senji
selamlar.
SB testler için bir şey lazımdı. birkaç saatte yaptım. çok da önemli olmadığı için burada paylaşmak istiyorum.
yararlanmak isteyen arkadaşlarım buyurabilir.
vgc'ye karşı çalışıyor mu denemedim.
DT mi değil mi bilmiyorum, değildir büyük ihtimalle. deneyiniz.
SB testler için bir şey lazımdı. birkaç saatte yaptım. çok da önemli olmadığı için burada paylaşmak istiyorum.
yararlanmak isteyen arkadaşlarım buyurabilir.
vgc'ye karşı çalışıyor mu denemedim.
C:
#include "Driver.h"
#include <ntstrsafe.h>
// sig HalEfiRuntimeServicesTable (w10/w11)
// 48 8B 05 ? ? ? ? 48 8B ? 0F 11 45 ? 48 85 C0
/*
 * Locates a ULONG inside the loaded kernel image by byte-pattern search and
 * sets bits 0 and 3 in it, after saving the previous value in
 * pDriver->ulSecureBootOrigValue.
 *
 * Judging by the function name and the inline comment this is the kernel's
 * in-memory Secure Boot status word; the page does not show which symbol the
 * address resolves to -- confirm before relying on that.
 *
 * Defensive reading: the firmware's Secure Boot configuration is untouched;
 * only what the running kernel reports changes. Once a driver like this is
 * loaded, no OS-reported Secure Boot state can be trusted. The controls that
 * matter are blocking the driver load (HVCI, vulnerable-driver blocklist)
 * and checking boot state against a TPM-backed quote instead of OS globals.
 */
VOID SetSecureBootNtosValue()
{
    // Pattern searched for in the kernel image. The bytes decode to
    // shr eax,3 / and al,1 / mov [rdx+1],al, i.e. code that extracts bit 3
    // of a value -- consistent with the "Bit 3" remark further down.
    static const CHAR signature[] = "\xC1\xE8\x03\x24\x01\x88\x42\x01";
    // FindPattern is defined elsewhere. NOTE(review): -0x6, TRUE and 0x2 look
    // like "offset from the match", "resolve a relative operand" and "operand
    // position" -- TODO confirm against FindPattern's definition.
    pDriver->ulSecureBootValueAddress = FindPattern(
        pDriver->ulNtosKrnlBase,
        pDriver->ulNtosKrnlSize,
        (PCHAR)signature,
        -0x6,
        TRUE,
        0x2
    );
    // Zero is treated as "pattern not found"; nothing is modified then.
    if (!pDriver->ulSecureBootValueAddress)
    {
        return;
    }
    // The resolved address is dereferenced without any validity check, so a
    // false-positive match becomes a wild kernel read and write.
    ULONG currentValue = *(ULONG*)(pDriver->ulSecureBootValueAddress);
    // Original value is kept in the driver context; no restore path is
    // visible on this page.
    pDriver->ulSecureBootOrigValue = currentValue;
    // Set bit 0 and bit 3 (the original note reads "SB enabled disabled").
    currentValue |= 0x1;
    currentValue |= 0x8;
    // Plain, non-atomic store into kernel memory.
    *(ULONG*)(pDriver->ulSecureBootValueAddress) = currentValue;
}
/*
 * Writes the DWORD 1 to a registry value whose key path and value name are
 * obtained at run time from GetDecryptedString.
 *
 * The constant names suggest the target is the SecureBoot\State key and its
 * UEFISecureBootEnabled value; the decrypted strings themselves are not on
 * this page, so treat that as an assumption.
 *
 * Defensive reading: the registry value is a convenience copy of the boot
 * state, not a source of truth. A check that reads only this value is
 * satisfied by this function; the firmware variable and the TPM measurements
 * are not affected by it. A write to this value from kernel context after
 * boot is an anomaly worth alerting on.
 */
VOID SetSecureBootRegKey()
{
    CHAR keyPathBuffer[128] = {0};
    CHAR valueNameBuffer[128] = {0};
    // GetDecryptedString receives no buffer size; whether it stays within
    // 128 bytes cannot be told from here.
    GetDecryptedString(STRING_REG_KEYPATH_SECUREBOOTSTATE, keyPathBuffer);
    GetDecryptedString(STRING_REG_KEYNAME_UEFISECUREBOOTENABLED, valueNameBuffer);
    WCHAR wideKeyPath[128] = {0};
    WCHAR wideValueName[128] = {0};
    // Conversion results are not checked. A source of 128 or more characters
    // would fill the destination without a terminator, and
    // RtlInitUnicodeString below would then scan past the array.
    mbstowcs(wideKeyPath, keyPathBuffer, 128);
    mbstowcs(wideValueName, valueNameBuffer, 128);
    UNICODE_STRING usKeyPath, usValueName;
    RtlInitUnicodeString(&usKeyPath, wideKeyPath);
    RtlInitUnicodeString(&usValueName, wideValueName);
    OBJECT_ATTRIBUTES objAttributes;
    // OBJ_KERNEL_HANDLE is not requested here, unlike in SetWCBLFile.
