Wed 29 Apr 2020 03:51:40 PM CEST

README.md

@@ -2,7 +2,7 @@
   <img src="assets/logo.png"/>
 </p>
 
-Efi-memory is a proof-of-concept EFI runtime driver for reading and writing to virtual memory. It hooks SetVariable() to communicate with client program in the OS. 
+Efi-memory is a proof-of-concept EFI runtime driver for reading and writing to virtual memory. It uses [EfiGuards](https://github.com/Mattiwatti/EfiGuard/) method of hooking SetVariable to communicate with the user-mode process.
 
 ## Repo content
 driver/

client/efi-mapper/kdmapper/efi_driver.cpp

@@ -41,8 +41,13 @@ bool efi_driver::MemCopy(HANDLE device_handle, uint64_t destination, uint64_t so
 	MemoryCommand* cmd = new MemoryCommand();
 	cmd->operation = 0;
 	cmd->magic = COMMAND_MAGIC;
-	cmd->data1 = destination;
+	
-	cmd->data2 = source;
+	uintptr_t data[10];
+	data[0] = destination;
+	data[1] = source;
+
+	memcpy(&cmd->data, &data[0], sizeof(data));
+
 	cmd->size = (int)size;
 
 	SendCommand(cmd);
@@ -82,8 +87,19 @@ uint64_t efi_driver::AllocatePool(HANDLE device_handle, nt::POOL_TYPE pool_type,
 
 	uint64_t allocated_pool = 0;
 
-	if (!CallKernelFunction(device_handle, &allocated_pool, kernel_ExAllocatePool, pool_type, size))
+	MemoryCommand* cmd = new MemoryCommand();
-		return 0;
+	cmd->operation = 1;
+	cmd->magic = COMMAND_MAGIC;
+
+	uintptr_t data[10];
+	data[0] = kernel_ExAllocatePool;
+	data[1] = pool_type;
+	data[2] = size;
+	data[3] = (uintptr_t)&allocated_pool;
+
+	memcpy(&cmd->data, &data[0], sizeof(data));
+
+	SendCommand(cmd);
 
 	return allocated_pool;
 }
@@ -98,7 +114,19 @@ bool efi_driver::FreePool(HANDLE device_handle, uint64_t address)
 	if (!kernel_ExFreePool)
 		kernel_ExFreePool = GetKernelModuleExport(device_handle, utils::GetKernelModuleAddress("ntoskrnl.exe"), "ExFreePool");
 
-	return CallKernelFunction<void>(device_handle, nullptr, kernel_ExFreePool, address);
+	MemoryCommand* cmd = new MemoryCommand();
+	cmd->operation = 2;
+	cmd->magic = COMMAND_MAGIC;
+
+	uintptr_t data[10];
+	data[0] = kernel_ExFreePool;
+	data[1] = address;
+
+	memcpy(&cmd->data, &data[0], sizeof(data));
+
+	SendCommand(cmd);
+
+	return true; // yolo?
 }
 
 uint64_t efi_driver::GetKernelModuleExport(HANDLE device_handle, uint64_t kernel_module_base, const std::string & function_name)
@@ -193,6 +221,36 @@ bool efi_driver::GetNtGdiDdDDIReclaimAllocations2KernelInfo(HANDLE device_handle
 	return true;
 }
 
