I tried to run DdiMon on windows 10 17134 x86, but always get BSOD. Is this a version error?
the stack is

ChildEBP RetAddr Args to Child

00 818e0f24 8184e779 00000003 bf3ba2f8 00000065 nt!RtlpBreakWithStatusInstruction
01 818e0f78 8184e167 8708c340 818e1394 00000000 nt!KiBugCheckDebugBreak+0x1f
02 818e1368 817c1e02 0000007f 00000008 80a1cc00 nt!KeBugCheck2+0x79d
03 818e138c 817d82a1 0000007f 00000008 80a1cc00 nt!KiBugCheck2+0xc6
04 818e138c b6d42394 0000007f 00000008 80a1cc00 nt!KiTrap08+0x6e
05 af62beb0 b6d43009 3df54360 00000002 b6d421d0 DdiMon!UtilLoadPdptes+0x1e [d:\project\ddimon\hyperplatform\hyperplatform\util.cpp @ 835]
06 af62bf00 b6d43ec6 af62bf50 00000002 8947d000 DdiMon!VmmpHandleCrAccess+0x1db [d:\project\ddimon\hyperplatform\hyperplatform\vmm.cpp @ 1114]
07 af62bf40 b6d427e0 af62bf50 00000000 af62bfd8 DdiMon!VmmpHandleVmExit+0x12a [d:\project\ddimon\hyperplatform\hyperplatform\vmm.cpp @ 269]
08 af62bf64 b6d4106e af62bfd8 00000000 00000000 DdiMon!VmmVmExitHandler+0x5e [d:\project\ddimon\hyperplatform\hyperplatform\vmm.cpp @ 206]
09 af62bf6c 00000000 00000000 00000000 00000000 DdiMon!AsmVmmEntryPoint+0x37 [D:\project\DdiMon\HyperPlatform\HyperPlatform\Arch\x86\x86.asm @ 117]

Hi Satoshi,

Is it possible to hook some user land APIs using DdiMon ?
I understand that Ddimon only take cares of the kernel address space, is it possible to specify a user mode process (through CR3 maybe?)

Thanks

Hello, the question has bothered me for a long time, I tried to use ShpEnablePageShadowingForRW ShEnablePageShadowing function to hide the nt! The memory of NtCreateFile looks like this:

_Use_decl_annotations_ NTSTATUS ShEnablePageShadowing(
    EptData* ept_data, const SharedShadowHookData* shared_sh_data) {
  //HYPERPLATFORM_COMMON_DBG_BREAK();

  // ======== mycode
  __debugbreak();
  HookInformation HookInfo = {0};
  PVOID64 vAddr = ExAllocatePoolWithTag(NonPagedPool, 0x1000, 'lysd');
  RtlZeroMemory(vAddr, 0x1000);

  HookInfo.patch_address = (void*)0xfffff8021caefa50;  // nt!NtCreateFile:
  HookInfo.pa_base_for_rw = UtilPaFromVa(vAddr);

  ShpEnablePageShadowingForRW(HookInfo, ept_data);
  // ======== mycode

  for (auto& info : shared_sh_data->hooks) {
    ShpEnablePageShadowingForExec(*info, ept_data);
  }

  return STATUS_SUCCESS;
}

The good news is that it works, the bad news is that it bluescreens 😅

the dump file(os version is win10 1909 x64)
112922-9890-01.zip

Please give me some advice,thank you 🙂

the system lags when running the hypervisor.. and i checked your code in hooking section the method is slow because the "const auto original" always finds the original function inside the callback function.

My Specs: WIN10 x64, CORE I7 6700HQ VT-X/HT/VT-D, 16GB RAM, 256SSD, RTX 2060 GPU

how to hook Shadow SSDT using DdiMon?

So I ended up getting this going, but it seems like when I run a special application that happens to prevent kernel debug mode it crashes Ddimon entirely. I'm pretty sure they're doing it intentionally to crash HyperPlatform.

How would one go about debugging these kinds of crashes?

Hi there,
great work! I really like to see more open source implementations that make use of virtualization like this. I've used essentially the same technique in the DRAKVUF analysis system on top of the Xen hypervisor. One issue though that you should keep in mind is that when you are changing the mapping in the EPT to allow the violating CPU to progress while you enable MTF on it, is that the other CPUs are also free to fetch the instruction that should have been breakpointed. In other words, you have a race-condition on the EPT with multiple CPUs. A solution to this that I can recommend is creating multiple EPTs (one for X and one for R/W) so that you can swap the EPT pointer in the VMCS specific to each vCPU instead of changing the mapping in the shared EPT on-the-fly. In Xen this is implemented with the altp2m subsystem.

Cheers,
Tamas

hi satoshi :)

i'm trying to utilize your wonderful hv to explore a process that does not want me there. it's protected with a kernel driver and running it while ddimon is running causes me to basically freeze and get a dpc_watchdog_violation bsod several minutes later. this seems to only happen if i have shadow hooks on functions that are exported by ntoskrnl. shadow hooking ssdt functions causes no issues whatsoever.

by any chance, would you happen to have an idea what might be triggering this and what i can do about it?

from crash dump:

ffffb280`124d5bc8 fffff801`481e619b : 00000000`00000133 00000000`00000001 00000000`00001e00 fffff801`4845e378 : nt!KeBugCheckEx
ffffb280`124d5bd0 fffff801`480533ba : 000000e4`c2a298da ffffb280`12480180 00000000`00000282 00000000`00000000 : nt!KeAccumulateTicks+0x19049b
ffffb280`124d5c30 fffff801`4896751b : 000000e4`c2a27e20 ffffda03`43f7f010 00000000`00000000 ffffda03`3c8e0a00 : nt!KeClockInterruptNotify+0x9da
ffffb280`124d5f40 fffff801`48118a65 : ffffda03`3c8e0a00 00000000`00000000 00000000`00001000 ffffc2d9`40098c20 : hal!HalpTimerClockIpiRoutine+0x1b
ffffb280`124d5f70 fffff801`481bc95a : ffffd907`f124f2a0 ffffda03`3c8e0a00 00000000`00000000 ffffc2d9`40098c20 : nt!KiCallInterruptServiceRoutine+0xa5
ffffb280`124d5fb0 fffff801`481bce47 : ffff9780`00080700 ffffda03`3c8e0a00 ffffd907`f124f480 00000000`00000000 : nt!KiInterruptSubDispatchNoLockNoEtw+0xea
ffffd907`f124f220 fffff801`481ccd00 : fffff801`4816c141 ffff9780`00080700 00000000`00000001 00000000`00001011 : nt!KiInterruptDispatchNoLockNoEtw+0x37
ffffd907`f124f3b8 fffff801`4816c141 : ffff9780`00080700 00000000`00000001 00000000`00001011 00000000`00000000 : nt!memcpy+0x240
ffffd907`f124f3c0 fffff801`4816bf57 : fffff801`484d0000 ffffd907`f124f510 00000000`00001000 00000000`00000001 : nt!MiCopySinglePage+0x105
ffffd907`f124f410 fffff801`4bf18215 : ffffda03`43f7f010 00000000`00000000 00000000`00000000 fffff801`48011000 : nt!MmCopyMemory+0x1d7

The same issue as below applies here since submodule is not updated yet. See the link.
tandasat/HyperPlatform#24

This will be addressed shortly.

Hi Tandasat,
I have basically modified DdiMon to suit my needs in order to hide the memory pages of a user-mode DLL injected into an arbitrary process - it works much like Ddimon with a few caveats.

• it works in user-mode and makes note of the user-mode pages allocated for the DLL
• sets read/write access of the corresponding EPT pages to be false while setting execution access to be true
• Upon EPT violation, the handler sets the EPT page to redirect to a null page before setting the MTF and resetting the last modified memory page in the MTF handler to point to the original page.

The purpose of this is to prevent people from dumping the contents of the DLL from memory back onto disk and from preventing signature scans for my DLL. While my code works in hiding the DLL, the target process crashes.

