Kernel pointer will be member of loader class

Signed-off-by: SergeySlice <sergey.slice@gmail.com>
This commit is contained in:
SergeySlice 2020-05-09 10:56:30 +03:00
parent c36b0438b3
commit dc4d0062a8
6 changed files with 232 additions and 339 deletions



@ -141,7 +141,7 @@ extern BOOLEAN SSSE3;
VOID Patcher_SSE3_5(VOID* kernelData);
VOID Patcher_SSE3_6(VOID* kernelData);
VOID Patcher_SSE3_7(VOID* kernelData);
VOID Patcher_SSE3_7();
#include "../gui/menu_items/menu_items.h" // for LOADER_ENTRY
class LOADER_ENTRY;
@ -192,6 +192,5 @@ UINTN SearchAndReplace(UINT8 *Source, UINT64 SourceSize, const UINT8 *Search, UI
UINTN SearchAndReplaceMask(UINT8 *Source, UINT64 SourceSize, const UINT8 *Search, const UINT8 *MaskSearch, UINTN SearchSize,
const UINT8 *Replace, const UINT8 *MaskReplace, INTN MaxReplaces);
//UINTN searchProc(LOADER_ENTRY *Entry, unsigned char * kernel, const char *procedure);
#endif /* !__LIBSAIO_KERNEL_PATCHER_H */
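Review bot: The parameterless `VOID Patcher_SSE3_7();` sits directly under `Patcher_SSE3_5(VOID* kernelData)` and `Patcher_SSE3_6(VOID* kernelData)`, which keep the explicit pointer, so the three sibling prototypes no longer share one convention, and if the parameterless form is the new side it is not visible here where Patcher_SSE3_7 now obtains the kernel image (presumably the loader's `KernelData` member or a global — to confirm in the .cpp). Either migrate the three together or document the split on the new prototype, e.g. `// reads the kernel image from the loader's KernelData; SSE3_5/6 still take it explicitly`. Whether the `#include "../gui/menu_items/menu_items.h"` line or the `class LOADER_ENTRY;` forward declaration is the new side cannot be told from this rendering; a forward declaration is the lighter dependency for a header that only names the type.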


@ -913,7 +913,7 @@ const UINT8 KBELionReplaceEXT_X64[] = { 0xE8, 0x0C, 0xFD, 0xFF, 0xFF, 0x90, 0
//
VOID EFIAPI LOADER_ENTRY::KernelBooterExtensionsPatch(IN UINT8 *Kernel)
VOID EFIAPI LOADER_ENTRY::KernelBooterExtensionsPatch()
{
UINTN Num = 0;
UINTN NumSnow_i386_EXT = 0;
@ -926,11 +926,11 @@ VOID EFIAPI LOADER_ENTRY::KernelBooterExtensionsPatch(IN UINT8 *Kernel)
DBG_RT("\nPatching kernel for injected kexts...\n");
if (is64BitKernel) {
NumSnow_X64_EXT = SearchAndCount(Kernel, KERNEL_MAX_SIZE, KBESnowSearchEXT_X64, sizeof(KBESnowSearchEXT_X64));
NumLion_X64_EXT = SearchAndCount(Kernel, KERNEL_MAX_SIZE, KBELionSearchEXT_X64, sizeof(KBELionSearchEXT_X64));
NumSnow_X64_EXT = SearchAndCount(KernelData, KERNEL_MAX_SIZE, KBESnowSearchEXT_X64, sizeof(KBESnowSearchEXT_X64));
NumLion_X64_EXT = SearchAndCount(KernelData, KERNEL_MAX_SIZE, KBELionSearchEXT_X64, sizeof(KBELionSearchEXT_X64));
} else {
NumSnow_i386_EXT = SearchAndCount(Kernel, KERNEL_MAX_SIZE, KBESnowSearchEXT_i386, sizeof(KBESnowSearchEXT_i386));
NumLion_i386_EXT = SearchAndCount(Kernel, KERNEL_MAX_SIZE, KBELionSearchEXT_i386, sizeof(KBELionSearchEXT_i386));
NumSnow_i386_EXT = SearchAndCount(KernelData, KERNEL_MAX_SIZE, KBESnowSearchEXT_i386, sizeof(KBESnowSearchEXT_i386));
NumLion_i386_EXT = SearchAndCount(KernelData, KERNEL_MAX_SIZE, KBELionSearchEXT_i386, sizeof(KBELionSearchEXT_i386));
}
if (NumSnow_i386_EXT + NumSnow_X64_EXT + NumLion_i386_EXT + NumLion_X64_EXT > 1) {
@ -944,10 +944,10 @@ VOID EFIAPI LOADER_ENTRY::KernelBooterExtensionsPatch(IN UINT8 *Kernel)
// X64
if (is64BitKernel) {
if (NumSnow_X64_EXT == 1) {
Num = SearchAndReplace(Kernel, KERNEL_MAX_SIZE, KBESnowSearchEXT_X64, sizeof(KBESnowSearchEXT_X64), KBESnowReplaceEXT_X64, 1);
Num = SearchAndReplace(KernelData, KERNEL_MAX_SIZE, KBESnowSearchEXT_X64, sizeof(KBESnowSearchEXT_X64), KBESnowReplaceEXT_X64, 1);
// DBG_RT("==> kernel Snow Leopard X64: %llu replaces done.\n", Num);
} else if (NumLion_X64_EXT == 1) {
Num = SearchAndReplace(Kernel, KERNEL_MAX_SIZE, KBELionSearchEXT_X64, sizeof(KBELionSearchEXT_X64), KBELionReplaceEXT_X64, 1);
Num = SearchAndReplace(KernelData, KERNEL_MAX_SIZE, KBELionSearchEXT_X64, sizeof(KBELionSearchEXT_X64), KBELionReplaceEXT_X64, 1);
// DBG_RT("==> kernel Lion X64: %llu replaces done.\n", Num);
} else {
// EXT - load extra kexts besides kernelcache.
@ -995,11 +995,11 @@ VOID EFIAPI LOADER_ENTRY::KernelBooterExtensionsPatch(IN UINT8 *Kernel)
// address: 0095098b
// bytes:eb05
UINTN procLocation = searchProc(Kernel, "readStartupExtensions");
UINTN procLocation = searchProc("readStartupExtensions");
const UINT8 findJmp[] = {0xEB, 0x05};
const UINT8 patchJmp[] = {0x90, 0x90};
// DBG_RT("==> readStartupExtensions at %llx\n", procLocation);
if (!SearchAndReplace(&Kernel[procLocation], 0x100, findJmp, 2, patchJmp, 1)) {
if (!SearchAndReplace(&KernelData[procLocation], 0x100, findJmp, 2, patchJmp, 1)) {
DBG_RT("load kexts not patched\n");
// for (UINTN j=procLocation+0x3b; j<procLocation+0x4b; ++j) {
// DBG_RT("%02x", Kernel[j]);
@ -1073,123 +1073,34 @@ VOID EFIAPI LOADER_ENTRY::KernelBooterExtensionsPatch(IN UINT8 *Kernel)
}
}
#else
// bool otherSys = false;
// UINTN procLocation = searchProc(Kernel, "IOTaskHasEntitlement");
//Catalina
// const UINT8 find2[] = {0x45, 0x31, 0xF6, 0x48, 0x85, 0xC0 };
// const UINT8 mask2[] = {0xFF, 0xFF, 0x00, 0xFF, 0xFF, 0xFF };
//older systems
const UINT8 find3[] = {0x48, 0x85, 00, 0x74, 00, 0x48, 00, 00, 0x48 };
const UINT8 mask3[] = {0xFF, 0xFF, 00, 0xFF, 00, 0xFF, 00, 00, 0xFF };
/*
patchLocation2 = FindMemMask(&Kernel[procLocation], 0x30, find2, sizeof(find2), mask2, sizeof(mask2));
if (patchLocation2 == KERNEL_MAX_SIZE) {
//other systems
patchLocation2 = FindMemMask(&Kernel[procLocation], 0x30, find3, sizeof(find3), mask3, sizeof(mask3));
otherSys = true;
}
if (patchLocation2 != KERNEL_MAX_SIZE) {
patchLocation2 += procLocation;
}
*/
/*
procLocation = searchProc(Kernel, "loadExecutable");
//check
DBG_RT("==> loadExecutable (10.11 - recent macOS) at %llx\n", procLocation);
// for (UINTN j=procLocation+0x39; j<procLocation+0x50; ++j) {
// DBG_RT("%02x ", Kernel[j]);
// }
// DBG_RT("\n");
// Stall(10000000);
const UINT8 find2[] = {0x48, 0x85, 00, 0x74, 00, 0x48, 00, 00, 0x48 };
const UINT8 mask2[] = {0xFF, 0xFF, 00, 0xFF, 00, 0xFF, 00, 00, 0xFF };
patchLocation2 = FindMemMask(&Kernel[procLocation], 0x1000, find2, sizeof(find2), mask2, sizeof(mask2));
if (patchLocation2 == KERNEL_MAX_SIZE) {
//Mojave
procLocation = searchProc(Kernel, "IOTaskHasEntitlement");
const UINT8 find4[] = {0x48, 0x85, 0xC0, 0x74, 0x00, 00, 00};
const UINT8 mask4[] = {0xFF, 0xFF, 0xFF, 0xFF, 0xC0, 00, 00};
patchLocation2 = FindMemMask(&Kernel[procLocation], 0x100, find3, sizeof(find3), mask3, sizeof(mask3));
if (patchLocation2 != KERNEL_MAX_SIZE) {
taskFound = true;
} else {
//Catalina
//ffffff80009a2273 85C0 test eax, eax
//ffffff80009a2275 0F843C010000 je 0xffffff80009a23b7
//ffffff80009a227b 498B4500 mov rax, qword [ds:r13+0x0]
const UINT8 find3[] = {0x00, 0x85, 0xC0, 0x0F, 0x84, 00, 0x00, 0x00, 0x00, 0x49 };
const UINT8 mask3[] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 00, 0xFC };
patchLocation2 = FindMemMask(&Kernel[procLocation], 0x1000, find3, sizeof(find3), mask3, sizeof(mask3));
}
}
if (patchLocation2 != KERNEL_MAX_SIZE) {
patchLocation2 += procLocation;
}
*/
#endif
// Stall(9000000);
/*
if (!patchLocation2 || patchLocation2 == KERNEL_MAX_SIZE) {
DBG_RT("==> can't find SIP (10.11 - recent macOS), kernel patch aborted.\n");
for (UINTN j=procLocation; j<procLocation+0x20; ++j) {
DBG_RT("%02x ", Kernel[j]);
}
DBG_RT("\n");
Stall(3000000);
} else {
UINT8 jmp;
if (!otherSys) {
patchLocation2 += 3;
jmp = Kernel[patchLocation2 + 4] + 1;
DBG_RT("Catalina\n");
} else {
if (Kernel[patchLocation2 + 2] == 0xC0) {
jmp = Kernel[patchLocation2 + 4];
DBG_RT("Mojave\n");
} else {
jmp = Kernel[patchLocation2 + 4] - 2;
DBG_RT("Capitan\n");
}
}
const UINT8 repl4[] = {0xB8, 0x01, 0x00, 0x00, 0x00, 0xEB};
CopyMem(&Kernel[patchLocation2], repl4, sizeof(repl4));
Kernel[patchLocation2 + 6] = jmp;
DBG_RT("=> patch SIP applied\n");
for (UINTN j=procLocation; j<procLocation+0x80; ++j) {
DBG_RT("%02x ", Kernel[j]);
}
DBG_RT("\n");
Stall(10000000);
}
*/
//ffffff80009a2267 488D35970D2400 lea rsi, qword [ds:0xffffff8000be3005] ; "com.apple.private.security.kext-management"
//ffffff80009a226e E89D780D00 call _IOTaskHasEntitlement
//ffffff80009a2273 85C0 test eax, eax =>change to eb06 -> jmp .+6
//ffffff80009a2275 0F843C010000 je 0xffffff80009a23b7
//ffffff80009a227b
UINTN taskLocation = searchProc(Kernel, "IOTaskHasEntitlement");
procLocation = searchProc(Kernel, "loadExecutable");
patchLocation2 = FindMemMask(&Kernel[procLocation], 0x500, find3, sizeof(find3), mask3, sizeof(mask3));
UINTN taskLocation = searchProc("IOTaskHasEntitlement");
procLocation = searchProc("loadExecutable");
patchLocation2 = FindMemMask(&KernelData[procLocation], 0x500, find3, sizeof(find3), mask3, sizeof(mask3));
if (patchLocation2 != KERNEL_MAX_SIZE) {
DBG_RT("=> patch SIP applied\n");
patchLocation2 += procLocation;
Kernel[patchLocation2 + 3] = 0xEB;
if (Kernel[patchLocation2 + 4] == 0x6C) {
Kernel[patchLocation2 + 4] = 0x15;
KernelData[patchLocation2 + 3] = 0xEB;
if (KernelData[patchLocation2 + 4] == 0x6C) {
KernelData[patchLocation2 + 4] = 0x15;
} else {
Kernel[patchLocation2 + 4] = 0x12;
KernelData[patchLocation2 + 4] = 0x12;
}
} else {
patchLocation2 = FindRelative32(Kernel, procLocation, 0x500, taskLocation);
patchLocation2 = FindRelative32(KernelData, procLocation, 0x500, taskLocation);
if (patchLocation2 != 0) {
DBG_RT("=> patch2 SIP applied\n");
Kernel[patchLocation2] = 0xEB;
Kernel[patchLocation2 + 1] = 0x06;
KernelData[patchLocation2] = 0xEB;
KernelData[patchLocation2 + 1] = 0x06;
}
}
Stall(10000000);
@ -1232,10 +1143,10 @@ VOID EFIAPI LOADER_ENTRY::KernelBooterExtensionsPatch(IN UINT8 *Kernel)
//Slice - hope this patch useful for some system that I have no.
// KxldUnmap by vit9696
// Avoid race condition in OSKext::removeKextBootstrap when using booter kexts without keepsyms=1.
procLocation = searchProc(Kernel, "removeKextBootstrap");
procLocation = searchProc("removeKextBootstrap");
const UINT8 find5[] = {0x00, 0x0F, 0x85, 00, 00, 0x00, 0x00, 0x48 };
const UINT8 mask5[] = {0xFF, 0xFF, 0xFF, 00, 00, 0xFF, 0xFF, 0xFF };
patchLocation3 = FindMemMask(&Kernel[procLocation], 0x1000, find5, sizeof(find5), mask5, sizeof(mask5));
patchLocation3 = FindMemMask(&KernelData[procLocation], 0x1000, find5, sizeof(find5), mask5, sizeof(mask5));
/*
@ -1274,25 +1185,23 @@ VOID EFIAPI LOADER_ENTRY::KernelBooterExtensionsPatch(IN UINT8 *Kernel)
DBG_RT("==> patched KxldUnmap (10.14 - recent macOS)\n");
// 00 0F 85 XX XX 00 00 48
// 00 90 E9 XX XX 00 00 48
Kernel[procLocation + patchLocation3 + 1] = 0x90;
Kernel[procLocation + patchLocation3 + 2] = 0xE9;
KernelData[procLocation + patchLocation3 + 1] = 0x90;
KernelData[procLocation + patchLocation3 + 2] = 0xE9;
}
}
} else {
// i386
if (NumSnow_i386_EXT == 1) {
Num = SearchAndReplace(Kernel, KERNEL_MAX_SIZE, KBESnowSearchEXT_i386, sizeof(KBESnowSearchEXT_i386), KBESnowReplaceEXT_i386, 1);
Num = SearchAndReplace(KernelData, KERNEL_MAX_SIZE, KBESnowSearchEXT_i386, sizeof(KBESnowSearchEXT_i386), KBESnowReplaceEXT_i386, 1);
// DBG_RT("==> kernel Snow Leopard i386: %llu replaces done.\n", Num);
} else if (NumLion_i386_EXT == 1) {
Num = SearchAndReplace(Kernel, KERNEL_MAX_SIZE, KBELionSearchEXT_i386, sizeof(KBELionSearchEXT_i386), KBELionReplaceEXT_i386, 1);
Num = SearchAndReplace(KernelData, KERNEL_MAX_SIZE, KBELionSearchEXT_i386, sizeof(KBELionSearchEXT_i386), KBELionReplaceEXT_i386, 1);
// DBG_RT("==> kernel Lion i386: %llu replaces done.\n", Num);
} else {
DBG_RT("==> ERROR: NOT patched - unknown kernel.\n");
}
}
if (KernelAndKextPatches->KPDebug) {
DBG_RT("Pausing 5 secs ...\n");
Stall(5000000);
}
DBG_RT("Pausing 5 secs ...\n");
Stall(5000000);
}
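Review bot: Nothing in KernelBooterExtensionsPatch checks the `KernelData` member before the first `SearchAndCount(KernelData, KERNEL_MAX_SIZE, ...)` calls, and the menu_items.h hunk in this commit initializes that member to 0 in the LOADER_ENTRY constructor, so a call made before the kernel image is attached now scans KERNEL_MAX_SIZE bytes from a null pointer instead of from whatever the caller used to pass in. A guard at the top of the function keeps the old parameter contract explicit: `if (KernelData == NULL) { DBG_RT("KernelBooterExtensionsPatch: no kernel data\n"); return; }`. The same pattern applies to the `searchProc(...)` results: `procLocation` from `searchProc("loadExecutable")` and `searchProc("removeKextBootstrap")` is used directly as an index in `FindMemMask(&KernelData[procLocation], ...)` with no not-found test, unlike the `!= KERNEL_MAX_SIZE` and `!= 0` checks applied to FindMemMask and FindRelative32, so if searchProc signals failure with a sentinel the later writes at `KernelData[patchLocation2 + 3]` land at an offset derived from it — worth confirming against searchProc's definition, which is outside this page. The function body is only partially visible between the hunks.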


@ -90,9 +90,5 @@ typedef struct
// functions
////////////////////
class LOADER_ENTRY;
//EFI_STATUS LoadKexts(IN LOADER_ENTRY *Entry);
//EFI_STATUS InjectKexts(IN UINT32 deviceTreeP, IN UINT32* deviceTreeLength, LOADER_ENTRY *Entry);
//VOID EFIAPI KernelBooterExtensionsPatch(IN UINT8 *KernelData, LOADER_ENTRY *Entry);
#endif


@ -598,24 +598,6 @@ VOID LOADER_ENTRY::AppleRTCPatch(UINT8 *Driver, UINT32 DriverSize, CHAR8 *InfoPl
DBG_RT("AppleRTC: not patched\n");
}
/*
UINTN writeCmos = searchProc(Driver, "rtcWrite");
UINTN patchLocation2 = FindRelative32(Driver, procLocation, 0x100, writeCmos);
DBG_RT("AppleRTC:");
if (patchLocation2 != 0) {
Driver[patchLocation2 - 5] = 0xEB;
Driver[patchLocation2 - 4] = 0x03;
DBG_RT(" patched 1\n");
UINTN patchLocation3 = FindRelative32(Driver, patchLocation2, 0x20, writeCmos);
if (patchLocation3 != 0) {
Driver[patchLocation3 - 5] = 0xEB;
Driver[patchLocation3 - 4] = 0x03;
DBG_RT(" patched 2\n");
}
} else {
DBG_RT(" not patched\n");
}
*/
#endif
Stall(5000000);


@ -357,6 +357,7 @@ class REFIT_ABSTRACT_MENU_ENTRY
XImage CustomLogo;
KERNEL_AND_KEXT_PATCHES *KernelAndKextPatches;
CONST CHAR16 *Settings;
UINT8 *KernelData;
UINT32 AddrVtable;
UINT32 SizeVtable;
UINT32 NamesTable;
@ -366,32 +367,34 @@ class REFIT_ABSTRACT_MENU_ENTRY
LOADER_ENTRY()
: REFIT_MENU_ITEM_BOOTNUM(), VolName(0), DevicePath(0), Flags(0), LoaderType(0), OSVersion(0), BuildVersion(0),
BootBgColor({0,0,0,0}),
CustomBoot(0), KernelAndKextPatches(0), Settings(0),
CustomBoot(0), KernelAndKextPatches(0), Settings(0), KernelData(0),
AddrVtable(0), SizeVtable(0), NamesTable(0), shift(0)
{};
VOID FindBootArgs();
EFI_STATUS getVTable(UINT8* kernel);
UINTN searchProc(UINT8 * kernel, const char *procedure);
EFI_STATUS getVTable();
VOID Get_PreLink();
UINTN searchProc(const char *procedure);
UINTN searchProcInDriver(UINT8 * driver, UINT32 driverLen, const char *procedure);
VOID KernelAndKextsPatcherStart();
VOID KernelAndKextPatcherInit();
BOOLEAN KernelUserPatch(UINT8 * kernel);
BOOLEAN KernelPatchPm(VOID *kernelData);
BOOLEAN KernelLapicPatch_32(VOID *kernelData);
BOOLEAN KernelLapicPatch_64(VOID *kernelData);
BOOLEAN KernelUserPatch();
BOOLEAN KernelPatchPm();
BOOLEAN KernelLapicPatch_32();
BOOLEAN KernelLapicPatch_64();
BOOLEAN BooterPatch(IN UINT8 *BooterData, IN UINT64 BooterSize);
VOID EFIAPI KernelBooterExtensionsPatch(IN UINT8 *Kernel);
BOOLEAN KernelPanicNoKextDump(VOID *kernelData);
VOID KernelCPUIDPatch(UINT8* kernelData);
BOOLEAN PatchCPUID(UINT8* bytes, const UINT8* Location, INT32 LenLoc,
VOID EFIAPI KernelBooterExtensionsPatch();
BOOLEAN KernelPanicNoKextDump();
VOID KernelCPUIDPatch();
BOOLEAN PatchCPUID(const UINT8* Location, INT32 LenLoc,
const UINT8* Search4, const UINT8* Search10, const UINT8* ReplaceModel,
const UINT8* ReplaceExt, INT32 Len);
VOID KernelPatcher_32(VOID* kernelData);
VOID KernelPatcher_64(VOID* kernelData);
VOID KernelPatcher_32();
VOID KernelPatcher_64();
VOID FilterKernelPatches();
VOID FilterKextPatches();
VOID FilterBootPatches();
VOID applyKernPatch(const UINT8 *find, UINTN size, const UINT8 *repl, const CHAR8 *comment);
EFI_STATUS SetFSInjection();
EFI_STATUS InjectKexts(IN UINT32 deviceTreeP, IN UINT32 *deviceTreeLength);
@ -418,12 +421,12 @@ class REFIT_ABSTRACT_MENU_ENTRY
VOID DellSMBIOSPatch(UINT8 *Driver, UINT32 DriverSize, CHAR8 *InfoPlist, UINT32 InfoPlistSize);
VOID SNBE_AICPUPatch(UINT8 *Driver, UINT32 DriverSize, CHAR8 *InfoPlist, UINT32 InfoPlistSize);
VOID BDWE_IOPCIPatch(UINT8 *Driver, UINT32 DriverSize, CHAR8 *InfoPlist, UINT32 InfoPlistSize);
BOOLEAN SandyBridgeEPM(VOID *kernelData);
BOOLEAN HaswellEXCPM(VOID *kernelData);
BOOLEAN HaswellLowEndXCPM(VOID *kernelData);
BOOLEAN BroadwellEPM(VOID *kernelData);
BOOLEAN KernelIvyBridgeXCPM(VOID *kernelData);
BOOLEAN KernelIvyE5XCPM(VOID *kernelData);
BOOLEAN SandyBridgeEPM();
BOOLEAN HaswellEXCPM();
BOOLEAN HaswellLowEndXCPM();
BOOLEAN BroadwellEPM();
BOOLEAN KernelIvyBridgeXCPM();
BOOLEAN KernelIvyE5XCPM();
VOID Stall(int Pause) { if ((KernelAndKextPatches != NULL) && KernelAndKextPatches->KPDebug) { gBS->Stall(Pause); } };
VOID StartLoader();