Kon-boot 2.4分析

目录

• 1.bootx64.efi
  • 打印信息
  • Scan_80000CA8 获取磁盘信息
  • 加载KonBootDxeX64.efi驱动
  • 最后加载原始磁盘中的bootx64.efi
    • start_original_boot_80000EA0
• 2.KonBootDxeX64.efi
  • hookGetVariable_3198
    • get_idt_base_80003221
    • initfunc_80001B1C
      • find_export_func_800013DC
        • LSH16_80001354
      • PsSetLoadImageNotifyRoutine(imgloadNotifyRoutine_80001A1C);
        • • imgloadNotifyRoutine_80001A1C
          • patch_winlogon_80001514
  • gEfiBootServices->CreateEvent EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE,
    • NotifyFunction

1.bootx64.efi

U盘中bootx64.efi：uefi 应用，用来加载u盘中KonBootDxeX64.efi驱动，运行磁盘中的启动文件 bootx64.efi（Windows中bootx64.efi与bootmgfw.efi为同一文件）

打印信息

Scan_80000CA8 获取磁盘信息

加载KonBootDxeX64.efi驱动

find_800013F8查找\efi\boot\KonBootDxeX64.efi

Load_start_Image_80000C1C 加载KonBootDxeX64.efi驱动

最后加载原始磁盘中的bootx64.efi

start_original_boot_80000EA0

2.KonBootDxeX64.efi

主要操作：

hook gEfiRuntimeServices->GetVariable

设置事件EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE回调函数

hookGetVariable_3198

get_idt_base_80003221

initfunc_80001B1C

find_export_func_800013DC

LSH16_80001354

PsSetLoadImageNotifyRoutine(imgloadNotifyRoutine_80001A1C);

imgloadNotifyRoutine_80001A1C

patch_winlogon_80001514

gEfiBootServices->CreateEvent EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE,

gEfiBootServices->CreateEvent(

EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE,

TPL_NOTIFY,

(EFI_EVENT_NOTIFY)NotifyFunction,

0i64,

&Event);

NotifyFunction