#include "EfiGuardDxe.h" #include #include t_OslFwpKernelSetupPhase1 gOriginalOslFwpKernelSetupPhase1 = NULL; UINT8 gOslFwpKernelSetupPhase1Backup[sizeof(gHookTemplate)] = { 0 }; // Signature for winload!OslFwpKernelSetupPhase1+XX, where the value of XX needs to be determined by backtracking. // Windows 10 only. On older OSes, and on Windows 10 as fallback, OslFwpKernelSetupPhase1 is found via xrefs to EfipGetRsdt STATIC CONST UINT8 SigOslFwpKernelSetupPhase1[] = { 0xE8, 0xCC, 0xCC, 0xCC, 0xCC, // call BlpArchSwitchContext 0x48, 0x8B, 0x05, 0xCC, 0xCC, 0xCC, 0xCC, // mov rax, gBS 0xCC, 0x8B, 0xCC, // mov rdx, XX 0x48, 0x8B, 0x0D, 0xCC, 0xCC, 0xCC, 0xCC // mov rcx, EfiImageHandle }; STATIC UNICODE_STRING ImgpFilterValidationFailureMessage = RTL_CONSTANT_STRING(L"*** Windows is unable to verify the signature of"); // newline, etc etc... // Signature for winload!BlStatusPrint. This is only needed if winload.efi does not export it (RS4 and earlier) // Windows 10 only. I could find a universal signature for this, but I rarely need the debugger output anymore... STATIC CONST UINT8 SigBlStatusPrint[] = { 0x48, 0x8B, 0xC4, // mov rax, rsp 0x48, 0x89, 0x48, 0x08, // mov [rax+8], rcx 0x48, 0x89, 0x50, 0x10, // mov [rax+10h], rdx 0x4C, 0x89, 0x40, 0x18, // mov [rax+18h], r8 0x4C, 0x89, 0x48, 0x20, // mov [rax+20h], r9 0x53, // push rbx 0x48, 0x83, 0xEC, 0x40, // sub rsp, 40h 0xE8, 0xCC, 0xCC, 0xCC, 0xCC, // call BlBdDebuggerEnabled 0x84, 0xC0, // test al, al 0x74, 0xCC // jz XX }; NTSTATUS EFIAPI BlStatusPrintNoop( IN CONST CHAR16 *Format, ... ) { return 0xC00000BBL; // STATUS_NOT_SUPPORTED } t_BlStatusPrint gBlStatusPrint = BlStatusPrintNoop; // // Gets a loaded module entry from the boot loader's LoadOrderList // STATIC PKLDR_DATA_TABLE_ENTRY EFIAPI GetBootLoadedModule( IN LIST_ENTRY* LoadOrderListHead, IN CHAR16* ModuleName ) { if (ModuleName == NULL || LoadOrderListHead == NULL) return NULL; for (LIST_ENTRY* ListEntry = LoadOrderListHead->ForwardLink; ListEntry != LoadOrderListHead; ListEntry = ListEntry->ForwardLink) { // This is fairly heavy abuse of CR(), but legal C because (only) the first field of a struct is guaranteed to be at offset 0 (C99 6.7.2.1, point 13) CONST PBLDR_DATA_TABLE_ENTRY Entry = (PBLDR_DATA_TABLE_ENTRY)BASE_CR(ListEntry, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); if (Entry != NULL && StrnCmp(Entry->KldrEntry.BaseDllName.Buffer, ModuleName, (Entry->KldrEntry.BaseDllName.Length / sizeof(CHAR16))) == 0) return &Entry->KldrEntry; } return NULL; } // // winload.efi!OslFwpKernelSetupPhase1 hook to patch ntoskrnl.exe // EFI_STATUS EFIAPI HookedOslFwpKernelSetupPhase1( IN PLOADER_PARAMETER_BLOCK LoaderBlock ) { // Restore the original function bytes that we replaced with our hook CopyMem((VOID*)gOriginalOslFwpKernelSetupPhase1, gOslFwpKernelSetupPhase1Backup, sizeof(gOslFwpKernelSetupPhase1Backup)); UINT8* LoadOrderListHeadAddress = (UINT8*)&LoaderBlock->LoadOrderListHead; if (gKernelPatchInfo.LegacyLoaderBlock) { // We are booting Vista or some other fossil, which means that our LOADER_PARAMETER_BLOCK declaration in no way matches what is // actually being passed by the loader. Notably, the first four UINT32 fields are absent, so fix up the list entry pointer. LoadOrderListHeadAddress -= FIELD_OFFSET(LOADER_PARAMETER_BLOCK, LoadOrderListHead); } // Get the kernel entry from the loader block's LoadOrderList CONST PKLDR_DATA_TABLE_ENTRY KernelEntry = GetBootLoadedModule((LIST_ENTRY*)LoadOrderListHeadAddress, L"ntoskrnl.exe"); if (KernelEntry == NULL) { gKernelPatchInfo.Status = EFI_LOAD_ERROR; PRINT_KERNEL_PATCH_MSG(L"[HookedOslFwpKernelSetupPhase1] Failed to find ntoskrnl.exe in LoadOrderList!