 0x72, 0x6F, 0x78, 0x5C, 0x44,
 	0x65, 0x73, 0x6B, 0x74, 0x6F, 0x70, 0x5C, 0x76, 0x6F, 0x79, 0x61, 0x67,
-	0x65, 0x72, 0x5C, 0x78, 0x36, 0x34, 0x5C, 0x52, 0x65, 0x6C, 0x65, 0x61,
-	0x73, 0x65, 0x5C, 0x50, 0x61, 0x79, 0x4C, 0x6F, 0x61, 0x64, 0x28, 0x49,
-	0x6E, 0x74, 0x65, 0x6C, 0x29, 0x2E, 0x70, 0x64, 0x62, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0xA2, 0x00, 0x00, 0x00,
-	0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x6D, 0x6E, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x20, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61,
-	0x74, 0x61, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00, 0xD8, 0x00, 0x00, 0x00,
-	0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x24, 0x7A, 0x7A, 0x7A, 0x64, 0x62,
-	0x67, 0x00, 0x00, 0x00, 0x10, 0x21, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00,
-	0x2E, 0x78, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00,
-	0x28, 0x00, 0x00, 0x00, 0x2E, 0x62, 0x73, 0x73, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x40, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x2E, 0x70, 0x64, 0x61,
-	0x74, 0x61, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x6C, 0x00, 0x00, 0x00,
-	0x2E, 0x65, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x02, 0x0E, 0x03, 0x00,
-	0x01, 0x16, 0x00, 0x06, 0x0E, 0xA2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x65, 0x72, 0x5C, 0x56, 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x2D, 0x32,
+	0x5C, 0x78, 0x36, 0x34, 0x5C, 0x52, 0x65, 0x6C, 0x65, 0x61, 0x73, 0x65,
+	0x5C, 0x50, 0x61, 0x79, 0x4C, 0x6F, 0x61, 0x64, 0x2E, 0x70, 0x64, 0x62,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
+	0x20, 0x01, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x6D, 0x6E,
+	0x00, 0x00, 0x00, 0x00, 0x20, 0x11, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00,
+	0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x73, 0x00, 0x00, 0x20, 0x00, 0x00,
+	0x38, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00,
+	0x38, 0x20, 0x00, 0x00, 0xEC, 0x00, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61,
+	0x74, 0x61, 0x24, 0x7A, 0x7A, 0x7A, 0x64, 0x62, 0x67, 0x00, 0x00, 0x00,
+	0x24, 0x21, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x2E, 0x78, 0x64, 0x61,
+	0x74, 0x61, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00,
+	0x2E, 0x62, 0x73, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00,
+	0x0C, 0x00, 0x00, 0x00, 0x2E, 0x70, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00,
+	0x00, 0x50, 0x00, 0x00, 0x65, 0x00, 0x00, 0x00, 0x2E, 0x65, 0x64, 0x61,
+	0x74, 0x61, 0x00, 0x00, 0x02, 0x0A, 0x06, 0x00, 0x02, 0x16, 0x00, 0x06,
+	0x0A, 0x34, 0x06, 0x00, 0x0A, 0x32, 0x06, 0x60, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@@ -199,7 +199,7 @@ unsigned char PayLoad[3072] =
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
-	0xA2, 0x10, 0x00, 0x00, 0x10, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x18, 0x11, 0x00, 0x00, 0x24, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@@ -245,12 +245,12 @@ unsigned char PayLoad[3072] =
 	0x00, 0x00, 0x00, 0x00, 0x32, 0x50, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
 	0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x28, 0x50, 0x00, 0x00,
 	0x2C, 0x50, 0x00, 0x00, 0x30, 0x50, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00,
-	0x45, 0x50, 0x00, 0x00, 0x00, 0x00, 0x50, 0x61, 0x79, 0x4C, 0x6F, 0x61,
-	0x64, 0x28, 0x49, 0x6E, 0x74, 0x65, 0x6C, 0x29, 0x2E, 0x64, 0x6C, 0x6C,
-	0x00, 0x3F, 0x76, 0x6F, 0x79, 0x61, 0x67, 0x65, 0x72, 0x5F, 0x63, 0x6F,
-	0x6E, 0x74, 0x65, 0x78, 0x74, 0x40, 0x40, 0x33, 0x55, 0x5F, 0x56, 0x4F,
-	0x59, 0x41, 0x47, 0x45, 0x52, 0x5F, 0x44, 0x41, 0x54, 0x41, 0x5F, 0x54,
-	0x40, 0x40, 0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x3E, 0x50, 0x00, 0x00, 0x00, 0x00, 0x50, 0x61, 0x79, 0x4C, 0x6F, 0x61,
+	0x64, 0x2E, 0x64, 0x6C, 0x6C, 0x00, 0x3F, 0x76, 0x6F, 0x79, 0x61, 0x67,
+	0x65, 0x72, 0x5F, 0x63, 0x6F, 0x6E, 0x74, 0x65, 0x78, 0x74, 0x40, 0x73,
+	0x76, 0x6D, 0x40, 0x40, 0x33, 0x55, 0x5F, 0x76, 0x6F, 0x79, 0x61, 0x67,
+	0x65, 0x72, 0x5F, 0x74, 0x40, 0x31, 0x40, 0x41, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

Voyager-2/Voyager-2 (2004-1709)/PayLoad.h

@@ -3,14 +3,14 @@
 extern unsigned char PayLoad[3072];
 
