bundler works, able to replace bootmgfw on disk..

4 years ago · 6e26985d98
parent 7b7cd7a9a7
commit 6e26985d98
7 changed files with 183 additions and 59 deletions
--- a/Bundler/shellcode.cpp
+++ b/Bundler/shellcode.cpp
@ -16,7 +16,7 @@ namespace shellcode
 			auto reloc = reinterpret_cast<PIMAGE_BASE_RELOCATION>(module_base + base_reloc_dir->VirtualAddress);
 			for (auto current_size = 0u; current_size < base_reloc_dir->Size; )
 			{
-				auto reloc_count = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(UINT16);
+				std::uint32_t reloc_count = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(UINT16);
 				auto reloc_data = reinterpret_cast<std::uint16_t*>((UINT8*)reloc + sizeof(IMAGE_BASE_RELOCATION));
 				auto reloc_base = reinterpret_cast<std::uint8_t*>(module_base) + reloc->VirtualAddress;

@ -28,6 +28,8 @@ namespace shellcode

 					switch (type)
 					{
+					case IMAGE_REL_BASED_ABSOLUTE:
+						break;
 					case IMAGE_REL_BASED_DIR64:
 					{
 						auto rva = reinterpret_cast<std::uintptr_t*>(reloc_base + offset);
--- a/(1703-1511)/BootMgfw.c
+++ b/(1703-1511)/BootMgfw.c
@ -1,7 +1,7 @@
 #include "BootMgfw.h"

 SHITHOOK BootMgfwShitHook;
-EFI_STATUS EFIAPI GetBootMgfwPath(EFI_DEVICE_PATH_PROTOCOL** BootMgfwPathProtocol)
+EFI_STATUS EFIAPI RestoreBootMgfw(VOID)
 {
 	UINTN HandleCount = NULL;
 	EFI_STATUS Result;
@ -33,11 +33,83 @@ EFI_STATUS EFIAPI GetBootMgfwPath(EFI_DEVICE_PATH_PROTOCOL** BootMgfwPathProtoco
 			return Result;
 		}

-		// if we found the correct file (\\efi\\microsoft\\boot\\bootmgfw.efi)
-		if (!EFI_ERROR(VolumeHandle->Open(VolumeHandle, &BootMgfwHandle, WINDOWS_BOOTMGR_PATH, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY)))
+		if (!EFI_ERROR(VolumeHandle->Open(VolumeHandle, &BootMgfwHandle, WINDOWS_BOOTMGFW_PATH, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY)))
 		{
-			VolumeHandle->Close(BootMgfwHandle);
-			*BootMgfwPathProtocol = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGR_PATH);
+			EFI_FILE_PROTOCOL* BootMgfwFile = NULL;
+			EFI_DEVICE_PATH* BootMgfwPathProtocol = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGFW_PATH);
+
+			if (EFI_ERROR((Result = EfiOpenFileByDevicePath(&BootMgfwPathProtocol, &BootMgfwFile, EFI_FILE_MODE_WRITE | EFI_FILE_MODE_READ, NULL))))
+			{
+				DBG_PRINT("error opening bootmgfw... reason -> %r\n", Result);
+				return Result;
+			}
+
+			if (EFI_ERROR((Result = BootMgfwFile->Delete(BootMgfwFile))))
+			{
+				DBG_PRINT("error deleting bootmgfw... reason -> %r\n", Result);
+				return Result;
+			}
+
+			BootMgfwPathProtocol = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGFW_BACKUP_PATH);
+			if (EFI_ERROR((Result = EfiOpenFileByDevicePath(&BootMgfwPathProtocol, &BootMgfwFile, EFI_FILE_MODE_WRITE | EFI_FILE_MODE_READ, NULL))))
+			{
+				DBG_PRINT("failed to open backup file... reason -> %r\n", Result);
+				return Result;
+			}
+
+			EFI_FILE_INFO* FileInfoPtr = NULL;
+			UINTN FileInfoSize = NULL;
+			if (EFI_ERROR((Result = BootMgfwFile->GetInfo(BootMgfwFile, &gEfiFileInfoGuid, &FileInfoSize, NULL))))
+			{
+				if (Result == EFI_BUFFER_TOO_SMALL)
+				{
+					gBS->AllocatePool(EfiBootServicesData, FileInfoSize, &FileInfoPtr);
+					if (EFI_ERROR(Result = BootMgfwFile->GetInfo(BootMgfwFile, &gEfiFileInfoGuid, &FileInfoSize, FileInfoPtr)))
+					{
+						DBG_PRINT("get backup file information failed... reason -> %r\n", Result);
+						return Result;
+					}
+				}
+				else
+				{
+					DBG_PRINT("Failed to get file information... reason -> %r\n", Result);
+					return Result;
+				}
+			}
+			VOID* BootMgfwBuffer = NULL;
+			gBS->AllocatePool(EfiBootServicesData, FileInfoPtr->FileSize, &BootMgfwBuffer);
+
+			UINTN BootMgfwSize = FileInfoPtr->FileSize;
+			if (EFI_ERROR((Result = BootMgfwFile->Read(BootMgfwFile, &BootMgfwSize, BootMgfwBuffer))))
+			{
+				DBG_PRINT("Failed to read backup file into buffer... reason -> %r\n", Result);
+				return Result;
+			}
+
+			if (EFI_ERROR((Result = BootMgfwFile->Delete(BootMgfwFile))))
+			{
+				DBG_PRINT("unable to delete backup file... reason -> %r\n", Result);
+				return Result;
+			}
+
+			BootMgfwPathProtocol = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGFW_PATH);
+			if (EFI_ERROR((Result = EfiOpenFileByDevicePath(&BootMgfwPathProtocol, &BootMgfwFile, EFI_FILE_MODE_CREATE | EFI_FILE_MODE_WRITE | EFI_FILE_MODE_READ, EFI_FILE_SYSTEM))))
+			{
+				DBG_PRINT("unable to create new bootmgfw on disk... reason -> %r\n", Result);
+				return Result;
+			}
+
+			BootMgfwSize = FileInfoPtr->FileSize;
+			if (EFI_ERROR((Result = BootMgfwFile->Write(BootMgfwFile, &BootMgfwSize, BootMgfwBuffer))))
+			{
+				DBG_PRINT("unable to write to newly created bootmgfw.efi... reason -> %r\n", Result);
+				return Result;
+			}
+
+			VolumeHandle->Close(VolumeHandle);
+			BootMgfwFile->Close(BootMgfwFile);
+			gBS->FreePool(FileInfoPtr);
+			gBS->FreePool(BootMgfwBuffer);
 			return EFI_SUCCESS;
 		}