\r\n"); goto CallOriginal; } VOID* KernelBase = KernelEntry->DllBase; CONST UINT32 KernelSize = KernelEntry->SizeOfImage; CONST PEFI_IMAGE_NT_HEADERS NtHeaders = KernelBase != NULL && KernelSize > 0 ? RtlpImageNtHeaderEx(KernelBase, (UINTN)KernelSize) : NULL; if (KernelBase == NULL || KernelSize == 0) { gKernelPatchInfo.Status = EFI_NOT_FOUND; PRINT_KERNEL_PATCH_MSG(L"[HookedOslFwpKernelSetupPhase1] Kernel image at 0x%p with size 0x%lx is invalid!\r\n", KernelBase, KernelSize); goto CallOriginal; } // Patch the kernel gKernelPatchInfo.KernelBase = KernelBase; gKernelPatchInfo.Status = PatchNtoskrnl(KernelBase, NtHeaders); CallOriginal: // No error handling here (not a lot of options). This is done in the ExitBootServices() callback which reads the patch status // Call the original function to transfer execution back to winload!OslFwpKernelSetupPhase1 return gOriginalOslFwpKernelSetupPhase1(LoaderBlock); } // // Patches ImgpValidateImageHash in bootmgfw.efi, bootmgr.efi, and winload.[efi|exe] to allow loading modified kernels and boot loaders. // Failures are ignored because this patch is not needed for the bootkit to work // EFI_STATUS EFIAPI PatchImgpValidateImageHash( IN INPUT_FILETYPE FileType, IN UINT8* ImageBase, IN PEFI_IMAGE_NT_HEADERS NtHeaders ) { // This works on pretty much anything really ASSERT(FileType == WinloadExe || FileType == BootmgfwEfi || FileType == BootmgrEfi || FileType == WinloadEfi); CONST CHAR16* ShortName = FileType == BootmgfwEfi ? L"bootmgfw" : (FileType == BootmgrEfi ? L"bootmgr" : L"winload"); CONST PEFI_IMAGE_SECTION_HEADER CodeSection = IMAGE_FIRST_SECTION(NtHeaders); CONST UINT32 CodeSizeOfRawData = CodeSection->SizeOfRawData; CONST UINT8* CodeStartVa = ImageBase + CodeSection->VirtualAddress; Print(L"== Disassembling .text to find %S!ImgpValidateImageHash ==\r\n", ShortName); UINT8* AndMinusFortyOneAddress = NULL; // Initialize Zydis ZydisDecoder Decoder; ZyanStatus Status = ZydisInit(NtHeaders, &Decoder, NULL); if (!ZYAN_SUCCESS(Status)) { Print(L"Failed to initialize disassembler engine.\r\n"); return EFI_LOAD_ERROR; } CONST UINTN Length = CodeSizeOfRawData; UINTN Offset = 0; ZyanU64 InstructionAddress; ZydisDecodedInstruction Instruction; // Start decode loop while ((InstructionAddress = (ZyanU64)(CodeStartVa + Offset), Status = ZydisDecoderDecodeBuffer(&Decoder, (VOID*)InstructionAddress, Length - Offset, &Instruction)) != ZYDIS_STATUS_NO_MORE_DATA) { if (!ZYAN_SUCCESS(Status)) { Offset++; continue; } // Check if this is 'and REG32, 0FFFFFFD7h' (only esi and r8d are used here really) if (Instruction.operand_count == 3 && (Instruction.length == 3 || Instruction.length == 4) && Instruction.mnemonic == ZYDIS_MNEMONIC_AND && Instruction.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && Instruction.