From a36292df1de157cf298dbc53bedaf3384dca506d Mon Sep 17 00:00:00 2001
From: Matthijs Lavrijsen
Date: Wed, 12 May 2021 12:55:58 +0200
Subject: [PATCH] EfiDSEFix: fix BSOD on Windows 10 with KB5003173 when using '-d'

EfiDSEFix was not finding the address of CI!g_CiOptions correctly after KB5003173 changed the layout of CI!CiInitialize.

Fixes #28
---
 Application/EfiDSEFix/src/EfiDSEFix.cpp | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/Application/EfiDSEFix/src/EfiDSEFix.cpp b/Application/EfiDSEFix/src/EfiDSEFix.cpp
index 9235e82..324018d 100644
--- a/Application/EfiDSEFix/src/EfiDSEFix.cpp
+++ b/Application/EfiDSEFix/src/EfiDSEFix.cpp
@@ -85,7 +85,7 @@ QueryCiOptions(
     LONG Relative = 0;
     hde64s hs;
-    const PUCHAR CiInitialize = reinterpret_cast(GetProcedureAddress(reinterpret_cast(MappedBase), "CiInitialize"));
+    const PUCHAR CiInitialize = static_cast(GetProcedureAddress(reinterpret_cast(MappedBase), "CiInitialize"));
     if (CiInitialize == nullptr)
         return 0;
@@ -96,13 +96,19 @@ QueryCiOptions(
     do
     {
         // call CipInitialize
-        if (CiInitialize[i] == 0xE8)
+        const BOOLEAN IsCall = CiInitialize[i] == 0xE8;
+        if (IsCall)
             j++;
-        if (j > 1)
+        if (IsCall && j > 1)
         {
             Relative = *reinterpret_cast(CiInitialize + i + 1);
-            break;
+
+            // KB5003173 added a new 'call wil_InitializeFeatureStaging' to CiInitialize that we need to skip
+            const PUCHAR CallTarget = CiInitialize + i + 5 + Relative;
+            hde64_disasm(CallTarget, &hs);
+            if ((hs.flags & F_ERROR) == 0 && hs.len >= 4 && hs.len <= 6) // wil_InitializeFeatureStaging: 3, __security_init_cookie: 7, CipInitialize: 5
+                break;
         }
         hde64_disasm(CiInitialize + i, &hs);
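Review bot: In the second hunk, `CallTarget` is derived from a 32-bit displacement read out of the mapped image and handed straight to `hde64_disasm` with no check that it lies inside that image; a stray 0xE8 byte in the scanned range (an immediate or displacement that happens to contain E8) yields an arbitrary `Relative`, and the disassembler then reads from an address the process may not have mapped at all, which is a crash rather than a miss. Bound the target before disassembling it, e.g. `if (CallTarget < reinterpret_cast<PUCHAR>(MappedBase) || CallTarget + 15 > reinterpret_cast<PUCHAR>(MappedBase) + <MAPPED_IMAGE_SIZE>)` (15 being the longest x86-64 instruction; `<MAPPED_IMAGE_SIZE>` stands for whatever size the caller holds for the mapping, which is not visible in this hunk) and treat an out-of-range target as "not the call we want". The first-instruction-length heuristic `hs.len >= 4 && hs.len <= 6` also deserves a fuller comment naming the expected opcode at each callee, since a future CI build that changes CipInitialize's prologue would silently select the wrong call. Note that `Relative` keeps the rejected call's displacement when the check fails, so if the loop can finish without a `break` the value used after it may be stale; QueryCiOptions starts and ends outside the hunk, so this needs confirming against the rest of the function.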