added 1703 support, and all 2004-1709.

DeepSpaceNetwork/main.cpp

@@ -1,8 +0,0 @@
-#include <iostream>
-#include "com.h"
-
-int main()
-{
-	std::printf("[+] hyper-v (CPUID) result -> 0x%x\n", cpuid_test(VMEXIT_KEY));
-	std::getchar();
-}

PayLoad (Intel)/PayLoad.vcxproj

@@ -43,6 +43,7 @@
     <Platform Condition="'$(Platform)' == ''">Win32</Platform>
     <RootNamespace>TheGoldenRecord</RootNamespace>
     <WindowsTargetPlatformVersion>10.0.19041.0</WindowsTargetPlatformVersion>
+    <ProjectName>PayLoad (Intel)</ProjectName>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">

Usermode Example/Example.vcxproj

@@ -24,6 +24,7 @@
     <ProjectGuid>{09b41831-3164-48ad-8660-23457d82b73b}</ProjectGuid>
     <RootNamespace>DeepSpaceNetwork</RootNamespace>
     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+    <ProjectName>Example</ProjectName>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">

Usermode Example/Example.vcxproj.filters

@@ -15,14 +15,14 @@
       <Filter>Source Files</Filter>
     </ClCompile>
   </ItemGroup>
-  <ItemGroup>
-    <None Include="com.asm">
-      <Filter>Source Files</Filter>
-    </None>
-  </ItemGroup>
   <ItemGroup>
     <ClInclude Include="com.h">
       <Filter>Header Files</Filter>
     </ClInclude>
   </ItemGroup>
+  <ItemGroup>
+    <MASM Include="com.asm">
+      <Filter>Source Files</Filter>
+    </MASM>
+  </ItemGroup>
 </Project>

Usermode Example/com.asm

@@ -1,7 +1,7 @@
 _text segment
-cpuid_test proc
+hyperv proc
 cpuid
 ret
-cpuid_test endp
+hyperv endp
 _text ends
 end

Usermode Example/com.h

@@ -1,3 +1,3 @@
 #pragma once
 #define VMEXIT_KEY 0xDEADBEEFDEADBEEF
-extern "C" size_t cpuid_test(size_t key);
+extern "C" size_t hyperv(size_t key);

Usermode Example/main.cpp

@@ -0,0 +1,8 @@
+#include <iostream>
+#include "com.h"
+
+int main()
+{
+	std::printf("[+] hyper-v (CPUID) result -> 0x%x\n", hyperv(VMEXIT_KEY));
+	std::getchar();
+}

