author | Matthijs Lavrijsen <mattiwatti@gmail.com> | 2023-07-31 03:54:46 +0200 |
---|---|---|
committer | Matthijs Lavrijsen <mattiwatti@gmail.com> | 2023-07-31 03:54:46 +0200 |
commit | 41b17319e8d812a0c267e7570ba1583ffee73aaa (patch) | |
tree | 170a254e33fe8d3e14b55bb1f1e07de9b72effe0 | |
parent | 3779ef2496e4f495c1f07e06e486a4bc13928ccf (diff) |
EfiDSEFix: acquire SE_DEBUG_PRIVILEGE when finding kernel addresses
Fixes #97
-rw-r--r-- | Application/EfiDSEFix/src/EfiDSEFix.cpp | 60 |
1 files changed, 48 insertions, 12 deletions
diff --git a/Application/EfiDSEFix/src/EfiDSEFix.cpp b/Application/EfiDSEFix/src/EfiDSEFix.cpp
index a0ccd73..924f759 100644
--- a/Application/EfiDSEFix/src/EfiDSEFix.cpp
+++ b/Application/EfiDSEFix/src/EfiDSEFix.cpp
@@ -35,7 +35,7 @@ FindKernelModule(
 if (_stricmp(ModuleName, reinterpret_cast<PCHAR>(Module.FullPathName) + Module.OffsetToFileName) == 0)
 {
 *ModuleBase = reinterpret_cast<ULONG_PTR>(Module.ImageBase);
- Status = STATUS_SUCCESS;
+ Status = Module.ImageBase == nullptr ? STATUS_NOT_FOUND : STATUS_SUCCESS;
 break;
 }
 }
@@ -302,6 +302,28 @@ SetSystemEnvironmentPrivilege(
 return Status;
 }
+static
+NTSTATUS
+SetDebugPrivilege(
+ _In_ BOOLEAN Enable,
+ _Out_opt_ PBOOLEAN WasEnabled
+ )
+{
+ if (WasEnabled != nullptr)
+ *WasEnabled = FALSE;
+
+ BOOLEAN SeDebugWasEnabled;
+ const NTSTATUS Status = RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE,
+ Enable,
+ FALSE,
+ &SeDebugWasEnabled);
+
+ if (NT_SUCCESS(Status) && WasEnabled != nullptr)
+ *WasEnabled = SeDebugWasEnabled;
+
+ return Status;
+}
+
 NTSTATUS
 TestSetVariableHook(
 )
@@ -309,13 +331,19 @@ TestSetVariableHook(
 UINT16 Mz;
 // Enable privileges in case we were called directly from the CLI with --check
- BOOLEAN SeSystemEnvironmentWasEnabled;
+ BOOLEAN SeSystemEnvironmentWasEnabled, SeDebugWasEnabled;
 NTSTATUS Status = SetSystemEnvironmentPrivilege(TRUE, &SeSystemEnvironmentWasEnabled);
 if (!NT_SUCCESS(Status))
 {
 Printf(L"Fatal error: failed to acquire SE_SYSTEM_ENVIRONMENT_PRIVILEGE. Make sure you are running as administrator.\n");
 return Status;
 }
+ Status = SetDebugPrivilege(TRUE, &SeDebugWasEnabled);
+ if (!NT_SUCCESS(Status))
+ {
+ Printf(L"Fatal error: failed to acquire SE_DEBUG_PRIVILEGE. Make sure you are running as administrator.\n");
+ return Status;
+ }
 if (QueryVbsEnabled())
 {
@@ -383,6 +411,7 @@ TestSetVariableHook(
 Exit:
 SetSystemEnvironmentPrivilege(SeSystemEnvironmentWasEnabled, nullptr);
+ SetDebugPrivilege(SeDebugWasEnabled, nullptr);
 return Status;
 }
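Review bot: In the FindKernelModule hunk the new null check runs after `*ModuleBase` has already been written, so on the STATUS_NOT_FOUND path the out-parameter carries 0 instead of being left untouched, and the status conflates "no entry with this name" with "entry present but ImageBase reported as 0" (the commit message ties the latter to SE_DEBUG_PRIVILEGE; the hunk itself does not show why ImageBase can be null). Guarding the write and documenting the second case would make the contract explicit: `if (Module.ImageBase == nullptr) { Status = STATUS_NOT_FOUND; break; }` placed before the assignment, with the comment `// ImageBase of 0: the module is listed but its address was not disclosed (presumably missing SE_DEBUG_PRIVILEGE — confirm); report it as not found`. FindKernelModule starts and ends outside the hunk.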
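Review bot: SetDebugPrivilege has no header comment, and judging by its name and by the way both helpers are called (`(TRUE, &WasEnabled)` to acquire, `(WasEnabled, nullptr)` to revert) it appears to duplicate SetSystemEnvironmentPrivilege with only the privilege constant changed; a single `static NTSTATUS SetPrivilege(ULONG Privilege, BOOLEAN Enable, PBOOLEAN WasEnabled)` around RtlAdjustPrivilege would keep the two in step, though the other helper's body is outside the hunk so I cannot confirm they are otherwise identical. At minimum, document the contract on the new function: `// Enables or disables SE_DEBUG_PRIVILEGE in the current process token via RtlAdjustPrivilege. On success WasEnabled (optional) receives the privilege's previous state, so the value can be passed back as Enable to revert; on failure it is set to FALSE.`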
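Review bot: In the TestSetVariableHook hunk, the new `return Status;` after a failed SetDebugPrivilege leaves SE_SYSTEM_ENVIRONMENT_PRIVILEGE enabled in the process token, because the revert at the `Exit:` label (next hunk) is bypassed; the earlier return for the first privilege had nothing to undo, but this one does. Reverting before bailing out keeps the error path at least privilege: `SetSystemEnvironmentPrivilege(SeSystemEnvironmentWasEnabled, nullptr); return Status;` (or `goto Exit;`, provided no initialized declaration lies between the return and the label). The AdjustCiOptions hunk has the same gap in its new SetDebugPrivilege failure block, and there the pre-existing `if (!NT_SUCCESS(Status)) return Status;` after AnalyzeCi, now moved below the privilege setup, also skips the "Revert privileges" block, so both returns there need the two revert calls before returning. TestSetVariableHook's body spans this hunk and the next.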
@@ -459,22 +488,28 @@ AdjustCiOptions(
 if (OldCiOptionsValue != nullptr)
 *OldCiOptionsValue = CODEINTEGRITY_OPTION_ENABLED;
- // Find CI!g_CiOptions/nt!g_CiEnabled
- PVOID CiOptionsAddress;
- NTSTATUS Status = AnalyzeCi(&CiOptionsAddress);
- if (!NT_SUCCESS(Status))
- return Status;
-
- Printf(L"%ls at 0x%p.\n", (NtCurrentPeb()->OSBuildNumber >= 9200 ? L"CI!g_CiOptions" : L"nt!g_CiEnabled"), CiOptionsAddress);
-
 // Enable privileges
- BOOLEAN SeSystemEnvironmentWasEnabled;
- Status = SetSystemEnvironmentPrivilege(TRUE, &SeSystemEnvironmentWasEnabled);
+ BOOLEAN SeSystemEnvironmentWasEnabled, SeDebugWasEnabled;
+ NTSTATUS Status = SetSystemEnvironmentPrivilege(TRUE, &SeSystemEnvironmentWasEnabled);
 if (!NT_SUCCESS(Status))
 {
 Printf(L"Fatal error: failed to acquire SE_SYSTEM_ENVIRONMENT_PRIVILEGE. Make sure you are running as administrator.\n");
 return Status;
 }
+ Status = SetDebugPrivilege(TRUE, &SeDebugWasEnabled);
+ if (!NT_SUCCESS(Status))
+ {
+ Printf(L"Fatal error: failed to acquire SE_DEBUG_PRIVILEGE. Make sure you are running as administrator.\n");
+ return Status;
+ }
+
+ // Find CI!g_CiOptions/nt!g_CiEnabled
+ PVOID CiOptionsAddress;
+ Status = AnalyzeCi(&CiOptionsAddress);
+ if (!NT_SUCCESS(Status))
+ return Status;
+
+ Printf(L"%ls at 0x%p.\n", (NtCurrentPeb()->OSBuildNumber >= 9200 ? L"CI!g_CiOptions" : L"nt!g_CiEnabled"), CiOptionsAddress);
 // Enable/disable CI
 Status = TriggerExploit(CiOptionsAddress,
@@ -484,6 +519,7 @@ AdjustCiOptions(
 // Revert privileges
 SetSystemEnvironmentPrivilege(SeSystemEnvironmentWasEnabled, nullptr);
+ SetDebugPrivilege(SeDebugWasEnabled, nullptr);
 return Status;
 }