WinLoad.h
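#pragma once
#include "HvLoader.h"
#include "PayLoad.h"

// Hook descriptors for the two winload hooks declared in this header. They are only
// declared here (extern); the definitions live in the matching .c file. INLINE_HOOK
// is presumably provided by HvLoader.h / PayLoad.h.
extern INLINE_HOOK WinLoadImageShitHook;
extern INLINE_HOOK WinLoadAllocateImageHook;

// Byte-pattern signatures used to locate routines inside winload. Every *_SIG is paired
// with a *_MASK of the same length. In the masks, the '?' positions coincide with the
// 0x00 bytes of the SIG (the rel32 / displacement operands that differ per build).
// NOTE(review): 'x' = compare byte, '?' = ignore byte is inferred from that layout;
// confirm against the scanner that consumes these pairs.

// 2004-1511 winload.BlImgAllocateImageBuffer
#define ALLOCATE_IMAGE_BUFFER_SIG "\xE8\x00\x00\x00\x00\x8B\xD8\x85\xC0\x78\x7C\x21\x7C\x24\x00\x45\x33\xC0"
#define ALLOCATE_IMAGE_BUFFER_MASK "x????xxxxxxxxx?xxx"

// 1703-1511
//
// for 1703-1511, we are going to want to hook BlImgAllocateImageBuffer inside of hvloader.efi
// not winload. We will have to scan for BlImgLoadPEImageEx in winload and then wait for hvloader
// to be loaded to install hooks in hvloader...
#define LOAD_PE_IMG_SIG "\x48\x89\x44\x24\x00\xE8\x00\x00\x00\x00\x44\x8B\xF0\x85\xC0\x79\x11"
#define LOAD_PE_IMG_MASK "xxxx?x????xxxxxxx"

// Compile-time guard that each SIG/MASK pair stayed the same length after editing.
// Both pairs are checked; previously only the ALLOCATE pair was, so a LOAD_PE_IMG
// pattern edited to a different length would not have been caught at compile time.
static_assert(sizeof(ALLOCATE_IMAGE_BUFFER_SIG) == sizeof(ALLOCATE_IMAGE_BUFFER_MASK), "signature and mask do not match size!");
static_assert(sizeof(LOAD_PE_IMG_SIG) == sizeof(LOAD_PE_IMG_MASK), "LOAD_PE_IMG signature and mask do not match size!");

// Pointer type for the original BlImgAllocateImageBuffer (presumably used to call the
// original from inside the hook).
// NOTE(review): this typedef returns UINT64 while the BlImgAllocateImageBuffer prototype
// below returns EFI_STATUS. Likely the same width on x64, but the two should be made to
// agree so the call-through and the hook have one declared return type.
typedef UINT64 (EFIAPI* ALLOCATE_IMAGE_BUFFER)(VOID** imageBuffer, UINTN imageSize, UINT32 memoryType,
    UINT32 attributes, VOID* unused, UINT32 Value);

// Pointer type for the original image-load routine.
// NOTE(review): despite the name, its 14-parameter list matches BlImgLoadPEImageEx
// below, not the 16-parameter BlLdrLoadImage; verify which original it is used to call.
typedef EFI_STATUS(EFIAPI* LDR_LOAD_IMAGE)(VOID* a1, VOID* a2, CHAR16* ImagePath, UINT64* ImageBasePtr, UINT32* ImageSize,
    VOID* a6, VOID* a7, VOID* a8, VOID* a9, VOID* a10, VOID* a11, VOID* a12, VOID* a13, VOID* a14);

/// <summary>
/// for 1703-1507, we are going to want to install hooks inside
/// of hvloader.efi... in order to know when hvloader.efi is loaded into memory
/// we are going to install a hook on winload.BlImgLoadPEImageEx...
/// </summary>
/// <param name="a1">unknown</param>
/// <param name="a2">unknown</param>
/// <param name="ImagePath">
/// unicode string path to image being loaded into memory...
/// </param>
/// <param name="ImageBasePtr">
/// pointer to a UINT64 which will contain the base
/// address of the module after its loaded...
/// </param>
/// <param name="ImageSize">pass by ref size of the image loaded into memory...</param>
/// <param name="a6">unknown</param>
/// <param name="a7">unknown</param>
/// <param name="a8">unknown</param>
/// <param name="a9">unknown</param>
/// <param name="a10">unknown</param>
/// <param name="a11">unknown</param>
/// <param name="a12">unknown</param>
/// <param name="a13">unknown</param>
/// <param name="a14">unknown</param>
/// <returns>status of image loaded...</returns>
EFI_STATUS EFIAPI BlImgLoadPEImageEx
(
    VOID* a1,
    VOID* a2,
    CHAR16* ImagePath,
    UINT64* ImageBasePtr,
    UINT32* ImageSize,
    VOID* a6,
    VOID* a7,
    VOID* a8,
    VOID* a9,
    VOID* a10,
    VOID* a11,
    VOID* a12,
    VOID* a13,
    VOID* a14
);

/// <summary>
/// for 2004-1709, winload exports a bunch of functions... specifically BlLdrLoadImage,
/// which hvloader calls to load hyper-v into memory... BlLdrLoadImage calls BlImgAllocateImageBuffer
/// to allocate memory for hyper-v's module, we are hooking BlImgAllocateImageBuffer to extend
/// the allocations size and to make the entire allocation RWX...
/// </summary>
/// <param name="imageBuffer">pass by ref of a pointer to the allocation base...</param>
/// <param name="imageSize">size of the allocation...</param>
/// <param name="memoryType">unknown</param>
/// <param name="attributes">unknown</param>
/// <param name="unused">unknown</param>
/// <param name="Value">unknown (the parameter list here and in ALLOCATE_IMAGE_BUFFER both name it Value)</param>
/// <returns>EFI_STATUS; see the definition in the corresponding .c file</returns>
EFI_STATUS EFIAPI BlImgAllocateImageBuffer
(
    VOID** imageBuffer,
    UINTN imageSize,
    UINT32 memoryType,
    UINT32 attributes,
    VOID* unused,
    UINT32 Value
);

/// <summary>
/// 2004-1709, BlLdrLoadImage is exported from winload... I shithook this and
/// when hyper-v is loaded I install my hooks/extend hyper-v's allocation...
/// </summary>
/// <param name="Arg1">unknown</param>
/// <param name="ModulePath">unicode string path of the module being loaded</param>
/// <param name="ModuleName">unicode string name of the module being loaded</param>
/// <param name="Arg4">unknown</param>
/// <param name="Arg5">unknown</param>
/// <param name="Arg6">unknown</param>
/// <param name="Arg7">unknown</param>
/// <param name="lplpTableEntry">pointer to a PLDR_DATA_TABLE_ENTRY pointer (see PPLDR_DATA_TABLE_ENTRY)</param>
/// <param name="Arg9">unknown</param>
/// <param name="Arg10">unknown</param>
/// <param name="Arg11">unknown</param>
/// <param name="Arg12">unknown</param>
/// <param name="Arg13">unknown</param>
/// <param name="Arg14">unknown</param>
/// <param name="Arg15">unknown</param>
/// <param name="Arg16">unknown</param>
/// <returns>EFI_STATUS; see the definition in the corresponding .c file</returns>
EFI_STATUS EFIAPI BlLdrLoadImage
(
    VOID* Arg1,
    CHAR16* ModulePath,
    CHAR16* ModuleName,
    VOID* Arg4,
    VOID* Arg5,
    VOID* Arg6,
    VOID* Arg7,
    PPLDR_DATA_TABLE_ENTRY lplpTableEntry,
    VOID* Arg9,
    VOID* Arg10,
    VOID* Arg11,
    VOID* Arg12,
    VOID* Arg13,
    VOID* Arg14,
    VOID* Arg15,
    VOID* Arg16
);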