Voyager (1703-1511)/BootMgfw.c

@@ -0,0 +1,95 @@
+#include "BootMgfw.h"
+
+SHITHOOK BootMgfwShitHook;
+EFI_DEVICE_PATH* EFIAPI GetBootMgfwPath(VOID)
+{
+	UINTN HandleCount = NULL;
+	EFI_STATUS Result;
+	EFI_HANDLE* Handles = NULL;
+	EFI_DEVICE_PATH* DevicePath = NULL;
+	EFI_FILE_HANDLE VolumeHandle;
+	EFI_FILE_HANDLE BootMgfwHandle;
+	EFI_FILE_IO_INTERFACE* FileSystem = NULL;
+
+	// get all the handles to file systems...
+	if (EFI_ERROR((Result = gBS->LocateHandleBuffer(ByProtocol, &gEfiSimpleFileSystemProtocolGuid, NULL, &HandleCount, &Handles))))
+	{
+		Print(L"error getting file system handles -> 0x%p\n", Result);
+		return DevicePath;
+	}
+
+	// for each handle to the file system, open a protocol with it...
+	for (UINT32 Idx = 0u; Idx < HandleCount && !FileSystem; ++Idx)
+	{
+		if (EFI_ERROR((Result = gBS->OpenProtocol(Handles[Idx], &gEfiSimpleFileSystemProtocolGuid, (VOID**)&FileSystem, gImageHandle, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL))))
+		{
+			Print(L"error opening protocol -> 0x%p\n", Result);
+			return DevicePath;
+		}
+
+		if (EFI_ERROR((Result = FileSystem->OpenVolume(FileSystem, &VolumeHandle))))
+		{
+			Print(L"error opening file system -> 0x%p\n", Result);
+			return DevicePath;
+		}
+
+		// if we found the correct file (\\efi\\microsoft\\boot\\bootmgfw.efi)
+		if (!EFI_ERROR(VolumeHandle->Open(VolumeHandle, &BootMgfwHandle, WINDOWS_BOOTMGR_PATH, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY)))
+			DevicePath = FileDevicePath(Handles[Idx], WINDOWS_BOOTMGR_PATH);
+
+		VolumeHandle->Close(BootMgfwHandle);
+		if (EFI_ERROR((Result = gBS->CloseProtocol(Handles[Idx], &gEfiSimpleFileSystemProtocolGuid, gImageHandle, NULL))))
+		{
+			Print(L"error closing protocol -> 0x%p\n", Result);
+			return DevicePath;
+		}
+	}
+	return DevicePath;
+}
+
+EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath)
+{
+	EFI_STATUS Result = EFI_SUCCESS;
+	EFI_LOADED_IMAGE* BootMgfw = NULL;
+
+	if (EFI_ERROR((Result = gBS->HandleProtocol(BootMgfwPath, &gEfiLoadedImageProtocolGuid, (VOID**)&BootMgfw))))
+		return Result;
+
+	Print(L"Image Base -> 0x%p\n", BootMgfw->ImageBase);
+	Print(L"Image Size -> 0x%x\n", BootMgfw->ImageSize);
+
+	VOID* ArchStartBootApplication = 
+		FindPattern(
+			BootMgfw->ImageBase, 
+			BootMgfw->ImageSize,
+			START_BOOT_APPLICATION_SIG, 
+			START_BOOT_APPLICATION_MASK
+		);
+
+	if (!ArchStartBootApplication)
+		return EFI_ABORTED;
+
+	Print(L"ArchStartBootApplication -> 0x%p\n", RESOLVE_RVA(ArchStartBootApplication, 5, 1));
+	MakeShitHook(&BootMgfwShitHook, RESOLVE_RVA(ArchStartBootApplication, 5, 1), &ArchStartBootApplicationHook, TRUE);
+	return Result;
+}
+
+EFI_STATUS EFIAPI ArchStartBootApplicationHook(VOID* AppEntry, VOID* ImageBase, UINT32 ImageSize, UINT8 BootOption, VOID* ReturnArgs)
+{
+	DisableShitHook(&BootMgfwShitHook);
+	VOID* ImgLoadPEImageEx =
+		FindPattern(
+			ImageBase,
+			ImageSize,
+			LOAD_PE_IMG_SIG,
+			LOAD_PE_IMG_MASK
+		);
+
+	Print(L"PE PayLoad Size -> 0x%x\n", PayLoadSize());
+	Print(L"winload base -> 0x%p\n", ImageBase);
+	Print(L"winload size -> 0x%x\n", ImageSize);
+	Print(L"winload.BlImgLoadPEImageEx -> 0x%p\n", RESOLVE_RVA(ImgLoadPEImageEx, 5, 1));
+
+	MakeShitHook(&WinLoadImageShitHook, RESOLVE_RVA(ImgLoadPEImageEx, 5, 1), &BlImgLoadPEImageEx, TRUE);
+	return ((IMG_ARCH_START_BOOT_APPLICATION)BootMgfwShitHook.Address)(AppEntry, ImageBase, ImageSize, BootOption, ReturnArgs);
+}

Voyager (1703-1511)/BootMgfw.h

@@ -0,0 +1,27 @@
+#pragma once
+#include <Uefi.h>
+#include <Library/UefiLib.h>
+#include <Library/DebugLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
+#include <Library/DevicePathLib.h>
+#include <Library/PrintLib.h>
+#include <Protocol/SimpleFileSystem.h>
+#include <Protocol/LoadedImage.h>
+#include <IndustryStandard/PeImage.h>
+#include <Guid/GlobalVariable.h>
+#include "WinLoad.h"
+
+#if WINVER >= 1607
+#define START_BOOT_APPLICATION_SIG "\xE8\x00\x00\x00\x00\x48\x8B\xCE\x8B\xD8\xE8\x00\x00\x00\x00\x41\x8B\xCF"
+#define START_BOOT_APPLICATION_MASK "x????xxxxxx????xxx"
+#endif
+
+static_assert(sizeof(START_BOOT_APPLICATION_SIG) == sizeof(START_BOOT_APPLICATION_MASK), "signature and mask size's dont match...");
+#define WINDOWS_BOOTMGR_PATH L"\\efi\\microsoft\\boot\\bootmgfw.efi"
+extern SHITHOOK BootMgfwShitHook;
+typedef EFI_STATUS(EFIAPI* IMG_ARCH_START_BOOT_APPLICATION)(VOID*, VOID*, UINT32, UINT8, VOID*);
+EFI_DEVICE_PATH* EFIAPI GetBootMgfwPath(VOID);
+EFI_STATUS EFIAPI InstallBootMgfwHooks(EFI_HANDLE BootMgfwPath);
+EFI_STATUS EFIAPI ArchStartBootApplicationHook(VOID* AppEntry, VOID* ImageBase, UINT32 ImageSize, UINT8 BootOption, VOID* ReturnArgs);