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && Instruction.operands[1].imm.is_signed == ZYAN_TRUE && Instruction.operands[1].imm.value.s == (ZyanI64)((ZyanI32)0xFFFFFFD7)) // Sign extend to 64 bits { AndMinusFortyOneAddress = (UINT8*)InstructionAddress; break; } Offset += Instruction.length; } // Backtrack to function start CONST UINT8* ImgpValidateImageHash = BacktrackToFunctionStart(AndMinusFortyOneAddress, CodeStartVa); if (ImgpValidateImageHash == NULL) { Print(L" Failed to find %S!ImgpValidateImageHash%S.\r\n", ShortName, (AndMinusFortyOneAddress == NULL ? L" 'and xxx, 0FFFFFFD7h' instruction" : L"")); return EFI_NOT_FOUND; } // Apply the patch *((UINT32*)ImgpValidateImageHash) = 0xC3C033; // xor eax, eax, ret // Print info Print(L" Patched %S!ImgpValidateImageHash [RVA: 0x%X].\r\n", ShortName, (UINT32)(ImgpValidateImageHash - ImageBase)); return EFI_SUCCESS; } // // Patches ImgpFilterValidationFailure in bootmgfw.efi, bootmgr.efi, and winload.[efi|exe] // Failures are ignored because this patch is not needed for the bootkit to work // EFI_STATUS EFIAPI PatchImgpFilterValidationFailure( IN INPUT_FILETYPE FileType, IN UINT8* ImageBase, IN PEFI_IMAGE_NT_HEADERS NtHeaders ) { // This works on pretty much anything really ASSERT(FileType == WinloadExe || FileType == BootmgfwEfi || FileType == BootmgrEfi || FileType == WinloadEfi); CONST CHAR16* ShortName = FileType == BootmgfwEfi ? L"bootmgfw" : (FileType == BootmgrEfi ? L"bootmgr" : L"winload"); // Find .text and/or .rdata sections PEFI_IMAGE_SECTION_HEADER PatternSection = NULL, CodeSection = NULL; PEFI_IMAGE_SECTION_HEADER Section = IMAGE_FIRST_SECTION(NtHeaders); for (UINT16 i = 0; i < NtHeaders->FileHeader.NumberOfSections; ++i) { if (CompareMem(Section->Name, ".text", sizeof(".text") - 1) == 0) CodeSection = Section; if ((FileType == BootmgfwEfi || FileType == BootmgrEfi) && CompareMem(Section->Name, ".text", sizeof(".text") - 1) == 0) // [bootmgfw|bootmgr].efi (usually) has no .rdata section, and starting at .text is always fine PatternSection = Section; else if ((FileType == WinloadExe || FileType == WinloadEfi) && CompareMem(Section->Name, ".rdata", sizeof(".rdata") - 1) == 0) // For winload.[exe|efi] the string is in .rdata PatternSection = Section; Section++; } ASSERT(PatternSection != NULL); ASSERT(CodeSection != NULL); CONST UINT32 PatternStartRva = PatternSection->VirtualAddress; CONST UINT32 PatternSizeOfRawData = PatternSection->SizeOfRawData; CONST UINT8* PatternStartVa = ImageBase + PatternStartRva; CHAR8 SectionName[EFI_IMAGE_SIZEOF_SHORT_NAME + 1]; CopyMem((VOID*)SectionName, (VOID*)PatternSection->Name, EFI_IMAGE_SIZEOF_SHORT_NAME); SectionName[EFI_IMAGE_SIZEOF_SHORT_NAME] = '\0'; Print(L"\r\n== Searching for load failure string in %a [RVA: 0x%X - 0x%X] ==\r\n", SectionName, PatternStartRva, PatternStartRva + PatternSizeOfRawData); // Search for the black screen of death string "Windows is unable to verify the integrity of the file [...]" UINT8* IntegrityFailureStringAddress = NULL; for (UINT8* Address = (UINT8*)PatternStartVa; Address < ImageBase + NtHeaders->OptionalHeader.SizeOfImage - ImgpFilterValidationFailureMessage.MaximumLength; ++Address) { if (CompareMem(Address, ImgpFilterValidationFailureMessage.Buffer, ImgpFilterValidationFailureMessage.Length) == 0) { IntegrityFailureStringAddress = Address; Print(L" Found load failure string at 0x%llx.\r\n", (UINTN)IntegrityFailureStringAddress); break; } } if (IntegrityFailureStringAddress == NULL) { Print(L" Failed to find load failure string.