    InitializeObjectAttributes(&objAttributes, &usKeyPath, OBJ_CASE_INSENSITIVE, NULL, NULL);
    HANDLE hKey = NULL;
    // KEY_ALL_ACCESS is requested although only a value write follows.
    NTSTATUS status = ZwOpenKey(&hKey, KEY_ALL_ACCESS, &objAttributes);
    if (NT_SUCCESS(status))
    {
        DWORD secureBootValue = 0x1;
        // Return status of the write is discarded.
        ZwSetValueKey(hKey, &usValueName, 0, REG_DWORD, &secureBootValue, sizeof(DWORD));
        ZwClose(hKey);
    }
}
/*
 * Opens the existing file at filePath, reads it into non-paged pool, edits
 * bytes around the first UTF-16LE "Secu" marker so that two of them become
 * 0x01, and writes the buffer back starting at offset 0.
 *
 * The only caller on this page (SetTPMRegister) passes the path returned by
 * GetPlatformLogFilePath, so the target is presumably the on-disk
 * measured-boot (WBCL / TCG) event log, and the marker the start of the
 * "SecureBoot" variable name inside one event. The file format is not shown
 * here -- confirm against a real log. "WCBL" in the function name looks like
 * a transposition of "WBCL", which is the spelling the constants use.
 *
 * Defensive reading: the log is only a record of what was measured. Nothing
 * in this function touches the TPM, so a verifier that recomputes the event
 * digests and replays them against a signed PCR quote should see that the
 * edited event no longer matches. A consumer that parses the log without
 * that replay accepts the edit. Any write to the measured-boot log after
 * boot is itself worth monitoring for.
 *
 * @param filePath NUL-terminated path in the form ZwCreateFile accepts.
 */
VOID SetWCBLFile(PWCHAR filePath)
{
    UNICODE_STRING usFilePath;
    RtlInitUnicodeString(&usFilePath, filePath);
    OBJECT_ATTRIBUTES objAttributes;
    InitializeObjectAttributes(&objAttributes, &usFilePath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    IO_STATUS_BLOCK ioStatusBlock = {0};
    HANDLE hFile = NULL;
    // FILE_OPEN: the file must already exist. Share access 0 makes the open
    // exclusive. Synchronous I/O so the read and write below complete inline.
    NTSTATUS status = ZwCreateFile(
        &hFile,
        FILE_ALL_ACCESS,
        &objAttributes,
        &ioStatusBlock,
        NULL,
        FILE_ATTRIBUTE_SYSTEM,
        0,
        FILE_OPEN,
        FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
        NULL,
        0
    );
    if (!NT_SUCCESS(status))
    {
        return;
    }
    FILE_STANDARD_INFORMATION fileInfo = {0};
    if (NT_SUCCESS(ZwQueryInformationFile(hFile, &ioStatusBlock, &fileInfo, sizeof(FILE_STANDARD_INFORMATION), FileStandardInformation)))
    {
        // Only the low 32 bits of the size are used.
        ULONG fileLength = fileInfo.EndOfFile.LowPart;
        if (fileLength > 0x10)
        {
            // One spare byte: the 0x34 branch below grows the content by one.
            PBYTE pFileBuffer = (PBYTE)ExAllocatePool(NonPagedPool, fileLength + 1);
            if (pFileBuffer)
            {
                LARGE_INTEGER byteOffset = {0};
                // The number of bytes actually read is not compared with
                // fileLength.
                status = ZwReadFile(hFile, NULL, NULL, NULL, &ioStatusBlock, pFileBuffer, fileLength, &byteOffset, NULL);
                if (NT_SUCCESS(status))
                {
                    INT secureBootIdx = 0, sizeIdx = 0, secureBootIdx2 = 0;
                    // UTF-16LE "Secu" read as one 64-bit little-endian word.
                    // This relies on ULONG_PTR being 8 bytes wide.
                    const ULONG_PTR signature = 0x0075006300650053; // "S.e.c.u"
                    // First match wins. The 8-byte load is unaligned.
                    for (int i = 0; i < (int)(fileLength - 0x10); i++)
                    {
                        if (*(ULONG_PTR*)(&pFileBuffer[i]) == signature)
                        {
                            // Fixed offsets relative to the marker. With a match
                            // at i < 0x24 (or i < 0x8) these become negative and
                            // index in front of the allocation.
