Interested in developing hypervisors for research? Check out my training course!
tandasat / ddimon Goto Github PK
View Code? Open in Web Editor NEWMonitoring and controlling kernel API calls with stealth hook using EPT
License: MIT License
Monitoring and controlling kernel API calls with stealth hook using EPT
License: MIT License
Interested in developing hypervisors for research? Check out my training course!
I tried to run DdiMon on windows 10 17134 x86, but always get BSOD. Is this a version error?
the stack is
00 818e0f24 8184e779 00000003 bf3ba2f8 00000065 nt!RtlpBreakWithStatusInstruction
01 818e0f78 8184e167 8708c340 818e1394 00000000 nt!KiBugCheckDebugBreak+0x1f
02 818e1368 817c1e02 0000007f 00000008 80a1cc00 nt!KeBugCheck2+0x79d
03 818e138c 817d82a1 0000007f 00000008 80a1cc00 nt!KiBugCheck2+0xc6
04 818e138c b6d42394 0000007f 00000008 80a1cc00 nt!KiTrap08+0x6e
05 af62beb0 b6d43009 3df54360 00000002 b6d421d0 DdiMon!UtilLoadPdptes+0x1e [d:\project\ddimon\hyperplatform\hyperplatform\util.cpp @ 835]
06 af62bf00 b6d43ec6 af62bf50 00000002 8947d000 DdiMon!VmmpHandleCrAccess+0x1db [d:\project\ddimon\hyperplatform\hyperplatform\vmm.cpp @ 1114]
07 af62bf40 b6d427e0 af62bf50 00000000 af62bfd8 DdiMon!VmmpHandleVmExit+0x12a [d:\project\ddimon\hyperplatform\hyperplatform\vmm.cpp @ 269]
08 af62bf64 b6d4106e af62bfd8 00000000 00000000 DdiMon!VmmVmExitHandler+0x5e [d:\project\ddimon\hyperplatform\hyperplatform\vmm.cpp @ 206]
09 af62bf6c 00000000 00000000 00000000 00000000 DdiMon!AsmVmmEntryPoint+0x37 [D:\project\DdiMon\HyperPlatform\HyperPlatform\Arch\x86\x86.asm @ 117]
Hi Satoshi,
Is it possible to hook some user land APIs using DdiMon ?
I understand that Ddimon only take cares of the kernel address space, is it possible to specify a user mode process (through CR3 maybe?)
Thanks
Hello, the question has bothered me for a long time, I tried to use ShpEnablePageShadowingForRW ShEnablePageShadowing function to hide the nt! The memory of NtCreateFile looks like this:
_Use_decl_annotations_ NTSTATUS ShEnablePageShadowing(
EptData* ept_data, const SharedShadowHookData* shared_sh_data) {
//HYPERPLATFORM_COMMON_DBG_BREAK();
// ======== mycode
__debugbreak();
HookInformation HookInfo = {0};
PVOID64 vAddr = ExAllocatePoolWithTag(NonPagedPool, 0x1000, 'lysd');
RtlZeroMemory(vAddr, 0x1000);
HookInfo.patch_address = (void*)0xfffff8021caefa50; // nt!NtCreateFile:
HookInfo.pa_base_for_rw = UtilPaFromVa(vAddr);
ShpEnablePageShadowingForRW(HookInfo, ept_data);
// ======== mycode
for (auto& info : shared_sh_data->hooks) {
ShpEnablePageShadowingForExec(*info, ept_data);
}
return STATUS_SUCCESS;
}
The good news is that it works, the bad news is that it bluescreens ๐
the dump file(os version is win10 1909 x64)
112922-9890-01.zip
Please give me some advice,thank you ๐
the system lags when running the hypervisor.. and i checked your code in hooking section the method is slow because the "const auto original" always finds the original function inside the callback function.
My Specs: WIN10 x64, CORE I7 6700HQ VT-X/HT/VT-D, 16GB RAM, 256SSD, RTX 2060 GPU
how to hook Shadow SSDT using DdiMon?
So I ended up getting this going, but it seems like when I run a special application that happens to prevent kernel debug mode it crashes Ddimon entirely. I'm pretty sure they're doing it intentionally to crash HyperPlatform.
How would one go about debugging these kinds of crashes?
Hi there,
great work! I really like to see more open source implementations that make use of virtualization like this. I've used essentially the same technique in the DRAKVUF analysis system on top of the Xen hypervisor. One issue though that you should keep in mind is that when you are changing the mapping in the EPT to allow the violating CPU to progress while you enable MTF on it, is that the other CPUs are also free to fetch the instruction that should have been breakpointed. In other words, you have a race-condition on the EPT with multiple CPUs. A solution to this that I can recommend is creating multiple EPTs (one for X and one for R/W) so that you can swap the EPT pointer in the VMCS specific to each vCPU instead of changing the mapping in the shared EPT on-the-fly. In Xen this is implemented with the altp2m subsystem.
Cheers,
Tamas
hi satoshi :)
i'm trying to utilize your wonderful hv to explore a process that does not want me there. it's protected with a kernel driver and running it while ddimon is running causes me to basically freeze and get a dpc_watchdog_violation bsod several minutes later. this seems to only happen if i have shadow hooks on functions that are exported by ntoskrnl. shadow hooking ssdt functions causes no issues whatsoever.
by any chance, would you happen to have an idea what might be triggering this and what i can do about it?
from crash dump:
ffffb280`124d5bc8 fffff801`481e619b : 00000000`00000133 00000000`00000001 00000000`00001e00 fffff801`4845e378 : nt!KeBugCheckEx
ffffb280`124d5bd0 fffff801`480533ba : 000000e4`c2a298da ffffb280`12480180 00000000`00000282 00000000`00000000 : nt!KeAccumulateTicks+0x19049b
ffffb280`124d5c30 fffff801`4896751b : 000000e4`c2a27e20 ffffda03`43f7f010 00000000`00000000 ffffda03`3c8e0a00 : nt!KeClockInterruptNotify+0x9da
ffffb280`124d5f40 fffff801`48118a65 : ffffda03`3c8e0a00 00000000`00000000 00000000`00001000 ffffc2d9`40098c20 : hal!HalpTimerClockIpiRoutine+0x1b
ffffb280`124d5f70 fffff801`481bc95a : ffffd907`f124f2a0 ffffda03`3c8e0a00 00000000`00000000 ffffc2d9`40098c20 : nt!KiCallInterruptServiceRoutine+0xa5
ffffb280`124d5fb0 fffff801`481bce47 : ffff9780`00080700 ffffda03`3c8e0a00 ffffd907`f124f480 00000000`00000000 : nt!KiInterruptSubDispatchNoLockNoEtw+0xea
ffffd907`f124f220 fffff801`481ccd00 : fffff801`4816c141 ffff9780`00080700 00000000`00000001 00000000`00001011 : nt!KiInterruptDispatchNoLockNoEtw+0x37
ffffd907`f124f3b8 fffff801`4816c141 : ffff9780`00080700 00000000`00000001 00000000`00001011 00000000`00000000 : nt!memcpy+0x240
ffffd907`f124f3c0 fffff801`4816bf57 : fffff801`484d0000 ffffd907`f124f510 00000000`00001000 00000000`00000001 : nt!MiCopySinglePage+0x105
ffffd907`f124f410 fffff801`4bf18215 : ffffda03`43f7f010 00000000`00000000 00000000`00000000 fffff801`48011000 : nt!MmCopyMemory+0x1d7
The same issue as below applies here since submodule is not updated yet. See the link.
tandasat/HyperPlatform#24
This will be addressed shortly.
Hi Tandasat,
I have basically modified DdiMon to suit my needs in order to hide the memory pages of a user-mode DLL injected into an arbitrary process - it works much like Ddimon with a few caveats.
The purpose of this is to prevent people from dumping the contents of the DLL from memory back onto disk and from preventing signature scans for my DLL. While my code works in hiding the DLL, the target process crashes.
