From edd474d5ffede07931ebd51780f91ceea95043b9 Mon Sep 17 00:00:00 2001 From: Matthijs Lavrijsen Date: Wed, 21 Jun 2023 05:40:31 +0200 Subject: Update README.md --- Misc/EfiGuard.png | Bin 24954 -> 0 bytes Misc/EfiGuard.svg | 243 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ README.md | 2 +- 3 files changed, 244 insertions(+), 1 deletion(-) delete mode 100644 Misc/EfiGuard.png create mode 100644 Misc/EfiGuard.svg diff --git a/Misc/EfiGuard.png b/Misc/EfiGuard.png deleted file mode 100644 index 1f85806..0000000 Binary files a/Misc/EfiGuard.png and /dev/null differ diff --git a/Misc/EfiGuard.svg b/Misc/EfiGuard.svg new file mode 100644 index 0000000..d344fb2 --- /dev/null +++ b/Misc/EfiGuard.svg @@ -0,0 +1,243 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + optional + + + + + + + + + + EFI + Boot Services + + + + + + + + + + EFI + Runtime Services + + + + + + + + + Winload.efi + + + + + + + + + + Bootmgr.efi + + + + + + + + + WinPE? + + + + + + + + + Bootmgfw.efi + + + + + + + + + + Loader.efi + + + + + + + + + + EFI DXE + Dispatcher + + + + + + + + + + EfiGuardDxe.efi + + + + + + + + + + + + + Ntoskrnl.exe + + + + + + + + PG + + + + + + + DSE + + + + + + + + + HAL.dll + + + + + + + + + + EfiDSEFix.exe + + + Kernel mode + + User mode + + + + + + + No + + + + Yes + + + + patch + + + + + + + + + + + + + + load + + + + + + + + + hook + + + + + + + + + + + + patch + + + + + + + + + + + + + + syscall + + + diff --git a/README.md b/README.md index 0be9d3a..19843e1 100644 --- a/README.md +++ b/README.md 
@@ -60,7 +60,7 @@ The output binary `EfiDSEFix.exe` will be in `Application/EfiDSEFix/bin`. The Visual Studio solution also includes projects for `EfiGuardDxe.efi` and `Loader.efi` which can be used with [VisualUefi](https://github.com/ionescu007/VisualUefi), but these projects are not built by default as they will not link without additional code, and the build output will be inferior (bigger) than what EDK2 produces. `Loader.efi` will not link at all due to VisualUefi missing UefiBootManagerLib. These project files are thus meant as a development aid only and the EFI files should still be compiled with EDK2. To set up VisualUefi for this purpose, clone the repository into `workspace/VisualUefi` and open `EfiGuard.sln`. # Architecture - ![architecture](Misc/EfiGuard.png) + ![architecture](Misc/EfiGuard.svg) While EfiGuard is a UEFI bootkit, it did not start out as one. EfiGuard was originally an on-disk patcher running on NT (similar to [UPGDSED](https://github.com/hfiref0x/UPGDSED)), intended to test the viability of a disassembler-based aproach, as opposed to using PDB symbols and version-specific signatures. [PatchNtoskrnl.c](EfiGuardDxe/PatchNtoskrnl.c) still looks very much like this original design. Only after this approach proved successful, with no modifications to code needed in over a year of Windows updates, did UEFI come into the picture as a way to further improve capabilities and ease of use. Some of the benefits provided by a bootkit approach include: -- cgit v1.2.3
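Review bot: deleting Misc/EfiGuard.png outright (the "Binary files a/Misc/EfiGuard.png and /dev/null differ" hunk) breaks any link that still points at the raster file, such as issues, forks or wiki pages that embedded the old path; consider keeping the PNG next to the new SVG, or at least confirming with a repository-wide search that nothing other than README.md references `Misc/EfiGuard.png` before the file is dropped.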
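Review bot: in the new Misc/EfiGuard.svg the only text content visible in the hunk is the node and edge labels (EFI DXE Dispatcher, EfiGuardDxe.efi, Bootmgfw.efi, Winload.efi, Ntoskrnl.exe, HAL.dll, EfiDSEFix.exe, PG, DSE, load, hook, patch, syscall), with no `<title>` or `<desc>` element; an image embedded in the README has no accessible name without one, so add a short `<title>` describing the boot flow and consider spelling out the abbreviations PG and DSE (which the surrounding README text does not expand either) in a `<desc>`. Please also state in the commit message which tool produced the 243-line SVG so the diagram can be regenerated later instead of hand-edited.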
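Review bot: the README hunk only swaps `![architecture](Misc/EfiGuard.png)` for `![architecture](Misc/EfiGuard.svg)`, but the unchanged context line directly below it still reads "disassembler-based aproach"; since this paragraph is being touched anyway, fix the typo to "approach" in the same commit. The commit message "Update README.md" also undersells the change, which adds and removes files under Misc/, so a subject such as "Replace architecture diagram PNG with SVG" would make the history easier to search.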