Do you happen to know why this happens? I had a suspicion that this might have been triggered by code in the .text section accessing elements in the .data section so I then only applied protection to the .text section, but the same thing happens - the process still crashes. When I apply this protection to a DLL that merely executes junk in a while(true) loop everything is able to work fine. I also make sure to use VirtualLock() in order to prevent the user-mode memory from being paged out.

The following bug check can some times occurs. It seems that a captured parameter is no longer valid or CR3 is not correct in the post-handler.

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 000001e7f29f5b30, memory referenced
Arg2: 00000000000000ff, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8012d4043e1, address which referenced memory

Debugging Details:
------------------

Page 24df4c not present in the dump file. Type ".hh dbgerr004" for details
Page 900 not present in the dump file. Type ".hh dbgerr004" for details
Page 900 not present in the dump file. Type ".hh dbgerr004" for details
Page 900 not present in the dump file. Type ".hh dbgerr004" for details

DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING:  10586.162.amd64fre.th2_release_sec.160223-1728

DUMP_TYPE:  1

BUGCHECK_P1: 1e7f29f5b30

BUGCHECK_P2: ff

BUGCHECK_P3: 0

BUGCHECK_P4: fffff8012d4043e1

READ_ADDRESS:  000001e7f29f5b30 

CURRENT_IRQL:  2

FAULTING_IP: 
DdiMon!DdimonpPostNtQuerySystemInformationHandler+55 [c:\users\user\desktop\b\ddimon\ddimon\ddi_mon.cpp @ 570]
fffff801`2d4043e1 833b00          cmp     dword ptr [rbx],0

CPU_COUNT: 1

CPU_MHZ: 8fc

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 45

CPU_STEPPING: 1

CPU_MICROCODE: 6,45,1,0 (F,M,S,R)  SIG: 1D'00000000 (cache) 1D'00000000 (init)

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  AV

PROCESS_NAME:  taskhostw.exe

ANALYSIS_SESSION_HOST:  DESKTOP-LQSEFPE

ANALYSIS_SESSION_TIME:  03-26-2016 09:50:06.0629

ANALYSIS_VERSION: 10.0.10586.567 amd64fre

TRAP_FRAME:  ffffe001000abae0 -- (.trap 0xffffe001000abae0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffd00022d543f0 rbx=0000000000000000 rcx=ffffe000fb3fb720
rdx=ffffe000fddc01e0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8012d4043e1 rsp=ffffe001000abc70 rbp=00000000001aa000
 r8=ffffe001000abf70  r9=ffffd00022d543f0 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up di pl zr na po nc
DdiMon!DdimonpPostNtQuerySystemInformationHandler+0x55:
fffff801`2d4043e1 833b00          cmp     dword ptr [rbx],0 ds:00000000`00000000=????????
Resetting default scope

BAD_STACK_POINTER:  ffffe001000ab998

LAST_CONTROL_TRANSFER:  from fffff80277f592e9 to fffff80277f4e760

STACK_TEXT:  
ffffe001`000ab998 fffff802`77f592e9 : 00000000`0000000a 000001e7`f29f5b30 00000000`000000ff 00000000`00000000 : nt!KeBugCheckEx
ffffe001`000ab9a0 fffff802`77f57ac7 : 00000002`68d58fa3 ffffe001`000abba0 ffffe001`00201fa3 ffffd000`25bbefa3 : nt!KiBugCheckDispatch+0x69
ffffe001`000abae0 fffff801`2d4043e1 : 00000000`00000000 00000000`00000282 ffff551c`47acffb6 00000000`001aa000 : nt!KiPageFault+0x247
ffffe001`000abc70 fffff801`2d40512f : ffffe000`fb3fb720 ffffd000`22d543f0 ffffe000`fe5f8a30 00000000`001aa000 : DdiMon!DdimonpPostNtQuerySystemInformationHandler+0x55 [c:\users\user\desktop\b\ddimon\ddimon\ddi_mon.cpp @ 570]
ffffe001`000abca0 fffff801`2d40364e : ffffe001`000abf10 00000000`80000603 ffffe001`000abf10 fffff801`2d40252c : DdiMon!SbpHandleBreakpoint+0x157 [c:\users\user\desktop\b\ddimon\ddimon\shadow_bp.cpp @ 232]
ffffe001`000abe40 fffff801`2d403e58 : ffffe001`000abf10 ffffd000`22d54470 00000000`00000002 fffff801`2d40252c : DdiMon!VmmpHandleException+0x19a [c:\users\user\desktop\b\ddimon\hyperplatform\hyperplatform\vmm.cpp @ 375]
ffffe001`000abea0 fffff801`2d402cdf : 00000000`00000000 ffffd000`22d543f0 ffffd000`22d54470 00000000`00000002 : DdiMon!VmmpHandleVmExit+0xf8 [c:\users\user\desktop\b\ddimon\hyperplatform\hyperplatform\vmm.cpp @ 225]
ffffe001`000abef0 fffff801`2d401345 : ffffe000`fe792080 00000000`00000000 00000000`00000000 00000000`00000000 : DdiMon!VmmVmExitHandler+0x73 [c:\users\user\desktop\b\ddimon\hyperplatform\hyperplatform\vmm.cpp @ 186]
ffffe001`000abf50 ffffe000`fe792080 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffd000`22d546f8 : DdiMon!AsmVmmEntryPoint+0x25 [C:\Users\user\Desktop\b\DdiMon\HyperPlatform\HyperPlatform\Arch\x64\x64.asm @ 147]
ffffe001`000abf58 00000000`00000000 : 00000000`00000000 00000000`00000000 ffffd000`22d546f8 00000000`00000000 : 0xffffe000`fe792080


STACK_COMMAND:  kb

THREAD_SHA1_HASH_MOD_FUNC:  a13bb464cc91134233d42cbdcfc911eab41edb76

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  994b36c9b884fcd36245d5c70b24711b26ec8878

THREAD_SHA1_HASH_MOD:  1526857b180b8f4f0777031e8d38f8c68c26ed47

FOLLOWUP_IP: 
DdiMon!DdimonpPostNtQuerySystemInformationHandler+55 [c:\users\user\desktop\b\ddimon\ddimon\ddi_mon.cpp @ 570]
fffff801`2d4043e1 833b00          cmp     dword ptr [rbx],0

FAULT_INSTR_CODE:  75003b83

FAULTING_SOURCE_LINE:  c:\users\user\desktop\b\ddimon\ddimon\ddi_mon.cpp

FAULTING_SOURCE_FILE:  c:\users\user\desktop\b\ddimon\ddimon\ddi_mon.cpp

FAULTING_SOURCE_LINE_NUMBER:  570

FAULTING_SOURCE_CODE:  
   566:     return;
   567:   }
   568: 
   569:   auto next = reinterpret_cast<SystemProcessInformation*>(info.parameters[1]);
>  570:   while (next->next_entry_offset) {
   571:     auto curr = next;
   572:     next = reinterpret_cast<SystemProcessInformation*>(
   573:         reinterpret_cast<UCHAR*>(curr) + curr->next_entry_offset);
   574: 
   575:     // Occasionally, curr->next_entry_offset has a large value which makes next


SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  DdiMon!DdimonpPostNtQuerySystemInformationHandler+55

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: DdiMon

IMAGE_NAME:  DdiMon.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  56f6bca3

BUCKET_ID_FUNC_OFFSET:  55

FAILURE_BUCKET_ID:  AV_STACKPTR_ERROR_DdiMon!DdimonpPostNtQuerySystemInformationHandler

BUCKET_ID:  AV_STACKPTR_ERROR_DdiMon!DdimonpPostNtQuerySystemInformationHandler

PRIMARY_PROBLEM_CLASS:  AV_STACKPTR_ERROR_DdiMon!DdimonpPostNtQuerySystemInformationHandler

TARGET_TIME:  2016-03-26T16:48:06.000Z

OSBUILD:  10586

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  2016-02-23 21:48:00

BUILDDATESTAMP_STR:  160223-1728

BUILDLAB_STR:  th2_release_sec

BUILDOSVER_STR:  10.0.10586.162.amd64fre.th2_release_sec.160223-1728

ANALYSIS_SESSION_ELAPSED_TIME: 124b

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:av_stackptr_error_ddimon!ddimonppostntquerysysteminformationhandler

FAILURE_ID_HASH:  {95807f3a-5768-f194-f150-fd491b46d820}

Followup:     MachineOwner
---------

Hey,

I've been going through the project since i'm learning about vmx and how to use it (as well as EPT)
and I saw the technique you used in order to make sure patch guard won't bsod the pc when he find the hooks.

