
Hook tests

This commit is contained in:
momo5502 2022-04-16 22:37:28 +02:00
parent 4c3e5d78ac
commit 77785486ae
6 changed files with 64 additions and 27 deletions


@ -135,7 +135,7 @@ namespace vmx
memcpy(hook->fake_page + page_offset, source, length);
}
void ept::install_hook(void* destination, const void* source, const size_t length)
void ept::install_hook(const void* destination, const void* source, const size_t length)
{
auto current_destination = reinterpret_cast<uint64_t>(destination);
auto current_source = reinterpret_cast<uint64_t>(source);


@ -53,7 +53,7 @@ namespace vmx
void initialize();
void install_hook(void* destination, const void* source, size_t length);
void install_hook(const void* destination, const void* source, size_t length);
void disable_all_hooks() const;
void handle_violation(guest_context& guest_context) const;


@ -159,7 +159,7 @@ bool hypervisor::is_enabled() const
return is_hypervisor_present();
}
bool hypervisor::install_ept_hook(void* destination, const void* source, const size_t length)
bool hypervisor::install_ept_hook(const void* destination, const void* source, const size_t length)
{
volatile long failures = 0;
thread::dispatch_on_all_cores([&]()
@ -1005,7 +1005,7 @@ void hypervisor::free_vm_states()
this->vm_state_count_ = 0;
}
bool hypervisor::try_install_ept_hook_on_core(void* destination, const void* source, const size_t length)
bool hypervisor::try_install_ept_hook_on_core(const void* destination, const void* source, const size_t length)
{
try
{
@ -1024,7 +1024,7 @@ bool hypervisor::try_install_ept_hook_on_core(void* destination, const void* sou
}
}
void hypervisor::install_ept_hook_on_core(void* destination, const void* source, const size_t length)
void hypervisor::install_ept_hook_on_core(const void* destination, const void* source, const size_t length)
{
auto* vm_state = this->get_current_vm_state();
if (!vm_state)


@ -19,7 +19,7 @@ public:
bool is_enabled() const;
bool install_ept_hook(void* destination, const void* source, size_t length);
bool install_ept_hook(const void* destination, const void* source, size_t length);
void disable_all_ept_hooks() const;
static hypervisor* get_instance();
@ -35,8 +35,8 @@ private:
void allocate_vm_states();
void free_vm_states();
bool try_install_ept_hook_on_core(void* destination, const void* source, size_t length);
void install_ept_hook_on_core(void* destination, const void* source, size_t length);
bool try_install_ept_hook_on_core(const void* destination, const void* source, size_t length);
void install_ept_hook_on_core(const void* destination, const void* source, size_t length);
vmx::state* get_current_vm_state() const;
};


@ -8,6 +8,8 @@
#include <irp_data.hpp>
#include "process.hpp"
#include "thread.hpp"
#include "hypervisor.hpp"
namespace
{
@ -38,27 +40,55 @@ namespace
// TODO: This is vulnerable as fuck. Optimize!
void apply_hook(hook_request* request)
{
const auto address = reinterpret_cast<uint64_t>(request->target_address);
const auto aligned_address = address & (PAGE_SIZE - 1);
const auto offset = address - aligned_address;
debug_log("Pid: %d | Address: %p\n", request->process_id, request->target_address);
const auto process_handle = process::find_process_by_id(request->process_id);
if (!process_handle || !process_handle.is_alive())
thread::kernel_thread t([r = *request]()
{
debug_log("Bad process\n");
return;
}
debug_log("Pid: %d | Address: %p\n", r.process_id, r.target_address);
const auto name = process_handle.get_image_filename();
if (name)
{
debug_log("Attaching to %s\n", name);
}
const auto process_handle = process::find_process_by_id(r.process_id);
if (!process_handle || !process_handle.is_alive())
{
debug_log("Bad process\n");
return;
}
//process::scoped_process_attacher attacher{process_handle};
//debug_log("Original: %s\n", request->target_address);
const auto name = process_handle.get_image_filename();
if (name)
{
debug_log("Attaching to %s\n", name);
}
debug_log("Level: %d\n", static_cast<int>(KeGetCurrentIrql()));
/*
auto buffer = new uint8_t[r.source_data_size];
if (!buffer)
{
debug_log("Failed to allocate buffer\n");
return;
}
auto destructor = utils::finally([buffer]()
{
delete[] buffer;
});
memcpy(buffer, r.source_data, r.source_data_size);
*/
process::scoped_process_attacher attacher{process_handle};
debug_log("Original: %p\n", r.target_address);
uint8_t buffer = 0xEB;
//hypervisor::get_instance()->install_ept_hook(r.target_address, buffer, r.source_data_size);
hypervisor::get_instance()->install_ept_hook(r.target_address, &buffer, 1);
debug_log("Done1\n");
});
t.join();
debug_log("Done\n");
}
_Function_class_(DRIVER_DISPATCH) NTSTATUS io_ctl_handler(
@ -81,6 +111,7 @@ namespace
debug_log("Hello from the Driver!\n");
break;
case HOOK_DRV_IOCTL:
apply_hook(static_cast<hook_request*>(irp_sp->Parameters.DeviceIoControl.Type3InputBuffer));
break;
default:
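Review bot: The new `case HOOK_DRV_IOCTL:` line hands `irp_sp->Parameters.DeviceIoControl.Type3InputBuffer` to `apply_hook` as a `hook_request*` and `apply_hook` immediately copies `*request` into the kernel-thread lambda, yet nothing checks the buffer's length or validity — a METHOD_NEITHER buffer is a raw user-mode pointer that the I/O manager neither probes nor size-checks, so a malformed request can bugcheck the machine or make the driver read memory it should not, which is exactly what the `// TODO: This is vulnerable as fuck` comment above `apply_hook` warns about. Before the call, reject undersized requests with `if (irp_sp->Parameters.DeviceIoControl.InputBufferLength < sizeof(hook_request)) { /* fail with STATUS_BUFFER_TOO_SMALL */ break; }`, then copy the struct into a kernel-side local under `ProbeForRead(buffer, sizeof(hook_request), alignof(hook_request))` inside a `__try`/`__except` block and pass that local to `apply_hook`. Note that `r.target_address` and `r.source_data` remain caller-supplied pointers even after that copy, so the kernel thread should keep treating them as untrusted (the commented-out `memcpy(buffer, r.source_data, ...)` would need the same probing if it is reinstated). `io_ctl_handler` starts and ends outside the hunk, so the status variable and return path are not visible here.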


@ -66,7 +66,13 @@ void unsafe_main(const int /*argc*/, char* /*argv*/[])
hook_request hook_request{};
hook_request.process_id = _pid; //GetCurrentProcessId();
hook_request.target_address = (void*)0x1401644A8; //"My Message!";
hook_request.target_address = (void*)0x14007DCF7; //"My Message!";
uint8_t buffer[1];
buffer[0] = 0xEB;
hook_request.source_data = buffer;
hook_request.source_data_size = 1;
input.assign(reinterpret_cast<uint8_t*>(&hook_request),
reinterpret_cast<uint8_t*>(&hook_request) + sizeof(hook_request));