Do you happen to know why this happens? I had a suspicion that this might have been triggered by code in the .text section accessing elements in the .data section so I then only applied protection to the .text section, but the same thing happens - the process still crashes. When I apply this protection to a DLL that merely executes junk in a while(true) loop everything is able to work fine. I also make sure to use VirtualLock() in order to prevent the user-mode memory from being paged out.
The following bug check can some times occurs. It seems that a captured parameter is no longer valid or CR3 is not correct in the post-handler.
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 000001e7f29f5b30, memory referenced
Arg2: 00000000000000ff, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8012d4043e1, address which referenced memory
Debugging Details:
------------------
Page 24df4c not present in the dump file. Type ".hh dbgerr004" for details
Page 900 not present in the dump file. Type ".hh dbgerr004" for details
Page 900 not present in the dump file. Type ".hh dbgerr004" for details
Page 900 not present in the dump file. Type ".hh dbgerr004" for details
DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING: 10586.162.amd64fre.th2_release_sec.160223-1728
DUMP_TYPE: 1
BUGCHECK_P1: 1e7f29f5b30
BUGCHECK_P2: ff
BUGCHECK_P3: 0
BUGCHECK_P4: fffff8012d4043e1
READ_ADDRESS: 000001e7f29f5b30
CURRENT_IRQL: 2
FAULTING_IP:
DdiMon!DdimonpPostNtQuerySystemInformationHandler+55 [c:\users\user\desktop\b\ddimon\ddimon\ddi_mon.cpp @ 570]
fffff801`2d4043e1 833b00 cmp dword ptr [rbx],0
CPU_COUNT: 1
CPU_MHZ: 8fc
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 45
CPU_STEPPING: 1
CPU_MICROCODE: 6,45,1,0 (F,M,S,R) SIG: 1D'00000000 (cache) 1D'00000000 (init)
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: AV
PROCESS_NAME: taskhostw.exe
ANALYSIS_SESSION_HOST: DESKTOP-LQSEFPE
ANALYSIS_SESSION_TIME: 03-26-2016 09:50:06.0629
ANALYSIS_VERSION: 10.0.10586.567 amd64fre
TRAP_FRAME: ffffe001000abae0 -- (.trap 0xffffe001000abae0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffd00022d543f0 rbx=0000000000000000 rcx=ffffe000fb3fb720
rdx=ffffe000fddc01e0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8012d4043e1 rsp=ffffe001000abc70 rbp=00000000001aa000
r8=ffffe001000abf70 r9=ffffd00022d543f0 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di pl zr na po nc
DdiMon!DdimonpPostNtQuerySystemInformationHandler+0x55:
fffff801`2d4043e1 833b00 cmp dword ptr [rbx],0 ds:00000000`00000000=????????
Resetting default scope
BAD_STACK_POINTER: ffffe001000ab998
LAST_CONTROL_TRANSFER: from fffff80277f592e9 to fffff80277f4e760
STACK_TEXT:
ffffe001`000ab998 fffff802`77f592e9 : 00000000`0000000a 000001e7`f29f5b30 00000000`000000ff 00000000`00000000 : nt!KeBugCheckEx
ffffe001`000ab9a0 fffff802`77f57ac7 : 00000002`68d58fa3 ffffe001`000abba0 ffffe001`00201fa3 ffffd000`25bbefa3 : nt!KiBugCheckDispatch+0x69
ffffe001`000abae0 fffff801`2d4043e1 : 00000000`00000000 00000000`00000282 ffff551c`47acffb6 00000000`001aa000 : nt!KiPageFault+0x247
ffffe001`000abc70 fffff801`2d40512f : ffffe000`fb3fb720 ffffd000`22d543f0 ffffe000`fe5f8a30 00000000`001aa000 : DdiMon!DdimonpPostNtQuerySystemInformationHandler+0x55 [c:\users\user\desktop\b\ddimon\ddimon\ddi_mon.cpp @ 570]
ffffe001`000abca0 fffff801`2d40364e : ffffe001`000abf10 00000000`80000603 ffffe001`000abf10 fffff801`2d40252c : DdiMon!SbpHandleBreakpoint+0x157 [c:\users\user\desktop\b\ddimon\ddimon\shadow_bp.cpp @ 232]
ffffe001`000abe40 fffff801`2d403e58 : ffffe001`000abf10 ffffd000`22d54470 00000000`00000002 fffff801`2d40252c : DdiMon!VmmpHandleException+0x19a [c:\users\user\desktop\b\ddimon\hyperplatform\hyperplatform\vmm.cpp @ 375]
ffffe001`000abea0 fffff801`2d402cdf : 00000000`00000000 ffffd000`22d543f0 ffffd000`22d54470 00000000`00000002 : DdiMon!VmmpHandleVmExit+0xf8 [c:\users\user\desktop\b\ddimon\hyperplatform\hyperplatform\vmm.cpp @ 225]
ffffe001`000abef0 fffff801`2d401345 : ffffe000`fe792080 00000000`00000000 00000000`00000000 00000000`00000000 : DdiMon!VmmVmExitHandler+0x73 [c:\users\user\desktop\b\ddimon\hyperplatform\hyperplatform\vmm.cpp @ 186]
ffffe001`000abf50 ffffe000`fe792080 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffd000`22d546f8 : DdiMon!AsmVmmEntryPoint+0x25 [C:\Users\user\Desktop\b\DdiMon\HyperPlatform\HyperPlatform\Arch\x64\x64.asm @ 147]
ffffe001`000abf58 00000000`00000000 : 00000000`00000000 00000000`00000000 ffffd000`22d546f8 00000000`00000000 : 0xffffe000`fe792080
STACK_COMMAND: kb
THREAD_SHA1_HASH_MOD_FUNC: a13bb464cc91134233d42cbdcfc911eab41edb76
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 994b36c9b884fcd36245d5c70b24711b26ec8878
THREAD_SHA1_HASH_MOD: 1526857b180b8f4f0777031e8d38f8c68c26ed47
FOLLOWUP_IP:
DdiMon!DdimonpPostNtQuerySystemInformationHandler+55 [c:\users\user\desktop\b\ddimon\ddimon\ddi_mon.cpp @ 570]
fffff801`2d4043e1 833b00 cmp dword ptr [rbx],0
FAULT_INSTR_CODE: 75003b83
FAULTING_SOURCE_LINE: c:\users\user\desktop\b\ddimon\ddimon\ddi_mon.cpp
FAULTING_SOURCE_FILE: c:\users\user\desktop\b\ddimon\ddimon\ddi_mon.cpp
FAULTING_SOURCE_LINE_NUMBER: 570
FAULTING_SOURCE_CODE:
566: return;
567: }
568:
569: auto next = reinterpret_cast<SystemProcessInformation*>(info.parameters[1]);
> 570: while (next->next_entry_offset) {
571: auto curr = next;
572: next = reinterpret_cast<SystemProcessInformation*>(
573: reinterpret_cast<UCHAR*>(curr) + curr->next_entry_offset);
574:
575: // Occasionally, curr->next_entry_offset has a large value which makes next
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: DdiMon!DdimonpPostNtQuerySystemInformationHandler+55
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: DdiMon
IMAGE_NAME: DdiMon.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 56f6bca3
BUCKET_ID_FUNC_OFFSET: 55
FAILURE_BUCKET_ID: AV_STACKPTR_ERROR_DdiMon!DdimonpPostNtQuerySystemInformationHandler
BUCKET_ID: AV_STACKPTR_ERROR_DdiMon!DdimonpPostNtQuerySystemInformationHandler
PRIMARY_PROBLEM_CLASS: AV_STACKPTR_ERROR_DdiMon!DdimonpPostNtQuerySystemInformationHandler
TARGET_TIME: 2016-03-26T16:48:06.000Z
OSBUILD: 10586
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2016-02-23 21:48:00
BUILDDATESTAMP_STR: 160223-1728
BUILDLAB_STR: th2_release_sec
BUILDOSVER_STR: 10.0.10586.162.amd64fre.th2_release_sec.160223-1728
ANALYSIS_SESSION_ELAPSED_TIME: 124b
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:av_stackptr_error_ddimon!ddimonppostntquerysysteminformationhandler
FAILURE_ID_HASH: {95807f3a-5768-f194-f150-fd491b46d820}
Followup: MachineOwner
---------
Hey,
I've been going through the project since i'm learning about vmx and how to use it (as well as EPT)
and I saw the technique you used in order to make sure patch guard won't bsod the pc when he find the hooks.