However since I saw that ept rule is to act similar to page table just with vmm I was wondering if the protection was working on passing patch guard because it's accessing the virtual addresses of the functions.

Is this mean that if patch guard would do a direct access to the physical memory than it will see the hooks right?

I'm trying to think if there is a way to block another kernel code from messing with the pages, so for example if another kernel driver will scan our driver and find the addresses is that mean he can direct access the memory and find the hooks? is there a way to block this kind of behavior?

Thank you for your help!

Hello Tandasat,
After the recent windows update I am having issues with loading my hypervisor. Every time I start the hypervisor's service I get a manually initiated crash, something that I haven't had problems with before.
After some investigating with Windbg, I found that the BSOD was caused by an unexpected Vm-Exit in VmmpHandleUnexpectedExit() during VmInitialization.

Have you been having the same sorts of issues?

As demonstrated in the below link, Capstone now supports Windows drivers without adding any hack.
https://github.com/aquynh/capstone/tree/master/contrib/cs_driver

Apply this update to the project to clean-up project settings.

I am very interested in cheating and anti cheating technology, and I noticed that FU_ Hypervisor, but this project is no longer maintained, but I am very interested in this project. Do you plan to continue maintenance

DPC_WATCHDOG_VIOLATION ISSUE
i Intel core i7 6700HQ supporting VT-x and EPT with driver signed but still bsod with DPC_WATCHDOG_VIOLATION ..how can i fix this?

Porting changes made in HyperPlatofm would be easier if submodules are used instead of copying files. Do so if appropriate.

2>shadow_hook.obj : error LNK2019: Unresolved external symbol _invoke_watson，Function "protected: virtual void __cdecl stdext::bad_alloc::_Doraise(void)const " (?_Doraise@bad_alloc@stdext@@MEBAXXZ)

2>shadow_hook.obj : error LNK2001: Unresolved external symbol "void (__cdecl* std::_Raise_handler)(class stdext::exception const &)" (?_Raise_handler@std@@3P6AXAEBVexception@stdext@@@ZEA)

hi, I got some problems in the ShpSetupInlineHook->ShpGetInstructionSize()
when i try hook ssdt function its aways return 0, so i change it :
ShpSetupInlineHook:

  /*
  const auto patch_size = ShpGetInstructionSize(patch_address);
  if (!patch_size) {
    return false;
  }*/
  ULONG patch_size;
  if (FindCodeLenght(patch_address, &patch_size) == FALSE)
  {
	  return false;
  }

copy from other project (svm ver Ddimon)

BOOLEAN
FindCodeLenght(
	_In_ PVOID HookAddress,
	_Out_ PULONG InstructionLength
)
{
	BOOLEAN ok;
	typedef struct _BYTE_PATTERN
	{
		ULONG InsructionLength;
		ULONG MatchLength;
		UCHAR Bytes[15];
	} BYTE_PATTERN, * PBYTE_PATTERN;
	static const BYTE_PATTERN knownPatterns[] =
	{
		{   // push    rbx
			2, 2, { 0x40, 0x53, },
		},
		{   // push    rbp
			2, 2, { 0x40, 0x55, },
		},
		{   // push    rdi
			2, 2, { 0x40, 0x57, },
		},
		{   // sub     rsp, Imm
			4, 3, { 0x48, 0x83, 0xEC, /*Imm*/ },
		},
		{   // mov     [rsp - 8 + arg_8], rdx
			5, 5, { 0x48, 0x89, 0x54, 0x24, 0x10, },
		},
		{   // mov     [rsp + Offset], rbx
			5, 4, { 0x48, 0x89, 0x5c, 0x24, /*Offset*/ },
		},
		{   // mov     rax, rsp
			3, 3, { 0x48, 0x8B, 0xC4, },
		},
		{   // xor     edx, edx
			2, 2, { 0x33, 0xD2, },
		},
		{   // a little change for hook NtGetContextThread
			2, 2, { 0x4c, 0x8b, },
		},
	};

	*InstructionLength = 0;

	ok = FALSE;
	for (auto& pattern : knownPatterns)
	{
		if (RtlEqualMemory(HookAddress, pattern.Bytes, pattern.MatchLength) != FALSE)
		{
			*InstructionLength = pattern.InsructionLength;
			ok = TRUE;
			goto Exit;
		}
	}

Exit:
	return ok;
}

hope can help people with the same problems

hey @tandasat amazing job dude, I love your codes!

I am trying to know if ddimon can be used to detect execution inside some memory range, or can be used only as inline hooking?

It puts the whole OS in supervised mode? Is possible to run it inside virtualbox?

• windows7

Windows 7 Kernel Version 7600 MP (1 procs) Free x64
Built by: 7600.16385.amd64fre.win7_rtm.090713-1255

• VM

VMware® Workstation 15 
15.5.0 build-14665864

• ddimon

the last versions
git clone --recursive https://github.com/tandasat/DdiMon.git

Reproduce

1. DrvLoader DdiMon.sys
2. Wait 10 - 15 minutes after installed driver

it doesn't BSOD when I use windbg to attach

bin files:

https://drive.google.com/file/d/1x6luZ4Vx1iSO3A5OuD8fUv4n79GCgmsz/view?usp=sharing

1 or 2 cores is OK, 100% cpu workload in 4 cores, Don't known what happened!

2 two-cores cpu or 4 one-core cpu have same result!

According to this tutorial https://rayanfam.com/topics/hypervisor-from-scratch-part-8/

Scroll to "An Important Note When Modifying EPT Entries"

One interesting thing that I encountered during the test of my driver on the multi-core system was the fact that EPT entries should be modified in one instruction.

For example, if you change the access bits of an EPT entry, bit by bit, then you probably get the error (EPT Misconfiguration) that one access bits changed and before the next access bit applies another core tries to access page table and it sometimes leads to an EPT Misconfiguration and sometimes you might not get the desired behavior.

so good thing to change that.

I had a question about EPT exits. Does anyone know why something would be reading the page of a hooked kernel function multiple times? I'd assume maybe patchguard but seems way too frequent. Wouldn't it just need to execute it since its function code? Also why would it read it back to back after I already set the page, example

ept violation address:0000000002805000, type:read/write 
ept violation address:0000000002805000, type:read/write 
ept violation address:0000000002805350, type:exec 

shouldn't after the first read/write it should only trigger a EPT exit if something tries to exec(since the page is already set from first read/write)?

Hey,

I've looked into the project and seen something interested, I saw you used std::vector (specifically in shadow_hook.cpp in SharedShadowHookData struct to keep all the hooks and later to iterate over them)

And I was interested since I remembered that c++ STL and kernel doesn't go very well,
I tried to create a new file in the ddimon project and use std::vector but in compile time I got errors about using c++ exceptions in kernel (with /kernel flag).

Couldn't found any difference between my file to the existing one in the project (no file properties difference from what I saw).

So I was wondered how did you able to use std::vector in the kernel and without the compiler throw errors.

Thanks for the help,
Mor.

Hi tandasat,

I was hoping you could give some advice on how to defeat rdtsc checks that anti-cheat and malware software do to detect the hypervisor.

Here's some examples

  // CALCULATE CYCLES FOR 1000MS
    const auto timestamp_calibrator = __rdtsc();
    Sleep(1000);
    const auto timestamp_calibration = __rdtsc() - timestamp_calibrator;

    // TIME CPUID
    auto total_time = 0;
    for (std::size_t count = 0; count < 0x6694; count++)
    {
        // SAVE PRE CPUID TIME
        const auto timestamp_pre = __rdtsc();
 
        std::uint32_t cpuid_data[4] = {};
        __cpuid(cpuid_data, 0);
 
        // SAVE THE DELTA
        total_time += __rdtsc() - timestamp_pre;
    }

the author of the blog said possible counters are

There are a few issues with this detection method. The first being that it’s susceptible to time-forging, which is typically done one of two ways: TSC offsetting in the VMCS, or decreasing the TSC every time CPUID is executed. There are many more ways to beat time based attacks, but the latter is much simpler to implement as you can ensure that instruction execution times are within one or two clock ticks of real hardware execution.