+bool efi_driver::GetNtGdiGetCOPPCompatibleOPMInformationInfo(HANDLE device_handle, uint64_t* out_kernel_function_ptr, uint8_t* out_kernel_original_bytes)
+{
+	// 48ff2551d81f00   jmp	cs:__imp_NtGdiGetCOPPCompatibleOPMInformation
+	// cccccccccc       padding
+
+	static uint64_t kernel_function_ptr = 0;
+	static uint8_t kernel_original_jmp_bytes[12] = { 0 };
+
+	if (!kernel_function_ptr || kernel_original_jmp_bytes[0] == 0)
+	{
+		const uint64_t kernel_NtGdiGetCOPPCompatibleOPMInformation = GetKernelModuleExport(device_handle, utils::GetKernelModuleAddress("win32kfull.sys"), "NtGdiGetCOPPCompatibleOPMInformation");
+
+		if (!kernel_NtGdiGetCOPPCompatibleOPMInformation)
+		{
+			std::cout << "[-] Failed to get export win32kfull.NtGdiGetCOPPCompatibleOPMInformation" << std::endl;
+			return false;
+		}
+
+		kernel_function_ptr = kernel_NtGdiGetCOPPCompatibleOPMInformation;
+
+		if (!ReadMemory(device_handle, kernel_function_ptr, kernel_original_jmp_bytes, sizeof(kernel_original_jmp_bytes)))
+			return false;
+	}
+
+	*out_kernel_function_ptr = kernel_function_ptr;
+	memcpy(out_kernel_original_bytes, kernel_original_jmp_bytes, sizeof(kernel_original_jmp_bytes));
+
+	return true;
+}
+
 bool efi_driver::ClearMmUnloadedDrivers(HANDLE device_handle)
 {
 	ULONG buffer_size = 0;

client/efi-mapper/kdmapper/efi_driver.hpp

@@ -14,8 +14,7 @@ namespace efi_driver
 	{
 		int magic;
 		int operation;
-		unsigned long long data1;
+		unsigned long long data[10];
-		unsigned long long data2;
 		int size;
 	} MemoryCommand;
 
@@ -45,69 +44,6 @@ namespace efi_driver
 	bool FreePool(HANDLE device_handle, uint64_t address);
 	uint64_t GetKernelModuleExport(HANDLE device_handle, uint64_t kernel_module_base, const std::string& function_name);
 	bool GetNtGdiDdDDIReclaimAllocations2KernelInfo(HANDLE device_handle, uint64_t* out_kernel_function_ptr, uint64_t* out_kernel_original_function_address);
+	bool GetNtGdiGetCOPPCompatibleOPMInformationInfo(HANDLE device_handle, uint64_t* out_kernel_function_ptr, uint8_t* out_kernel_original_bytes);
 	bool ClearMmUnloadedDrivers(HANDLE device_handle);
-
+}
-	template<typename T, typename ...A>
-	bool CallKernelFunction(HANDLE device_handle, T* out_result, uint64_t kernel_function_address, const A ...arguments)
-	{
-		constexpr auto call_void = std::is_same_v<T, void>;
-
-		if constexpr (!call_void)
-		{
-			if (!out_result)
-				return false;
-		}
-		else
-		{
-			UNREFERENCED_PARAMETER(out_result);
-		}
-
-		if (!kernel_function_address)
-			return false;
-
-		// Setup function call 
-
-		const auto NtGdiDdDDIReclaimAllocations2 = reinterpret_cast<void*>(GetProcAddress(LoadLibrary("gdi32full.dll"), "NtGdiDdDDIReclaimAllocations2"));
-
-		if (!NtGdiDdDDIReclaimAllocations2)
-		{
-			std::cout << "[-] Failed to get export gdi32full.NtGdiDdDDIReclaimAllocations2" << std::endl;
-			return false;
-		}
-
-		// Get function pointer (@win32kbase!gDxgkInterface table) used by NtGdiDdDDIReclaimAllocations2 and save the original address (dxgkrnl!DxgkReclaimAllocations2)
-
-		uint64_t kernel_function_ptr = 0;
-		uint64_t kernel_original_function_address = 0;
-
-		if (!GetNtGdiDdDDIReclaimAllocations2KernelInfo(device_handle, &kernel_function_ptr, &kernel_original_function_address))
-			return false;
-
-		// Overwrite the pointer with kernel_function_address
-
-		if (!WriteMemory(device_handle, kernel_function_ptr, &kernel_function_address, sizeof(kernel_function_address)))
-			return false;
-
-		// Call function 
-
-		if constexpr (!call_void)
-		{
-			using FunctionFn = T(__stdcall*)(A...);
-			const auto Function = static_cast<FunctionFn>(NtGdiDdDDIReclaimAllocations2);
-
-			*out_result = Function(arguments...);
-		}
-		else
-		{
-			using FunctionFn = void(__stdcall*)(A...);
-			const auto Function = static_cast<FunctionFn>(NtGdiDdDDIReclaimAllocations2);
-
-			Function(arguments...);
-		}
-
-		// Restore the pointer
-
-		WriteMemory(device_handle, kernel_function_ptr, &kernel_original_function_address, sizeof(kernel_original_function_address));
-		return true;
-	}
-}

client/efi-mapper/kdmapper/kdmapper.cpp

@@ -79,18 +79,23 @@ uint64_t kdmapper::MapDriver(HANDLE iqvw64e_device_handle, const std::string& dr
 
 		std::cout << "[<] Calling DriverEntry 0x" << reinterpret_cast<void*>(address_of_entry_point) << std::endl;
 