However since I saw that ept rule is to act similar to page table just with vmm I was wondering if the protection was working on passing patch guard because it's accessing the virtual addresses of the functions.
Is this mean that if patch guard would do a direct access to the physical memory than it will see the hooks right?
I'm trying to think if there is a way to block another kernel code from messing with the pages, so for example if another kernel driver will scan our driver and find the addresses is that mean he can direct access the memory and find the hooks? is there a way to block this kind of behavior?
Thank you for your help!
Hello Tandasat,
After the recent windows update I am having issues with loading my hypervisor. Every time I start the hypervisor's service I get a manually initiated crash, something that I haven't had problems with before.
After some investigating with Windbg, I found that the BSOD was caused by an unexpected Vm-Exit in VmmpHandleUnexpectedExit() during VmInitialization.
Have you been having the same sorts of issues?
As demonstrated in the below link, Capstone now supports Windows drivers without adding any hack.
https://github.com/aquynh/capstone/tree/master/contrib/cs_driver
Apply this update to the project to clean-up project settings.
I am very interested in cheating and anti cheating technology, and I noticed that FU_ Hypervisor, but this project is no longer maintained, but I am very interested in this project. Do you plan to continue maintenance
DPC_WATCHDOG_VIOLATION ISSUE
i Intel core i7 6700HQ supporting VT-x and EPT with driver signed but still bsod with DPC_WATCHDOG_VIOLATION ..how can i fix this?
Porting changes made in HyperPlatofm would be easier if submodules are used instead of copying files. Do so if appropriate.
2>shadow_hook.obj : error LNK2019: Unresolved external symbol _invoke_watson๏ผFunction "protected: virtual void __cdecl stdext::bad_alloc::_Doraise(void)const " (?_Doraise@bad_alloc@stdext@@MEBAXXZ)
2>shadow_hook.obj : error LNK2001: Unresolved external symbol "void (__cdecl* std::_Raise_handler)(class stdext::exception const &)" (?_Raise_handler@std@@3P6AXAEBVexception@stdext@@@ZEA)
hi, I got some problems in the ShpSetupInlineHook->ShpGetInstructionSize()
when i try hook ssdt function its aways return 0, so i change it :
ShpSetupInlineHook:
/*
const auto patch_size = ShpGetInstructionSize(patch_address);
if (!patch_size) {
return false;
}*/
ULONG patch_size;
if (FindCodeLenght(patch_address, &patch_size) == FALSE)
{
return false;
}
copy from other project (svm ver Ddimon)
BOOLEAN
FindCodeLenght(
_In_ PVOID HookAddress,
_Out_ PULONG InstructionLength
)
{
BOOLEAN ok;
typedef struct _BYTE_PATTERN
{
ULONG InsructionLength;
ULONG MatchLength;
UCHAR Bytes[15];
} BYTE_PATTERN, * PBYTE_PATTERN;
static const BYTE_PATTERN knownPatterns[] =
{
{ // push rbx
2, 2, { 0x40, 0x53, },
},
{ // push rbp
2, 2, { 0x40, 0x55, },
},
{ // push rdi
2, 2, { 0x40, 0x57, },
},
{ // sub rsp, Imm
4, 3, { 0x48, 0x83, 0xEC, /*Imm*/ },
},
{ // mov [rsp - 8 + arg_8], rdx
5, 5, { 0x48, 0x89, 0x54, 0x24, 0x10, },
},
{ // mov [rsp + Offset], rbx
5, 4, { 0x48, 0x89, 0x5c, 0x24, /*Offset*/ },
},
{ // mov rax, rsp
3, 3, { 0x48, 0x8B, 0xC4, },
},
{ // xor edx, edx
2, 2, { 0x33, 0xD2, },
},
{ // a little change for hook NtGetContextThread
2, 2, { 0x4c, 0x8b, },
},
};
*InstructionLength = 0;
ok = FALSE;
for (auto& pattern : knownPatterns)
{
if (RtlEqualMemory(HookAddress, pattern.Bytes, pattern.MatchLength) != FALSE)
{
*InstructionLength = pattern.InsructionLength;
ok = TRUE;
goto Exit;
}
}
Exit:
return ok;
}
hope can help people with the same problems
hey @tandasat amazing job dude, I love your codes!
I am trying to know if ddimon can be used to detect execution inside some memory range, or can be used only as inline hooking?
It puts the whole OS in supervised mode? Is possible to run it inside virtualbox?
Windows 7 Kernel Version 7600 MP (1 procs) Free x64
Built by: 7600.16385.amd64fre.win7_rtm.090713-1255
VMwareยฎ Workstation 15
15.5.0 build-14665864
the last versions
git clone --recursive https://github.com/tandasat/DdiMon.git
it doesn't BSOD when I use windbg to attach
bin files:
https://drive.google.com/file/d/1x6luZ4Vx1iSO3A5OuD8fUv4n79GCgmsz/view?usp=sharing
According to this tutorial https://rayanfam.com/topics/hypervisor-from-scratch-part-8/
Scroll to "An Important Note When Modifying EPT Entries"
One interesting thing that I encountered during the test of my driver on the multi-core system was the fact that EPT entries should be modified in one instruction.
For example, if you change the access bits of an EPT entry, bit by bit, then you probably get the error (EPT Misconfiguration) that one access bits changed and before the next access bit applies another core tries to access page table and it sometimes leads to an EPT Misconfiguration and sometimes you might not get the desired behavior.
so good thing to change that.
I had a question about EPT exits. Does anyone know why something would be reading the page of a hooked kernel function multiple times? I'd assume maybe patchguard but seems way too frequent. Wouldn't it just need to execute it since its function code? Also why would it read it back to back after I already set the page, example
ept violation address:0000000002805000, type:read/write
ept violation address:0000000002805000, type:read/write
ept violation address:0000000002805350, type:exec
shouldn't after the first read/write it should only trigger a EPT exit if something tries to exec(since the page is already set from first read/write)?
Hey,
I've looked into the project and seen something interested, I saw you used std::vector (specifically in shadow_hook.cpp in SharedShadowHookData struct to keep all the hooks and later to iterate over them)
And I was interested since I remembered that c++ STL and kernel doesn't go very well,
I tried to create a new file in the ddimon project and use std::vector but in compile time I got errors about using c++ exceptions in kernel (with /kernel flag).
Couldn't found any difference between my file to the existing one in the project (no file properties difference from what I saw).
So I was wondered how did you able to use std::vector in the kernel and without the compiler throw errors.
Thanks for the help,
Mor.
Hi tandasat,
I was hoping you could give some advice on how to defeat rdtsc checks that anti-cheat and malware software do to detect the hypervisor.
Here's some examples
// CALCULATE CYCLES FOR 1000MS
const auto timestamp_calibrator = __rdtsc();
Sleep(1000);
const auto timestamp_calibration = __rdtsc() - timestamp_calibrator;
// TIME CPUID
auto total_time = 0;
for (std::size_t count = 0; count < 0x6694; count++)
{
// SAVE PRE CPUID TIME
const auto timestamp_pre = __rdtsc();
std::uint32_t cpuid_data[4] = {};
__cpuid(cpuid_data, 0);
// SAVE THE DELTA
total_time += __rdtsc() - timestamp_pre;
}
the author of the blog said possible counters are
There are a few issues with this detection method. The first being that itโs susceptible to time-forging, which is typically done one of two ways: TSC offsetting in the VMCS, or decreasing the TSC every time CPUID is executed. There are many more ways to beat time based attacks, but the latter is much simpler to implement as you can ensure that instruction execution times are within one or two clock ticks of real hardware execution.