Voyager (1703-1511)/HvLoader.c

@@ -0,0 +1,87 @@
+#include "HvLoader.h"
+
+SHITHOOK HvLoadImageHook;
+SHITHOOK HvLoadAllocImageHook;
+BOOLEAN ExtendedAllocation = FALSE;
+BOOLEAN HookedHyperV = FALSE;
+
+EFI_STATUS EFIAPI HvBlImgLoadPEImageFromSourceBuffer(VOID* a1, VOID* a2, VOID* a3, VOID* a4, UINT64* ImageBase,
+	UINT32* ImageSize, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14, VOID* a15)
+{
+	DisableShitHook(&HvLoadImageHook);
+	EFI_STATUS Result = ((HV_LDR_LOAD_IMAGE)HvLoadImageHook.Address)(a1, a2, a3, a4, ImageBase, ImageSize, a7, a8,
+		a9, a10, a11, a12, a13, a14, a15);
+	EnableShitHook(&HvLoadImageHook);
+
+	if (ExtendedAllocation && !HookedHyperV)
+	{
+		HookedHyperV = TRUE;
+		EFI_IMAGE_DOS_HEADER* HypervDosHeader = *ImageBase;
+		if (HypervDosHeader->e_magic != EFI_IMAGE_DOS_SIGNATURE)
+			return NULL;
+
+		EFI_IMAGE_NT_HEADERS64* HypervNtHeader = (UINT64)HypervDosHeader + HypervDosHeader->e_lfanew;
+		if (HypervNtHeader->Signature != EFI_IMAGE_NT_SIGNATURE)
+			return NULL;
+
+		EFI_IMAGE_SECTION_HEADER* pSection = ((UINT64)&HypervNtHeader->OptionalHeader) +
+			HypervNtHeader->FileHeader.SizeOfOptionalHeader;
+
+		for (UINT16 i = 0; i < HypervNtHeader->FileHeader.NumberOfSections; i += 1, pSection += 1)
+		{
+			if (!AsciiStrCmp(&pSection->Name, ".reloc"))
+			{
+				VOYAGER_DATA_T VoyagerData;
+				MakeVoyagerData
+				(
+					&VoyagerData,
+					*ImageBase,
+					*ImageSize,
+					*ImageBase + pSection->VirtualAddress + pSection->Misc.VirtualSize,
+					PayLoadSize()
+				);
+
+				DBG_PRINT(".reloc section base address -> 0x%p\n", *ImageBase + pSection->VirtualAddress);
+				DBG_PRINT(".reloc section end (aka golden record base address) -> 0x%p\n", *ImageBase + pSection->VirtualAddress + pSection->Misc.VirtualSize);
+
+				VOID* VmExitHook = MapModule(&VoyagerData, PayLoad);
+				VOID* VmExitFunction = HookVmExit
+				(
+					VoyagerData.HypervModuleBase,
+					VoyagerData.HypervModuleSize,
+					VmExitHook
+				);
+
+				pSection->Characteristics = SECTION_RWX;
+				pSection->Misc.VirtualSize += PayLoadSize();
+				DBG_PRINT("VmExitHook (PayLoad Entry Point) -> 0x%p\n", VmExitHook);
+			}
+		}
+
+		HypervNtHeader->OptionalHeader.SizeOfImage += PayLoadSize();
+		*ImageSize += PayLoadSize();
+	}
+
+	DBG_PRINT("[HvLoader (Load Image)] ImageBase -> 0x%p, ImageSize -> 0x%p\n", *ImageBase, *ImageSize);
+	return Result;
+}
+
+UINT64 EFIAPI HvLoaderBlImgAllocateImageBuffer(VOID** imageBuffer, UINTN imageSize, UINT32 memoryType, UINT32 attributes, VOID* unused, UINT32 flags)
+{
+	if (imageSize == HV_ALLOC_SIZE && !ExtendedAllocation)
+	{
+		ExtendedAllocation = TRUE;
+		imageSize += PayLoadSize();
+
+		// allocate the entire hyper-v module as rwx...
+		memoryType = BL_MEMORY_ATTRIBUTE_RWX;
+	}
+
+	DisableShitHook(&HvLoadAllocImageHook);
+	UINT64 Result = ((ALLOCATE_IMAGE_BUFFER)HvLoadAllocImageHook.Address)(imageBuffer, imageSize, memoryType, attributes, unused, flags);
+	if(!ExtendedAllocation)
+		EnableShitHook(&HvLoadAllocImageHook);
+
+	DBG_PRINT("[HvLoader (Alloc Image Memory)] Allocated memory -> 0x%p, size -> 0x%x\n", *imageBuffer, imageSize);
+	return Result;
+}