\r\n"); return EFI_NOT_FOUND; } CONST UINT32 CodeStartRva = CodeSection->VirtualAddress; CONST UINT32 CodeSizeOfRawData = CodeSection->SizeOfRawData; CONST UINT8* CodeStartVa = ImageBase + CodeStartRva; ZeroMem((VOID*)SectionName, sizeof(SectionName)); CopyMem((VOID*)SectionName, (VOID*)CodeSection->Name, EFI_IMAGE_SIZEOF_SHORT_NAME); Print(L"== Disassembling %a to find %S!ImgpFilterValidationFailure ==\r\n", SectionName, ShortName); UINT8* LeaIntegrityFailureAddress = NULL; // Initialize Zydis ZydisDecoder Decoder; ZyanStatus Status = ZydisInit(NtHeaders, &Decoder, NULL); if (!ZYAN_SUCCESS(Status)) { Print(L"Failed to initialize disassembler engine.\r\n"); return EFI_LOAD_ERROR; } CONST UINTN Length = CodeSizeOfRawData; UINTN Offset = 0; ZyanU64 InstructionAddress; ZydisDecodedInstruction Instruction; // Start decode loop while ((InstructionAddress = (ZyanU64)(CodeStartVa + Offset), Status = ZydisDecoderDecodeBuffer(&Decoder, (VOID*)InstructionAddress, Length - Offset, &Instruction)) != ZYDIS_STATUS_NO_MORE_DATA) { if (!ZYAN_SUCCESS(Status)) { Offset++; continue; } // Check if this is "lea REG, ds:[rip + offset_to_bsod_string]" if (Instruction.operand_count == 2 && Instruction.mnemonic == ZYDIS_MNEMONIC_LEA && Instruction.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY && Instruction.operands[1].mem.base == ZYDIS_REGISTER_RIP) { ZyanU64 OperandAddress = 0; if (ZYAN_SUCCESS(ZydisCalcAbsoluteAddress(&Instruction, &Instruction.operands[1], InstructionAddress, &OperandAddress)) && OperandAddress == (UINTN)IntegrityFailureStringAddress) { LeaIntegrityFailureAddress = (UINT8*)InstructionAddress; Print(L" Found load instruction for load failure string at 0x%llx.\r\n", (UINTN)LeaIntegrityFailureAddress); break; } } Offset += Instruction.length; } // Backtrack to function start CONST UINT8* ImgpFilterValidationFailure = BacktrackToFunctionStart(LeaIntegrityFailureAddress, LeaIntegrityFailureAddress - Length); if (ImgpFilterValidationFailure == NULL) { Print(L" Failed to find %S!ImgpFilterValidationFailure%S.\r\n", ShortName, (LeaIntegrityFailureAddress == NULL ? L" load failure string load instruction" : L"")); return EFI_NOT_FOUND; } // Apply the patch *((UINT32*)ImgpFilterValidationFailure) = 0xC3C033; // xor eax, eax, ret // Print info Print(L" Patched %S!ImgpFilterValidationFailure [RVA: 0x%X].\r\n\r\n", ShortName, (UINT32)(ImgpFilterValidationFailure - ImageBase)); return EFI_SUCCESS; } // // Finds OslFwpKernelSetupPhase1 in winload.efi // EFI_STATUS EFIAPI FindOslFwpKernelSetupPhase1( IN CONST UINT8* ImageBase, IN PEFI_IMAGE_NT_HEADERS NtHeaders, IN PEFI_IMAGE_SECTION_HEADER CodeSection, IN PEFI_IMAGE_SECTION_HEADER PatternSection, IN BOOLEAN TryPatternMatch, OUT UINT8** OslFwpKernelSetupPhase1Address ) { *OslFwpKernelSetupPhase1Address = NULL; CONST UINT8* CodeStartVa = ImageBase + CodeSection->VirtualAddress; CONST UINT32 CodeSizeOfRawData = CodeSection->SizeOfRawData; CONST UINT8* PatternStartVa = ImageBase + PatternSection->VirtualAddress; if (TryPatternMatch) { // On Windows 10, try simple pattern matching first since it will most likely work UINT8* Found = NULL; CONST EFI_STATUS Status = FindPattern(SigOslFwpKernelSetupPhase1, 0xCC, sizeof(SigOslFwpKernelSetupPhase1), (VOID*)CodeStartVa, CodeSizeOfRawData, (VOID**)&Found); if (!EFI_ERROR(Status)) { // Found signature; backtrack to function start *OslFwpKernelSetupPhase1Address = BacktrackToFunctionStart(Found, Found - 0x400); if (*OslFwpKernelSetupPhase1Address != NULL) { Print(L"\r\nFound OslFwpKernelSetupPhase1 at 0x%llX.