I've been researching and testing but haven't managed to figure out how to implement either of these counters. I see in hyperplatform there's
vm_procctl_requested.fields.rdtsc_exiting
which i've used and
vm_procctl_requested.fields.use_tsc_offseting
vm_procctl2_requested.fields.use_tsc_scaling
and the description of these is
unsigned UseTscOffseting :1; // bit3 This control determines whether executions of RDTSC, RDTSP, RDMSR(IA32_TIME_STAMP_COUNTER), return a value modified by the TSC offset field
but i'm not sure to utilize this to get close to real hardware timing inside of RDTSC vm exit or otherwise.
Hello, author, there are methods missing in the shadow_hook.cpp file of your project, including: KShEnablePageShadowing{Line 209} and kShDisablePageShadowing{Line 221}, which were reported in #14, are currently identified as missing methods from HyperPlatform/util.h, It is presumed that the HyperPlatform version is updated. Here are the details:
About the code definition here (in HyperPlatform/utils.h):
Thank you for your dedication to Intel VT EPT hook technology. This project provides me with very valuable technical support for understanding and using this technology. I look forward to and pay attention to the repair progress of this problem, and I will complete my master's graduation project on this basis. I look forward to your repair or alternative opinions.
BSOD code
sgdt [rcx]
windbg----------------------------------------------------
PROCESS_NAME: Notepad2.exe
TRAP_FRAME: ffff9f040f207c70 -- (.trap 0xffff9f040f207c70)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000033 rbx=0000000000000000 rcx=0000000000000006
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80123823ccb rsp=ffff9f040f207e00 rbp=0000000000000000
r8=ffff9f040f207fe0 r9=0000000000000802 r10=0000000000000000
r11=ffff78fb67e00000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di pl nz na pe nc
DdiMon+0x3ccb:
fffff80123823ccb 66891f mov word ptr [rdi],bx ds:00000000
00000000=????
Resetting default scope
BAD_STACK_POINTER: ffff9f040f207b28
STACK_TEXT:
ffff9f040f207b28 fffff801
189ce569 : 000000000000000a 000001e2
1abb0000 00000000000000ff 00000000
00000000 : nt!KeBugCheckEx
ffff9f040f207b30 fffff801
189ca8a5 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : nt!KiBugCheckDispatch+0x69
ffff9f040f207c70 fffff801
23823ccb : 0000000000000000 00000000
00000033 ffff9f040f207eb0 ffff9f04
07361000 : nt!KiPageFault+0x465
ffff9f040f207e00 00000000
00000000 : 0000000000000033 ffff9f04
0f207eb0 ffff9f0407361000 00000002
42e89222 : DdiMon+0x3ccb
SYMBOL_NAME: DdiMon+3ccb
MODULE_NAME: DdiMon
IDA pro DdiMon+3ccb
v21 = UtilVmRead(kGuestGdtrBase);
v22 = UtilVmRead(kGuestGdtrLimit);
v23 = (*(_QWORD *)(v21 + 8 * ((unsigned __int64)(unsigned __int16)UtilVmRead(kGuestCsSelector) >> 3)) >> 53) & 1i64;
*(_WORD *)v11 = v22; // BSOD
if ( v23 )
*(_QWORD *)(v11 + 2) = v21;
else
*(_DWORD *)(v11 + 2) = v21;
goto LABEL_44;
vmm.cpp
// 64bit
descriptor_table_reg->base = gdt_base; //BSOD
descriptor_table_reg->limit = gdt_limit;
Hello, hypervisor dones't hook some exported functions for example NTQUERYVIRTUALMEMORY, NTREADVIRTUALMEMORY and so on how i can solve? other exported functions hooks well.
Hi,
Although DdiMon works perfectly well nested in VmWare it bugcheck systematically while running inside KVM.
Logs shows that hypervisor was succefully loaded and i confirmed that the hook functions are getting called as well.
It takes a couple of secondes to bugcheck between 5 and 20 depending of the VM activity.
i can repro on the same VM used in VmWare (Windows 7 SP1 x64 with 2 processors)
bugcheck shows :
EXCEPTION_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION} Illegal Instruction An attempt was made to execute an illegal instruction.
FAULTING_IP:
+0
fffffa80`00c3f000 0f01c1 vmcall
Below is the extract of the log and the !analyze results.
I can provide the dump if needed.
13:44:57.014 DBG #1 4 2472 System Log thread started (TID= 00000000000009A8).
13:44:57.124 INF #0 4 44 System Log has been initialized.
13:44:57.124 DBG #0 4 44 System Info= FFFFF88004CE4410, Buffer= FFFFFA8000E2C000 FFFFFA8000E3C000, File= \SystemRoot\DdiMon.log
13:44:57.124 DBG #0 4 44 System PXE at fffff6fb7dbed000, PPE at fffff6fb7da00000, PDE at fffff6fb40000000, PTE at fffff68000000000
13:44:57.124 DBG #0 4 44 System Physical Memory Range: 0000000000001000 - 000000000009f000
13:44:57.124 DBG #0 4 44 System Physical Memory Range: 0000000000100000 - 000000003ffde000
13:44:57.124 DBG #0 4 44 System Physical Memory Total: 1048048 KB
13:44:57.139 DBG #0 4 44 System shared_data = FFFFFA8002684070
13:44:57.170 DBG #0 4 44 System MTRR Default=6, VariableCount=8, FixedSupported=1, FixedEnabled=1
13:44:57.170 INF #0 4 44 System Initializing VMX for the processor 0.
13:44:57.514 DBG #0 4 44 System vmm_stack_limit = FFFFFA800107A000
13:44:57.514 DBG #0 4 44 System vmm_stack_region_base = fffffa8001080000
13:44:57.514 DBG #0 4 44 System vmm_stack_data = fffffa800107fff8
13:44:57.530 DBG #0 4 44 System vmm_stack_base = fffffa800107fff0
13:44:57.530 DBG #0 4 44 System processor_data = FFFFFA80029F5210 stored at fffffa800107fff8
13:44:57.530 DBG #0 4 44 System guest_stack_pointer = fffff88002ffa660
13:44:57.530 DBG #0 4 44 System guest_inst_pointer = fffff88004c123a7
13:44:57.530 DBG #0 4 44 System IA32_VMX_CR0_FIXED0 = 80000021
13:44:57.530 DBG #0 4 44 System IA32_VMX_CR0_FIXED1 = ffffffff
13:44:57.530 DBG #0 4 44 System Original CR0 = 80050031
13:44:57.530 DBG #0 4 44 System Fixed CR0 = 80050031
13:44:57.530 DBG #0 4 44 System IA32_VMX_CR4_FIXED0 = 00002000
13:44:57.530 DBG #0 4 44 System IA32_VMX_CR4_FIXED1 = 003727ff
13:44:57.530 DBG #0 4 44 System Original CR4 = 000406f8
13:44:57.530 DBG #0 4 44 System Fixed CR4 = 000426f8
13:44:57.530 DBG #0 4 44 System VmEntryControls = 000013ff
13:44:57.530 DBG #0 4 44 System VmExitControls = 0003effb
13:44:57.530 DBG #0 4 44 System PinBasedControls = 00000016
13:44:57.530 DBG #0 4 44 System ProcessorBasedControls = 9680e172
13:44:57.545 DBG #0 4 44 System SecondaryProcessorBasedControls = 0010102e
13:44:57.545 DBG #0 4 44 System Context at FFFFF88004C123F8: rax= 0000000000000000 rbx= 0000000000000000 rcx= fffff88004cf2710 rdx= fffffa8002684070 rsi= fffffa8000dfe000 rdi= fffff88002ffa798 rsp= fffff88002ffa6e0 rbp= 0000000000000000 r8= 0000000000000065 r9= 0000000000000000 r10= 0000000000000000 r11= fffff88002ff9e60 r12= 0000000000000001 r13= ffffffff80000938 r14= fffffa80029bc780 r15= 000000000000001c efl= 00000282
13:44:57.545 INF #0 4 44 System Initialized successfully.