--- a/(1703-1511)/BootMgfw.h
+++ b/(1703-1511)/BootMgfw.h
@ -18,9 +18,11 @@
 #define START_BOOT_APPLICATION_MASK "x????xxxxxx????xxx"

 static_assert(sizeof(START_BOOT_APPLICATION_SIG) == sizeof(START_BOOT_APPLICATION_MASK), "signature and mask size's dont match...");
-#define WINDOWS_BOOTMGR_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi"
+#define WINDOWS_BOOTMGFW_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi"
+#define WINDOWS_BOOTMGFW_BACKUP_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi.backup"
+
 extern SHITHOOK BootMgfwShitHook;
 typedef EFI_STATUS(EFIAPI* IMG_ARCH_START_BOOT_APPLICATION)(VOID*, VOID*, UINT32, UINT8, VOID*);
-EFI_STATUS EFIAPI GetBootMgfwPath(EFI_DEVICE_PATH_PROTOCOL** BootMgfwPathProtocol);
+EFI_STATUS EFIAPI RestoreBootMgfw(VOID);
 EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE ImageHandle);
 EFI_STATUS EFIAPI ArchStartBootApplicationHook(VOID* AppEntry, VOID* ImageBase, UINT32 ImageSize, UINT8 BootOption, VOID* ReturnArgs);
--- a/(1703-1511)/UefiMain.c
+++ b/(1703-1511)/UefiMain.c
@ -15,31 +15,17 @@ EFI_STATUS EFIAPI UefiMain
 )
 {
    EFI_STATUS Result;
-    EFI_HANDLE BootMgfwHandle;
-    EFI_DEVICE_PATH* BootMgfwPath;
-
-    if (EFI_ERROR((Result = GetBootMgfwPath(&BootMgfwPath))))
-    {
-        Print(L"unable to get bootmgfw file path... reason -> %r\n", Result);
-        return EFI_NOT_FOUND;
-    }
-
-    if (EFI_ERROR((Result = gBS->LoadImage(TRUE, ImageHandle, BootMgfwPath, NULL, 0, &BootMgfwHandle))))
-    {
-        Print(L"failed to load bootmgfw.efi... reason -> %r\n", Result);
-        return EFI_ABORTED;
-    }
-
-    if (EFI_ERROR((Result = InstallBootMgfwHooks(BootMgfwHandle))))
+    EFI_DEVICE_PATH_PROTOCOL* BootMgfwPath;
+    if (EFI_ERROR((Result = RestoreBootMgfw())))
    {
-        Print(L"Failed to install bootmgfw hooks... reason -> %r\n", Result);
-        return EFI_ABORTED;
+        DBG_PRINT("unable to get bootmgfw path... reason -> %r\n", Result);
+        return Result;
    }

