[main] Fix extraction of bootmgr.exe from Windows 10 bootmgr

The Windows 10 version of bootmgr includes an XCA-compressed embedded copy of bootmgr.exe at an offset that is 8-byte aligned rather than 16-byte aligned. Update the scan to search on 8-byte boundaries instead of 16-byte boundaries. Retain the 16-byte boundary requirement for LZNT1-compressed embedded copies of bootmgr.exe, since fewer sanity checks are available for LZNT1 and so the scan is more likely to hit false positives. Update the test cases to include the ability to extract bootmgr.exe from the Windows 10 version of bootmgr. Reported-by: Steve Si <[email protected]> Signed-off-by: Michael Brown <[email protected]>
ipxe · Apr 30, 2021 · c4e023d · c4e023d
1 parent ec2f36e
commit c4e023d
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,9 @@ Changelog
 
 ## [Unreleased]
 
+- Fix extraction of embedded `bootmgr.exe` from Windows 10 versions of
+  `bootmgr`.
+
 ## [v2.7.2] 2021-02-22
 
 - Fix BIOS booting of 32-bit versions of Windows 8 and above with more

diff --git a/src/main.c b/src/main.c
@@ -264,11 +264,11 @@ static struct vdisk_file * add_bootmgr ( const void *data, size_t len ) {
 	ssize_t decompressed_len;
 	size_t padded_len;
 
-	/* Look for an embedded compressed bootmgr.exe on a paragraph
-	 * boundary.
+	/* Look for an embedded compressed bootmgr.exe on an
+	 * eight-byte boundary.
 	 */
 	for ( offset = BOOTMGR_MIN_LEN ; offset < ( len - BOOTMGR_MIN_LEN ) ;
-	      offset += 0x10 ) {
+	      offset += 0x08 ) {
 
 		/* Initialise checks */
 		decompress = NULL;
@@ -282,7 +282,8 @@ static struct vdisk_file * add_bootmgr ( const void *data, size_t len ) {
 		 * boundary, with a preceding tag byte indicating that
 		 * these two bytes would indeed be uncompressed.
 		 */
-		if ( ( ( compressed[0x02] & 0x03 ) == 0x00 ) &&
+		if ( ( ( offset & 0x0f ) == 0x00 ) &&
+		     ( ( compressed[0x02] & 0x03 ) == 0x00 ) &&
 		     ( compressed[0x03] == 'M' ) &&
 		     ( compressed[0x04] == 'Z' ) ) {
 			DBG ( "...checking for LZNT1-compressed bootmgr.exe at "
@@ -313,7 +314,7 @@ static struct vdisk_file * add_bootmgr ( const void *data, size_t len ) {
 		}
 
 		/* If we have not found a possible bootmgr.exe, skip
-		 * to the next paragraph.
+		 * to the next offset.
 		 */
 		if ( ! decompress )
 			continue;

diff --git a/test/bootmgr10.yml b/test/bootmgr10.yml
@@ -0,0 +1,9 @@
+name: Test Windows 10 bootmgr.exe extraction
+version: win10
+arch: x64
+bootmgr: true
+logcheck:
+  - "found bootmgr"
+  - "checking for XCA-compressed bootmgr.exe"
+  - "extracting embedded bootmgr.exe"
+  - "Using bootmgr.exe"
diff --git a/test/bootmgr.yml → test/bootmgr7.yml b/test/bootmgr.yml → test/bootmgr7.yml
@@ -1,8 +1,9 @@
-name: Test bootmgr.exe extraction
+name: Test Windows 7 bootmgr.exe extraction
 version: win7
 arch: x64
 bootmgr: true
 logcheck:
   - "found bootmgr"
+  - "checking for LZNT1-compressed bootmgr.exe"
   - "extracting embedded bootmgr.exe"
   - "Using bootmgr.exe"