\r\n", (UINTN)(*OslFwpKernelSetupPhase1Address)); return EFI_SUCCESS; // Found; early out } } } // On older versions, use some convoluted but robust logic to find OslFwpKernelSetupPhase1 by matching xrefs to EfipGetRsdt. // This of course implies finding EfipGetRsdt first. After that, find all calls to this function, and for each, calculate // the distance from the start of the function to the call. OslFwpKernelSetupPhase1 is reliably (Vista through 10) // the function that has the smallest value for this distance, i.e. the call happens very early in the function. CHAR8 SectionName[EFI_IMAGE_SIZEOF_SHORT_NAME + 1]; CopyMem(SectionName, PatternSection->Name, EFI_IMAGE_SIZEOF_SHORT_NAME); SectionName[EFI_IMAGE_SIZEOF_SHORT_NAME] = '\0'; Print(L"\r\n== Searching for EfipGetRsdt pattern in %a ==\r\n", SectionName); // Search for EFI ACPI 2.0 table GUID: { 8868e871-e4f1-11d3-bc22-0080c73c8881 } UINT8* PatternAddress = NULL; for (UINT8* Address = (UINT8*)PatternStartVa; Address < ImageBase + NtHeaders->OptionalHeader.SizeOfImage - sizeof(gEfiAcpi20TableGuid); ++Address) { if (CompareGuid((CONST GUID*)Address, &gEfiAcpi20TableGuid)) { PatternAddress = Address; Print(L" Found EFI ACPI 2.0 GUID at 0x%llX.\r\n", (UINTN)PatternAddress); break; } } if (PatternAddress == NULL) { Print(L" Failed to find EFI ACPI 2.0 GUID.\r\n"); return EFI_NOT_FOUND; } Print(L"\r\n== Disassembling .text to find EfipGetRsdt ==\r\n"); UINT8* LeaEfiAcpiTableGuidAddress = NULL; // Initialize Zydis ZydisDecoder Decoder; ZyanStatus Status = ZydisInit(NtHeaders, &Decoder, NULL); if (!ZYAN_SUCCESS(Status)) { Print(L"Failed to initialize disassembler engine.\r\n"); return EFI_LOAD_ERROR; } CONST UINTN Length = CodeSizeOfRawData; UINTN Offset = 0; ZyanU64 InstructionAddress; ZydisDecodedInstruction Instruction; // Start decode loop while ((InstructionAddress = (ZyanU64)(CodeStartVa + Offset), Status = ZydisDecoderDecodeBuffer(&Decoder, (VOID*)InstructionAddress, Length - Offset, &Instruction)) != ZYDIS_STATUS_NO_MORE_DATA) { if (!ZYAN_SUCCESS(Status)) { Offset++; continue; } // Check if this is "lea rcx, ds:[rip + offset_to_acpi20_guid]" if (Instruction.operand_count == 2 && Instruction.mnemonic == ZYDIS_MNEMONIC_LEA && Instruction.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && Instruction.operands[0].reg.value == ZYDIS_REGISTER_RCX && Instruction.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY && Instruction.operands[1].mem.base == ZYDIS_REGISTER_RIP) { ZyanU64 OperandAddress = 0; if (ZYAN_SUCCESS(ZydisCalcAbsoluteAddress(&Instruction, &Instruction.operands[1], InstructionAddress, &OperandAddress)) && OperandAddress == (UINTN)PatternAddress) { // Check for false positives (BlFwGetSystemTable) CONST UINT8* Check = (UINT8*)(CodeStartVa + Offset - 4); // 4 = length of 'lea rdx, [r11+18h]' which precedes this instruction in EfipGetRsdt if (Check[0] == 0x49 && Check[1] == 0x8D && Check[2] == 0x53) // If no match, this is not EfipGetRsdt { LeaEfiAcpiTableGuidAddress = (UINT8*)InstructionAddress; Print(L" Found load instruction for EFI ACPI 2.0 GUID at 0x%llX.