-		NTSTATUS status = 0;
+		long status = 0; // NTSTATUS
 
-		if (!efi_driver::CallKernelFunction(iqvw64e_device_handle, &status, address_of_entry_point))
+		efi_driver::MemoryCommand* cmd = new efi_driver::MemoryCommand();
-		{
+		cmd->operation = 5;
-			std::cout << "[-] Failed to call driver entry" << std::endl;
+		cmd->magic = COMMAND_MAGIC;
-			break;
+
-		}
+		uintptr_t data[10];
+		data[0] = address_of_entry_point;
+		data[1] = (uintptr_t)&status;
+
+		memcpy(&cmd->data, &data[0], sizeof(data));
+
+		efi_driver::SendCommand(cmd);
 
 		std::cout << "[+] DriverEntry returned 0x" << std::hex << std::setw(8) << std::setfill('0') << std::uppercase << status << std::nouppercase << std::dec << std::endl;
 
 		// Erase PE headers
-
 		efi_driver::SetMemory(iqvw64e_device_handle, kernel_image_base, 0, nt_headers->OptionalHeader.SizeOfHeaders);
 		return kernel_image_base;
 

client/efi-mapper/kdmapper/kdmapper.vcxproj

@@ -1,141 +1,144 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <ItemGroup Label="ProjectConfigurations">
+  <ItemGroup Label="ProjectConfigurations">
-    <ProjectConfiguration Include="Debug|Win32">
+    <ProjectConfiguration Include="Debug|Win32">
-      <Configuration>Debug</Configuration>
+      <Configuration>Debug</Configuration>
-      <Platform>Win32</Platform>
+      <Platform>Win32</Platform>
-    </ProjectConfiguration>
+    </ProjectConfiguration>
-    <ProjectConfiguration Include="Release|Win32">
+    <ProjectConfiguration Include="Release|Win32">
-      <Configuration>Release</Configuration>
+      <Configuration>Release</Configuration>
-      <Platform>Win32</Platform>
+      <Platform>Win32</Platform>
-    </ProjectConfiguration>
+    </ProjectConfiguration>
-    <ProjectConfiguration Include="Debug|x64">
+    <ProjectConfiguration Include="Debug|x64">
-      <Configuration>Debug</Configuration>
+      <Configuration>Debug</Configuration>
-      <Platform>x64</Platform>
+      <Platform>x64</Platform>
-    </ProjectConfiguration>
+    </ProjectConfiguration>
-    <ProjectConfiguration Include="Release|x64">
+    <ProjectConfiguration Include="Release|x64">
-      <Configuration>Release</Configuration>
+      <Configuration>Release</Configuration>
-      <Platform>x64</Platform>
+      <Platform>x64</Platform>
-    </ProjectConfiguration>
+    </ProjectConfiguration>
-  </ItemGroup>
+  </ItemGroup>
-  <PropertyGroup Label="Globals">
+  <PropertyGroup Label="Globals">
-    <VCProjectVersion>15.0</VCProjectVersion>
+    <VCProjectVersion>15.0</VCProjectVersion>
-    <ProjectGuid>{518E0636-BA8F-459D-ACAC-81BD33475E3E}</ProjectGuid>
+    <ProjectGuid>{518E0636-BA8F-459D-ACAC-81BD33475E3E}</ProjectGuid>
-    <RootNamespace>kdmapper</RootNamespace>
+    <RootNamespace>kdmapper</RootNamespace>
-    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
-  </PropertyGroup>
+  </PropertyGroup>
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
+    <ConfigurationType>Application</ConfigurationType>
-    <UseDebugLibraries>true</UseDebugLibraries>
+    <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v142</PlatformToolset>
+    <PlatformToolset>v142</PlatformToolset>
-    <CharacterSet>MultiByte</CharacterSet>
+    <CharacterSet>MultiByte</CharacterSet>
-  </PropertyGroup>
+  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
+    <ConfigurationType>Application</ConfigurationType>
-    <UseDebugLibraries>false</UseDebugLibraries>
+    <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>v142</PlatformToolset>
+    <PlatformToolset>v142</PlatformToolset>
-    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
-    <CharacterSet>MultiByte</CharacterSet>
+    <CharacterSet>MultiByte</CharacterSet>
-  </PropertyGroup>
+  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
+    <ConfigurationType>Application</ConfigurationType>
-    <UseDebugLibraries>true</UseDebugLibraries>
+    <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v142</PlatformToolset>
+    <PlatformToolset>v142</PlatformToolset>
-    <CharacterSet>MultiByte</CharacterSet>
+    <CharacterSet>MultiByte</CharacterSet>
-    <SpectreMitigation>false</SpectreMitigation>
+    <SpectreMitigation>false</SpectreMitigation>
-  </PropertyGroup>
+  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
+    <ConfigurationType>Application</ConfigurationType>
-    <UseDebugLibraries>false</UseDebugLibraries>
+    <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>v142</PlatformToolset>
+    <PlatformToolset>v142</PlatformToolset>
-    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
-    <CharacterSet>MultiByte</CharacterSet>
+    <CharacterSet>MultiByte</CharacterSet>
-    <SpectreMitigation>false</SpectreMitigation>
+    <SpectreMitigation>false</SpectreMitigation>
-  </PropertyGroup>
+  </PropertyGroup>
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
-  <ImportGroup Label="ExtensionSettings">
+  <ImportGroup Label="ExtensionSettings">
-  </ImportGroup>
+  </ImportGroup>
-  <ImportGroup Label="Shared">
+  <ImportGroup Label="Shared">
-  </ImportGroup>
+  </ImportGroup>
-  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
+  </ImportGroup>
