From 8d7a3187959ed0cf7cf55e7656f8ee595db9a088 Mon Sep 17 00:00:00 2001 From: Mounir IDRASSI Date: Wed, 27 Feb 2019 00:09:40 +0100 Subject: Windows: use specific order for EFI boot arguments memory regions that matches the one used by EFI bootloader. --- src/Boot/Windows/BootDefs.h | 3 ++- src/Common/Tcdefs.h | 8 ++++++++ src/Driver/DriveFilter.c | 19 +++++++++++-------- src/Driver/DriveFilter.h | 2 +- src/Driver/Ntdriver.c | 42 +++++++++++++++++++++++++++++++++++++++++- 5 files changed, 63 insertions(+), 11 deletions(-) diff --git a/src/Boot/Windows/BootDefs.h b/src/Boot/Windows/BootDefs.h index cd4b2263..3d65f0a0 100644 --- a/src/Boot/Windows/BootDefs.h +++ b/src/Boot/Windows/BootDefs.h @@ -205,6 +205,7 @@ TC_HIDDEN_OS_CREATION_PHASE_WIPED = TC__HIDDEN_OS_CREATION_PHASE_WIPED 0x100000, 0x200000, 0x300000, 0x400000, 0x500000, 0x600000, 0x700000, 0x800000, \ 0x900000, 0xA00000, 0xB00000, 0xC00000, 0xD00000, 0xE00000, 0xF00000, 0x1000000 -#define EFI_BOOTARGS_REGIONS EFI_BOOTARGS_REGIONS_LOW, EFI_BOOTARGS_REGIONS_HIGH +#define EFI_BOOTARGS_REGIONS_DEFAULT EFI_BOOTARGS_REGIONS_LOW, EFI_BOOTARGS_REGIONS_HIGH +#define EFI_BOOTARGS_REGIONS_EFI EFI_BOOTARGS_REGIONS_HIGH, EFI_BOOTARGS_REGIONS_LOW #endif // TC_HEADER_Boot_BootDefs diff --git a/src/Common/Tcdefs.h b/src/Common/Tcdefs.h index 47a4bc54..ec1df6a4 100644 --- a/src/Common/Tcdefs.h +++ b/src/Common/Tcdefs.h @@ -281,6 +281,14 @@ typedef VOID (NTAPI *KeRestoreExtendedProcessorStateFn) ( PXSTATE_SAVE XStateSave ); +typedef NTSTATUS (NTAPI *ExGetFirmwareEnvironmentVariableFn) ( + PUNICODE_STRING VariableName, + LPGUID VendorGuid, + PVOID Value, + PULONG ValueLength, + PULONG Attributes +); + extern NTSTATUS NTAPI KeSaveExtendedProcessorState ( __in ULONG64 Mask, PXSTATE_SAVE XStateSave diff --git a/src/Driver/DriveFilter.c b/src/Driver/DriveFilter.c index 5fbacac4..c9efd7fb 100644 --- a/src/Driver/DriveFilter.c +++ b/src/Driver/DriveFilter.c 
@@ -75,28 +75,31 @@ static int64 DecoySystemWipedAreaEnd; PKTHREAD DecoySystemWipeThread = NULL; static NTSTATUS DecoySystemWipeResult; -uint64 BootArgsRegions[] = { EFI_BOOTARGS_REGIONS }; +static uint64 BootArgsRegionsDefault[] = { EFI_BOOTARGS_REGIONS_DEFAULT }; +static uint64 BootArgsRegionsEFI[] = { EFI_BOOTARGS_REGIONS_EFI }; -NTSTATUS LoadBootArguments () +NTSTATUS LoadBootArguments (BOOL bIsEfi) { NTSTATUS status = STATUS_UNSUCCESSFUL; PHYSICAL_ADDRESS bootArgsAddr; byte *mappedBootArgs; byte *mappedCryptoInfo = NULL; uint16 bootLoaderArgsIndex; + uint64* BootArgsRegionsPtr = bIsEfi? BootArgsRegionsEFI : BootArgsRegionsDefault; + size_t BootArgsRegionsCount = bIsEfi? sizeof(BootArgsRegionsEFI)/ sizeof(BootArgsRegionsEFI[0]) : sizeof(BootArgsRegionsDefault)/ sizeof(BootArgsRegionsDefault[0]); KeInitializeMutex (&MountMutex, 0); // __debugbreak(); for (bootLoaderArgsIndex = 0; - bootLoaderArgsIndex < sizeof(BootArgsRegions)/ sizeof(BootArgsRegions[1]) && status != STATUS_SUCCESS; + bootLoaderArgsIndex < BootArgsRegionsCount && status != STATUS_SUCCESS; ++bootLoaderArgsIndex) { - bootArgsAddr.QuadPart = BootArgsRegions[bootLoaderArgsIndex] + TC_BOOT_LOADER_ARGS_OFFSET; + bootArgsAddr.QuadPart = BootArgsRegionsPtr[bootLoaderArgsIndex] + TC_BOOT_LOADER_ARGS_OFFSET; Dump ("Checking BootArguments at 0x%x\n", bootArgsAddr.LowPart); - mappedBootArgs = MmMapIoSpace (bootArgsAddr, sizeof (BootArguments), MmCached); - if (!mappedBootArgs) - return STATUS_INSUFFICIENT_RESOURCES; + mappedBootArgs = MmMapIoSpace (bootArgsAddr, sizeof (BootArguments), MmCached); + if (!mappedBootArgs) + return STATUS_INSUFFICIENT_RESOURCES; if (TC_IS_BOOT_ARGUMENTS_SIGNATURE (mappedBootArgs)) { 
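Review bot: The re-indented `if (!mappedBootArgs) return STATUS_INSUFFICIENT_RESOURCES;` still abandons the whole scan on the first mapping failure, and with `BootArgsRegionsEFI` the high regions are now probed first. A failed `MmMapIoSpace` on one of them means the low regions are never checked on an EFI system. If that is not intended, `if (!mappedBootArgs) continue;` would let the loop try the remaining regions; the call in DriverEntry discards the return value either way. Separately, neither table is written in the visible code, so they could be `static const uint64 ...[]` with `const uint64* BootArgsRegionsPtr`. The loop body continues past the end of this hunk.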
@@ -118,7 +121,7 @@ NTSTATUS LoadBootArguments () // Sanity check: for valid boot argument, the password is less than 64 bytes long if (bootArguments->BootPassword.Length <= MAX_LEGACY_PASSWORD) { - BootLoaderArgsPtr = BootArgsRegions[bootLoaderArgsIndex]; + BootLoaderArgsPtr = BootArgsRegionsPtr[bootLoaderArgsIndex]; BootArgs = *bootArguments; BootArgsValid = TRUE; diff --git a/src/Driver/DriveFilter.h b/src/Driver/DriveFilter.h index f19609b0..b164fa5b 100644 --- a/src/Driver/DriveFilter.h +++ b/src/Driver/DriveFilter.h @@ -70,7 +70,7 @@ CRYPTO_INFO *GetSystemDriveCryptoInfo (); BOOL IsBootDriveMounted (); BOOL IsBootEncryptionSetupInProgress (); BOOL IsHiddenSystemRunning (); -NTSTATUS LoadBootArguments (); +NTSTATUS LoadBootArguments (BOOL bIsEfi); static NTSTATUS SaveDriveVolumeHeader (DriveFilterExtension *Extension); NTSTATUS StartBootEncryptionSetup (PDEVICE_OBJECT DeviceObject, PIRP irp, PIO_STACK_LOCATION irpSp); void EmergencyClearAllKeys (PIRP irp, PIO_STACK_LOCATION irpSp); diff --git a/src/Driver/Ntdriver.c b/src/Driver/Ntdriver.c index 97fb1bf1..bf57fcdc 100644 --- a/src/Driver/Ntdriver.c +++ b/src/Driver/Ntdriver.c 
@@ -140,12 +140,44 @@ static BOOL EnableExtendedIoctlSupport = FALSE; static BOOL AllowTrimCommand = FALSE; static KeSaveExtendedProcessorStateFn KeSaveExtendedProcessorStatePtr = NULL; static KeRestoreExtendedProcessorStateFn KeRestoreExtendedProcessorStatePtr = NULL; +static ExGetFirmwareEnvironmentVariableFn ExGetFirmwareEnvironmentVariablePtr = NULL; POOL_TYPE ExDefaultNonPagedPoolType = NonPagedPool; ULONG ExDefaultMdlProtection = 0; PDEVICE_OBJECT VirtualVolumeDeviceObjects[MAX_MOUNTED_VOLUME_DRIVE_NUMBER + 1]; +BOOL IsUefiBoot () +{ + BOOL bStatus = FALSE; + NTSTATUS ntStatus = STATUS_NOT_IMPLEMENTED; + + Dump ("IsUefiBoot BEGIN\n"); + ASSERT (KeGetCurrentIrql() == PASSIVE_LEVEL); + + if (ExGetFirmwareEnvironmentVariablePtr) + { + ULONG valueLengh = 0; + UNICODE_STRING emptyName; + GUID guid; + RtlInitUnicodeString(&emptyName, L""); + memset (&guid, 0, sizeof(guid)); + Dump ("IsUefiBoot calling ExGetFirmwareEnvironmentVariable\n"); + ntStatus = ExGetFirmwareEnvironmentVariablePtr (&emptyName, &guid, NULL, &valueLengh, NULL); + Dump ("IsUefiBoot ExGetFirmwareEnvironmentVariable returned 0x%08x\n", ntStatus); + } + else + { + Dump ("IsUefiBoot ExGetFirmwareEnvironmentVariable not found on the system\n"); + } + + if (STATUS_NOT_IMPLEMENTED != ntStatus) + bStatus = TRUE; + + Dump ("IsUefiBoot bStatus = %s END\n", bStatus? "TRUE" : "FALSE"); + return bStatus; +} + void GetDriverRandomSeed (unsigned char* pbRandSeed, size_t cbRandSeed) { LARGE_INTEGER iSeed, iSeed2; 
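Review bot: IsUefiBoot() reports TRUE for every status other than STATUS_NOT_IMPLEMENTED, including any unexpected failure of the probe made with an empty name and an all-zero GUID, and nothing in the function says why that is intended. A comment above the final test would make the contract explicit, e.g. `/* only STATUS_NOT_IMPLEMENTED is taken to mean "no firmware variable support"; every other status, success or failure, is treated as UEFI */`. It is also worth stating that a wrong answer only changes the search order in LoadBootArguments, since both region tables list the same addresses. The local `valueLengh` is misspelled, and the function could be `static` if no other file calls it, which this hunk does not show.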
@@ -248,6 +280,14 @@ NTSTATUS DriverEntry (PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) KeSaveExtendedProcessorStatePtr = (KeSaveExtendedProcessorStateFn) MmGetSystemRoutineAddress(&saveFuncName); KeRestoreExtendedProcessorStatePtr = (KeRestoreExtendedProcessorStateFn) MmGetSystemRoutineAddress(&restoreFuncName); } + + // ExGetFirmwareEnvironmentVariable is available starting from Windows 8 + if ((OsMajorVersion > 6) || (OsMajorVersion == 6 && OsMinorVersion >= 2)) + { + UNICODE_STRING funcName; + RtlInitUnicodeString(&funcName, L"ExGetFirmwareEnvironmentVariable"); + ExGetFirmwareEnvironmentVariablePtr = (ExGetFirmwareEnvironmentVariableFn) MmGetSystemRoutineAddress(&funcName); + } // Load dump filter if the main driver is already loaded if (NT_SUCCESS (TCDeviceIoControl (NT_ROOT_PREFIX, TC_IOCTL_GET_DRIVER_VERSION, NULL, 0, &version, sizeof (version)))) @@ -278,7 +318,7 @@ NTSTATUS DriverEntry (PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) TC_BUG_CHECK (STATUS_INVALID_PARAMETER); } - LoadBootArguments(); + LoadBootArguments(IsUefiBoot ()); VolumeClassFilterRegistered = IsVolumeClassFilterRegistered(); DriverObject->DriverExtension->AddDevice = DriverAddDevice; -- cgit v1.2.3