13:44:57.545 INF #1 4 44 System Initializing VMX for the processor 1.
13:44:57.889 DBG #1 4 44 System vmm_stack_limit = FFFFFA80012BB000
13:44:57.889 DBG #1 4 44 System vmm_stack_region_base = fffffa80012c1000
13:44:57.889 DBG #1 4 44 System vmm_stack_data = fffffa80012c0ff8
13:44:57.889 DBG #1 4 44 System vmm_stack_base = fffffa80012c0ff0
13:44:57.889 DBG #1 4 44 System processor_data = FFFFFA80029F9210 stored at fffffa80012c0ff8
13:44:57.889 DBG #1 4 44 System guest_stack_pointer = fffff88002ffa660
13:44:57.889 DBG #1 4 44 System guest_inst_pointer = fffff88004c123a7
13:44:57.889 DBG #1 4 44 System IA32_VMX_CR0_FIXED0 = 80000021
13:44:57.889 DBG #1 4 44 System IA32_VMX_CR0_FIXED1 = ffffffff
13:44:57.905 DBG #1 4 44 System Original CR0 = 80050031
13:44:57.905 DBG #1 4 44 System Fixed CR0 = 80050031
13:44:57.905 DBG #1 4 44 System IA32_VMX_CR4_FIXED0 = 00002000
13:44:57.905 DBG #1 4 44 System IA32_VMX_CR4_FIXED1 = 003727ff
13:44:57.905 DBG #1 4 44 System Original CR4 = 000406f8
13:44:57.905 DBG #1 4 44 System Fixed CR4 = 000426f8
13:44:57.905 DBG #1 4 44 System VmEntryControls = 000013ff
13:44:57.905 DBG #1 4 44 System VmExitControls = 0003effb
13:44:57.905 DBG #1 4 44 System PinBasedControls = 00000016
13:44:57.905 DBG #1 4 44 System ProcessorBasedControls = 9680e172
13:44:57.905 DBG #1 4 44 System SecondaryProcessorBasedControls = 0010102e
13:44:57.905 DBG #1 4 44 System Context at FFFFF88004C123F8: rax= 0000000000000000 rbx= 0000000000000000 rcx= fffff88004cf2710 rdx= fffffa8002684070 rsi= fffffa8000dfe000 rdi= fffff88002ffa798 rsp= fffff88002ffa6e0 rbp= 0000000000000000 r8= 0000000000000065 r9= 0000000000000000 r10= 0000000000000000 r11= fffff88002ff9e60 r12= 0000000000000001 r13= ffffffff80000938 r14= fffffa80029bc780 r15= 000000000000001c efl= 00000282
13:44:57.905 INF #1 4 44 System Initialized successfully.
13:44:57.905 DBG #1 4 44 System Patch = FFFFF800029BA0E0, Exec = FFFFFA80012C40E0, RW = FFFFFA80012C30E0, Trampoline = FFFFFA80029ED480
13:44:57.920 INF #1 4 44 System Hook has been installed at fffff800029ba0e0 ExAllocatePoolWithTag.
13:44:57.920 DBG #0 4 44 System Patch = FFFFF800029BA0D0, Exec = FFFFFA80012C40D0, RW = FFFFFA80012C30D0, Trampoline = FFFFFA8002803D00
13:44:57.920 INF #0 4 44 System Hook has been installed at fffff800029ba0d0 ExFreePool.
13:44:57.920 DBG #0 4 44 System Patch = FFFFF800029BAD90, Exec = FFFFFA80012C4D90, RW = FFFFFA80012C3D90, Trampoline = FFFFFA8001D72930
13:44:57.920 INF #0 4 44 System Hook has been installed at fffff800029bad90 ExFreePoolWithTag.
13:44:57.920 DBG #0 4 44 System Patch = FFFFF8000289BC10, Exec = FFFFFA80012C6C10, RW = FFFFFA80012C5C10, Trampoline = FFFFFA8002380EC0
13:44:57.920 INF #0 4 44 System Hook has been installed at fffff8000289bc10 ExQueueWorkItem.
13:44:57.936 DBG #0 4 44 System Patch = FFFFF80002B998FC, Exec = FFFFFA80012C88FC, RW = FFFFFA80012C78FC, Trampoline = FFFFFA8002A479E0
13:44:57.936 INF #0 4 44 System Hook has been installed at fffff80002b998fc NtQuerySystemInformation.
13:44:57.952 INF #1 4 44 System DdiMon has been initialized.
13:44:57.967 INF #0 4 44 System The VMM has been installed.
Bugcheck:
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: c000001d, Exception code that caused the bugcheck
Arg2: 00c3f000, Address of the instruction which caused the bugcheck
Arg3: 04f0a750, Address of the context record for the exception that caused the bugcheck
Arg4: 00000000, zero.
Debugging Details:
------------------
DUMP_CLASS: 1
DUMP_QUALIFIER: 402
BUILD_VERSION_STRING: 7601.17514.amd64fre.win7sp1_rtm.101119-1850
SYSTEM_MANUFACTURER: QEMU
SYSTEM_PRODUCT_NAME: Standard PC (i440FX + PIIX, 1996)
SYSTEM_VERSION: pc-i440fx-bionic
BIOS_VENDOR: SeaBIOS
BIOS_VERSION: 1.10.2-1ubuntu1
BIOS_DATE: 04/01/2014
DUMP_TYPE: 0
BUGCHECK_P1: c000001d
BUGCHECK_P2: fffffa8000c3f000
BUGCHECK_P3: fffff88004f0a750
BUGCHECK_P4: 0
EXCEPTION_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION} Illegal Instruction An attempt was made to execute an illegal instruction.
FAULTING_IP:
+0
fffffa80`00c3f000 0f01c1 vmcall
CONTEXT: 04f0a750 -- (.cxr 0xfffff88004f0a750)
eax=009ea180 ebx=00000000 ecx=fffff880 edx=04f0b248 esi=00000001 edi=fffff880
eip=00000000 esp=00000000 ebp=fffff880 iopl=0 nv up di pl nz na po cy
cs=0000 ss=0018 ds=b138 es=0000 fs=2000 gs=0000 efl=00000001
00000000`00000000 ?? ???
Resetting default scope
CPU_COUNT: 2
CPU_MHZ: a81
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 5e
CPU_STEPPING: 3
CPU_MICROCODE: 6,5e,3,0 (F,M,S,R) SIG: 1'00000000 (cache) 1'00000000 (init)
BUGCHECK_STR: 0x3B
PROCESS_NAME: conhost.exe
CURRENT_IRQL: c
ANALYSIS_SESSION_HOST: DESKTOP-B7SL839
ANALYSIS_SESSION_TIME: 07-27-2018 13:54:17.0368
ANALYSIS_VERSION: 10.0.14321.1024 amd64fre
IP_IN_FREE_BLOCK: 0
BAD_STACK_POINTER: 00000000
LAST_CONTROL_TRANSFER: from 00000000 to 00000000
STACK_TEXT:
00000000 00000000 00000000 00000000 00000000 0x0
STACK_COMMAND: kb
SYMBOL_NAME: ANALYSIS_INCONCLUSIVE
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Unknown_Module
IMAGE_NAME: Unknown_Image
DEBUG_FLR_IMAGE_TIMESTAMP: 0
BUCKET_ID: INVALID_KERNEL_CONTEXT_0x3B
DEFAULT_BUCKET_ID: INVALID_KERNEL_CONTEXT_0x3B
PRIMARY_PROBLEM_CLASS: INVALID_KERNEL_CONTEXT
FAILURE_BUCKET_ID: INVALID_KERNEL_CONTEXT_0x3B
TARGET_TIME: 2018-07-27T11:45:07.000Z
OSBUILD: 7601
OSSERVICEPACK: 1000
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 7
OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2010-11-20 10:30:02
BUILDDATESTAMP_STR: 101119-1850
BUILDLAB_STR: win7sp1_rtm
BUILDOSVER_STR: 6.1.7601.17514.amd64fre.win7sp1_rtm.101119-1850
ANALYSIS_SESSION_ELAPSED_TIME: 40b
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:invalid_kernel_context_0x3b
FAILURE_ID_HASH: {47d39f4d-e8b2-9190-8f3e-f596bd729a8d}
hello sir satothi!