 #pragma pack(push, 1)
-typedef struct _voyager_t
+typedef struct _VOYAGER_T
 {
-	UINT64 VmExitHandlerRva;
+	UINT64 VCpuRunHandlerRVA;
 	UINT64 HypervModuleBase;
 	UINT64 HypervModuleSize;
 	UINT64 ModuleBase;
 	UINT64 ModuleSize;
-} voyager_t, * pvoyager_t;
+} VOYAGER_T, *PVOYAGER_T;
 #pragma pack(pop)
 
 UINT32 PayLoadSize(VOID);

Voyager-2/Voyager-2 (2004-1709)/UefiMain.c

@@ -22,11 +22,14 @@ EFI_STATUS EFIAPI UefiMain
         DBG_PRINT("unable to restore bootmgfw... reason -> %r\n", Result);
         return Result;
     }
+    DBG_PRINT("restored bootmgfw on disk...\n");
 
     if (EFI_ERROR((Result = InstallBootMgfwHooks(ImageHandle))))
     {
         DBG_PRINT("Failed to install bootmgfw hooks... reason -> %r\n", Result);
         return Result;
     }
+
+    DBG_PRINT("installed bootmgfw hooks...\n");
     return EFI_SUCCESS;
 }

Voyager-2/Voyager-2 (2004-1709)/Voyager-2 (2004-1709).vcxproj

@@ -24,7 +24,7 @@
     <ProjectGuid>{540d433f-c2df-49a6-895c-f5c74b014777}</ProjectGuid>
     <RootNamespace>HyperMe</RootNamespace>
     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
-    <ProjectName>Voyager-1 (2004-1709)</ProjectName>
+    <ProjectName>Voyager-2 (2004-1709)</ProjectName>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
@@ -175,7 +175,7 @@
   </ItemDefinitionGroup>
   <ItemGroup>
     <ClCompile Include="BootMgfw.c" />
-    <ClCompile Include="Hvix64.c" />
+    <ClCompile Include="Hvax64.c" />
     <ClCompile Include="ShitHook.c" />
     <ClCompile Include="PayLoad.c" />
     <ClCompile Include="UefiMain.c" />
@@ -184,7 +184,7 @@
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="BootMgfw.h" />
-    <ClInclude Include="Hvix64.h" />
+    <ClInclude Include="Hvax64.h" />
     <ClInclude Include="ShitHook.h" />
     <ClInclude Include="PayLoad.h" />
     <ClInclude Include="Utils.h" />

Voyager-2/Voyager-2 (2004-1709)/Voyager-2 (2004-1709).vcxproj.filters

@@ -26,10 +26,10 @@
     <ClCompile Include="Utils.c">
       <Filter>Source Files</Filter>
     </ClCompile>
-    <ClCompile Include="Hvix64.c">
+    <ClCompile Include="PayLoad.c">
       <Filter>Source Files</Filter>
     </ClCompile>
-    <ClCompile Include="PayLoad.c">
+    <ClCompile Include="Hvax64.c">
       <Filter>Source Files</Filter>
     </ClCompile>
   </ItemGroup>
@@ -40,9 +40,6 @@
     <ClInclude Include="WinLoad.h">
       <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="Hvix64.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
     <ClInclude Include="ShitHook.h">
       <Filter>Header Files</Filter>
     </ClInclude>
@@ -52,5 +49,8 @@
     <ClInclude Include="PayLoad.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="Hvax64.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
 </Project>

Voyager-2/Voyager-2 (2004-1709)/WinLoad.c

@@ -48,7 +48,7 @@ EFI_STATUS EFIAPI BlLdrLoadImage(VOID* Arg1, CHAR16* ModulePath, CHAR16* ModuleN
 		{
 			if (!AsciiStrCmp(&pSection->Name, ".reloc"))
 			{
-				voyager_t VoyagerData;
+				VOYAGER_T VoyagerData;
 				MakeVoyagerData
 				(
 					&VoyagerData,
@@ -59,24 +59,19 @@ EFI_STATUS EFIAPI BlLdrLoadImage(VOID* Arg1, CHAR16* ModulePath, CHAR16* ModuleN
 				);
 
 				DBG_PRINT(".reloc section base address -> 0x%p\n", TableEntry->ModuleBase + pSection->VirtualAddress);
-				DBG_PRINT(".reloc section end (aka golden record base address) -> 0x%p\n", TableEntry->ModuleBase + pSection->VirtualAddress + pSection->Misc.VirtualSize);
+				DBG_PRINT(".reloc section end (aka payload base address) -> 0x%p\n", TableEntry->ModuleBase + pSection->VirtualAddress + pSection->Misc.VirtualSize);
 
-				VOID* VmExitHook = MapModule(&VoyagerData, PayLoad);
-				if (!VmExitHook) 
-					return Result;
-
-				VOID* VmExitFunction = HookVmExit
+				VOID* VCpuRunHook = MapModule(&VoyagerData, PayLoad);
+				VOID* VmExitFunction = HookVCpuRun
 				(
 					VoyagerData.HypervModuleBase,
 					VoyagerData.HypervModuleSize,
-					VmExitHook
+					VCpuRunHook
 				);
-				if (!VmExitFunction) 
-					return Result;
 
 				pSection->Characteristics = SECTION_RWX;
 				pSection->Misc.VirtualSize += PayLoadSize();
-				DBG_PRINT("VmExitHook (PayLoad Entry Point) -> 0x%p\n", VmExitHook);
+				DBG_PRINT("vcpu_run hook (payload entry point) -> 0x%p\n", VCpuRunHook);
 			}
 		}
 

Voyager-2/Voyager-2 (2004-1709)/WinLoad.h

@@ -1,6 +1,6 @@
 #pragma once
 #include "Utils.h"
-#include "Hvix64.h"
+#include "Hvax64.h"
 #include "PayLoad.h"
 
 extern SHITHOOK WinLoadImageShitHook;