diff options
Diffstat (limited to 'EfiGuardDxe/EfiGuardDxe.h')
| -rw-r--r-- | EfiGuardDxe/EfiGuardDxe.h | 223 |
1 files changed, 223 insertions, 0 deletions
diff --git a/EfiGuardDxe/EfiGuardDxe.h b/EfiGuardDxe/EfiGuardDxe.h new file mode 100644 index 0000000..e26dc5e --- /dev/null +++ b/EfiGuardDxe/EfiGuardDxe.h @@ -0,0 +1,223 @@ +#pragma once + +#include <Uefi.h> + +#include <Protocol/DriverSupportedEfiVersion.h> +#include <Protocol/EfiGuard.h> +#include <Library/UefiLib.h> +#include <Library/DebugLib.h> +#include <Library/MemoryAllocationLib.h> +#include <Library/UefiBootServicesTableLib.h> +#include <Library/UefiRuntimeServicesTableLib.h> + +#include <Zydis/Zydis.h> +#include "ntdef.h" +#include "pe.h" +#include "arc.h" +#include "util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +// +// EfiGuard driver protocol handle +// +extern EFIGUARD_DRIVER_PROTOCOL gEfiGuardDriverProtocol; + +// +// Driver configuration data +// +extern EFIGUARD_CONFIGURATION_DATA gDriverConfig; + +// +// Bootmgfw.efi handle +// +extern EFI_HANDLE gBootmgfwHandle; + +// +// TRUE if ExitBootServices() has been called +// +extern BOOLEAN gEfiAtRuntime; + +// +// TRUE if SetVirtualAddressMap() has been called +// +extern BOOLEAN gEfiGoneVirtual; + +// +// Universal template bytes for a faux call inline hook (mov [e|r]ax, <addr>, push [e|r]ax, ret) +// +extern CONST UINT8 gHookTemplate[(sizeof(VOID*) / 4) + sizeof(VOID*) + 2]; + + +// +// [bootmgfw|bootmgr]!ImgArch[Efi]StartBootApplication hook to patch either winload.efi or bootmgr.efi +// This function was named ImgArchEfiStartBootApplication on versions <= 10.0.16299.0, later simply ImgArchStartBootApplication. +// +// Windows Vista/7 prototype +typedef +EFI_STATUS +(EFIAPI* +t_ImgArchStartBootApplication_Vista)( + IN PBL_APPLICATION_ENTRY AppEntry, + IN VOID* ImageBase, + IN UINT32 ImageSize, + OUT PBL_RETURN_ARGUMENTS ReturnArguments + ); + +// Windows 8+ prototype +typedef +EFI_STATUS +(EFIAPI* +t_ImgArchStartBootApplication_Eight)( + IN PBL_APPLICATION_ENTRY AppEntry, + IN VOID* ImageBase, + IN UINT32 ImageSize, + IN UINT32 BootOption, + OUT PBL_RETURN_ARGUMENTS ReturnArguments + ); + +extern VOID* /*t_ImgArchStartBootApplication_XX*/ gOriginalBootmgfwImgArchStartBootApplication; +extern UINT8 gBootmgfwImgArchStartBootApplicationBackup[sizeof(gHookTemplate)]; + +// This is only used if bootmgr.efi is invoked during the boot process +extern VOID* /*t_ImgArchStartBootApplication_XX*/ gOriginalBootmgrImgArchStartBootApplication; +extern UINT8 gBootmgrImgArchStartBootApplicationBackup[sizeof(gHookTemplate)]; + + +// +// Patches the Windows Boot Manager: either bootmgfw.efi or bootmgr.efi; normally the former unless booting a WIM file +// +EFI_STATUS +EFIAPI +PatchBootManager( + IN INPUT_FILETYPE FileType, + IN VOID* ImageBase, + IN UINTN ImageSize + ); + + +// +// winload!OslFwpKernelSetupPhase1 hook +// +typedef +EFI_STATUS +(EFIAPI* +t_OslFwpKernelSetupPhase1)( + IN PLOADER_PARAMETER_BLOCK LoaderBlock + ); + +extern t_OslFwpKernelSetupPhase1 gOriginalOslFwpKernelSetupPhase1; +extern UINT8 gOslFwpKernelSetupPhase1Backup[sizeof(gHookTemplate)]; + +EFI_STATUS +EFIAPI +HookedOslFwpKernelSetupPhase1( + IN PLOADER_PARAMETER_BLOCK LoaderBlock + ); + + +// +// Patches winload.efi +// +EFI_STATUS +EFIAPI +PatchWinload( + IN VOID* ImageBase, + IN PEFI_IMAGE_NT_HEADERS NtHeaders + ); + +// +// Patches ImgpValidateImageHash in bootmgfw.efi, bootmgr.efi, and winload.