Voyager (1703-1511)/HvLoader.h

@@ -0,0 +1,30 @@
+#pragma once
+#include "Utils.h"
+#include "PayLoad.h"
+#include "Hvix64.h"
+
+#if WINVER >= 1607
+#define ALLOCATE_IMAGE_BUFFER_SIG "\xE8\x00\x00\x00\x00\x4C\x8B\x65\x60"
+#define ALLOCATE_IMAGE_BUFFER_MASK "x????xxxx"
+#endif
+
+#if WINVER == 1703
+#define HV_LOAD_PE_IMG_SIG "\xE8\x00\x00\x00\x00\x44\x8B\xAD"
+#define HV_LOAD_PE_IMG_MASK "x????xxx"
+#elif WINVER == 1607
+#define HV_LOAD_PE_IMG_SIG "\xE8\x00\x00\x00\x00\x48\x8B\x4D\x80\x41\x8B\xD4"
+#define HV_LOAD_PE_IMG_MASK "x????xxxxxxx"
+#endif
+
+static_assert(sizeof(HV_LOAD_PE_IMG_SIG) == sizeof(HV_LOAD_PE_IMG_MASK), "signature and mask do not match size...");
+static_assert(sizeof(ALLOCATE_IMAGE_BUFFER_SIG) == sizeof(ALLOCATE_IMAGE_BUFFER_MASK), "signature and mask do not match size!");
+typedef EFI_STATUS(EFIAPI* ALLOCATE_IMAGE_BUFFER)(VOID** imageBuffer, UINTN imageSize, UINT32 memoryType, UINT32 attributes, VOID* unused, UINT32 flags);
+typedef EFI_STATUS(EFIAPI* HV_LDR_LOAD_IMAGE)(VOID* a1, VOID* a2, VOID* a3, VOID* a4, UINT64* ImageBase,
+	UINT32* ImageSize, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14, VOID* a15);
+
+UINT64 EFIAPI HvLoaderBlImgAllocateImageBuffer(VOID** imageBuffer, UINTN imageSize, UINT32 memoryType, UINT32 attributes, VOID* unused, UINT32 flags);
+EFI_STATUS EFIAPI HvBlImgLoadPEImageFromSourceBuffer(VOID* a1, VOID* a2, VOID* a3, VOID* a4, UINT64* ImageBase,
+	UINT32* ImageSize, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14, VOID* a15);
+
+extern SHITHOOK HvLoadImageHook;
+extern SHITHOOK HvLoadAllocImageHook;

Voyager (1703-1511)/Hvix64.c

@@ -33,7 +33,7 @@ VOID* MapModule(PVOYAGER_DATA_T VoyagerData, UINT8* ImageBase)
 		if (AsciiStrStr(VoyagerData->ModuleBase + Name[i], "voyager_context"))
 		{
 			*(VOYAGER_DATA_T*)(VoyagerData->ModuleBase + Address[Ordinal[i]]) = *VoyagerData;
-			break; // DO NOT REMOVE? Gorilla Code 2020...
+			break; // DO NOT REMOVE? :|
 		}
 	}
 
@@ -82,14 +82,14 @@ VOID MakeVoyagerData
 	PVOYAGER_DATA_T VoyagerData,
 	VOID* HypervAlloc,
 	UINT64 HypervAllocSize,
-	VOID* GoldenRecordAlloc,
-	UINT64 GoldenRecordSize
+	VOID* PayLoadBase,
+	UINT64 PayLoadSize
 )
 {
 	VoyagerData->HypervModuleBase = HypervAlloc;
 	VoyagerData->HypervModuleSize = HypervAllocSize;
-	VoyagerData->ModuleBase = GoldenRecordAlloc;
-	VoyagerData->ModuleSize = GoldenRecordSize;
+	VoyagerData->ModuleBase = PayLoadBase;
+	VoyagerData->ModuleSize = PayLoadSize;
 