I am trying to figure out a way to detect (both AMD and INTEL) if VTx are enabled, can you help me with this?
why
HypercallNumber::kShEnablePageShadowing and
HypercallNumber::kShDisablePageShadowing
are missing?
I'm dealing with a similar issue to this thread #26
as in security software is freezing my system on load and eventually issuing a DPC_WATCHDOG_VIOLATION. I applied all the changes from that thread but nothing is helping. I have confirmed the issue only arises when I hook something, otherwise no freeze.
I'm using latest ddimon and here's the memory.dmp
`
DPC_WATCHDOG_VIOLATION (133)
The DPC watchdog detected a prolonged run time at an IRQL of DISPATCH_LEVEL
or above.
Arguments:
Arg1: 0000000000000000, A single DPC or ISR exceeded its time allotment. The offending
component can usually be identified with a stack trace.
Arg2: 0000000000000501, The DPC time count (in ticks).
Arg3: 0000000000000500, The DPC time allotment (in ticks).
Arg4: fffff8045cd73358, cast to nt!DPC_WATCHDOG_GLOBAL_TRIAGE_BLOCK, which contains
additional information regarding this single DPC timeout
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** Type referenced: TickPeriods ***
KEY_VALUES_STRING: 1
PROCESSES_ANALYSIS: 1
SERVICE_ANALYSIS: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 402
BUILD_VERSION_STRING:
SYSTEM_PRODUCT_NAME: To Be Filled By O.E.M.
SYSTEM_SKU: To Be Filled By O.E.M.
SYSTEM_VERSION: To Be Filled By O.E.M.
BIOS_VENDOR: American Megatrends Inc.
BIOS_VERSION: P3.10
BIOS_DATE: 07/04/2018
BASEBOARD_MANUFACTURER:
BASEBOARD_PRODUCT:
BASEBOARD_VERSION:
DUMP_TYPE: 0
BUGCHECK_P1: 0
BUGCHECK_P2: 501
BUGCHECK_P3: 500
BUGCHECK_P4: fffff8045cd73358
DPC_TIMEOUT_TYPE: SINGLE_DPC_TIMEOUT_EXCEEDED
CPU_COUNT: 6
CPU_MHZ: e10
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 9e
CPU_STEPPING: a
CPU_MICROCODE: 6,9e,a,0 (F,M,S,R) SIG: 96'00000000 (cache) 96'00000000 (init)
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXWINLOGON: 1
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: 0x133
PROCESS_NAME: System
CURRENT_IRQL: d
ANALYSIS_SESSION_HOST:
ANALYSIS_SESSION_TIME: 12-15-2019 22:05:37.0391
ANALYSIS_VERSION: 10.0.18362.1 amd64fre
LAST_CONTROL_TRANSFER: from fffff8045c9ee83d to fffff8045c9c1220
STACK_TEXT:
ffffbc01879bcb08 fffff804
5c9ee83d : 0000000000000133 00000000
00000000 0000000000000501 00000000
00000500 : nt!KeBugCheckEx
ffffbc01879bcb10 fffff804
5c81f857 : 0000014240a3c9a1 ffffbc01
879c0180 0000000000000286 fffffd0a
80837a10 : nt!KeAccumulateTicks+0x1cbe1d
ffffbc01879bcb70 fffff804
5d2b91e1 : 0000000000000000 ffffd108
652d4400 fffffd0a80837a90 ffffd108
652d44b0 : nt!KeClockInterruptNotify+0xc07
ffffbc01879bcf30 fffff804
5c8029e5 : ffffd108652d4400 00000000
00000000 0000000000000000 ffff1d2c
7670378f : hal!HalpTimerClockIpiRoutine+0x21
ffffbc01879bcf60 fffff804
5c9c2cba : fffffd0a80837a90 ffffd108
652d4400 000000000000fffe ffffd108
652d4400 : nt!KiCallInterruptServiceRoutine+0xa5
ffffbc01879bcfb0 fffff804
5c9c3227 : ffffbc0188259ef0 ffffbc01
88259ef0 000000000000002a 00000000
00000000 : nt!KiInterruptSubDispatchNoLockNoEtw+0xfa
fffffd0a80837a10 fffff804
5c81b9eb : ffffffffffffffd2 fffff804
5cdab573 0000000000000010 00000000
00000286 : nt!KiInterruptDispatchNoLockNoEtw+0x37
fffffd0a80837ba0 fffff804
5cdab585 : ffffd108654fdfa0 ffffd108
653f7840 0000000000000010 ffffd108
654fd000 : nt!KeYieldProcessorEx+0x1b
fffffd0a80837bd0 fffff804
5cdaa6e5 : 000000001eb9414f ffffbc01
879c0180 ffffd10879a92a90 fffffd0a
80837c90 : nt!IopLiveDumpProcessCorralStateChange+0x2d
fffffd0a80837c00 fffff804
5c86ae85 : ffffbc01879c2f80 ffffd108
653f6000 ffffd108673cf260 ffffbc01
00000002 : nt!IopLiveDumpCorralDpc+0x55
fffffd0a80837c40 fffff804
5c86a4df : ffffbc01879c0180 00000000
00000000 0000000000000002 00000000
00000004 : nt!KiExecuteAllDpcs+0x305
fffffd0a80837d80 fffff804
5c9c8265 : 0c45b60f450d55b6 ffffbc01
879c0180 0000000000000000 00000000
c0000002 : nt!KiRetireDpcList+0x1ef
fffffd0a80837fb0 fffff804
5c9c8050 : 0000000000000000 ffffd108
672171e0 0000000000000000 fffff804
5cc68c80 : nt!KxRetireDpcList+0x5
fffffd0a87966b20 fffff804
5c9c7720 : 0000000000000000 fffffd0a
87966bd0 ffffd108652d4400 00000000
00000000 : nt!KiDispatchInterruptContinue
fffffd0a87966b50 fffff804
5c901064 : ffffd108766c3550 fffff804
5e4cc089 ffffa98c2f402a80 fffff804
5c8c2cfc : nt!KiDpcInterrupt+0x2f0
fffffd0a87966ce0 fffff804
5c8c12ae : fffff8045cc68c80 00000000
00000002 ffffbc0187dc7180 00000000
00001000 : nt!ExpWaitForSpinLockSharedAndAcquire+0x64
fffffd0a87966d20 fffff804
5c855d97 : fffff8045cc68bc0 ffff9bfc
02391008 ffffd108766c3601 fffff804
5cc68bc0 : nt!MiLockWorkingSetShared+0xee
fffffd0a87966d50 fffff804
5ced3bb5 : fffff804722000e0 fffff804
722000e0 000000000000000c 00000000
00000fff : nt!MiLockCode+0x147
fffffd0a87966ef0 fffff804
7220614c : ffffd108766c3550 fffffd0a
879670e0 ffffd108673afa40 ffffd108
673afa40 : nt!MmResetDriverPaging+0xa5
fffffd0a87966f20 fffff804
72206037 : 00000000656c6946 fffff804
5cb6f06d fffffd0a879670e0 00000000
00000000 : Msfs!MsCommonCreate+0xdc
fffffd0a87966ff0 fffff804
5c831f39 : ffffd10865fe3010 ffffd108
766c3550 0000000000000000 00000000
00000000 : Msfs!MsFsdCreate+0x27
fffffd0a87967020 fffff804
5e4fce8c : 0000000000000010 00000000
00000000 0000000000000000 00000000
00000000 : nt!IofCallDriver+0x59
fffffd0a87967060 fffff804
5c831f39 : ffffd1087d5a8100 fffff804
5cde590c 0000000000000000 00000000
00000030 : FLTMGR!FltpCreate+0x46c
fffffd0a87967110 fffff804
5c830fe4 : 0000000000000000 00000000
00000000 ffffd108766c36f8 fffff804
5c8317a3 : nt!IofCallDriver+0x59
fffffd0a87967150 fffff804
5cde5ffb : fffffd0a87967410 fffff804
5cde590c fffffd0a87967380 ffffd108
7aa4a4e0 : nt!IoCallDriverWithTracing+0x34
fffffd0a879671a0 fffff804
5cdecfcf : ffffd108673af8f0 ffffd108
673af80c ffffd10877eaf7e0 ffffa98c
2fa04000 : nt!IopParseDevice+0x62b
