Created
September 22, 2018 16:25
-
-
Save newyear2006/232a01dde3453845df886ac58e6d064d to your computer and use it in GitHub Desktop.
Versuch Confirm-SecurebootUEFI in Powershell nachzubauen und UEFI-Firmware-Variablen auszulesen
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # peeked from C:\WINDOWS\Microsoft.Net\assembly\GAC_64\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll | |
| $UEFIInterop = Add-Type @" | |
| using System; | |
| using System.Reflection; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| namespace UEFIInterop | |
| { | |
| public class NativeMethods | |
| { | |
| [DllImport("ntdll.dll", CharSet=CharSet.Unicode, ExactSpelling=false, SetLastError=true)] | |
| public static extern uint NtQuerySystemEnvironmentValueEx(ref UNICODE_STRING VariableName, byte[] VendorGuid, byte[] Value, ref uint ValueLength, out uint Attributes); | |
| [DllImport("ntdll.dll", CharSet=CharSet.Unicode, ExactSpelling=false, SetLastError=true)] | |
| public static extern uint NtSetSystemEnvironmentValueEx(ref UNICODE_STRING VariableName, byte[] VendorGuid, byte[] Value, uint ValueLength, uint Attributes); | |
| } | |
| public struct UNICODE_STRING | |
| { | |
| private const int SIZEOF_WCHAR = 2; | |
| private ushort Length; | |
| private ushort MaximumLength; | |
| private string Buffer; | |
| public UNICODE_STRING(string sourceString) | |
| { | |
| this.Buffer = sourceString; | |
| this.Length = (ushort)(this.Buffer.Length * 2); | |
| this.MaximumLength = (ushort)(this.Length + 2); | |
| } | |
| } | |
| } | |
| "@ -PassThru | |
| [UEFIInterop.NativeMethods]::EFI_MICROSOFT_GUID | |
| $EFI_MICROSOFT_GUID = [Guid]"{77fa9abd-0359-4d32-bd60-28f4e78f784b}" | |
| #oder | |
| $EFI_MICROSOFT_GUID = New-Object System.Guid(2012912317, 857, 19762, 189, 96, 40, 244, 231, 143, 120, 75) | |
| $EFI_GLOBAL_VARIABLE = [Guid]"{8BE4DF61-93CA-11D2-AA0D-00E098032B8C}" | |
| $Attributes = [Uint32]0 | |
| $Size=[uint32]0 | |
| $BootOrder=New-Object UEFIInterop.UNICODE_STRING("BootOrder") | |
| # in Verbindung mit $EFI_MICROSOFT_GUID | |
| $KernelConfig=New-Object UEFIInterop.UNICODE_STRING("Kernel_Lsa_Ppl_Config") | |
| $num=[uint32]0 | |
| $attr=[uint32]0 | |
| $r=[UEFIInterop.NativeMethods]::NtQuerySystemEnvironmentValueEx([ref]$BootOrder, $EFI_GLOBAL_VARIABLE.ToByteArray(), $null, [ref] $num, [out] $attr) | |
| # https://msdn.microsoft.com/en-us/library/cc704588.aspx | |
| $STATUS_PRIVILEGE_NOT_HELD = 0xc0000061 | |
| $STATUS_ACCESS_VIOLATION = 0xc0000005 | |
| $STATUS_XX = 0xc0000023 | |
| $SFTCode = @" | |
| [DllImport("kernel32.dll", SetLastError=true)] | |
| public static extern UInt32 GetFirmwareEnvironmentVariableW(string lpName, string lpGuid, IntPtr pBuffer, UInt32 nSize); | |
| [DllImport("kernel32.dll", SetLastError=true)] | |
| public static extern UInt32 GetFirmwareEnvironmentVariableEx(string lpName, string lpGuid, IntPtr pBuffer, UInt32 nSize, ref UInt32 pdwAttribubutes); | |
| [DllImport("kernel32.dll")] | |
| public static extern void RtlZeroMemory(IntPtr dst, int length); | |
| [DllImport("ntdll.dll", CharSet=CharSet.Unicode, ExactSpelling=false, SetLastError=true)] | |
| public static extern uint NtQuerySystemEnvironmentValueEx(ref UNICODE_STRING VariableName, byte[] VendorGuid, byte[] Value, ref uint ValueLength, out uint Attributes); | |
| [DllImport("ntdll.dll", CharSet=CharSet.Unicode, ExactSpelling=false, SetLastError=true)] | |