                            sizeIdx = i - 0x24;
                            secureBootIdx = i + 0x14;
                            secureBootIdx2 = i - 0x8;
                            break;
                        }
                    }
                    // No "marker found" flag exists: without a match all three
                    // indices stay 0 and the tests below inspect byte 0 of the
                    // file instead.
                    // NOTE(review): 0x34 / 0x35 are presumably the event size
                    // without and with a one-byte variable payload -- TODO
                    // confirm against the log format.
                    if (pFileBuffer[sizeIdx] == 0x34)
                    {
                        // Shifts the tail up by one byte. Source and destination
                        // overlap, which memcpy does not define.
                        memcpy(&pFileBuffer[secureBootIdx + 1], &pFileBuffer[secureBootIdx], fileLength - secureBootIdx);
                        pFileBuffer[sizeIdx] += 0x1;
                        pFileBuffer[secureBootIdx] = 0x1;
                        pFileBuffer[secureBootIdx2] = 0x1;
                        fileLength += 1;
                    }
                    else if (pFileBuffer[sizeIdx] == 0x35)
                    {
                        pFileBuffer[secureBootIdx] = 0x1;
                        pFileBuffer[secureBootIdx2] = 0x1;
                    }
                    byteOffset.QuadPart = 0;
                    // The whole buffer is written back even when nothing was
                    // changed; the status is discarded.
                    ZwWriteFile(hFile, NULL, NULL, NULL, &ioStatusBlock, pFileBuffer, fileLength, &byteOffset, NULL);
                }
                ExFreePool(pFileBuffer);
            }
        }
    }
    ZwClose(hFile);
}
/*
 * Opens the registry key named by wPath and stores pData (dataLen bytes, of
 * registry type `type`) under the value name wKeyName.
 *
 * Best effort: if the key cannot be opened nothing happens, and the status
 * of the write itself is not inspected. The key is opened with
 * KEY_ALL_ACCESS and without OBJ_KERNEL_HANDLE.
 *
 * On this page the helper is used to write the edited boot-log blob back to
 * the registry, so calls to it mark the points where attestation-related
 * registry data is altered.
 */
VOID SetRegistryKey(PWCHAR wPath, PWCHAR wKeyName, INT type, PVOID pData, INT dataLen)
{
    UNICODE_STRING keyPath;
    UNICODE_STRING valueName;
    OBJECT_ATTRIBUTES keyAttributes;
    HANDLE keyHandle = NULL;

    RtlInitUnicodeString(&keyPath, wPath);
    RtlInitUnicodeString(&valueName, wKeyName);
    InitializeObjectAttributes(&keyAttributes, &keyPath, OBJ_CASE_INSENSITIVE, NULL, NULL);

    // Guard clause: leave quietly when the key is not available.
    if (!NT_SUCCESS(ZwOpenKey(&keyHandle, KEY_ALL_ACCESS, &keyAttributes)))
    {
        return;
    }

    ZwSetValueKey(keyHandle, &valueName, 0, type, pData, dataLen);
    ZwClose(keyHandle);
}
/*
 * Registry counterpart of SetWCBLFile: reads a binary value, edits bytes
 * around the first UTF-16LE "Secu" marker, and writes the blob back through
 * SetRegistryKey.
 *
 * Key path and value name come from GetDecryptedString. The constant names
 * point at an "IntegrityServices" key and a "WBCL" value, i.e. presumably
 * the registry copy of the measured-boot log; the decrypted strings are not
 * shown on this page.
 *
 * Defensive reading: as with the on-disk log, this changes a record and not
 * the TPM state behind it. A verifier that replays the log against a quoted
 * PCR set should see the inconsistency. Registry auditing on this value
 * catches the write itself.
 */
VOID SetWCBLRegistry()
{
    CHAR integrityServicesBuffer[128] = {0};
    CHAR wbclBuffer[128] = {0};
    // No buffer size is passed to GetDecryptedString.
    GetDecryptedString(STRING_REG_KEYPATH_INTEGRITYSERVICES, integrityServicesBuffer);
    GetDecryptedString(STRING_REG_KEYNAME_WBCL, wbclBuffer);
    WCHAR wideIntegrityServices[128] = {0};
    WCHAR wideWBCL[128] = {0};
    // Conversion results are not checked.
    mbstowcs(wideIntegrityServices, integrityServicesBuffer, 128);
    mbstowcs(wideWBCL, wbclBuffer, 128);
    UNICODE_STRING usKeyPath, usValueName;
    RtlInitUnicodeString(&usKeyPath, wideIntegrityServices);
    RtlInitUnicodeString(&usValueName, wideWBCL);
    OBJECT_ATTRIBUTES objAttributes;
    InitializeObjectAttributes(&objAttributes, &usKeyPath, OBJ_CASE_INSENSITIVE, NULL, NULL);
    HANDLE hKey = NULL;
    if (NT_SUCCESS(ZwOpenKey(&hKey, KEY_ALL_ACCESS, &objAttributes)))
    {
        // WBCL_SIZE is defined elsewhere. The allocation holds the
        // KEY_VALUE_PARTIAL_INFORMATION header plus the data.
        PKEY_VALUE_PARTIAL_INFORMATION pKeyInfo = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(NonPagedPool, WBCL_SIZE * 2);
        if (pKeyInfo)
        {
            ULONG resultLength = 0;
            if (NT_SUCCESS(ZwQueryValueKey(hKey, &usValueName, KeyValuePartialInformation, pKeyInfo, WBCL_SIZE * 2, &resultLength)))
            {
                INT secureBootIdx = 0, sizeIdx = 0, secureBootIdx2 = 0;
                // UTF-16LE "Secu" as one 64-bit little-endian word; relies
                // on ULONG_PTR being 8 bytes wide.
                const ULONG_PTR signature = 0x0075006300650053; // "S.e.c.u"
                // DataLength is unsigned, so the subtraction wraps when it is
                // below 0x10; the loop then depends on how the cast to int
                // treats the wrapped value.
                for (int i = 0; i < (int)(pKeyInfo->DataLength - 0x10); i++)
                {
                    if (*(ULONG_PTR*)(&pKeyInfo->Data[i]) == signature)
                    {
                        // Fixed offsets relative to the marker; negative when
                        // the match lies in the first 0x24 bytes.
                        sizeIdx = i - 0x24;
                        secureBootIdx = i + 0x14;
                        secureBootIdx2 = i - 0x8;
                        break;
                    }
                }
                // Without a match the indices are 0 and Data[0] is tested.
                if (pKeyInfo->Data[sizeIdx] == 0x34)
                {
                    // Overlapping one-byte shift through memcpy. The data
                    // grows by one byte; nothing checks that this still fits
                    // in the WBCL_SIZE * 2 allocation.
                    memcpy(&pKeyInfo->Data[secureBootIdx + 1], &pKeyInfo->Data[secureBootIdx], pKeyInfo->DataLength - secureBootIdx);
                    pKeyInfo->Data[sizeIdx] += 0x1;
                    pKeyInfo->Data[secureBootIdx] = 0x1;
                    pKeyInfo->Data[secureBootIdx2] = 0x1;
                    pKeyInfo->DataLength += 1;
                }
                else if (pKeyInfo->Data[sizeIdx] == 0x35)
                {
                    // Only one byte is set here; the file variant sets
                    // secureBootIdx2 as well in this branch.
                    *(BYTE*)(&pKeyInfo->Data[secureBootIdx]) = 0x1;
                }
                // Write back only when a marker was found. A negative sizeIdx
                // also counts as "found" in this test.
                if (secureBootIdx && sizeIdx)
                {
                    SetRegistryKey(wideIntegrityServices, wideWBCL, REG_BINARY, pKeyInfo->Data, pKeyInfo->DataLength);
                }
            }
            ExFreePool(pKeyInfo);
        }
        ZwClose(hKey);
    }
}
/*
 * Reads a string value from the registry and copies it into outputBuffer.
 *
 * Key path and value name come from GetDecryptedString. The constant names
 * point at an "IntegrityServices" key and a "PlatformLogFile" value, i.e.
 * presumably the path of the current measured-boot log file; the decrypted
 * strings are not shown on this page.
 *
 * @param outputBuffer Destination. The copy is bounded to
 *                     256 * sizeof(WCHAR) bytes, so the caller must supply
 *                     at least that much (SetTPMRegister passes WCHAR[256]).
 * @return TRUE when the value was read and copied, FALSE otherwise.
 */
BOOL GetPlatformLogFilePath(PWCHAR outputBuffer)
{
    CHAR integrityServicesBuffer[128] = {0};
    CHAR platformLogFileBuffer[128] = {0};
    // No buffer size is passed to GetDecryptedString.