 	VOID* VmExitHandler =
 		FindPattern(
@@ -106,11 +106,10 @@ VOID MakeVoyagerData
 		.text:FFFFF80000237445                 jmp     loc_FFFFF80000237100
 	*/
 
-
 	UINT64 VmExitHandlerCall = ((UINT64)VmExitHandler) + 19; // + 19 bytes to -> call vmexit_c_handler
 	UINT64 VmExitHandlerCallRip = (UINT64)VmExitHandlerCall + 5; // + 5 bytes because "call vmexit_c_handler" is 5 bytes
 	UINT64 VmExitFunction = VmExitHandlerCallRip + *(INT32*)((UINT64)(VmExitHandlerCall + 1)); // + 1 to skip E8 (call) and read 4 bytes (RVA)
-	VoyagerData->VmExitHandlerRva = ((UINT64)GetGoldenRecordEntry(GoldenRecordAlloc)) - (UINT64)VmExitFunction;
+	VoyagerData->VmExitHandlerRva = ((UINT64)PayLoadEntry(PayLoadBase)) - (UINT64)VmExitFunction;
 
 	DBG_PRINT("VmExitHandler -> 0x%p\n", VmExitHandler);
 	DBG_PRINT("VmExitHandlerRva -> 0x%x\n", VoyagerData->VmExitHandlerRva);
@@ -141,7 +140,6 @@ VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook)
 	UINT64 VmExitFunction = VmExitHandlerCallRip + *(INT32*)((UINT64)(VmExitHandlerCall + 1)); // + 1 to skip E8 (call) and read 4 bytes (RVA)
 	INT32 NewVmExitRVA = ((INT64)VmExitHook) - VmExitHandlerCallRip;
 	*(INT32*)((UINT64)(VmExitHandlerCall + 1)) = NewVmExitRVA;
-
 	DBG_PRINT("NewVmExitRVA -> 0x%x\n", NewVmExitRVA);
 	return VmExitFunction;
 }

Voyager (1703-1511)/Hvix64.h

@@ -0,0 +1,40 @@
+#pragma once
+#include "PayLoad.h"
+
+#define HV_ALLOC_SIZE 0x1400000
+#if WINVER == 1703
+#define VMEXIT_HANDLER_SIG "\xD0\x80\x3D\x74\xCC\x47\x00\x00\x0F\x84\x00\x00\x00\x00\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9"
+#define VMEXIT_HANDLER_MASK "xxxxxx??xx????xxxx?x????x"
+#elif WINVER == 1607
+#define VMEXIT_HANDLER_SIG "\xD0\x80\x3D\xB4\x9F\x49\x00\x00\x0F\x84\x00\x00\x00\x00\x48\x8B\x54\x24\x00\xE8\x00\x00\x00\x00\xE9"
+#define VMEXIT_HANDLER_MASK "xxxxxx??xx????xxxx?x????x"
+#endif
+
+static_assert(sizeof(VMEXIT_HANDLER_SIG) == sizeof(VMEXIT_HANDLER_MASK), "signature does not match mask size!");
+static_assert(sizeof(VMEXIT_HANDLER_SIG) == 26, "signature is invalid length!");
+
+//
+// AllocBase is the base address of the extra memory allocated below where hyper-v is
+// AllocSize is the size of the extra allocated memory... This size == module size...
+//
+VOID* MapModule(PVOYAGER_DATA_T VoyagerData, UINT8* ImageBase);
+
+//
+// sig scan hv.exe for vmexit call and replace the relative call (RVA) with 
+// an RVA to the vmexit handler hook (which is the golden records entry point)...
+//
+// returns a pointer to the original vmexit function address...
+//
+VOID* HookVmExit(VOID* HypervBase, VOID* HypervSize, VOID* VmExitHook);
+
+//
+// creates a structure with all the data needed to be passed to the golden record...
+//
+VOID MakeVoyagerData
+(
+	PVOYAGER_DATA_T VoyagerData,
+	VOID* HypervAlloc,
+	UINT64 HypervAllocSize,
+	VOID* PayLoadBase,
+	UINT64 PayLoadSize
+);

Voyager (1703-1511)/PayLoad.c

@@ -1,8 +1,8 @@
-#include "TheGoldenRecord.h"
+#include "PayLoad.h"
 