-  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
+  </ImportGroup>
-  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
+  </ImportGroup>
-  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
+  </ImportGroup>
-  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Label="UserMacros" />
-  <PropertyGroup />
+  <PropertyGroup />
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
-    <ClCompile>
+    <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level3</WarningLevel>
-      <Optimization>Disabled</Optimization>
+      <Optimization>Disabled</Optimization>
-      <SDLCheck>true</SDLCheck>
+      <SDLCheck>true</SDLCheck>
-      <ConformanceMode>true</ConformanceMode>
+      <ConformanceMode>true</ConformanceMode>
-    </ClCompile>
+    </ClCompile>
-  </ItemDefinitionGroup>
+  </ItemDefinitionGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
-    <ClCompile>
+    <ClCompile>
-      <WarningLevel>Level4</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
-      <SDLCheck>true</SDLCheck>
+      <SDLCheck>true</SDLCheck>
-      <ConformanceMode>true</ConformanceMode>
+      <ConformanceMode>true</ConformanceMode>
-      <LanguageStandard>stdcpp17</LanguageStandard>
+      <LanguageStandard>stdcpp17</LanguageStandard>
-      <TreatWarningAsError>false</TreatWarningAsError>
+      <TreatWarningAsError>false</TreatWarningAsError>
-    </ClCompile>
+    </ClCompile>
-  </ItemDefinitionGroup>
+    <Link>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      <AdditionalDependencies>version.lib;%(AdditionalDependencies)</AdditionalDependencies>
-    <ClCompile>
+    </Link>
-      <WarningLevel>Level3</WarningLevel>
+  </ItemDefinitionGroup>
-      <Optimization>MaxSpeed</Optimization>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
-      <FunctionLevelLinking>true</FunctionLevelLinking>
+    <ClCompile>
-      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <WarningLevel>Level3</WarningLevel>
-      <SDLCheck>true</SDLCheck>
+      <Optimization>MaxSpeed</Optimization>
-      <ConformanceMode>true</ConformanceMode>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
-    </ClCompile>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
-    <Link>
+      <SDLCheck>true</SDLCheck>
-      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <ConformanceMode>true</ConformanceMode>
-      <OptimizeReferences>true</OptimizeReferences>
+    </ClCompile>
-    </Link>
+    <Link>
-  </ItemDefinitionGroup>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      <OptimizeReferences>true</OptimizeReferences>
-    <ClCompile>
+    </Link>
-      <WarningLevel>Level4</WarningLevel>
+  </ItemDefinitionGroup>
-      <Optimization>MaxSpeed</Optimization>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
-      <FunctionLevelLinking>true</FunctionLevelLinking>
+    <ClCompile>
-      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <WarningLevel>Level4</WarningLevel>
-      <SDLCheck>true</SDLCheck>
+      <Optimization>MaxSpeed</Optimization>
-      <ConformanceMode>true</ConformanceMode>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
-      <TreatWarningAsError>true</TreatWarningAsError>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
-      <LanguageStandard>stdcpp17</LanguageStandard>
+      <SDLCheck>true</SDLCheck>
-    </ClCompile>
+      <ConformanceMode>true</ConformanceMode>
-    <Link>
+      <TreatWarningAsError>true</TreatWarningAsError>
-      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <LanguageStandard>stdcpp17</LanguageStandard>
-      <OptimizeReferences>true</OptimizeReferences>
+    </ClCompile>
-    </Link>
+    <Link>
-  </ItemDefinitionGroup>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
-  <ItemGroup>
+      <OptimizeReferences>true</OptimizeReferences>
-    <ClCompile Include="efi_driver.cpp" />
+    </Link>
-    <ClCompile Include="main.cpp" />
+  </ItemDefinitionGroup>
-    <ClCompile Include="kdmapper.cpp" />
+  <ItemGroup>
-    <ClCompile Include="portable_executable.cpp" />
+    <ClCompile Include="efi_driver.cpp" />
-    <ClCompile Include="service.cpp" />
+    <ClCompile Include="main.cpp" />
-    <ClCompile Include="utils.cpp" />
+    <ClCompile Include="kdmapper.cpp" />
-  </ItemGroup>
+    <ClCompile Include="portable_executable.cpp" />
-  <ItemGroup>
+    <ClCompile Include="service.cpp" />
-    <ClInclude Include="efi_driver.hpp" />
+    <ClCompile Include="utils.cpp" />
-    <ClInclude Include="kdmapper.hpp" />
+  </ItemGroup>
-    <ClInclude Include="nt.hpp" />
+  <ItemGroup>
-    <ClInclude Include="portable_executable.hpp" />
+    <ClInclude Include="efi_driver.hpp" />
-    <ClInclude Include="service.hpp" />
+    <ClInclude Include="kdmapper.hpp" />
-    <ClInclude Include="utils.hpp" />
+    <ClInclude Include="nt.hpp" />
-  </ItemGroup>
+    <ClInclude Include="portable_executable.hpp" />
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+    <ClInclude Include="service.hpp" />
-  <ImportGroup Label="ExtensionTargets">
+    <ClInclude Include="utils.hpp" />
-  </ImportGroup>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
 </Project>