    GetDecryptedString(STRING_REG_KEYPATH_INTEGRITYSERVICES, integrityServicesBuffer);
    GetDecryptedString(STRING_REG_KEYNAME_PLATFORMLOGFILE, platformLogFileBuffer);
    WCHAR wideIntegrityServices[128] = {0};
    WCHAR widePlatformLogFile[128] = {0};
    // Conversion results are not checked.
    mbstowcs(wideIntegrityServices, integrityServicesBuffer, 128);
    mbstowcs(widePlatformLogFile, platformLogFileBuffer, 128);
    UNICODE_STRING usKeyPath, usValueName;
    RtlInitUnicodeString(&usKeyPath, wideIntegrityServices);
    RtlInitUnicodeString(&usValueName, widePlatformLogFile);
    OBJECT_ATTRIBUTES objAttributes;
    InitializeObjectAttributes(&objAttributes, &usKeyPath, OBJ_CASE_INSENSITIVE, NULL, NULL);
    BOOL success = FALSE;
    HANDLE hKey = NULL;
    // KEY_ALL_ACCESS is requested although the key is only read.
    if (NT_SUCCESS(ZwOpenKey(&hKey, KEY_ALL_ACCESS, &objAttributes)))
    {
        // The buffer must hold the KEY_VALUE_PARTIAL_INFORMATION header as
        // well, so fewer than 256 characters of data fit.
        PKEY_VALUE_PARTIAL_INFORMATION pKeyInfo = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(NonPagedPool, 256 * sizeof(WCHAR));
        if (pKeyInfo)
        {
            ULONG resultLength = 0;
            if (NT_SUCCESS(ZwQueryValueKey(hKey, &usValueName, KeyValuePartialInformation, pKeyInfo, 256 * sizeof(WCHAR), &resultLength)))
            {
                // Neither the value type nor a terminating NUL inside
                // DataLength is checked before Data is formatted with %s.
                // The formatting status is ignored and success is reported
                // regardless.
                RtlStringCbPrintfW(outputBuffer, 256 * sizeof(WCHAR), L"%s", (PWCHAR)pKeyInfo->Data);
                success = TRUE;
            }
            ExFreePool(pKeyInfo);
        }
        ZwClose(hKey);
    }
    return success;
}
/*
 * Entry point for the boot-log edits: resolves the platform log file path
 * and, if that works, runs the file edit followed by the registry edit.
 *
 * Despite the name, no TPM register is accessed on this page. Only the
 * on-disk log and its registry copy are rewritten, so the PCR values a TPM
 * quote reports are outside the reach of this code.
 */
VOID SetTPMRegister()
{
    WCHAR logFilePath[256] = {0};

    // Nothing is touched unless the log path could be read from the registry.
    if (!GetPlatformLogFilePath(logFilePath))
    {
        return;
    }

    SetWCBLFile(logFilePath);
    SetWCBLRegistry();
}
/*
 * Sets DbgSecureBootEnabled in the shared user data page by editing a pool
 * copy of the structure and writing the copy's 4-byte SharedDataFlags over
 * the live one through SafeWrite.
 *
 * _KUSER_SHARED_DATA2 and SafeWrite are declared elsewhere. For the write to
 * carry the change, DbgSecureBootEnabled has to be a bit-field overlaying
 * SharedDataFlags -- presumably so, confirm in Driver.h.
 *
 * Defensive reading: this page is mapped into every process, so any
 * user-mode component that reads the flag from it sees the edited value. It
 * is a hint published by the kernel, not an attested statement about boot
 * state.
 */
VOID SetUserSharedDataSecureBoot()
{
    _KUSER_SHARED_DATA2* sharedData = (_KUSER_SHARED_DATA2*)KI_USER_SHARED_DATA;
    // The whole structure is copied although only one ULONG is used below.
    _KUSER_SHARED_DATA2* tempBuffer = (_KUSER_SHARED_DATA2*)ExAllocatePool(NonPagedPool, sizeof(_KUSER_SHARED_DATA2));
    if (tempBuffer)
    {
        memcpy(tempBuffer, sharedData, sizeof(_KUSER_SHARED_DATA2));
        tempBuffer->DbgSecureBootEnabled = 1;
        // Read-modify-write without synchronization: a flag the kernel
        // changes between the memcpy and this write is overwritten with the
        // stale copy.
        SafeWrite((PVOID)&sharedData->SharedDataFlags, (PVOID)&tempBuffer->SharedDataFlags, sizeof(ULONG));
        ExFreePool(tempBuffer);
    }
}
DT mi değil mi bilmiyorum, değildir büyük ihtimalle. deneyiniz.
Ama uc'de paylaşsan daha çok rep alırdın burada bunları kullanabilecek yararlanabilecek kişiler olduğunu sanmıyorum yine de eline sağlık.