-UINT32 GetGoldenRecordSize(VOID)
+UINT32 PayLoadSize(VOID)
 {
-	EFI_IMAGE_DOS_HEADER* RecordDosImageHeader = GoldenRecord;
+	EFI_IMAGE_DOS_HEADER* RecordDosImageHeader = PayLoad;
 	if (RecordDosImageHeader->e_magic != EFI_IMAGE_DOS_SIGNATURE)
 		return NULL;
 
@@ -13,9 +13,9 @@ UINT32 GetGoldenRecordSize(VOID)
 	return RecordNtHeaders->OptionalHeader.SizeOfImage;
 }
 
-VOID* GetGoldenRecordEntry(VOID* ModuleBase)
+VOID* PayLoadEntry(VOID* ModuleBase)
 {
-	EFI_IMAGE_DOS_HEADER* RecordDosImageHeader = GoldenRecord;
+	EFI_IMAGE_DOS_HEADER* RecordDosImageHeader = PayLoad;
 	if (RecordDosImageHeader->e_magic != EFI_IMAGE_DOS_SIGNATURE)
 		return NULL;
 
@@ -26,7 +26,7 @@ VOID* GetGoldenRecordEntry(VOID* ModuleBase)
 	return (UINT64)ModuleBase + RecordNtHeaders->OptionalHeader.AddressOfEntryPoint;
 }
 
-unsigned char GoldenRecord[3072] =
+unsigned char PayLoad[3072] =
 {
 	0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
 	0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

Voyager (1703-1511)/PayLoad.h

@@ -0,0 +1,17 @@
+#pragma once
+#include "Utils.h"
+extern unsigned char PayLoad[3072];
+
+#pragma pack(push, 1)
+typedef struct _VOYAGER_DATA_T
+{
+	UINT64 VmExitHandlerRva;
+	UINT64 HypervModuleBase;
+	UINT64 HypervModuleSize;
+	UINT64 ModuleBase;
+	UINT64 ModuleSize;
+} VOYAGER_DATA_T, * PVOYAGER_DATA_T;
+#pragma pack(pop)
+
+UINT32 PayLoadSize(VOID);
+VOID* PayLoadEntry(VOID* ModuleBase);

Voyager (1703-1511)/Utils.h

@@ -0,0 +1,35 @@
+#pragma once
+#include "ShitHook.h"
+#define WINVER 1703
+#define PORT_NUM 0x2F8
+#define BL_MEMORY_ATTRIBUTE_RWX 0x424000
+#define SECTION_RWX (EFI_IMAGE_SCN_MEM_READ | EFI_IMAGE_SCN_MEM_WRITE | EFI_IMAGE_SCN_MEM_EXECUTE)
+
+VOID __outbytestring(UINT16 Port, UINT8* Buffer, UINT32 Count);
+void __outbyte(unsigned short Port, unsigned char Data);
+#pragma intrinsic(__outbytestring)
+#pragma intrinsic(__outbyte)
+
+static CHAR8 dbg_buffer[0x100];
+#define DBG_PRINT(...) \
+	AsciiSPrint(dbg_buffer, sizeof dbg_buffer, __VA_ARGS__); \
+	__outbytestring(PORT_NUM, dbg_buffer, AsciiStrLen(dbg_buffer))
+
+#define RESOLVE_RVA(SIG_RESULT, RIP_OFFSET, RVA_OFFSET) \
+	(*(INT32*)(((UINT64)SIG_RESULT) + RVA_OFFSET)) + ((UINT64)SIG_RESULT) + RIP_OFFSET
+
+typedef struct _LDR_DATA_TABLE_ENTRY
+{
+	LIST_ENTRY InLoadOrderLinks;	// 16
+	LIST_ENTRY InMemoryOrderLinks;	// 32
+	LIST_ENTRY InInitializationOrderLinks; // 48
+	UINT64 ModuleBase; // 56
+	UINT64 EntryPoint; // 64
+	UINTN SizeOfImage; // 72
+} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY, **PPLDR_DATA_TABLE_ENTRY;
+
+// taken from umap (btbd)
+BOOLEAN CheckMask(CHAR8* base, CHAR8* pattern, CHAR8* mask);
+VOID* FindPattern(CHAR8* base, UINTN size, CHAR8* pattern, CHAR8* mask);
+VOID* GetExport(UINT8* base, CHAR8* export);
+VOID MemCopy(VOID* dest, VOID* src, UINTN size);