client/efi-mapper/kdmapper/main.cpp

@@ -1,7 +1,7 @@
 #include "kdmapper.hpp"
 
 int main(const int argc, char** argv)
-{
+{	
 	if (argc != 2 || std::filesystem::path(argv[1]).extension().string().compare(".sys"))
 	{
 		std::cout << "[-] Incorrect usage" << std::endl;

client/efi-mapper/kdmapper/portable_executable.cpp

@@ -23,6 +23,7 @@ portable_executable::vec_relocs portable_executable::GetRelocs(void* image_base)
 		return {};
 
 	vec_relocs relocs;
+	return relocs; // gonna probably kill me for this but for some reason drivers without reallocation seems falsely reporting some shit memory regions causing mapper to crash
 
 	auto current_base_relocation = reinterpret_cast<PIMAGE_BASE_RELOCATION>(reinterpret_cast<uint64_t>(image_base) + nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
 	const auto reloc_end = reinterpret_cast<uint64_t>(current_base_relocation) + nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;

driver/LICENSE.md

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2020 Samuel Tulach
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

driver/LICENSE.txt

@@ -0,0 +1,15 @@
+Copyright (c) 2020 Samuel Tulach (@SamuelTulach)
+Copyright (c) 2019 Matthijs Lavrijsen (@Mattiwatti)
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.