\r\n", (UINTN)LeaEfiAcpiTableGuidAddress); break; } } } Offset += Instruction.length; } if (LeaEfiAcpiTableGuidAddress == NULL) { Print(L" Failed to find load instruction for EFI ACPI 2.0 GUID.\r\n"); return EFI_NOT_FOUND; } CONST UINT8* EfipGetRsdt = BacktrackToFunctionStart(LeaEfiAcpiTableGuidAddress, LeaEfiAcpiTableGuidAddress - Length); if (EfipGetRsdt == NULL) { Print(L" Failed to find EfipGetRsdt.\r\n"); return EFI_NOT_FOUND; } Print(L" Found EfipGetRsdt at 0x%llX.\r\n", (UINTN)EfipGetRsdt); Print(L"\r\n== Disassembling .text to find OslFwpKernelSetupPhase1 ==\r\n"); UINT8* CallEfipGetRsdtAddress = NULL; // Start decode loop Offset = 0; UINTN ShortestDistanceToCall = MAX_UINTN; while ((InstructionAddress = (ZyanU64)(CodeStartVa + Offset), Status = ZydisDecoderDecodeBuffer(&Decoder, (VOID*)InstructionAddress, Length - Offset, &Instruction)) != ZYDIS_STATUS_NO_MORE_DATA) { if (!ZYAN_SUCCESS(Status)) { Offset++; continue; } // Check if this is 'call IMM' if (Instruction.operand_count == 4 && Instruction.operands[0].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && Instruction.operands[0].imm.is_relative == ZYAN_TRUE && Instruction.mnemonic == ZYDIS_MNEMONIC_CALL) { // Check if this is 'call EfipGetRsdt' ZyanU64 OperandAddress = 0; if (ZYAN_SUCCESS(ZydisCalcAbsoluteAddress(&Instruction, &Instruction.operands[0], InstructionAddress, &OperandAddress)) && OperandAddress == (UINTN)EfipGetRsdt) { // Calculate the distance from the start of the function to the instruction. OslFwpKernelSetupPhase1 will always have the shortest distance CONST UINTN StartOfFunction = (UINTN)BacktrackToFunctionStart((UINT8*)InstructionAddress, (UINT8*)InstructionAddress - Length); CONST UINTN Distance = InstructionAddress - StartOfFunction; if (Distance < ShortestDistanceToCall) { CallEfipGetRsdtAddress = (UINT8*)InstructionAddress; ShortestDistanceToCall = Distance; } } } Offset += Instruction.length; } if (CallEfipGetRsdtAddress == NULL) { Print(L" Failed to find a single 'call EfipGetRsdt' instruction.\r\n"); return EFI_NOT_FOUND; } // Found *OslFwpKernelSetupPhase1Address = CallEfipGetRsdtAddress - ShortestDistanceToCall; Print(L" Found OslFwpKernelSetupPhase1 at 0x%llX.\r\n\r\n", (UINTN)(*OslFwpKernelSetupPhase1Address)); return EFI_SUCCESS; } // // Patches winload.efi // EFI_STATUS EFIAPI PatchWinload( IN VOID* ImageBase, IN PEFI_IMAGE_NT_HEADERS NtHeaders ) { // Print file and version info UINT16 MajorVersion = 0, MinorVersion = 0, BuildNumber = 0, Revision = 0; EFI_STATUS Status = GetPeFileVersionInfo(ImageBase, &MajorVersion, &MinorVersion, &BuildNumber, &Revision, NULL); if (EFI_ERROR(Status)) Print(L"\r\nPatchWinload: WARNING: failed to obtain winload.efi version info. Status: %llx\r\n", Status); else { Print(L"\r\nPatching winload.efi v%u.%u.%u.%u...\r\n", MajorVersion, MinorVersion, BuildNumber, Revision); // Check if this is a supported winload version. All patches should work on all versions since Vista SP1, // except for the ImgpFilterValidationFailure patch because this function only exists on Windows 7 and higher. if (BuildNumber < 6001) { Print(L"\r\nPatchWinload: ERROR: Unsupported winload.efi image version.