I've been researching and testing but haven't managed to figure out how to implement either of these counters. I see in hyperplatform there's

vm_procctl_requested.fields.rdtsc_exiting

which i've used and

vm_procctl_requested.fields.use_tsc_offseting
vm_procctl2_requested.fields.use_tsc_scaling

and the description of these is

unsigned UseTscOffseting :1; // bit3 This control determines whether executions of RDTSC, RDTSP, RDMSR(IA32_TIME_STAMP_COUNTER), return a value modified by the TSC offset field

but i'm not sure to utilize this to get close to real hardware timing inside of RDTSC vm exit or otherwise.

Hello, author, there are methods missing in the shadow_hook.cpp file of your project, including: KShEnablePageShadowing{Line 209} and kShDisablePageShadowing{Line 221}, which were reported in #14, are currently identified as missing methods from HyperPlatform/util.h, It is presumed that the HyperPlatform version is updated. Here are the details:

About the code definition here (in HyperPlatform/utils.h):

Thank you for your dedication to Intel VT EPT hook technology. This project provides me with very valuable technical support for understanding and using this technology. I look forward to and pay attention to the repair progress of this problem, and I will complete my master's graduation project on this basis. I look forward to your repair or alternative opinions.

BSOD code

sgdt [rcx]

windbg----------------------------------------------------
PROCESS_NAME: Notepad2.exe

TRAP_FRAME: ffff9f040f207c70 -- (.trap 0xffff9f040f207c70)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000033 rbx=0000000000000000 rcx=0000000000000006
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80123823ccb rsp=ffff9f040f207e00 rbp=0000000000000000
r8=ffff9f040f207fe0 r9=0000000000000802 r10=0000000000000000
r11=ffff78fb67e00000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di pl nz na pe nc
DdiMon+0x3ccb:
fffff80123823ccb 66891f mov word ptr [rdi],bx ds:0000000000000000=????
Resetting default scope

BAD_STACK_POINTER: ffff9f040f207b28

STACK_TEXT:
ffff9f040f207b28 fffff801189ce569 : 000000000000000a 000001e21abb0000 00000000000000ff 0000000000000000 : nt!KeBugCheckEx
ffff9f040f207b30 fffff801189ca8a5 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69
ffff9f040f207c70 fffff80123823ccb : 0000000000000000 0000000000000033 ffff9f040f207eb0 ffff9f0407361000 : nt!KiPageFault+0x465
ffff9f040f207e00 0000000000000000 : 0000000000000033 ffff9f040f207eb0 ffff9f0407361000 0000000242e89222 : DdiMon+0x3ccb

SYMBOL_NAME: DdiMon+3ccb

MODULE_NAME: DdiMon

IDA pro DdiMon+3ccb
v21 = UtilVmRead(kGuestGdtrBase);
v22 = UtilVmRead(kGuestGdtrLimit);
v23 = (*(_QWORD *)(v21 + 8 * ((unsigned __int64)(unsigned __int16)UtilVmRead(kGuestCsSelector) >> 3)) >> 53) & 1i64;
*(_WORD *)v11 = v22; // BSOD
if ( v23 )
*(_QWORD *)(v11 + 2) = v21;
else
*(_DWORD *)(v11 + 2) = v21;
goto LABEL_44;

vmm.cpp
// 64bit
descriptor_table_reg->base = gdt_base; //BSOD
descriptor_table_reg->limit = gdt_limit;

Hello, hypervisor dones't hook some exported functions for example NTQUERYVIRTUALMEMORY, NTREADVIRTUALMEMORY and so on how i can solve? other exported functions hooks well.

Hi,

Although DdiMon works perfectly well nested in VmWare it bugcheck systematically while running inside KVM.

Logs shows that hypervisor was succefully loaded and i confirmed that the hook functions are getting called as well.
It takes a couple of secondes to bugcheck between 5 and 20 depending of the VM activity.

i can repro on the same VM used in VmWare (Windows 7 SP1 x64 with 2 processors)

bugcheck shows :

EXCEPTION_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION}  Illegal Instruction  An attempt was made to execute an illegal instruction.

FAULTING_IP: 
+0

fffffa80`00c3f000 0f01c1          vmcall

Below is the extract of the log and the !analyze results.
I can provide the dump if needed.

