From c4e023d42356be9aff9dd3da549df59ce13d3943 Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Fri, 30 Apr 2021 13:01:08 +0100
Subject: [PATCH] [main] Fix extraction of bootmgr.exe from Windows 10 bootmgr

The Windows 10 version of bootmgr includes an XCA-compressed embedded copy of bootmgr.exe at an offset that is 8-byte aligned rather than 16-byte aligned. Update the scan to search on 8-byte boundaries instead of 16-byte boundaries.

Retain the 16-byte boundary requirement for LZNT1-compressed embedded copies of bootmgr.exe, since fewer sanity checks are available for LZNT1 and so the scan is more likely to hit false positives.

Update the test cases to include the ability to extract bootmgr.exe from the Windows 10 version of bootmgr.

Reported-by: Steve Si
Signed-off-by: Michael Brown
---
 CHANGELOG.md | 3 +++
 src/main.c | 11 ++++++-----
 test/bootmgr10.yml | 9 +++++++++
 test/{bootmgr.yml => bootmgr7.yml} | 3 ++-
 4 files changed, 20 insertions(+), 6 deletions(-)
 create mode 100644 test/bootmgr10.yml
 rename test/{bootmgr.yml => bootmgr7.yml} (58%)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7fdda73..4f77918 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,9 @@ Changelog
 
 ## [Unreleased]
 
+- Fix extraction of embedded `bootmgr.exe` from Windows 10 versions of
+ `bootmgr`.
+
 ## [v2.7.2] 2021-02-22
 
 - Fix BIOS booting of 32-bit versions of Windows 8 and above with more
diff --git a/src/main.c b/src/main.c
index c7d4512..371c822 100644
--- a/src/main.c
+++ b/src/main.c
@@ -264,11 +264,11 @@ static struct vdisk_file * add_bootmgr ( const void *data, size_t len ) {
 ssize_t decompressed_len;
 size_t padded_len;
 
- /* Look for an embedded compressed bootmgr.exe on a paragraph
- * boundary.
+ /* Look for an embedded compressed bootmgr.exe on an
+ * eight-byte boundary.
 */
 for ( offset = BOOTMGR_MIN_LEN ; offset < ( len - BOOTMGR_MIN_LEN ) ;
- offset += 0x10 ) {
+ offset += 0x08 ) {
 
 /* Initialise checks */
 decompress = NULL;
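Review bot: The `for` loop now steps `offset += 0x08`, but its bound `offset < ( len - BOOTMGR_MIN_LEN )` still has no guard for `len < BOOTMGR_MIN_LEN`: the `size_t` subtraction wraps, `offset` starts beyond `len`, and the body's reads at that offset land outside `data` — unless callers already enforce a minimum length, which is not visible here. A guard ahead of the loop such as `if ( len < BOOTMGR_MIN_LEN ) return NULL;` (or whatever the not-found path returns) would make the bound self-contained. The stride `0x08` is now also coupled to the `( offset & 0x0f )` mask in the next hunk; a single named constant for the scan granularity would keep the two from drifting apart. add_bootmgr's signature is visible only in the hunk header and its body continues past this hunk.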
@@ -282,7 +282,8 @@ static struct vdisk_file * add_bootmgr ( const void *data, size_t len ) {
 * boundary, with a preceding tag byte indicating that
 * these two bytes would indeed be uncompressed.
 */
- if ( ( ( compressed[0x02] & 0x03 ) == 0x00 ) &&
+ if ( ( ( offset & 0x0f ) == 0x00 ) &&
+ ( ( compressed[0x02] & 0x03 ) == 0x00 ) &&
 ( compressed[0x03] == 'M' ) &&
 ( compressed[0x04] == 'Z' ) ) {
 DBG ( "...checking for LZNT1-compressed bootmgr.exe at "
@@ -313,7 +314,7 @@ static struct vdisk_file * add_bootmgr ( const void *data, size_t len ) {
 }
 
 /* If we have not found a possible bootmgr.exe, skip
- * to the next paragraph.
+ * to the next offset.
 */
 if ( ! decompress )
 continue;
diff --git a/test/bootmgr10.yml b/test/bootmgr10.yml
new file mode 100644
index 0000000..705448e
--- /dev/null
+++ b/test/bootmgr10.yml
@@ -0,0 +1,9 @@
+name: Test Windows 10 bootmgr.exe extraction
+version: win10
+arch: x64
+bootmgr: true
+logcheck:
+ - "found bootmgr"
+ - "checking for XCA-compressed bootmgr.exe"
+ - "extracting embedded bootmgr.exe"
+ - "Using bootmgr.exe"
diff --git a/test/bootmgr.yml b/test/bootmgr7.yml
similarity index 58%
rename from test/bootmgr.yml
rename to test/bootmgr7.yml
index 579419b..58fe6aa 100644
--- a/test/bootmgr.yml
+++ b/test/bootmgr7.yml
@@ -1,8 +1,9 @@
-name: Test bootmgr.exe extraction
+name: Test Windows 7 bootmgr.exe extraction
 version: win7
 arch: x64
 bootmgr: true
 logcheck:
 - "found bootmgr"
+ - "checking for LZNT1-compressed bootmgr.exe"
 - "extracting embedded bootmgr.exe"
 - "Using bootmgr.exe"
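Review bot: The new `( ( offset & 0x0f ) == 0x00 )` condition carries its rationale only in the commit message; the comment it follows still speaks of a boundary without saying why the LZNT1 check is stricter than the XCA one. I would append to that comment: ` * Only sixteen-byte boundaries are considered here: LZNT1 offers fewer sanity checks than XCA, so scanning it at eight-byte granularity is more prone to false positives.` The mask is applied to the absolute `offset`, which visits sixteen-byte-aligned values only if `BOOTMGR_MIN_LEN` is a multiple of eight; if the build allows C11, a compile-time check near the loop such as `_Static_assert ( ( BOOTMGR_MIN_LEN & 0x07 ) == 0, "BOOTMGR_MIN_LEN must be 8-byte aligned" );` would prevent a later change to that constant from silently disabling the LZNT1 path. The comment and add_bootmgr itself begin outside this hunk; the comment-only third hunk is consistent with the change.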