ultimate [anticheat name censored] bypass

SamuelTulach · Jul 9, 2020 · 98a70ec · 98a70ec
1 parent 5a3e74f
commit 98a70ec
Show file tree

Hide file tree

Showing 4 changed files with 143 additions and 35 deletions.
diff --git a/driver/dummy.h b/driver/dummy.h
@@ -0,0 +1,89 @@
+// This header contains dummy functions to hook in runtime services table
+// We want to do this since then, the function pointers are going to be pointing
+// to somewhat similar memory location
+
+#include "general.h"
+
+static EFI_GET_TIME oGetTime;
+EFIAPI EFI_STATUS HookedGetTime(EFI_TIME* time, EFI_TIME_CAPABILITIES* capabilities) 
+{
+    return oGetTime(time, capabilities);
+}
+
+static EFI_SET_TIME oSetTime;
+EFIAPI EFI_STATUS HookedSetTime(EFI_TIME* time) 
+{
+    return oSetTime(time);
+}
+
+static EFI_GET_WAKEUP_TIME oGetWakeupTime;
+EFIAPI EFI_STATUS HookedGetWakeupTime(BOOLEAN* enabled, BOOLEAN* pending, EFI_TIME* time) 
+{
+    return oGetWakeupTime(enabled, pending, time);
+}
+
+static EFI_SET_WAKEUP_TIME oSetWakeupTime;
+EFIAPI EFI_STATUS HookedSetWakeupTime(BOOLEAN enable, EFI_TIME* time) 
+{
+    return oSetWakeupTime(enable, time);
+}
+
+static EFI_SET_VIRTUAL_ADDRESS_MAP oSetVirtualAddressMap;
+EFIAPI EFI_STATUS HookedSetVirtualAddressMap(UINTN mapSize, UINTN descriptorSize, UINT32 version, EFI_MEMORY_DESCRIPTOR* virtualMap) 
+{
+    return oSetVirtualAddressMap(mapSize, descriptorSize, version, virtualMap);
+}
+
+static EFI_CONVERT_POINTER oConvertPointer;
+EFIAPI EFI_STATUS HookedConvertPointer(UINTN debug, void** address) 
+{
+    return oConvertPointer(debug, address);
+}
+
+static EFI_GET_VARIABLE oGetVariable;
+EFIAPI EFI_STATUS HookedGetVariable(CHAR16* variableName, EFI_GUID* vendorGuid, UINT32* attributes, UINTN* dataSize, void* data) 
+{
+    return oGetVariable(variableName, vendorGuid, attributes, dataSize, data);
+}
+
+static EFI_GET_NEXT_VARIABLE_NAME oGetNextVariableName;
+EFIAPI EFI_STATUS HookedGetNextVariableName(UINTN* variableNameSize, CHAR16* variableName, EFI_GUID* vendorGuid) 
+{
+    return oGetNextVariableName(variableNameSize, variableName, vendorGuid);
+}
+
+/*static EFI_SET_VARIABLE oSetVariable;
+EFIAPI EFI_STATUS HookedSetVariable(CHAR16* variableName, EFI_GUID* vendorGuid, UINT32 attributes, UINTN dataSize, void* data) 
+{
+    return oSetVariable(variableName, vendorGuid, attributes, dataSize, data);
+}*/
+
+static EFI_GET_NEXT_HIGH_MONO_COUNT oGetNextHighMonotonicCount;
+EFIAPI EFI_STATUS HookedGetNextHighMonotonicCount(UINT32* highCount) 
+{
+    return oGetNextHighMonotonicCount(highCount);
+}
+
+static EFI_RESET_SYSTEM oResetSystem;
+EFIAPI EFI_STATUS HookedResetSystem(EFI_RESET_TYPE resetType, EFI_STATUS resetStatus, UINTN dataSize, CHAR16* resetData) 
+{
+    return oResetSystem(resetType, resetStatus, dataSize, resetData);
+}
+
+static EFI_UPDATE_CAPSULE oUpdateCapsule;
+EFIAPI EFI_STATUS HookedUpdateCapsule(EFI_CAPSULE_HEADER** capsuleHeaderArray, UINTN capsuleCount, EFI_PHYSICAL_ADDRESS scatterGatherList) 
+{
+    return oUpdateCapsule(capsuleHeaderArray, capsuleCount, scatterGatherList);
+}
+
+static EFI_QUERY_CAPSULE_CAPABILITIES oQueryCapsuleCapabilities;
+EFIAPI EFI_STATUS HookedQueryCapsuleCapabilities(EFI_CAPSULE_HEADER** capsuleHeaderArray, UINTN capsuleCount, UINT64* maximumCapsuleSize, EFI_RESET_TYPE* resetType) 
+{
+    return oQueryCapsuleCapabilities(capsuleHeaderArray, capsuleCount, maximumCapsuleSize, resetType);
+}
+
+static EFI_QUERY_VARIABLE_INFO oQueryVariableInfo;
+EFIAPI EFI_STATUS HookedQueryVariableInfo(UINT32 attributes, UINT64* maximumVariableStorageSize, UINT64* remainingVariableStorageSize, UINT64* maximumVariableSize) 
+{
+    return oQueryVariableInfo(attributes, maximumVariableStorageSize, remainingVariableStorageSize, maximumVariableSize);
+}
diff --git a/driver/general.h b/driver/general.h
@@ -0,0 +1,16 @@
+#ifndef GENERAL_H
+#define GENERAL_H
+
+// Since some retard decided to use M$ ABI in EFI standard
+// instead of SysV ABI, we now have to do transitions
+// GNU-EFI has a functionality for this (thanks god)
+#define GNU_EFI_USE_MS_ABI 1
+#define stdcall __attribute__((stdcall)) // wHy NoT tO jUsT uSe MsVc
+#define fastcall __attribute__((fastcall))
+// EFIAPI == __attribute__((ms_abi))
+
+// Mandatory defines
+#include <efi.h>
+#include <efilib.h>
+
+#endif
diff --git a/driver/main.c b/driver/main.c
@@ -1,13 +1,7 @@
-// Since some retard decided to use M$ ABI in EFI standard
-// instead of SysV ABI, we now have to do transitions
-// GNU-EFI has a functionality for this (thanks god)
-#define GNU_EFI_USE_MS_ABI 1
-#define stdcall __attribute__((stdcall)) // wHy NoT tO jUsT uSe MsVc
-#define fastcall __attribute__((fastcall))
+#include "general.h"
 
-// Mandatory defines
-#include <efi.h>
-#include <efilib.h>
+// Dummy hooks
+#include "dummy.h"
 
 // Since Windows does not want to allocate execusable memory for our driver
 // in new versions of the OS, then we have to do it ourselves (I guess)
@@ -182,6 +176,22 @@ SetVirtualAddressMapEvent(
     // Convert orignal SetVariable address
     RT->ConvertPointer(0, &oSetVariable);
 
+    // Convert all other addresses
+    RT->ConvertPointer(0, &oGetTime);
+    RT->ConvertPointer(0, &oSetTime);
+    RT->ConvertPointer(0, &oGetWakeupTime);
+    RT->ConvertPointer(0, &oSetWakeupTime);
+    RT->ConvertPointer(0, &oSetVirtualAddressMap);
+    RT->ConvertPointer(0, &oConvertPointer);
+    RT->ConvertPointer(0, &oGetVariable);
+    RT->ConvertPointer(0, &oGetNextVariableName);
+    //RT->ConvertPointer(0, &oSetVariable);
+    RT->ConvertPointer(0, &oGetNextHighMonotonicCount);
+    RT->ConvertPointer(0, &oResetSystem);
+    RT->ConvertPointer(0, &oUpdateCapsule);
+    RT->ConvertPointer(0, &oQueryCapsuleCapabilities);
+    RT->ConvertPointer(0, &oQueryVariableInfo);
+
     // Convert runtime services pointer
     RtLibEnableVirtualMappings();
 
@@ -226,7 +236,7 @@ SetServicePointer(
     )
 {
     // We don't want to fuck up the system
-    if (ServiceTableFunction == NULL || NewFunction == NULL)
+    if (ServiceTableFunction == NULL || NewFunction == NULL || *ServiceTableFunction == NULL)
         return NULL;
 
     // Make sure boot services pointers are not null
@@ -333,16 +343,25 @@ efi_main(IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE *SystemTable)
     // Hook SetVariable (should not fail)
     oSetVariable = (EFI_SET_VARIABLE)SetServicePointer(&RT->Hdr, (VOID**)&RT->SetVariable, (VOID**)&HookedSetVariable);
 