\r\n"); Status = EFI_UNSUPPORTED; goto Exit; } // Some... adjustments... need to be made later on in the case of pre-Windows 7 loader blocks gKernelPatchInfo.LegacyLoaderBlock = BuildNumber < 7600; } // Find the .text and .rdata sections PEFI_IMAGE_SECTION_HEADER CodeSection = NULL, PatternSection = NULL; PEFI_IMAGE_SECTION_HEADER Section = IMAGE_FIRST_SECTION(NtHeaders); for (UINT16 i = 0; i < NtHeaders->FileHeader.NumberOfSections; ++i) { CHAR8 SectionName[EFI_IMAGE_SIZEOF_SHORT_NAME + 1]; CopyMem(SectionName, Section->Name, EFI_IMAGE_SIZEOF_SHORT_NAME); SectionName[EFI_IMAGE_SIZEOF_SHORT_NAME] = '\0'; if (AsciiStrCmp(SectionName, ".text") == 0) CodeSection = Section; else if (AsciiStrCmp(SectionName, ".rdata") == 0) PatternSection = Section; Section++; } ASSERT(CodeSection != NULL); ASSERT(PatternSection != NULL); // (Optional) On Windows 10, find winload!BlStatusPrint if (BuildNumber >= 10240) { gBlStatusPrint = (t_BlStatusPrint)GetProcedureAddress((UINTN)ImageBase, NtHeaders, "BlStatusPrint"); if (gBlStatusPrint == NULL) { // Not exported (RS4 and earlier) - try to find by signature FindPattern(SigBlStatusPrint, 0xCC, sizeof(SigBlStatusPrint), (VOID*)((UINT8*)ImageBase + CodeSection->VirtualAddress), CodeSection->SizeOfRawData, (VOID**)&gBlStatusPrint); if (gBlStatusPrint == NULL) { gBlStatusPrint = BlStatusPrintNoop; Print(L"\r\nWARNING: winload!BlStatusPrint not found. No boot debugger output will be available.\r\n"); } } } // Find winload!OslFwpKernelSetupPhase1 Status = FindOslFwpKernelSetupPhase1((UINT8*)ImageBase, NtHeaders, CodeSection, PatternSection, (BOOLEAN)(BuildNumber >= 10240), (UINT8**)&gOriginalOslFwpKernelSetupPhase1); if (EFI_ERROR(Status)) { Print(L"\r\nPatchWinload: failed to find OslFwpKernelSetupPhase1. Status: %llx\r\n", Status); goto Exit; } Print(L"HookedOslFwpKernelSetupPhase1 at 0x%p.\r\n", (VOID*)&HookedOslFwpKernelSetupPhase1); CONST EFI_TPL Tpl = gBS->RaiseTPL(TPL_HIGH_LEVEL); // Note: implies cli // Backup original function prologue CopyMem(gOslFwpKernelSetupPhase1Backup, (VOID*)gOriginalOslFwpKernelSetupPhase1, sizeof(gOslFwpKernelSetupPhase1Backup)); // Place faux call (push addr, ret) at the start of the function to transfer execution to our hook CopyMem((VOID*)gOriginalOslFwpKernelSetupPhase1, (VOID*)gHookTemplate, sizeof(gHookTemplate)); *(UINTN*)((UINT8*)gOriginalOslFwpKernelSetupPhase1 + 2) = (UINTN)&HookedOslFwpKernelSetupPhase1; gBS->RestoreTPL(Tpl); // Patch ImgpValidateImageHash to allow custom boot loaders. This is completely // optional (unless booting a custom ntoskrnl.exe), and failures are ignored PatchImgpValidateImageHash(WinloadEfi, (UINT8*)ImageBase, NtHeaders); if (BuildNumber >= 7600) { // Patch ImgpFilterValidationFailure so it doesn't silently // rat out every violation to a TPM or SI log. Also optional PatchImgpFilterValidationFailure(WinloadEfi, (UINT8*)ImageBase, NtHeaders); } Exit: if (EFI_ERROR(Status)) { // Patch failed. Prompt user to ask what they want to do Print(L"\r\nPress any key to continue anyway, or press ESC to reboot.\r\n"); if (!WaitForKey()) { gRT->ResetSystem(EfiResetCold, EFI_SUCCESS, 0, NULL); } } else { Print(L"Successfully patched winload!OslFwpKernelSetupPhase1.\r\n"); RtlSleep(2000); if (gDriverConfig.WaitForKeyPress) { Print(L"\r\nPress any key to continue.\r\n"); WaitForKey(); } } // Return success, because even if the patch failed, the user chose not to reboot above return EFI_SUCCESS; }