fffffd0a87967310 fffff804
5cdeb431 : ffffd10877eaf700 fffffd0a
87967558 0000000000000240 ffffd108
652f7380 : nt!ObpLookupObjectName+0x78f
fffffd0a879674d0 fffff804
5ce30300 : ffffd10800000001 fffffd0a
87967998 0000000000000000 ffffbc01
87dc7180 : nt!ObOpenObjectByNameEx+0x201
fffffd0a87967610 fffff804
5ce2fa38 : fffffd0a879679e0 00000000
00000080 fffffd0a87967998 fffffd0a
87967988 : nt!IopCreateFile+0x820
fffffd0a879676b0 fffff804
5c9d2b15 : ffffd108766c3550 00000000
00000002 0000000000000170 00000000
00000001 : nt!NtOpenFile+0x58
fffffd0a87967740 fffff804
5c9c5060 : fffff8045ce447c4 00000000
00000000 0000000000000000 00000000
00040282 : nt!KiSystemServiceCopyEnd+0x25
fffffd0a87967948 fffff804
5ce447c4 : 0000000000000000 00000000
00000000 0000000000040282 fffff804
5c869d59 : nt!KiServiceLinkage
fffffd0a87967950 fffff804
5e503b6c : 0000000000000000 00000000
00000000 0000000000000030 fffff804
5e4ea800 : nt!IoGetDeviceObjectPointer+0x94
fffffd0a879679e0 fffff804
5c8bd465 : ffffd108652a0500 ffffd108
78185040 fffff8045e503aa0 ffffd108
652a0500 : FLTMGR!FltpManualDeviceAttachWorker+0xcc
fffffd0a87967a70 fffff804
5c92a725 : ffffd10878185040 00000000
00000080 ffffd10865294380 000024ef
bd9bbfff : nt!ExpWorkerThread+0x105
fffffd0a87967b10 fffff804
5c9c886a : ffffbc0187e79180 ffffd108
78185040 fffff8045c92a6d0 00000000
00000000 : nt!PspSystemThreadStartup+0x55
fffffd0a87967b60 00000000
00000000 : fffffd0a87968000 fffffd0a
87961000 0000000000000000 00000000
00000000 : nt!KiStartSystemThread+0x2a
THREAD_SHA1_HASH_MOD_FUNC: 20df6024a5c03bdd36d1680f5e2bf77cf839246c
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 34208103f2bc76fcde0bfeae8b7994e947ea59f9
THREAD_SHA1_HASH_MOD: 927a0c775c0b5510d0e1cbb5ae141a64633523eb
FOLLOWUP_IP:
Msfs!MsCommonCreate+dc
fffff804`7220614c 33d2 xor edx,edx
FAULT_INSTR_CODE: 8d48d233
SYMBOL_STACK_INDEX: 13
SYMBOL_NAME: Msfs!MsCommonCreate+dc
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Msfs
IMAGE_NAME: Msfs.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 0
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: dc
FAILURE_BUCKET_ID: 0x133_DPC_Msfs!MsCommonCreate
BUCKET_ID: 0x133_DPC_Msfs!MsCommonCreate
PRIMARY_PROBLEM_CLASS: 0x133_DPC_Msfs!MsCommonCreate
TARGET_TIME: 2019-12-14T05:09:53.000Z
OSBUILD: 18362
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 190318-1202
BUILDLAB_STR: 19h1_release
BUILDOSVER_STR: 10.0.18362.1.amd64fre.19h1_release.190318-1202
ANALYSIS_SESSION_ELAPSED_TIME: 19b1
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x133_dpc_msfs!mscommoncreate
FAILURE_ID_HASH: {349b4bae-9c52-cd03-915a-31077bf2ad14}
`
I been at this a few days so any help would be great
Use GVA in ShHandleEptViolation to find hookinfo, which should actually be found using GPA. For example, if you use the function of mdl to remap VA in the guest, you will not get the correct processing here.
const auto info = ShpFindPatchInfoByPage(shared_sh_data, fault_va); if (!info) { return; }
In the function VmmpRestoreExtendedProcessorState, is _fxsave correct? Should it be _fxrstor?
@tandasat this article https://secret.club/2020/04/13/how-anti-cheats-detect-system-emulation.html has a lot of detection vectors. I've managed to counter a good majority of them ( I think) thanks to his information, but i'm not sure how to handle the INVD/WBINVD one and was hoping you'd give some tips.
for the XSETBV one, here's definitions he uses that I managed to find different places online (took awhile)
`#define X86_XCR0_FP_POS 0
#define X86_XCR0_FP (1ULL << X86_XCR0_FP_POS)
#define X86_XCR0_SSE_POS 1
#define X86_XCR0_SSE (1ULL << X86_XCR0_SSE_POS)
#define X86_XCR0_YMM_POS 2
#define X86_XCR0_YMM (1ULL << X86_XCR0_YMM_POS)
#define X86_XCR0_BNDREGS_POS 3
#define X86_XCR0_BNDREGS (1ULL << X86_XCR0_BNDREGS_POS)
#define X86_XCR0_BNDCSR_POS 4
#define X86_XCR0_BNDCSR (1ULL << X86_XCR0_BNDCSR_POS)
#define X86_XCR0_OPMASK_POS 5
#define X86_XCR0_OPMASK (1ULL << X86_XCR0_OPMASK_POS)
#define X86_XCR0_ZMM_POS 6
#define X86_XCR0_ZMM (1ULL << X86_XCR0_ZMM_POS)
#define X86_XCR0_HI_ZMM_POS 7
#define X86_XCR0_HI_ZMM (1ULL << X86_XCR0_HI_ZMM_POS)
#define X86_XCR0_PKRU_POS 9
#define X86_XCR0_PKRU (1ULL << X86_XCR0_PKRU_POS)
#define X86_XCR0_LWP_POS 62
#define X86_XCR0_LWP (1ULL << X86_XCR0_LWP_POS)
#define X86_XSTATE_X87 (1ULL << 0)
#define X86_XSTATE_SSE (1ULL << 1)
#define X86_XSTATE_AVX (1ULL << 2)
#define X86_XSTATE_BNDREGS (1ULL << 3)
#define X86_XSTATE_BNDCFG (1ULL << 4)
#define X86_XSTATE_MPX (X86_XSTATE_BNDREGS | X86_XSTATE_BNDCFG)
/* AVX 512 adds three feature bits. All three must be enabled. */
#define X86_XSTATE_K (1ULL << 5)
#define X86_XSTATE_ZMM_H (1ULL << 6)
#define X86_XSTATE_ZMM (1ULL << 7)
#define X86_XSTATE_AVX512 (X86_XSTATE_K | X86_XSTATE_ZMM_H | X86_XSTATE_ZMM)
#define X86_XSTATE_PKRU (1ULL << 9)
/* Supported mask and size of the extended state. */
#define X86_XSTATE_X87_MASK X86_XSTATE_X87
#define X86_XSTATE_SSE_MASK (X86_XSTATE_X87 | X86_XSTATE_SSE)
#define X86_XSTATE_AVX_MASK (X86_XSTATE_SSE_MASK | X86_XSTATE_AVX)
#define X86_XSTATE_MPX_MASK (X86_XSTATE_SSE_MASK | X86_XSTATE_MPX)
#define X86_XSTATE_AVX_MPX_MASK (X86_XSTATE_AVX_MASK | X86_XSTATE_MPX)
#define X86_XSTATE_AVX_AVX512_MASK (X86_XSTATE_AVX_MASK | X86_XSTATE_AVX512)
#define X86_XSTATE_AVX_MPX_AVX512_PKU_MASK
(X86_XSTATE_AVX_MPX_MASK | X86_XSTATE_AVX512 | X86_XSTATE_PKRU)
#define X86_XSTATE_ALL_MASK (X86_XSTATE_AVX_MPX_AVX512_PKU_MASK)
#define X86_XSTATE_SSE_SIZE 576
#define X86_XSTATE_AVX_SIZE 832
#define X86_XSTATE_BNDREGS_SIZE 1024
#define X86_XSTATE_BNDCFG_SIZE 1088
#define X86_XSTATE_AVX512_SIZE 2688
#define X86_XSTATE_PKRU_SIZE 2696
#define X86_XSTATE_MAX_SIZE 2696
#define XCR_XFEATURE_ENABLED_MASK 0x00000000`
Hello
i have a problem with compiling
on x86 :
a hypervisior feature is not available to the user
on x64:
this driver has been blocked from loading.