+    // Hook all the other runtime services functions
+    oGetTime = (EFI_GET_TIME)SetServicePointer(&RT->Hdr, (VOID**)&RT->GetTime, (VOID**)&HookedGetTime);
+    oSetTime = (EFI_SET_TIME)SetServicePointer(&RT->Hdr, (VOID**)&RT->SetTime, (VOID**)&HookedSetTime);
+    oGetWakeupTime = (EFI_SET_TIME)SetServicePointer(&RT->Hdr, (VOID**)&RT->GetWakeupTime, (VOID**)&HookedGetWakeupTime);
+    oSetWakeupTime = (EFI_SET_WAKEUP_TIME)SetServicePointer(&RT->Hdr, (VOID**)&RT->SetWakeupTime, (VOID**)&HookedSetWakeupTime);
+    oSetVirtualAddressMap = (EFI_SET_VIRTUAL_ADDRESS_MAP)SetServicePointer(&RT->Hdr, (VOID**)&RT->SetVirtualAddressMap, (VOID**)&HookedSetVirtualAddressMap);
+    oConvertPointer = (EFI_CONVERT_POINTER)SetServicePointer(&RT->Hdr, (VOID**)&RT->ConvertPointer, (VOID**)&HookedConvertPointer);
+    oGetVariable = (EFI_GET_VARIABLE)SetServicePointer(&RT->Hdr, (VOID**)&RT->GetVariable, (VOID**)&HookedGetVariable);
+    oGetNextVariableName = (EFI_GET_NEXT_VARIABLE_NAME)SetServicePointer(&RT->Hdr, (VOID**)&RT->GetNextVariableName, (VOID**)&HookedGetNextVariableName);
+    //oSetVariable = (EFI_SET_VARIABLE)SetServicePointer(&RT->Hdr, (VOID**)&RT->SetVariable, (VOID**)&HookedSetVariable);
+    oGetNextHighMonotonicCount = (EFI_GET_NEXT_HIGH_MONO_COUNT)SetServicePointer(&RT->Hdr, (VOID**)&RT->GetNextHighMonotonicCount, (VOID**)&HookedGetNextHighMonotonicCount);
+    oResetSystem = (EFI_RESET_SYSTEM)SetServicePointer(&RT->Hdr, (VOID**)&RT->ResetSystem, (VOID**)&HookedResetSystem);
+    oUpdateCapsule = (EFI_UPDATE_CAPSULE)SetServicePointer(&RT->Hdr, (VOID**)&RT->UpdateCapsule, (VOID**)&HookedUpdateCapsule);
+    oQueryCapsuleCapabilities = (EFI_QUERY_CAPSULE_CAPABILITIES)SetServicePointer(&RT->Hdr, (VOID**)&RT->QueryCapsuleCapabilities, (VOID**)&HookedQueryCapsuleCapabilities);
+    oQueryVariableInfo = (EFI_QUERY_VARIABLE_INFO)SetServicePointer(&RT->Hdr, (VOID**)&RT->QueryVariableInfo, (VOID**)&HookedQueryVariableInfo);
+
     // Print confirmation text
-    Print(L"\n");
-    Print(L"       __ _                                  \n");
-    Print(L"  ___ / _(_)___ _ __  ___ _ __  ___ _ _ _  _ \n");
-    Print(L" / -_)  _| |___| '  \\/ -_) '  \\/ _ \\ '_| || |\n");
-    Print(L" \\___|_| |_|   |_|_|_\\___|_|_|_\\___/_|  \\_, |\n");
-    Print(L"                                        |__/ \n");
-    Print(L"Made by: Samuel Tulach\n");
-    Print(L"Thanks to: @Mattiwatti (EfiGuard), Roderick W. Smith (rodsbooks.com)\n\n");
-    Print(L"Driver has been loaded successfully. You can now boot to the OS.\n");
+    Print(L"efi-memory (build on: %a in: %a)\n", __DATE__, __TIME__);
+    Print(L"https://github.com/SamuelTulach/efi-memory\n");  
 
     return EFI_SUCCESS;
 }
diff --git a/update.sh b/update.sh