driver/main.c

@@ -2,6 +2,8 @@
 // instead of SysV ABI, we now have to do transitions
 // GNU-EFI has a functionality for this (thanks god)
 #define GNU_EFI_USE_MS_ABI 1
+#define stdcall __attribute__((stdcall)) // wHy NoT tO jUsT uSe MsVc
+#define fastcall __attribute__((fastcall))
 
 // Mandatory defines
 #include <efi.h>
@@ -42,11 +44,17 @@ typedef struct _MemoryCommand
 {
     int magic;
     int operation;
-    unsigned long long data1;
+    unsigned long long data[10];
-    unsigned long long data2;
     int size;
 } MemoryCommand;
 
+// Functions (Windows only)
+typedef uintptr_t (stdcall *ExAllocatePool)(int type, uintptr_t size);
+typedef void (stdcall *ExFreePool)(uintptr_t address);
+typedef void (stdcall *StandardFuncStd)();
+typedef void (fastcall *StandardFuncFast)();
+typedef unsigned long (stdcall *DriverEntry)(void* driver, void* registry);
+
 // Function that actually performs the r/w
 EFI_STATUS
 RunCommand(MemoryCommand* cmd) 
@@ -62,10 +70,60 @@ RunCommand(MemoryCommand* cmd)
     if (cmd->operation == 0) 
     {
         // Same as memcpy function
-        CopyMem(cmd->data1, cmd->data2, cmd->size);    
+        CopyMem(cmd->data[0], cmd->data[1], cmd->size);    
+
         return EFI_SUCCESS;
     }
 
+    // Call ExAllocatePool
+    if (cmd->operation == 1) 
+    {
+        void* function = cmd->data[0]; // Pointer to the function (supplied by client)
+        ExAllocatePool exalloc = (ExAllocatePool)function;
+        int temp = cmd->data[1]; // gcc you ok?
+        uintptr_t allocbase = exalloc(temp, cmd->data[2]);
+        *(uintptr_t*)cmd->data[3] = allocbase;
+    }
+
+    // Call ExFreePool
+    if (cmd->operation == 2) 
+    {
+        void* function = cmd->data[0];
+        ExFreePool exfree = (ExFreePool)function;
+        exfree(cmd->data[1]);
+    }
+
+    // Call any void function (__stdcall)
+    if (cmd->operation == 3) 
+    {
+        void* function = cmd->data[0];
+        StandardFuncStd stand = (StandardFuncStd)function;
+        stand();
+    }
+
+    // Call any void function (__fastcall)
+    if (cmd->operation == 4) 
+    {
+        void* function = cmd->data[0];
+        StandardFuncFast stand = (StandardFuncFast)function;
+        stand();
+    }
+
+    // Call driver entry
+    if (cmd->operation == 5) 
+    {
+        void* function = cmd->data[0];
+        DriverEntry entry = (DriverEntry)function;
+        
+        // gcc compiles long as 8 byte
+        // msvc compiles long as 4 byte
+        // we are gonna use int
+        // you can't even imagine how long I was fking 
+        // with this
+        int status = entry(0, 0);
+        *(int*)cmd->data[1] = status;
+    }
+
     // Invalid command
     return EFI_UNSUPPORTED;
 }
@@ -249,7 +307,7 @@ efi_main(IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE *SystemTable)
                                 TPL_NOTIFY,
                                 SetVirtualAddressMapEvent,
                                 NULL,
-                                VirtualGuid,
+                                &VirtualGuid,
                                 &NotifyEvent);
 
     // Return if event create failed
@@ -264,7 +322,7 @@ efi_main(IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE *SystemTable)
                                 TPL_NOTIFY,
                                 ExitBootServicesEvent,
                                 NULL,
-                                ExitGuid,
+                                &ExitGuid,
                                 &ExitEvent);
 
     // Return if event create failed (yet again)