diff --git a/src/driver/ept.cpp b/src/driver/ept.cpp index 1407a2f..55c5679 100644 --- a/src/driver/ept.cpp +++ b/src/driver/ept.cpp @@ -94,6 +94,20 @@ namespace vmx } } } + + void reset_all_watch_point_pages(ept_code_watch_point* watch_point) + { + while (watch_point) + { + if (watch_point->target_page) + { + watch_point->target_page->read_access = 0; + watch_point->target_page->execute_access = 1; + } + + watch_point = watch_point->next_watch_point; + } + } } ept_hook::ept_hook(const uint64_t physical_base) @@ -251,6 +265,8 @@ namespace vmx auto* watch_point = this->find_ept_code_watch_point(physical_base_address); if (watch_point) { + reset_all_watch_point_pages(this->ept_code_watch_points); + if (!violation_qualification.ept_executable && violation_qualification.execute_access) { watch_point->target_page->execute_access = 1; @@ -368,6 +384,8 @@ namespace vmx { throw std::runtime_error("Failed to get PML1 entry for target address"); } + + watch_point->target_page->read_access = 0; } ept_pointer ept::get_ept_pointer() const diff --git a/src/driver/hypervisor.cpp b/src/driver/hypervisor.cpp index a42ab7c..eb6f675 100644 --- a/src/driver/hypervisor.cpp +++ b/src/driver/hypervisor.cpp @@ -192,6 +192,31 @@ bool hypervisor::install_ept_hook(const void* destination, const void* source, c return failures == 0; } +bool hypervisor::install_ept_code_watch_point(const uint64_t physical_page) const +{ + try + { + this->ept_->install_code_watch_point(physical_page); + } + catch (std::exception& e) + { + debug_log("Failed to install ept watch point on core %d: %s\n", thread::get_processor_index(), e.what()); + return false; + } + catch (...) + { + debug_log("Failed to install ept watch point on core %d.\n", thread::get_processor_index()); + return false; + } + + thread::dispatch_on_all_cores([&] + { + this->ept_->invalidate(); + }); + + return true; +} + void hypervisor::disable_all_ept_hooks() const { this->ept_->disable_all_hooks(); 
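Review bot: reset_all_watch_point_pages clears read_access but leaves write_access untouched, and the install_code_watch_point hunk (@@ -368,6 +384,8 @@) does the same when it zeroes only read_access; if the PML1 entry still has write_access set, permission bits 2:0 become write-only (010b), which the processor reports as an EPT misconfiguration exit instead of the EPT violation this code expects, and a read=0/write=0/execute=1 entry additionally requires execute-only EPT support (IA32_VMX_EPT_VPID_CAP bit 0). Whether write_access is already cleared when the watch point is created is outside both hunks, so either clear it alongside read_access in both places or document the precondition. The helper also has no comment; I would put `// Re-arm every code watch point: reads trap again, execution stays allowed. Callers are expected to invalidate the EPT afterwards.` above it, since no invalidation is visible in the violation-handler hunk that calls it and that is worth confirming.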
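Review bot: Once reset_all_watch_point_pages has run, `watch_point->target_page->execute_access = 1;` on the last line of the hunk is a no-op for this watch point, because the reset already set execute_access to 1 on every target page; that branch now only matters for whatever it does after the hunk ends. The reset also walks the whole watch-point list on every matching EPT violation, i.e. on the VM-exit path, and rewrites pages that belong to other watch points; if the EPT is shared between cores (the hypervisor.cpp hunk invalidates it on all cores, which suggests it is), a core that has just opened its own page for a read could have it closed again underneath it. The reason for resetting everything first is not stated anywhere, so add a why-comment such as `// Re-arm all watch points before servicing this one: a page left open by an earlier violation must trap again.` The remainder of the violation handler is outside the hunk.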
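Review bot: `catch (std::exception& e)` in install_ept_code_watch_point should bind by const reference, `catch (const std::exception& e)`, so the handler does not take a mutable reference to the thrown object. The message "Failed to install ept watch point on core %d" copies the per-core wording of install_ept_hook above, but this function installs once on whichever core the caller happens to run on and only dispatches the invalidate to all cores, so the processor index says little here; logging the physical page instead would make the failure traceable from the irp.cpp caller. Running the invalidate only on success is consistent with the ept.cpp change, where the throw for a missing PML1 entry happens before the entry is modified.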
diff --git a/src/driver/hypervisor.hpp b/src/driver/hypervisor.hpp index 2bae9b1..25edaca 100644 --- a/src/driver/hypervisor.hpp +++ b/src/driver/hypervisor.hpp @@ -21,6 +21,9 @@ public: bool install_ept_hook(const void* destination, const void* source, size_t length, vmx::ept_translation_hint* translation_hint = nullptr); + + bool install_ept_code_watch_point(uint64_t physical_page) const; + void disable_all_ept_hooks() const; vmx::ept& get_ept() const; diff --git a/src/driver/irp.cpp b/src/driver/irp.cpp index 133609e..aabebc5 100644 --- a/src/driver/irp.cpp +++ b/src/driver/irp.cpp @@ -182,7 +182,12 @@ namespace const auto physical_address = memory::get_physical_address(const_cast(current)); if (physical_address) { - hypervisor->get_ept().install_code_watch_point(physical_address); + debug_log("Watching %p -> %llX\n", current, physical_address); + (void)hypervisor->install_ept_code_watch_point(physical_address); + } + else + { + debug_log("Failed to resovle physical address for %p\n", current); } } } diff --git a/src/runner/main.cpp b/src/runner/main.cpp index 9356eaa..a764aa9 100644 --- a/src/runner/main.cpp +++ b/src/runner/main.cpp @@ -185,10 +185,11 @@ std::vector query_records(const driver_device& driver_device, const si return result; } -void report_records(const std::atomic_bool& flag, const driver_device& driver_device) +void report_records(const std::atomic_bool& flag, const driver_device& driver_device, const uint32_t pid, const HMODULE target_module, const std::vector>& regions) { std::set access_addresses{}; + int i = 0; while (flag) { std::this_thread::sleep_for(std::chrono::seconds(1)); @@ -201,6 +202,11 @@ void report_records(const std::atomic_bool& flag, const driver_device& driver_de printf("%p\n", reinterpret_cast(new_record)); } } + + if((++i) % 5 == 0) + { + watch_regions(driver_device, pid, target_module, regions); + } } } 
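Review bot: The new install_ept_code_watch_point declaration has no comment, while the surrounding declarations give a caller nothing to go on either; I would add `// Traps guest reads of the page containing physical_page via EPT and flushes the EPT on every core; returns false (after logging) if the EPT layer could not install the watch point.` Whether physical_page must be page-aligned or any address within the page is accepted is not visible from the hunks, and the irp.cpp caller passes a raw physical address, so the comment should state which it is once confirmed against ept::install_code_watch_point.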
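Review bot: The new else branch in irp.cpp misspells its log message; it should read `debug_log("Failed to resolve physical address for %p\n", current);`. The result of install_ept_code_watch_point is discarded with `(void)`, so a failed install is visible only in the debug log and the IRP completes as if every page were being watched; if the caller is meant to learn about partial failures, count them here and reflect that in the completion status. The enclosing loop and the function it belongs to start before the hunk.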
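Review bot: `int i = 0;` together with `if((++i) % 5 == 0)` hides what the counter means; since the loop sleeps one second per iteration, `int ticks = 0;` and `if ((++ticks) % rewatch_interval_seconds == 0)` with a named constant (and a space after `if`) would make the intent readable. More importantly, this re-issues watch_regions for the same regions every five seconds, and nothing in the diff shows ept::install_code_watch_point de-duplicating by page; if it appends unconditionally, the watch-point list that reset_all_watch_point_pages walks on every EPT violation grows by one node per region every interval. Either confirm the driver ignores duplicates or only re-watch regions that changed. The loop body continues outside the hunk.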
@@ -268,7 +274,7 @@ void unsafe_main(const int /*argc*/, char* /*argv*/[]) std::atomic_bool terminate{false}; std::thread t([&]() { - report_records(terminate, driver_device); + report_records(terminate, driver_device, pid, target_module, regions); }); _getch();