Voyager (1703-1511)/Voyager 1703.vcxproj

@@ -0,0 +1,198 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>16.0</VCProjectVersion>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectGuid>{C4B6B437-62DF-4166-9023-44CFC8A52258}</ProjectGuid>
+    <RootNamespace>HyperMe</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+    <ProjectName>Voyager (1703-1511)</ProjectName>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+    <PreferredToolArchitecture>x86</PreferredToolArchitecture>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+    <PreferredToolArchitecture>x86</PreferredToolArchitecture>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+    <IncludePath>$(ProjectDir)edk2\CryptoPkg\Include;$(ProjectDir)edk2\ShellPkg\Include;$(ProjectDir)edk2\MdePkg\Include\X64;$(ProjectDir)edk2\MdePkg\Include</IncludePath>
+    <LibraryPath>$(ProjectDir)edk2</LibraryPath>
+    <GenerateManifest>false</GenerateManifest>
+    <TargetExt>.efi</TargetExt>
+    <SourcePath>$(ProjectDir)</SourcePath>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+    <IncludePath>$(ProjectDir)edk2\CryptoPkg\Include;$(ProjectDir)edk2\ShellPkg\Include;$(ProjectDir)edk2\MdePkg\Include\X64;$(ProjectDir)edk2\MdePkg\Include;$(ProjectDir)edk2\StdLib\Include;$(ProjectDir)</IncludePath>
+    <LibraryPath>$(ProjectDir)edk2</LibraryPath>
+    <GenerateManifest>false</GenerateManifest>
+    <TargetExt>.efi</TargetExt>
+    <SourcePath>$(ProjectDir)</SourcePath>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>EFI Application</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>EFI Application</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <StringPooling>true</StringPooling>
+      <ExceptionHandling>SyncCThrow</ExceptionHandling>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+    </ClCompile>
+    <Link>
+      <SubSystem>EFI Application</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+      <DataExecutionPrevention>false</DataExecutionPrevention>
+      <AdditionalDependencies>UefiHiiLib.lib;UefiHiiServicesLib.lib;UefiSortLib.lib;UefiShellLib.lib;GlueLib.lib;BaseLib.lib;BaseDebugPrintErrorLevelLib.lib;BasePrintLib.lib;UefiLib.lib;UefiBootServicesTableLib.lib;UefiRuntimeServicesTableLib.lib;UefiDevicePathLibDevicePathProtocol.lib;UefiDebugLibConOut.lib;UefiMemoryLib.lib;UefiMemoryAllocationLib.lib;BaseSynchronizationLib.lib;UefiFileHandleLib.lib;UefiApplicationEntryPoint.lib</AdditionalDependencies>
+      <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
+      <EntryPointSymbol>EfiMain</EntryPointSymbol>
+    </Link>
+    <ProjectReference>
+      <UseLibraryDependencyInputs>true</UseLibraryDependencyInputs>
+    </ProjectReference>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <StringPooling>true</StringPooling>
+      <ExceptionHandling>SyncCThrow</ExceptionHandling>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+    </ClCompile>
+    <Link>
+      <SubSystem>EFI Application</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+      <DataExecutionPrevention>false</DataExecutionPrevention>
+      <AdditionalDependencies>UefiHiiLib.lib;UefiHiiServicesLib.lib;UefiSortLib.lib;UefiShellLib.lib;GlueLib.lib;BaseLib.lib;BaseDebugPrintErrorLevelLib.lib;BasePrintLib.lib;UefiLib.lib;UefiBootServicesTableLib.lib;UefiRuntimeServicesTableLib.lib;UefiDevicePathLibDevicePathProtocol.lib;UefiDebugLibConOut.lib;UefiMemoryLib.lib;UefiMemoryAllocationLib.lib;BaseSynchronizationLib.lib;UefiFileHandleLib.lib;UefiApplicationEntryPoint.lib</AdditionalDependencies>
+      <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
+      <EntryPointSymbol>EfiMain</EntryPointSymbol>
+    </Link>
+    <ProjectReference>
+      <UseLibraryDependencyInputs>true</UseLibraryDependencyInputs>
+    </ProjectReference>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="BootMgfw.c" />
+    <ClCompile Include="Hvix64.c" />
+    <ClCompile Include="HvLoader.c" />
+    <ClCompile Include="ShitHook.c" />
+    <ClCompile Include="PayLoad.c" />
+    <ClCompile Include="UefiMain.c" />
+    <ClCompile Include="Utils.c" />
+    <ClCompile Include="WinLoad.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="BootMgfw.h" />
+    <ClInclude Include="Hvix64.h" />
+    <ClInclude Include="HvLoader.h" />
+    <ClInclude Include="ShitHook.h" />
+    <ClInclude Include="PayLoad.h" />
+    <ClInclude Include="Utils.h" />
+    <ClInclude Include="WinLoad.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