13:44:57.014	DBG	#1	    4	 2472	System         	Log thread started (TID= 00000000000009A8).
13:44:57.124	INF	#0	    4	   44	System         	Log has been initialized.
13:44:57.124	DBG	#0	    4	   44	System         	Info= FFFFF88004CE4410, Buffer= FFFFFA8000E2C000 FFFFFA8000E3C000, File= \SystemRoot\DdiMon.log
13:44:57.124	DBG	#0	    4	   44	System         	PXE at fffff6fb7dbed000, PPE at fffff6fb7da00000, PDE at fffff6fb40000000, PTE at fffff68000000000
13:44:57.124	DBG	#0	    4	   44	System         	Physical Memory Range: 0000000000001000 - 000000000009f000
13:44:57.124	DBG	#0	    4	   44	System         	Physical Memory Range: 0000000000100000 - 000000003ffde000
13:44:57.124	DBG	#0	    4	   44	System         	Physical Memory Total: 1048048 KB
13:44:57.139	DBG	#0	    4	   44	System         	shared_data           = FFFFFA8002684070
13:44:57.170	DBG	#0	    4	   44	System         	MTRR Default=6, VariableCount=8, FixedSupported=1, FixedEnabled=1
13:44:57.170	INF	#0	    4	   44	System         	Initializing VMX for the processor 0.
13:44:57.514	DBG	#0	    4	   44	System         	vmm_stack_limit       = FFFFFA800107A000
13:44:57.514	DBG	#0	    4	   44	System         	vmm_stack_region_base = fffffa8001080000
13:44:57.514	DBG	#0	    4	   44	System         	vmm_stack_data        = fffffa800107fff8
13:44:57.530	DBG	#0	    4	   44	System         	vmm_stack_base        = fffffa800107fff0
13:44:57.530	DBG	#0	    4	   44	System         	processor_data        = FFFFFA80029F5210 stored at fffffa800107fff8
13:44:57.530	DBG	#0	    4	   44	System         	guest_stack_pointer   = fffff88002ffa660
13:44:57.530	DBG	#0	    4	   44	System         	guest_inst_pointer    = fffff88004c123a7
13:44:57.530	DBG	#0	    4	   44	System         	IA32_VMX_CR0_FIXED0   = 80000021
13:44:57.530	DBG	#0	    4	   44	System         	IA32_VMX_CR0_FIXED1   = ffffffff
13:44:57.530	DBG	#0	    4	   44	System         	Original CR0          = 80050031
13:44:57.530	DBG	#0	    4	   44	System         	Fixed CR0             = 80050031
13:44:57.530	DBG	#0	    4	   44	System         	IA32_VMX_CR4_FIXED0   = 00002000
13:44:57.530	DBG	#0	    4	   44	System         	IA32_VMX_CR4_FIXED1   = 003727ff
13:44:57.530	DBG	#0	    4	   44	System         	Original CR4          = 000406f8
13:44:57.530	DBG	#0	    4	   44	System         	Fixed CR4             = 000426f8
13:44:57.530	DBG	#0	    4	   44	System         	VmEntryControls                  = 000013ff
13:44:57.530	DBG	#0	    4	   44	System         	VmExitControls                   = 0003effb
13:44:57.530	DBG	#0	    4	   44	System         	PinBasedControls                 = 00000016
13:44:57.530	DBG	#0	    4	   44	System         	ProcessorBasedControls           = 9680e172
13:44:57.545	DBG	#0	    4	   44	System         	SecondaryProcessorBasedControls  = 0010102e
13:44:57.545	DBG	#0	    4	   44	System         	Context at FFFFF88004C123F8: rax= 0000000000000000 rbx= 0000000000000000 rcx= fffff88004cf2710 rdx= fffffa8002684070 rsi= fffffa8000dfe000 rdi= fffff88002ffa798 rsp= fffff88002ffa6e0 rbp= 0000000000000000  r8= 0000000000000065  r9= 0000000000000000 r10= 0000000000000000 r11= fffff88002ff9e60 r12= 0000000000000001 r13= ffffffff80000938 r14= fffffa80029bc780 r15= 000000000000001c efl= 00000282
13:44:57.545	INF	#0	    4	   44	System         	Initialized successfully.
13:44:57.545	INF	#1	    4	   44	System         	Initializing VMX for the processor 1.
13:44:57.889	DBG	#1	    4	   44	System         	vmm_stack_limit       = FFFFFA80012BB000
13:44:57.889	DBG	#1	    4	   44	System         	vmm_stack_region_base = fffffa80012c1000
13:44:57.889	DBG	#1	    4	   44	System         	vmm_stack_data        = fffffa80012c0ff8
13:44:57.889	DBG	#1	    4	   44	System         	vmm_stack_base        = fffffa80012c0ff0
13:44:57.889	DBG	#1	    4	   44	System         	processor_data        = FFFFFA80029F9210 stored at fffffa80012c0ff8
13:44:57.889	DBG	#1	    4	   44	System         	guest_stack_pointer   = fffff88002ffa660
13:44:57.889	DBG	#1	    4	   44	System         	guest_inst_pointer    = fffff88004c123a7
13:44:57.889	DBG	#1	    4	   44	System         	IA32_VMX_CR0_FIXED0   = 80000021
13:44:57.889	DBG	#1	    4	   44	System         	IA32_VMX_CR0_FIXED1   = ffffffff
13:44:57.905	DBG	#1	    4	   44	System         	Original CR0          = 80050031
13:44:57.905	DBG	#1	    4	   44	System         	Fixed CR0             = 80050031
13:44:57.905	DBG	#1	    4	   44	System         	IA32_VMX_CR4_FIXED0   = 00002000
13:44:57.905	DBG	#1	    4	   44	System         	IA32_VMX_CR4_FIXED1   = 003727ff
13:44:57.905	DBG	#1	    4	   44	System         	Original CR4          = 000406f8
13:44:57.905	DBG	#1	    4	   44	System         	Fixed CR4             = 000426f8
13:44:57.905	DBG	#1	    4	   44	System         	VmEntryControls                  = 000013ff
13:44:57.905	DBG	#1	    4	   44	System         	VmExitControls                   = 0003effb
13:44:57.905	DBG	#1	    4	   44	System         	PinBasedControls                 = 00000016
13:44:57.905	DBG	#1	    4	   44	System         	ProcessorBasedControls           = 9680e172
13:44:57.905	DBG	#1	    4	   44	System         	SecondaryProcessorBasedControls  = 0010102e
13:44:57.905	DBG	#1	    4	   44	System         	Context at FFFFF88004C123F8: rax= 0000000000000000 rbx= 0000000000000000 rcx= fffff88004cf2710 rdx= fffffa8002684070 rsi= fffffa8000dfe000 rdi= fffff88002ffa798 rsp= fffff88002ffa6e0 rbp= 0000000000000000  r8= 0000000000000065  r9= 0000000000000000 r10= 0000000000000000 r11= fffff88002ff9e60 r12= 0000000000000001 r13= ffffffff80000938 r14= fffffa80029bc780 r15= 000000000000001c efl= 00000282
13:44:57.905	INF	#1	    4	   44	System         	Initialized successfully.
13:44:57.905	DBG	#1	    4	   44	System         	Patch = FFFFF800029BA0E0, Exec = FFFFFA80012C40E0, RW = FFFFFA80012C30E0, Trampoline = FFFFFA80029ED480
13:44:57.920	INF	#1	    4	   44	System         	Hook has been installed at fffff800029ba0e0 ExAllocatePoolWithTag.
13:44:57.920	DBG	#0	    4	   44	System         	Patch = FFFFF800029BA0D0, Exec = FFFFFA80012C40D0, RW = FFFFFA80012C30D0, Trampoline = FFFFFA8002803D00
13:44:57.920	INF	#0	    4	   44	System         	Hook has been installed at fffff800029ba0d0 ExFreePool.
13:44:57.920	DBG	#0	    4	   44	System         	Patch = FFFFF800029BAD90, Exec = FFFFFA80012C4D90, RW = FFFFFA80012C3D90, Trampoline = FFFFFA8001D72930
13:44:57.920	INF	#0	    4	   44	System         	Hook has been installed at fffff800029bad90 ExFreePoolWithTag.
13:44:57.920	DBG	#0	    4	   44	System         	Patch = FFFFF8000289BC10, Exec = FFFFFA80012C6C10, RW = FFFFFA80012C5C10, Trampoline = FFFFFA8002380EC0
13:44:57.920	INF	#0	    4	   44	System         	Hook has been installed at fffff8000289bc10 ExQueueWorkItem.
13:44:57.936	DBG	#0	    4	   44	System         	Patch = FFFFF80002B998FC, Exec = FFFFFA80012C88FC, RW = FFFFFA80012C78FC, Trampoline = FFFFFA8002A479E0
13:44:57.936	INF	#0	    4	   44	System         	Hook has been installed at fffff80002b998fc NtQuerySystemInformation.
13:44:57.952	INF	#1	    4	   44	System         	DdiMon has been initialized.
13:44:57.967	INF	#0	    4	   44	System         	The VMM has been installed.

Bugcheck:

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: c000001d, Exception code that caused the bugcheck
Arg2: 00c3f000, Address of the instruction which caused the bugcheck
Arg3: 04f0a750, Address of the context record for the exception that caused the bugcheck
Arg4: 00000000, zero.

Debugging Details:
------------------


DUMP_CLASS: 1

DUMP_QUALIFIER: 402

BUILD_VERSION_STRING:  7601.17514.amd64fre.win7sp1_rtm.101119-1850

SYSTEM_MANUFACTURER:  QEMU

SYSTEM_PRODUCT_NAME:  Standard PC (i440FX + PIIX, 1996)

SYSTEM_VERSION:  pc-i440fx-bionic

BIOS_VENDOR:  SeaBIOS

BIOS_VERSION:  1.10.2-1ubuntu1

BIOS_DATE:  04/01/2014

DUMP_TYPE:  0

BUGCHECK_P1: c000001d

BUGCHECK_P2: fffffa8000c3f000

BUGCHECK_P3: fffff88004f0a750

BUGCHECK_P4: 0

EXCEPTION_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION}  Illegal Instruction  An attempt was made to execute an illegal instruction.

FAULTING_IP: 
+0
fffffa80`00c3f000 0f01c1          vmcall

CONTEXT:  04f0a750 -- (.cxr 0xfffff88004f0a750)
eax=009ea180 ebx=00000000 ecx=fffff880 edx=04f0b248 esi=00000001 edi=fffff880
eip=00000000 esp=00000000 ebp=fffff880 iopl=0         nv up di pl nz na po cy
cs=0000  ss=0018  ds=b138  es=0000  fs=2000  gs=0000             efl=00000001
00000000`00000000 ??              ???
Resetting default scope

CPU_COUNT: 2

CPU_MHZ: a81

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 5e

CPU_STEPPING: 3

CPU_MICROCODE: 6,5e,3,0 (F,M,S,R)  SIG: 1'00000000 (cache) 1'00000000 (init)

BUGCHECK_STR:  0x3B

PROCESS_NAME:  conhost.exe

CURRENT_IRQL:  c

ANALYSIS_SESSION_HOST:  DESKTOP-B7SL839

ANALYSIS_SESSION_TIME:  07-27-2018 13:54:17.0368

ANALYSIS_VERSION: 10.0.14321.1024 amd64fre

IP_IN_FREE_BLOCK: 0

BAD_STACK_POINTER:  00000000

LAST_CONTROL_TRANSFER:  from 00000000 to 00000000

STACK_TEXT:  
00000000 00000000 00000000 00000000 00000000 0x0


STACK_COMMAND:  kb

SYMBOL_NAME:  ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME:  Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP:  0

BUCKET_ID:  INVALID_KERNEL_CONTEXT_0x3B

DEFAULT_BUCKET_ID:  INVALID_KERNEL_CONTEXT_0x3B

PRIMARY_PROBLEM_CLASS:  INVALID_KERNEL_CONTEXT

FAILURE_BUCKET_ID:  INVALID_KERNEL_CONTEXT_0x3B

TARGET_TIME:  2018-07-27T11:45:07.000Z

OSBUILD:  7601

OSSERVICEPACK:  1000

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 7

OSEDITION:  Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  2010-11-20 10:30:02

BUILDDATESTAMP_STR:  101119-1850

BUILDLAB_STR:  win7sp1_rtm

BUILDOSVER_STR:  6.1.7601.17514.amd64fre.win7sp1_rtm.101119-1850

ANALYSIS_SESSION_ELAPSED_TIME: 40b

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:invalid_kernel_context_0x3b

FAILURE_ID_HASH:  {47d39f4d-e8b2-9190-8f3e-f596bd729a8d}

hello sir satothi!

