#pragma once
#include "HvLoader.h"
#include "PayLoad.h"
// Hook descriptors for the two winload hook sites declared below.  Both are
// only declared here (extern); their definitions, and the INLINE_HOOK type
// itself, live in the included headers / the matching .c, not in this file.
extern INLINE_HOOK WinLoadImageShitHook;
extern INLINE_HOOK WinLoadAllocateImageHook;
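// 2004-1511 winload.BlImgAllocateImageBuffer
//
// Byte pattern plus mask for the scanner.  A wildcard position is encoded as
// "\x00" in the signature and '?' in the mask, so the signature literal contains
// embedded NULs: its length is sizeof(SIG) - 1, never strlen(SIG).
#define ALLOCATE_IMAGE_BUFFER_SIG "\xE8\x00\x00\x00\x00\x8B\xD8\x85\xC0\x78\x7C\x21\x7C\x24\x00\x45\x33\xC0"
#define ALLOCATE_IMAGE_BUFFER_MASK "x????xxxxxxxxx?xxx"
// 1703-1511
//
// for 1703-1511, we are going to want to hook BlImgAllocateImageBuffer inside of hvloader.efi
// not winload. We will have to scan for BlImgLoadPEImageEx in winload and then wait for hvloader
// to be loaded to install hooks in hvloader...
//
// NOTE(review): the build ranges quoted in this file (2004-1511 above, 1703-1511 here,
// 2004-1709 and 1703-1507 below) overlap; confirm which range each signature really covers.
#define LOAD_PE_IMG_SIG "\x48\x89\x44\x24\x00\xE8\x00\x00\x00\x00\x44\x8B\xF0\x85\xC0\x79\x11"
#define LOAD_PE_IMG_MASK "xxxx?x????xxxxxxx"
// Every signature/mask pair must have the same length (NUL terminator included);
// a mismatch means the mask either stops short of the pattern or runs past it.
// The original check covered only the first pair -- the second is now checked too.
// (static_assert is the C11 <assert.h> macro / a keyword in C++; the including
// translation unit must provide it.)
static_assert(sizeof(ALLOCATE_IMAGE_BUFFER_SIG) == sizeof(ALLOCATE_IMAGE_BUFFER_MASK), "signature and mask do not match size!");
static_assert(sizeof(LOAD_PE_IMG_SIG) == sizeof(LOAD_PE_IMG_MASK), "signature and mask do not match size!");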
// Function-pointer shape of the hooked allocator.  Argument order and types are
// the target's ABI and must not be reordered.
// NOTE(review): this typedef returns UINT64 while the BlImgAllocateImageBuffer
// prototype below returns EFI_STATUS (UINTN); same width on x64, but the two
// should be reconciled so the hook and the trampoline agree on one type.
typedef UINT64 (EFIAPI* ALLOCATE_IMAGE_BUFFER)(VOID** imageBuffer, UINTN imageSize, UINT32 memoryType,
UINT32 attributes, VOID* unused, UINT32 Value);
// Despite the name, this 14-argument shape matches BlImgLoadPEImageEx (the
// 1703-1511 path) declared below, not the 16-argument BlLdrLoadImage
// (2004-1709 path), which has no typedef in this file.
typedef EFI_STATUS(EFIAPI* LDR_LOAD_IMAGE)(VOID* a1, VOID* a2, CHAR16* ImagePath, UINT64* ImageBasePtr, UINT32* ImageSize,
VOID* a6, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14);
///
/// for 1703-1507, we are going to want to install hooks inside
/// of hvloader.efi... in order to know when hvloader.efi is loaded into memory
/// we are going to install a hook on winload.BlImgLoadPEImageEx...
///
/// Prototype only; the definition is not in this file.  The parameter list is
/// the target's ABI (same shape as the LDR_LOAD_IMAGE typedef above) and must
/// not be reordered.  Only three of the fourteen arguments are understood.
///
/// @param a1            unknown
/// @param a2            unknown
/// @param ImagePath     unicode string path to image being loaded into memory...
/// @param ImageBasePtr  pointer to a void pointer which will contain the base
///                      address of the module after its loaded...
/// @param ImageSize     pass by ref size of the image loaded into memory...
/// @param a6            unknown
/// @param a7            unknown
/// @param a8            unknown
/// @param a9            unknown
/// @param a10           unknown
/// @param a11           unknown
/// @param a12           unknown
/// @param a13           unknown
/// @param a14           unknown
/// @return status of image loaded...
EFI_STATUS EFIAPI BlImgLoadPEImageEx
(
VOID* a1,
VOID* a2,
CHAR16* ImagePath,
UINT64* ImageBasePtr,
UINT32* ImageSize,
VOID* a6,
VOID* a7,
VOID* a8,
VOID* a9,
VOID* a10,
VOID* a11,
VOID* a12,
VOID* a13,
VOID* a14
);
///
/// for 2004-1709, winload exports a bunch of functions... specifically BlLdrLoadImage,
/// which hvloader calls to load hyper-v into memory... BlLdrLoadImage calls BlImgAllocateImageBuffer
/// to allocate memory for hyper-v's module, we are hooking BlImgAllocateImageBuffer to extend
/// the allocations size and to make the entire allocation RWX...
///
/// Prototype only; the definition is not in this file.  The parameter list is
/// the target's ABI (see the ALLOCATE_IMAGE_BUFFER typedef above, which returns
/// UINT64 where this returns EFI_STATUS -- review and reconcile).
///
/// @param imageBuffer  pass by ref of a pointer to the allocation base...
/// @param imageSize    size of the allocation...
/// @param memoryType   undocumented
/// @param attributes   undocumented
/// @param unused       undocumented
/// @param Value        undocumented
/// @return undocumented (EFI_STATUS)
EFI_STATUS EFIAPI BlImgAllocateImageBuffer
(
VOID** imageBuffer,
UINTN imageSize,
UINT32 memoryType,
UINT32 attributes,
VOID* unused,
UINT32 Value
);
///
/// 2004-1709, BlLdrLoadImage is exported from winload... I shithook this and
/// when hyper-v is loaded I install my hooks/extend hyper-v's allocation...
///
/// Prototype only; the definition is not in this file.  Sixteen arguments, so
/// the 14-argument LDR_LOAD_IMAGE typedef above does NOT describe this function.
/// None of the parameters were documented; names are kept as given.
///
/// @param Arg1            undocumented
/// @param ModulePath      undocumented (CHAR16* -- presumably a unicode path; verify)
/// @param ModuleName      undocumented (CHAR16*)
/// @param Arg4            undocumented
/// @param Arg5            undocumented
/// @param Arg6            undocumented
/// @param Arg7            undocumented
/// @param lplpTableEntry  undocumented (PPLDR_DATA_TABLE_ENTRY, declared in an included header)
/// @param Arg9            undocumented
/// @param Arg10           undocumented
/// @param Arg11           undocumented
/// @param Arg12           undocumented
/// @param Arg13           undocumented
/// @param Arg14           undocumented
/// @param Arg15           undocumented
/// @param Arg16           undocumented
/// @return undocumented (EFI_STATUS)
EFI_STATUS EFIAPI BlLdrLoadImage
(
VOID* Arg1,
CHAR16* ModulePath,
CHAR16* ModuleName,
VOID* Arg4,
VOID* Arg5,
VOID* Arg6,
VOID* Arg7,
PPLDR_DATA_TABLE_ENTRY lplpTableEntry,
VOID* Arg9,
VOID* Arg10,
VOID* Arg11,
VOID* Arg12,
VOID* Arg13,
VOID* Arg14,
VOID* Arg15,
VOID* Arg16
);