-    if (EFI_ERROR((Result = gBS->StartImage(BootMgfwHandle, NULL, NULL))))
+    if (EFI_ERROR((Result = InstallBootMgfwHooks(ImageHandle))))
    {
-        Print(L"Failed to start bootmgfw.efi...\n");
-        return EFI_ABORTED;
+        DBG_PRINT("Failed to install bootmgfw hooks... reason -> %r\n", Result);
+        return Result;
    }
    return EFI_SUCCESS;
 }
--- a/(2004-1709)/BootMgfw.c
+++ b/(2004-1709)/BootMgfw.c
@ -1,7 +1,7 @@
 #include "BootMgfw.h"

 SHITHOOK BootMgfwShitHook;
-EFI_STATUS EFIAPI GetBootMgfwPath(EFI_DEVICE_PATH_PROTOCOL** BootMgfwPathProtocol)
+EFI_STATUS EFIAPI RestoreBootMgfw(VOID)
 {
 	UINTN HandleCount = NULL;
 	EFI_STATUS Result;
@ -33,11 +33,83 @@ EFI_STATUS EFIAPI GetBootMgfwPath(EFI_DEVICE_PATH_PROTOCOL** BootMgfwPathProtoco
 			return Result;
 		}

-		// if we found the correct file (\\efi\\microsoft\\boot\\bootmgfw.efi)
-		if (!EFI_ERROR(VolumeHandle->Open(VolumeHandle, &BootMgfwHandle, WINDOWS_BOOTMGR_PATH, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY)))
+		if (!EFI_ERROR(VolumeHandle->Open(VolumeHandle, &BootMgfwHandle, WINDOWS_BOOTMGFW_PATH, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY)))
 		{
-			VolumeHandle->Close(BootMgfwHandle);
-			*BootMgfwPathProtocol = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGR_PATH);
+			EFI_FILE_PROTOCOL* BootMgfwFile = NULL;
+			EFI_DEVICE_PATH* BootMgfwPathProtocol = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGFW_PATH);
+
+			if (EFI_ERROR((Result = EfiOpenFileByDevicePath(&BootMgfwPathProtocol, &BootMgfwFile, EFI_FILE_MODE_WRITE | EFI_FILE_MODE_READ, NULL))))
+			{
+				DBG_PRINT("error opening bootmgfw... reason -> %r\n", Result);
+				return Result;
+			}
+
+			if (EFI_ERROR((Result = BootMgfwFile->Delete(BootMgfwFile))))
+			{
+				DBG_PRINT("error deleting bootmgfw... reason -> %r\n", Result);
+				return Result;
+			}
+
+			BootMgfwPathProtocol = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGFW_BACKUP_PATH);
+			if (EFI_ERROR((Result = EfiOpenFileByDevicePath(&BootMgfwPathProtocol, &BootMgfwFile, EFI_FILE_MODE_WRITE | EFI_FILE_MODE_READ, NULL))))
+			{
+				DBG_PRINT("failed to open backup file... reason -> %r\n", Result);
+				return Result;
+			}
+
+			EFI_FILE_INFO* FileInfoPtr = NULL;
+			UINTN FileInfoSize = NULL;
+			if (EFI_ERROR((Result = BootMgfwFile->GetInfo(BootMgfwFile, &gEfiFileInfoGuid, &FileInfoSize, NULL))))
+			{
+				if (Result == EFI_BUFFER_TOO_SMALL)
+				{
+					gBS->AllocatePool(EfiBootServicesData, FileInfoSize, &FileInfoPtr);
+					if (EFI_ERROR(Result = BootMgfwFile->GetInfo(BootMgfwFile, &gEfiFileInfoGuid, &FileInfoSize, FileInfoPtr)))
+					{
+						DBG_PRINT("get backup file information failed... reason -> %r\n", Result);
+						return Result;
+					}
+				}
+				else
+				{
+					DBG_PRINT("Failed to get file information... reason -> %r\n", Result);
+					return Result;
+				}
+			}
+			VOID* BootMgfwBuffer = NULL;
+			gBS->AllocatePool(EfiBootServicesData, FileInfoPtr->FileSize, &BootMgfwBuffer);
+
+			UINTN BootMgfwSize = FileInfoPtr->FileSize;
+			if (EFI_ERROR((Result = BootMgfwFile->Read(BootMgfwFile, &BootMgfwSize, BootMgfwBuffer))))
+			{
+				DBG_PRINT("Failed to read backup file into buffer... reason -> %r\n", Result);
+				return Result;
+			}
+
+			if (EFI_ERROR((Result = BootMgfwFile->Delete(BootMgfwFile))))
+			{
+				DBG_PRINT("unable to delete backup file... reason -> %r\n", Result);
+				return Result;
+			}
+
+			BootMgfwPathProtocol = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGFW_PATH);
+			if (EFI_ERROR((Result = EfiOpenFileByDevicePath(&BootMgfwPathProtocol, &BootMgfwFile, EFI_FILE_MODE_CREATE | EFI_FILE_MODE_WRITE | EFI_FILE_MODE_READ, EFI_FILE_SYSTEM))))
+			{
+				DBG_PRINT("unable to create new bootmgfw on disk... reason -> %r\n", Result);
+				return Result;
+			}
+
+			BootMgfwSize = FileInfoPtr->FileSize;
+			if (EFI_ERROR((Result = BootMgfwFile->Write(BootMgfwFile, &BootMgfwSize, BootMgfwBuffer))))
+			{
+				DBG_PRINT("unable to write to newly created bootmgfw.efi... reason -> %r\n", Result);
+				return Result;
+			}
+
+			VolumeHandle->Close(VolumeHandle);
+			BootMgfwFile->Close(BootMgfwFile);
+			gBS->FreePool(FileInfoPtr);
+			gBS->FreePool(BootMgfwBuffer);
 			return EFI_SUCCESS;
 		}