I am trying to figure out a way to detect (both AMD and INTEL) if VTx are enabled, can you help me with this?

why
HypercallNumber::kShEnablePageShadowing and
HypercallNumber::kShDisablePageShadowing
are missing?

I'm dealing with a similar issue to this thread #26

as in security software is freezing my system on load and eventually issuing a DPC_WATCHDOG_VIOLATION. I applied all the changes from that thread but nothing is helping. I have confirmed the issue only arises when I hook something, otherwise no freeze.

I'm using latest ddimon and here's the memory.dmp
`
DPC_WATCHDOG_VIOLATION (133)
The DPC watchdog detected a prolonged run time at an IRQL of DISPATCH_LEVEL
or above.
Arguments:
Arg1: 0000000000000000, A single DPC or ISR exceeded its time allotment. The offending
component can usually be identified with a stack trace.
Arg2: 0000000000000501, The DPC time count (in ticks).
Arg3: 0000000000000500, The DPC time allotment (in ticks).
Arg4: fffff8045cd73358, cast to nt!DPC_WATCHDOG_GLOBAL_TRIAGE_BLOCK, which contains
additional information regarding this single DPC timeout

Debugging Details:

*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***

*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***

*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***

*** Type referenced: TickPeriods ***

KEY_VALUES_STRING: 1

PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

DUMP_CLASS: 1

DUMP_QUALIFIER: 402

BUILD_VERSION_STRING:

SYSTEM_PRODUCT_NAME: To Be Filled By O.E.M.

SYSTEM_SKU: To Be Filled By O.E.M.

SYSTEM_VERSION: To Be Filled By O.E.M.

BIOS_VENDOR: American Megatrends Inc.

BIOS_VERSION: P3.10

BIOS_DATE: 07/04/2018

BASEBOARD_MANUFACTURER:

BASEBOARD_PRODUCT:

BASEBOARD_VERSION:

DUMP_TYPE: 0

BUGCHECK_P1: 0

BUGCHECK_P2: 501

BUGCHECK_P3: 500

BUGCHECK_P4: fffff8045cd73358

DPC_TIMEOUT_TYPE: SINGLE_DPC_TIMEOUT_EXCEEDED

CPU_COUNT: 6

CPU_MHZ: e10

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 9e

CPU_STEPPING: a

CPU_MICROCODE: 6,9e,a,0 (F,M,S,R) SIG: 96'00000000 (cache) 96'00000000 (init)

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXWINLOGON: 1

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: 0x133

PROCESS_NAME: System

CURRENT_IRQL: d

ANALYSIS_SESSION_HOST:

ANALYSIS_SESSION_TIME: 12-15-2019 22:05:37.0391

ANALYSIS_VERSION: 10.0.18362.1 amd64fre

LAST_CONTROL_TRANSFER: from fffff8045c9ee83d to fffff8045c9c1220

STACK_TEXT:
ffffbc01879bcb08 fffff8045c9ee83d : 0000000000000133 0000000000000000 0000000000000501 0000000000000500 : nt!KeBugCheckEx
ffffbc01879bcb10 fffff8045c81f857 : 0000014240a3c9a1 ffffbc01879c0180 0000000000000286 fffffd0a80837a10 : nt!KeAccumulateTicks+0x1cbe1d
ffffbc01879bcb70 fffff8045d2b91e1 : 0000000000000000 ffffd108652d4400 fffffd0a80837a90 ffffd108652d44b0 : nt!KeClockInterruptNotify+0xc07
ffffbc01879bcf30 fffff8045c8029e5 : ffffd108652d4400 0000000000000000 0000000000000000 ffff1d2c7670378f : hal!HalpTimerClockIpiRoutine+0x21
ffffbc01879bcf60 fffff8045c9c2cba : fffffd0a80837a90 ffffd108652d4400 000000000000fffe ffffd108652d4400 : nt!KiCallInterruptServiceRoutine+0xa5
ffffbc01879bcfb0 fffff8045c9c3227 : ffffbc0188259ef0 ffffbc0188259ef0 000000000000002a 0000000000000000 : nt!KiInterruptSubDispatchNoLockNoEtw+0xfa
fffffd0a80837a10 fffff8045c81b9eb : ffffffffffffffd2 fffff8045cdab573 0000000000000010 0000000000000286 : nt!KiInterruptDispatchNoLockNoEtw+0x37
fffffd0a80837ba0 fffff8045cdab585 : ffffd108654fdfa0 ffffd108653f7840 0000000000000010 ffffd108654fd000 : nt!KeYieldProcessorEx+0x1b
fffffd0a80837bd0 fffff8045cdaa6e5 : 000000001eb9414f ffffbc01879c0180 ffffd10879a92a90 fffffd0a80837c90 : nt!IopLiveDumpProcessCorralStateChange+0x2d
fffffd0a80837c00 fffff8045c86ae85 : ffffbc01879c2f80 ffffd108653f6000 ffffd108673cf260 ffffbc0100000002 : nt!IopLiveDumpCorralDpc+0x55
fffffd0a80837c40 fffff8045c86a4df : ffffbc01879c0180 0000000000000000 0000000000000002 0000000000000004 : nt!KiExecuteAllDpcs+0x305
fffffd0a80837d80 fffff8045c9c8265 : 0c45b60f450d55b6 ffffbc01879c0180 0000000000000000 00000000c0000002 : nt!KiRetireDpcList+0x1ef
fffffd0a80837fb0 fffff8045c9c8050 : 0000000000000000 ffffd108672171e0 0000000000000000 fffff8045cc68c80 : nt!KxRetireDpcList+0x5
fffffd0a87966b20 fffff8045c9c7720 : 0000000000000000 fffffd0a87966bd0 ffffd108652d4400 0000000000000000 : nt!KiDispatchInterruptContinue
fffffd0a87966b50 fffff8045c901064 : ffffd108766c3550 fffff8045e4cc089 ffffa98c2f402a80 fffff8045c8c2cfc : nt!KiDpcInterrupt+0x2f0
fffffd0a87966ce0 fffff8045c8c12ae : fffff8045cc68c80 0000000000000002 ffffbc0187dc7180 0000000000001000 : nt!ExpWaitForSpinLockSharedAndAcquire+0x64
fffffd0a87966d20 fffff8045c855d97 : fffff8045cc68bc0 ffff9bfc02391008 ffffd108766c3601 fffff8045cc68bc0 : nt!MiLockWorkingSetShared+0xee
fffffd0a87966d50 fffff8045ced3bb5 : fffff804722000e0 fffff804722000e0 000000000000000c 0000000000000fff : nt!MiLockCode+0x147
fffffd0a87966ef0 fffff8047220614c : ffffd108766c3550 fffffd0a879670e0 ffffd108673afa40 ffffd108673afa40 : nt!MmResetDriverPaging+0xa5
fffffd0a87966f20 fffff80472206037 : 00000000656c6946 fffff8045cb6f06d fffffd0a879670e0 0000000000000000 : Msfs!MsCommonCreate+0xdc
fffffd0a87966ff0 fffff8045c831f39 : ffffd10865fe3010 ffffd108766c3550 0000000000000000 0000000000000000 : Msfs!MsFsdCreate+0x27
fffffd0a87967020 fffff8045e4fce8c : 0000000000000010 0000000000000000 0000000000000000 0000000000000000 : nt!IofCallDriver+0x59
fffffd0a87967060 fffff8045c831f39 : ffffd1087d5a8100 fffff8045cde590c 0000000000000000 0000000000000030 : FLTMGR!FltpCreate+0x46c
fffffd0a87967110 fffff8045c830fe4 : 0000000000000000 0000000000000000 ffffd108766c36f8 fffff8045c8317a3 : nt!IofCallDriver+0x59
fffffd0a87967150 fffff8045cde5ffb : fffffd0a87967410 fffff8045cde590c fffffd0a87967380 ffffd1087aa4a4e0 : nt!IoCallDriverWithTracing+0x34
fffffd0a879671a0 fffff8045cdecfcf : ffffd108673af8f0 ffffd108673af80c ffffd10877eaf7e0 ffffa98c2fa04000 : nt!IopParseDevice+0x62b
fffffd0a87967310 fffff8045cdeb431 : ffffd10877eaf700 fffffd0a87967558 0000000000000240 ffffd108652f7380 : nt!ObpLookupObjectName+0x78f
fffffd0a879674d0 fffff8045ce30300 : ffffd10800000001 fffffd0a87967998 0000000000000000 ffffbc0187dc7180 : nt!ObOpenObjectByNameEx+0x201
fffffd0a87967610 fffff8045ce2fa38 : fffffd0a879679e0 0000000000000080 fffffd0a87967998 fffffd0a87967988 : nt!IopCreateFile+0x820
fffffd0a879676b0 fffff8045c9d2b15 : ffffd108766c3550 0000000000000002 0000000000000170 0000000000000001 : nt!NtOpenFile+0x58
fffffd0a87967740 fffff8045c9c5060 : fffff8045ce447c4 0000000000000000 0000000000000000 0000000000040282 : nt!KiSystemServiceCopyEnd+0x25
fffffd0a87967948 fffff8045ce447c4 : 0000000000000000 0000000000000000 0000000000040282 fffff8045c869d59 : nt!KiServiceLinkage
fffffd0a87967950 fffff8045e503b6c : 0000000000000000 0000000000000000 0000000000000030 fffff8045e4ea800 : nt!IoGetDeviceObjectPointer+0x94
fffffd0a879679e0 fffff8045c8bd465 : ffffd108652a0500 ffffd10878185040 fffff8045e503aa0 ffffd108652a0500 : FLTMGR!FltpManualDeviceAttachWorker+0xcc
fffffd0a87967a70 fffff8045c92a725 : ffffd10878185040 0000000000000080 ffffd10865294380 000024efbd9bbfff : nt!ExpWorkerThread+0x105
fffffd0a87967b10 fffff8045c9c886a : ffffbc0187e79180 ffffd10878185040 fffff8045c92a6d0 0000000000000000 : nt!PspSystemThreadStartup+0x55
fffffd0a87967b60 0000000000000000 : fffffd0a87968000 fffffd0a87961000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x2a