Voyager (1703-1511)/Voyager 1703.vcxproj.filters

@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="UefiMain.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="WinLoad.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="BootMgfw.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="ShitHook.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="Utils.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="Hvix64.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="PayLoad.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="HvLoader.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="BootMgfw.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="WinLoad.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="Hvix64.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="ShitHook.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="Utils.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="PayLoad.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="HvLoader.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>

Voyager (1703-1511)/WinLoad.c

@@ -0,0 +1,43 @@
+#include "WinLoad.h"
+
+SHITHOOK WinLoadImageShitHook;
+CHAR8 ModulePathCStr[0x100];
+
+EFI_STATUS EFIAPI BlImgLoadPEImageEx(VOID* a1, VOID* a2, CHAR16* ImagePath, UINT64* ImageBasePtr, UINT32* ImageSize,
+	VOID* a6, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14)
+{
+	UnicodeStrToAsciiStr(ImagePath, ModulePathCStr);
+	DBG_PRINT(ModulePathCStr);
+
+	DisableShitHook(&WinLoadImageShitHook);
+	EFI_STATUS Result = ((LDR_LOAD_IMAGE)WinLoadImageShitHook.Address)(a1, a2, ImagePath, ImageBasePtr, ImageSize, a6, a7, a8,
+		a9, a10, a11, a12, a13, a14);
+	EnableShitHook(&WinLoadImageShitHook);
+
+	if (StrStr(ImagePath, L"hvloader.efi"))
+	{
+		VOID* LoadImage = 
+			FindPattern(
+				*ImageBasePtr, 
+				*ImageSize, 
+				HV_LOAD_PE_IMG_SIG,
+				HV_LOAD_PE_IMG_MASK
+			);
+
+		VOID* AllocImage =
+			FindPattern(
+				*ImageBasePtr,
+				*ImageSize,
+				ALLOCATE_IMAGE_BUFFER_SIG,
+				ALLOCATE_IMAGE_BUFFER_MASK
+			);
+
+		MakeShitHook(&HvLoadImageHook, RESOLVE_RVA(LoadImage, 5, 1), &HvBlImgLoadPEImageFromSourceBuffer, TRUE);
+		MakeShitHook(&HvLoadAllocImageHook, RESOLVE_RVA(AllocImage, 5, 1), &HvLoaderBlImgAllocateImageBuffer, TRUE);
+		DBG_PRINT("LoadImageHook -> 0x%p\n", RESOLVE_RVA(LoadImage, 5, 1));
+		DBG_PRINT("AllocImage -> 0x%p\n", RESOLVE_RVA(AllocImage, 5, 1));
+	}
+
+	DBG_PRINT("[%s] Image Base -> 0x%p, Image Size -> 0x%p\n", __FUNCTION__, *ImageBasePtr, *ImageSize);
+	return Result;
+}

Voyager (1703-1511)/WinLoad.h

@@ -0,0 +1,21 @@
+#pragma once
+#include "Utils.h"
+#include "HvLoader.h"
+#include "PayLoad.h"
+
+extern SHITHOOK WinLoadImageShitHook;
+
+#if WINVER == 1703
+#define LOAD_PE_IMG_SIG "\xE8\x00\x00\x00\x00\x85\xC0\x79\x45"
+#define LOAD_PE_IMG_MASK "x????xxxx"
+#elif WINVER == 1607
+#define LOAD_PE_IMG_SIG "\xE8\x00\x00\x00\x00\x48\x8B\x7D\xF7"
+#define LOAD_PE_IMG_MASK "x????xxxx"
+#endif
+
+static_assert(sizeof(LOAD_PE_IMG_SIG) == sizeof(LOAD_PE_IMG_MASK), "signature and mask do not match size...");
+typedef EFI_STATUS (EFIAPI* LDR_LOAD_IMAGE)(VOID* a1, VOID* a2, CHAR16* ImagePath, UINT64* ImageBasePtr, UINT32* ImageSize,
+	VOID* a6, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14);
+
+EFI_STATUS EFIAPI BlImgLoadPEImageEx(VOID* a1, VOID* a2, CHAR16* ImagePath, UINT64* ImageBasePtr, UINT32* ImageSize,
+	VOID* a6, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14);