--- a/(2004-1709)/BootMgfw.h
+++ b/(2004-1709)/BootMgfw.h
@ -11,6 +11,7 @@
 #include <Protocol/LoadedImage.h>
 #include <IndustryStandard/PeImage.h>
 #include <Guid/GlobalVariable.h>
+#include <Library/ShellLib.h>
 #include "WinLoad.h"

 #if WINVER > 1709
@ -25,9 +26,11 @@
 #endif

 static_assert(sizeof(START_BOOT_APPLICATION_SIG) == sizeof(START_BOOT_APPLICATION_MASK), "signature and mask size's dont match...");
-#define WINDOWS_BOOTMGR_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi"
+#define WINDOWS_BOOTMGFW_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi"
+#define WINDOWS_BOOTMGFW_BACKUP_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi.backup"
+
 extern SHITHOOK BootMgfwShitHook;
 typedef EFI_STATUS(EFIAPI* IMG_ARCH_START_BOOT_APPLICATION)(VOID*, VOID*, UINT32, UINT8, VOID*);
-EFI_STATUS EFIAPI GetBootMgfwPath(EFI_DEVICE_PATH_PROTOCOL** BootMgfwPathProtocol);
+EFI_STATUS EFIAPI RestoreBootMgfw(VOID);
 EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath);
 EFI_STATUS EFIAPI ArchStartBootApplicationHook(VOID* AppEntry, VOID* ImageBase, UINT32 ImageSize, UINT8 BootOption, VOID* ReturnArgs);
--- a/(2004-1709)/UefiMain.c
+++ b/(2004-1709)/UefiMain.c
@ -1,5 +1,4 @@
 #include "BootMgfw.h"
-#include <Library/ShellLib.h>

 CHAR8* gEfiCallerBaseName = "Voyager";
 const UINT32 _gUefiDriverRevision = 0x200;
@ -7,7 +6,9 @@ const UINT32 _gUefiDriverRevision = 0x200;
 EFI_STATUS EFIAPI UefiUnload(
    IN EFI_HANDLE ImageHandle
 )
-{ return EFI_SUCCESS; }
+{
+    return EFI_SUCCESS;
+}

 EFI_STATUS EFIAPI UefiMain
 (
@ -16,31 +17,17 @@ EFI_STATUS EFIAPI UefiMain
 )
 {
    EFI_STATUS Result;
-    EFI_HANDLE BootMgfwHandle;
-    EFI_DEVICE_PATH* BootMgfwPath;
-
-    if (EFI_ERROR((Result = GetBootMgfwPath(&BootMgfwPath))))
-    {
-        Print(L"unable to get bootmgfw file path... reason -> %r\n", Result);
-        return EFI_NOT_FOUND;
-    }
-
-    if (EFI_ERROR((Result = gBS->LoadImage(TRUE, ImageHandle, BootMgfwPath, NULL, 0, &BootMgfwHandle))))
-    {
-        Print(L"failed to load bootmgfw.efi...\n");
-        return EFI_ABORTED;
-    }
-
-    if (EFI_ERROR(InstallBootMgfwHooks(BootMgfwHandle)))
+    EFI_DEVICE_PATH_PROTOCOL* BootMgfwPath;
+    if (EFI_ERROR((Result = RestoreBootMgfw())))
    {
-        Print(L"Failed to install bootmgfw hooks...\n");
-        return EFI_ABORTED;
+        DBG_PRINT("unable to get bootmgfw path... reason -> %r\n", Result);
+        return Result;
    }

-    if (EFI_ERROR(gBS->StartImage(BootMgfwHandle, NULL, NULL)))
+    if (EFI_ERROR((Result = InstallBootMgfwHooks(ImageHandle))))
    {
-        Print(L"Failed to start bootmgfw.efi...\n");
-        return EFI_ABORTED;
+        DBG_PRINT("Failed to install bootmgfw hooks... reason -> %r\n", Result);
+        return Result;
    }
    return EFI_SUCCESS;
 }