THREAD_SHA1_HASH_MOD_FUNC: 20df6024a5c03bdd36d1680f5e2bf77cf839246c

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 34208103f2bc76fcde0bfeae8b7994e947ea59f9

THREAD_SHA1_HASH_MOD: 927a0c775c0b5510d0e1cbb5ae141a64633523eb

FOLLOWUP_IP:
Msfs!MsCommonCreate+dc
fffff804`7220614c 33d2 xor edx,edx

FAULT_INSTR_CODE: 8d48d233

SYMBOL_STACK_INDEX: 13

SYMBOL_NAME: Msfs!MsCommonCreate+dc

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Msfs

IMAGE_NAME: Msfs.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 0

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: dc

FAILURE_BUCKET_ID: 0x133_DPC_Msfs!MsCommonCreate

BUCKET_ID: 0x133_DPC_Msfs!MsCommonCreate

PRIMARY_PROBLEM_CLASS: 0x133_DPC_Msfs!MsCommonCreate

TARGET_TIME: 2019-12-14T05:09:53.000Z

OSBUILD: 18362

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: unknown_date

BUILDDATESTAMP_STR: 190318-1202

BUILDLAB_STR: 19h1_release

BUILDOSVER_STR: 10.0.18362.1.amd64fre.19h1_release.190318-1202

ANALYSIS_SESSION_ELAPSED_TIME: 19b1

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x133_dpc_msfs!mscommoncreate

FAILURE_ID_HASH: {349b4bae-9c52-cd03-915a-31077bf2ad14}

Followup: MachineOwner

`

I been at this a few days so any help would be great

Use GVA in ShHandleEptViolation to find hookinfo, which should actually be found using GPA. For example, if you use the function of mdl to remap VA in the guest, you will not get the correct processing here.

const auto info = ShpFindPatchInfoByPage(shared_sh_data, fault_va); if (!info) { return; }

In the function VmmpRestoreExtendedProcessorState, is _fxsave correct? Should it be _fxrstor?

@tandasat this article https://secret.club/2020/04/13/how-anti-cheats-detect-system-emulation.html has a lot of detection vectors. I've managed to counter a good majority of them ( I think) thanks to his information, but i'm not sure how to handle the INVD/WBINVD one and was hoping you'd give some tips.

for the XSETBV one, here's definitions he uses that I managed to find different places online (took awhile)

`#define X86_XCR0_FP_POS 0
#define X86_XCR0_FP (1ULL << X86_XCR0_FP_POS)
#define X86_XCR0_SSE_POS 1
#define X86_XCR0_SSE (1ULL << X86_XCR0_SSE_POS)
#define X86_XCR0_YMM_POS 2
#define X86_XCR0_YMM (1ULL << X86_XCR0_YMM_POS)
#define X86_XCR0_BNDREGS_POS 3
#define X86_XCR0_BNDREGS (1ULL << X86_XCR0_BNDREGS_POS)
#define X86_XCR0_BNDCSR_POS 4
#define X86_XCR0_BNDCSR (1ULL << X86_XCR0_BNDCSR_POS)
#define X86_XCR0_OPMASK_POS 5
#define X86_XCR0_OPMASK (1ULL << X86_XCR0_OPMASK_POS)
#define X86_XCR0_ZMM_POS 6
#define X86_XCR0_ZMM (1ULL << X86_XCR0_ZMM_POS)
#define X86_XCR0_HI_ZMM_POS 7
#define X86_XCR0_HI_ZMM (1ULL << X86_XCR0_HI_ZMM_POS)
#define X86_XCR0_PKRU_POS 9
#define X86_XCR0_PKRU (1ULL << X86_XCR0_PKRU_POS)
#define X86_XCR0_LWP_POS 62
#define X86_XCR0_LWP (1ULL << X86_XCR0_LWP_POS)

#define X86_XSTATE_X87 (1ULL << 0)
#define X86_XSTATE_SSE (1ULL << 1)
#define X86_XSTATE_AVX (1ULL << 2)
#define X86_XSTATE_BNDREGS (1ULL << 3)
#define X86_XSTATE_BNDCFG (1ULL << 4)
#define X86_XSTATE_MPX (X86_XSTATE_BNDREGS | X86_XSTATE_BNDCFG)

/* AVX 512 adds three feature bits. All three must be enabled. */
#define X86_XSTATE_K (1ULL << 5)
#define X86_XSTATE_ZMM_H (1ULL << 6)
#define X86_XSTATE_ZMM (1ULL << 7)
#define X86_XSTATE_AVX512 (X86_XSTATE_K | X86_XSTATE_ZMM_H | X86_XSTATE_ZMM)

#define X86_XSTATE_PKRU (1ULL << 9)