[efi|exe] +// This patch is completely optional, unless you want to boot a custom kernel or winload image. +// It is applied if possible, but failures are ignored. +// +EFI_STATUS +EFIAPI +PatchImgpValidateImageHash( + IN INPUT_FILETYPE FileType, + IN UINT8* ImageBase, + IN PEFI_IMAGE_NT_HEADERS NtHeaders + ); + +// +// Patches ImgpFilterValidationFailure in bootmgfw.efi, bootmgr.efi, and winload.[efi|exe] +// This patch is completely optional, unless you want to boot a custom kernel or winload image. +// It is applied if possible, but failures are ignored. +// +EFI_STATUS +EFIAPI +PatchImgpFilterValidationFailure( + IN INPUT_FILETYPE FileType, + IN UINT8* ImageBase, + IN PEFI_IMAGE_NT_HEADERS NtHeaders + ); + +// +// winload!BlStatusPrint. This is not hooked, but used to print debug output to kd or WinDbg +// from the OslFwpKernelSetupPhase1 hook (in which gST->ConOut is no longer available) +// +typedef +NTSTATUS +(EFIAPI* +t_BlStatusPrint)( + IN CONST CHAR16 *Format, + ... + ); + +extern t_BlStatusPrint gBlStatusPrint; + +NTSTATUS +EFIAPI +BlStatusPrintNoop( + IN CONST CHAR16 *Format, + ... + ); + + +// +// Patches ntoskrnl.exe +// +EFI_STATUS +EFIAPI +PatchNtoskrnl( + IN VOID* ImageBase, + IN PEFI_IMAGE_NT_HEADERS NtHeaders + ); + + +// +// The kernel patch result. This is used to hold data generated during +// HookedOslFwpKernelSetupPhase1 and PatchNtoskrnl until we can safely access +// boot services to print the output. This is done during the ExitBootServices() callback. +// +// Status holds the final patch status. If this is not EFI_SUCCESS, the buffer holds an +// error message, and the user will be prompted to reboot or continue. +// If Status is EFI_SUCCESS, the buffer holds concatenated patch information similar to what +// is printed during the patching of bootmgfw.efi/bootmgr.efi/winload.efi. +// +typedef struct _KERNEL_PATCH_INFORMATION +{ + EFI_STATUS Status; + UINTN BufferSize; // In bytes, excluding null terminator. This may be 0. The maximum buffer size is simply sizeof(Buffer). + CHAR16 Buffer[8192]; // 8K ought to be enough for everyone + BOOLEAN LegacyLoaderBlock; // TRUE if the loader block provided by winload.efi will be for Vista or older kernels + VOID* KernelBase; +} KERNEL_PATCH_INFORMATION; + +extern KERNEL_PATCH_INFORMATION gKernelPatchInfo; + + +// +// Appends a kernel patch status info or error message to the buffer for delayed printing, +// and prints it to a boot debugger immediately if one is connected. +// +#define PRINT_KERNEL_PATCH_MSG(Fmt, ...) { \ + gBlStatusPrint(Fmt, ##__VA_ARGS__); \ + AppendKernelPatchMessage(Fmt, ##__VA_ARGS__); \ + } + +#ifdef __cplusplus +} +#endif |