why?
could anyone help?
When VM-Exit occured and it hasn't vmresumed, if Thread Dispatching is activiated what should happen?
Hello, ddimon project wake up the computer BSOD, the reason is.
-#pragma alloc_text(INIT, DdimonInitialization)
+#pragma alloc_text(PAGE, DdimonInitialization)
and
#pragma alloc_text(INIT, ShAllocateShadowHookData)
#pragma alloc_text(INIT, ShAllocateSharedShaowHookData)
#pragma alloc_text(INIT, ShEnableHooks)
#pragma alloc_text(INIT, ShInstallHook)
#pragma alloc_text(INIT, ShpSetupInlineHook)
#pragma alloc_text(INIT, ShpGetInstructionSize)
#pragma alloc_text(INIT, ShpMakeTrampolineCode)
All INIT need to be changed PAGE
Hello tandasat, first of all thank you for your contribution to the community. I was experimimenting with your HyperVisor and works great hoewer and im trying to log System Drivers API calls but seems like ddimon dones't catch it, i tried hooking PsLookupProcessByProcessId and it only logs the calls from userland, is there anyway to log the ones from kernel too? thanks.
Hey, the moment I inject my DLL and attempt to hook, my pc crashes with this stop code: UNEXPECTED KERNEL MODE TRAP.
I'm using Windows 10, Version 1803 (OS Build 17134.523) HOME x64
Things I've checked:
VT-x enabled, triple-checked that and used programs such as Speccy, LeoMoon CPU-V and Task Manager self to check if virtualization is enabled, and it is!
DEP enabled for all programs
Testmode enabled, Build 17134.rs4_release.180410-1804
The driver has been modified a bit, so it fits our needs (it will stay private, won't be distributed and all credits go to "tandasat").
Driver starts without any problems.
Andddddd, here is where the witchcraft comes, the same DLL works on my friend's pc without any problems, injecting into the same process using the same injector. He is also on Windows 10, Version 1803 (OS Build 17134.523) PRO x64, note that he is on PRO and I'm on HOME (Home doesn't have to access to Hyper-V, maybe the reason?).
Here is the crash dump analyze for it, used latest version Windbg.exe:
Appreciate any kind of help.
Hey! I met a bug check (DRIVER_VERIFIER_DETECTED_VIOLATION) when hooking NtProtectVirtualMemory & NtMapViewOfSection APIs. I tested it in Windows 7 SP1 x64, and hooked NtProtectVirtualMemory by its SSDT index (77) hardcode in the source code. It didn't cause BSOD at once, but several minutes later, it happened.
It won't cause BSOD either if I hook any of them alone. I don't know if there are some other APIs can result in such a condition.
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught. This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00000091, A driver switched stacks using a method that is not supported by
the operating system. The only supported way to extend a kernel
mode stack is by using KeExpandKernelStackAndCallout.
Arg2: 00000002
Arg3: 018e9b60
Arg4: 00000000
Debugging Details:
------------------
DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING: 7601.17514.amd64fre.win7sp1_rtm.101119-1850
SYSTEM_MANUFACTURER: VMware, Inc.
VIRTUAL_MACHINE: VMware
SYSTEM_PRODUCT_NAME: VMware Virtual Platform
SYSTEM_VERSION: None
BIOS_VENDOR: Phoenix Technologies LTD
BIOS_VERSION: 6.00
BIOS_DATE: 07/02/2015
BASEBOARD_MANUFACTURER: Intel Corporation
BASEBOARD_PRODUCT: 440BX Desktop Reference Platform
BASEBOARD_VERSION: None
DUMP_TYPE: 1
BUGCHECK_P1: 91
BUGCHECK_P2: 2
BUGCHECK_P3: fffffa80018e9b60
BUGCHECK_P4: 0
BUGCHECK_STR: 0xc4_91
CPU_COUNT: 1
CPU_MHZ: e11
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 3c
CPU_STEPPING: 3
CPU_MICROCODE: 6,0,0,0 (F,M,S,R) SIG: 1E'00000000 (cache) 1E'00000000 (init)
CURRENT_IRQL: 0
ANALYSIS_SESSION_HOST: LIQI3-S-D8
ANALYSIS_SESSION_TIME: 06-09-2017 17:54:29.0797
ANALYSIS_VERSION: 10.0.14321.1024 amd64fre
IP_IN_FREE_BLOCK: 0
LAST_CONTROL_TRANSFER: from 00000000 to 00000000
STACK_TEXT:
00000000 00000000 00000000 00000000 00000000 0x0
STACK_COMMAND: kb
SYMBOL_NAME: ANALYSIS_INCONCLUSIVE
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Unknown_Module
IMAGE_NAME: Unknown_Image
DEBUG_FLR_IMAGE_TIMESTAMP: 0
BUCKET_ID: INVALID_KERNEL_CONTEXT_0xc4_91
DEFAULT_BUCKET_ID: INVALID_KERNEL_CONTEXT_0xc4_91
PRIMARY_PROBLEM_CLASS: INVALID_KERNEL_CONTEXT
FAILURE_BUCKET_ID: INVALID_KERNEL_CONTEXT_0xc4_91
TARGET_TIME: 2017-06-09T09:50:23.000Z
OSBUILD: 7601
OSSERVICEPACK: 1000
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 7
OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2010-11-20 17:30:02
BUILDDATESTAMP_STR: 101119-1850
BUILDLAB_STR: win7sp1_rtm
BUILDOSVER_STR: 6.1.7601.17514.amd64fre.win7sp1_rtm.101119-1850
ANALYSIS_SESSION_ELAPSED_TIME: 37a
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:invalid_kernel_context_0xc4_91
FAILURE_ID_HASH: {c8fab66e-0b86-6ef2-c0d0-229ea9ea76fc}
Followup: MachineOwner
---------
i always get this error,i tried lots of ways,if i just copy this file to the project ,i will get more error.
error C1083 can't open: โcapstone.hโ: No such file or directory DdiMon C:\Users\hunter\Desktop\fdssd\DdiMon-master\DdiMon\shadow_hook.cpp 21
i do not know how to include this file ,can you help me
Sometimes cmd.exe is listed even after installing DdiMon. Frequency of occurrence of this issue varies from system to system, but I have more often seen in a real machine than in VMs.
It is caused by a workaround for #2 made with 22b62da. A root cause is likely to be the same as that of #2 but I have not been able to figure it out.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.