/* Supported mask and size of the extended state. */
#define X86_XSTATE_X87_MASK X86_XSTATE_X87
#define X86_XSTATE_SSE_MASK (X86_XSTATE_X87 | X86_XSTATE_SSE)
#define X86_XSTATE_AVX_MASK (X86_XSTATE_SSE_MASK | X86_XSTATE_AVX)
#define X86_XSTATE_MPX_MASK (X86_XSTATE_SSE_MASK | X86_XSTATE_MPX)
#define X86_XSTATE_AVX_MPX_MASK (X86_XSTATE_AVX_MASK | X86_XSTATE_MPX)
#define X86_XSTATE_AVX_AVX512_MASK (X86_XSTATE_AVX_MASK | X86_XSTATE_AVX512)
#define X86_XSTATE_AVX_MPX_AVX512_PKU_MASK
(X86_XSTATE_AVX_MPX_MASK | X86_XSTATE_AVX512 | X86_XSTATE_PKRU)

#define X86_XSTATE_ALL_MASK (X86_XSTATE_AVX_MPX_AVX512_PKU_MASK)

#define X86_XSTATE_SSE_SIZE 576
#define X86_XSTATE_AVX_SIZE 832
#define X86_XSTATE_BNDREGS_SIZE 1024
#define X86_XSTATE_BNDCFG_SIZE 1088
#define X86_XSTATE_AVX512_SIZE 2688
#define X86_XSTATE_PKRU_SIZE 2696
#define X86_XSTATE_MAX_SIZE 2696

#define XCR_XFEATURE_ENABLED_MASK 0x00000000`

Hello
i have a problem with compiling
on x86 :
a hypervisior feature is not available to the user
on x64:
this driver has been blocked from loading.
why?
could anyone help?

When VM-Exit occured and it hasn't vmresumed, if Thread Dispatching is activiated what should happen?

1. Can threads on none-root CPU be dispatched to the VM-Exited CPU?
   2.On VM-Exited CPU, shouldn't the current thread be dispatched to other non-root CPUs?

Hello, ddimon project wake up the computer BSOD, the reason is.
-#pragma alloc_text(INIT, DdimonInitialization)
+#pragma alloc_text(PAGE, DdimonInitialization)

and

#pragma alloc_text(INIT, ShAllocateShadowHookData)
#pragma alloc_text(INIT, ShAllocateSharedShaowHookData)
#pragma alloc_text(INIT, ShEnableHooks)
#pragma alloc_text(INIT, ShInstallHook)
#pragma alloc_text(INIT, ShpSetupInlineHook)
#pragma alloc_text(INIT, ShpGetInstructionSize)
#pragma alloc_text(INIT, ShpMakeTrampolineCode)

All INIT need to be changed PAGE

Hello tandasat, first of all thank you for your contribution to the community. I was experimimenting with your HyperVisor and works great hoewer and im trying to log System Drivers API calls but seems like ddimon dones't catch it, i tried hooking PsLookupProcessByProcessId and it only logs the calls from userland, is there anyway to log the ones from kernel too? thanks.

Hey, the moment I inject my DLL and attempt to hook, my pc crashes with this stop code: UNEXPECTED KERNEL MODE TRAP.

I'm using Windows 10, Version 1803 (OS Build 17134.523) HOME x64

Things I've checked:

VT-x enabled, triple-checked that and used programs such as Speccy, LeoMoon CPU-V and Task Manager self to check if virtualization is enabled, and it is!
DEP enabled for all programs
Testmode enabled, Build 17134.rs4_release.180410-1804

The driver has been modified a bit, so it fits our needs (it will stay private, won't be distributed and all credits go to "tandasat").

Driver starts without any problems.

Andddddd, here is where the witchcraft comes, the same DLL works on my friend's pc without any problems, injecting into the same process using the same injector. He is also on Windows 10, Version 1803 (OS Build 17134.523) PRO x64, note that he is on PRO and I'm on HOME (Home doesn't have to access to Hyper-V, maybe the reason?).

Here is the crash dump analyze for it, used latest version Windbg.exe:

CrashDump.txt

Appreciate any kind of help.

Hey! I met a bug check (DRIVER_VERIFIER_DETECTED_VIOLATION) when hooking NtProtectVirtualMemory & NtMapViewOfSection APIs. I tested it in Windows 7 SP1 x64, and hooked NtProtectVirtualMemory by its SSDT index (77) hardcode in the source code. It didn't cause BSOD at once, but several minutes later, it happened.

It won't cause BSOD either if I hook any of them alone. I don't know if there are some other APIs can result in such a condition.

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught.  This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00000091, A driver switched stacks using a method that is not supported by
	the operating system. The only supported way to extend a kernel
	mode stack is by using KeExpandKernelStackAndCallout.
Arg2: 00000002
Arg3: 018e9b60
Arg4: 00000000

Debugging Details:
------------------


DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING:  7601.17514.amd64fre.win7sp1_rtm.101119-1850

SYSTEM_MANUFACTURER:  VMware, Inc.

VIRTUAL_MACHINE:  VMware

SYSTEM_PRODUCT_NAME:  VMware Virtual Platform

SYSTEM_VERSION:  None

BIOS_VENDOR:  Phoenix Technologies LTD

BIOS_VERSION:  6.00

BIOS_DATE:  07/02/2015

BASEBOARD_MANUFACTURER:  Intel Corporation

BASEBOARD_PRODUCT:  440BX Desktop Reference Platform

BASEBOARD_VERSION:  None

DUMP_TYPE:  1

BUGCHECK_P1: 91

BUGCHECK_P2: 2

BUGCHECK_P3: fffffa80018e9b60

BUGCHECK_P4: 0

BUGCHECK_STR:  0xc4_91

CPU_COUNT: 1

CPU_MHZ: e11

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 3c

CPU_STEPPING: 3

CPU_MICROCODE: 6,0,0,0 (F,M,S,R)  SIG: 1E'00000000 (cache) 1E'00000000 (init)

CURRENT_IRQL:  0

ANALYSIS_SESSION_HOST:  LIQI3-S-D8

ANALYSIS_SESSION_TIME:  06-09-2017 17:54:29.0797

ANALYSIS_VERSION: 10.0.14321.1024 amd64fre

IP_IN_FREE_BLOCK: 0

LAST_CONTROL_TRANSFER:  from 00000000 to 00000000

STACK_TEXT:  
00000000 00000000 00000000 00000000 00000000 0x0


STACK_COMMAND:  kb

SYMBOL_NAME:  ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME:  Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP:  0

BUCKET_ID:  INVALID_KERNEL_CONTEXT_0xc4_91

DEFAULT_BUCKET_ID:  INVALID_KERNEL_CONTEXT_0xc4_91

PRIMARY_PROBLEM_CLASS:  INVALID_KERNEL_CONTEXT

FAILURE_BUCKET_ID:  INVALID_KERNEL_CONTEXT_0xc4_91

TARGET_TIME:  2017-06-09T09:50:23.000Z

OSBUILD:  7601

OSSERVICEPACK:  1000

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 7

OSEDITION:  Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  2010-11-20 17:30:02

BUILDDATESTAMP_STR:  101119-1850

BUILDLAB_STR:  win7sp1_rtm

BUILDOSVER_STR:  6.1.7601.17514.amd64fre.win7sp1_rtm.101119-1850

ANALYSIS_SESSION_ELAPSED_TIME: 37a

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:invalid_kernel_context_0xc4_91

FAILURE_ID_HASH:  {c8fab66e-0b86-6ef2-c0d0-229ea9ea76fc}

Followup:     MachineOwner
---------

when I add some ept hook code logic, lib compilation always prompts c1090.
sometimes it can be compiled successfully by cleaning up the capstone_static_winkernel.
It can't work well according to Microsoft prompts.

i always get this error,i tried lots of ways,if i just copy this file to the project ,i will get more error.
error C1083 can't open: “capstone.h”: No such file or directory DdiMon C:\Users\hunter\Desktop\fdssd\DdiMon-master\DdiMon\shadow_hook.cpp 21

i do not know how to include this file ,can you help me

Sometimes cmd.exe is listed even after installing DdiMon. Frequency of occurrence of this issue varies from system to system, but I have more often seen in a real machine than in VMs.

It is caused by a workaround for #2 made with 22b62da. A root cause is likely to be the same as that of #2 but I have not been able to figure it out.