| public static extern uint NtSetSystemEnvironmentValueEx(ref UNICODE_STRING VariableName, byte[] VendorGuid, byte[] Value, uint ValueLength, uint Attributes); | |
| public struct UNICODE_STRING | |
| { | |
| private const int SIZEOF_WCHAR = 2; | |
| private ushort Length; | |
| private ushort MaximumLength; | |
| private string Buffer; | |
| public UNICODE_STRING(string sourceString) | |
| { | |
| this.Buffer = sourceString; | |
| this.Length = (ushort)(this.Buffer.Length * 2); | |
| this.MaximumLength = (ushort)(this.Length + 2); | |
| } | |
| } | |
| "@ | |
| $SFT = Add-Type -MemberDefinition $SFTCode -Name "SFTKlasse" -Language CSharp -UsingNamespace "System.Reflection", "System.Diagnostics", "System.Collections.Generic" -PassThru | |
| # https://docs.microsoft.com/de-de/windows/desktop/api/winbase/nf-winbase-setfirmwareenvironmentvariableexa | |
| $VARIABLE_ATTRIBUTE_NON_VOLATILE = 0x00000001 | |
| $VARIABLE_ATTRIBUTE_BOOTSERVICE_ACCESS = 0x00000002 | |
| $VARIABLE_ATTRIBUTE_RUNTIME_ACCESS = 0x00000004 | |
| $VARIABLE_ATTRIBUTE_HARDWARE_ERROR_RECORD = 0x00000008 | |
| $VARIABLE_ATTRIBUTE_AUTHENTICATED_WRITE_ACCESS = 0x00000010 | |
| $VARIABLE_ATTRIBUTE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x00000020 | |
| $VARIABLE_ATTRIBUTE_APPEND_WRITE = 0x00000040 | |
| # 7.2 Variable Services: | |
| # http://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_6.pdf#page=285 | |
| # http://wiki.phoenix.com/wiki/index.php/EFI_STATUS#EFI_SUCCESS | |
| $EFI_SUCCESS = 0 | |
| $EFI_NOT_FOUND = 14 | |
| $EFI_BUFFER_TOO_SMALL = 5 | |
| $EFI_INVALID_PARAMETER = 2 | |
| $EFI_SECURITY_VIOLATION = 26 | |
| # #define ENCODE_ERROR ( StatusCode ) ((RETURN_STATUS)(MAX_BIT | (StatusCode))) | |
| # https://docs.microsoft.com/en-us/windows/desktop/debug/system-error-codes | |
| # https://msdn.microsoft.com/en-us/library/cc231199.aspx | |
| $ERROR_NOACCESS = 998 | |
| $ERROR_PRIVILEGE_NOT_HELD = 1314 | |
| $ERROR_ENVVAR_NOT_FOUND = 203 | |
| $ERROR_INVALID_PARAMETER = 87 | |
| $ERROR_INVALID_FUNCTION = 1 | |
| $EFI_GLOBAL_VARIABLE = "{8BE4DF61-93CA-11D2-AA0D-00E098032B8C}" | |
| # wichtig! | |
| [System.IntPtr]::Size -eq 8 | |
| $r=$sft::GetFirmwareEnvironmentVariableW("","{00000000-0000-0000-0000-000000000000}",[System.IntPtr]::Zero,0); $e=[System.Runtime.InteropServices.Marshal]::GetLastWin32Error() | |
| $r; $e | |
| $r=$sft::GetFirmwareEnvironmentVariableW("OsIndicationsSupported",$EFI_GLOBAL_VARIABLE,[System.IntPtr]::Zero,0); $e=[System.Runtime.InteropServices.Marshal]::GetLastWin32Error() | |
| $r; $e | |
| $r=$sft::GetFirmwareEnvironmentVariableW("BootOrder",$EFI_GLOBAL_VARIABLE,[System.IntPtr]::Zero,0); $e=[System.Runtime.InteropServices.Marshal]::GetLastWin32Error() | |
| $r; $e | |
| $strSize = 1000 | |
| $strPointer=[System.Runtime.InteropServices.Marshal]::AllocHGlobal($strSize) | |
| $sft::RtlZeroMemory($strPointer, $strSize) | |
| $r=$sft::GetFirmwareEnvironmentVariableW("BootOrder",$EFI_GLOBAL_VARIABLE,$strPointer,$strSize); $e=[System.Runtime.InteropServices.Marshal]::GetLastWin32Error() | |
| $r; $e | |
| $buffer = New-Object Byte[]($strSize) | |
| $buffer|Out-GridView | |
| [System.Runtime.InteropServices.Marshal]::copy($strPointer, $buffer, 0,$strSize) | |
| [System.Runtime.InteropServices.Marshal]::FreeHGlobal($strPointer) | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment