From 811d11af97659ec9e3b5c134288dbc747b5edbd6 Mon Sep 17 00:00:00 2001 From: momo5502 Date: Tue, 19 Apr 2022 18:13:00 +0200 Subject: [PATCH] Some cleanup --- src/driver/driver_main.cpp | 152 ------------------------------------- src/driver/ept.cpp | 14 ++-- src/driver/hypervisor.cpp | 11 ++- src/runner/main.cpp | 9 +++ 4 files changed, 24 insertions(+), 162 deletions(-) diff --git a/src/driver/driver_main.cpp b/src/driver/driver_main.cpp index b83f023..f45766f 100644 --- a/src/driver/driver_main.cpp +++ b/src/driver/driver_main.cpp @@ -4,159 +4,10 @@ #include "irp.hpp" #include "exception.hpp" #include "hypervisor.hpp" -#include "memory.hpp" -#include "process.hpp" #define DOS_DEV_NAME L"\\DosDevices\\HelloDev" #define DEV_NAME L"\\Device\\HelloDev" -namespace -{ - void log_current_process_name() - { - const auto process = process::get_current_process(); - const auto* name = process.get_image_filename(); - - if (name) - { - debug_log("Denied for process: %s\n", name); - } - } - - NTSTATUS (*NtCreateFileOrig)( - PHANDLE FileHandle, - ACCESS_MASK DesiredAccess, - POBJECT_ATTRIBUTES ObjectAttributes, - PIO_STATUS_BLOCK IoStatusBlock, - PLARGE_INTEGER AllocationSize, - ULONG FileAttributes, - ULONG ShareAccess, - ULONG CreateDisposition, - ULONG CreateOptions, - PVOID EaBuffer, - ULONG EaLength - ); - - NTSTATUS NtCreateFileHook( - PHANDLE FileHandle, - ACCESS_MASK DesiredAccess, - POBJECT_ATTRIBUTES ObjectAttributes, - PIO_STATUS_BLOCK IoStatusBlock, - PLARGE_INTEGER AllocationSize, - ULONG FileAttributes, - ULONG ShareAccess, - ULONG CreateDisposition, - ULONG CreateOptions, - PVOID EaBuffer, - ULONG EaLength - ) - { - static WCHAR BlockedFileName[] = L"test.txt"; - static SIZE_T BlockedFileNameLength = (sizeof(BlockedFileName) / sizeof(BlockedFileName[0])) - 1; - - PWCH NameBuffer; - USHORT NameLength; - - __try - { - ProbeForRead(ObjectAttributes, sizeof(OBJECT_ATTRIBUTES), 1); - ProbeForRead(ObjectAttributes->ObjectName, sizeof(UNICODE_STRING), 1); - - NameBuffer = ObjectAttributes->ObjectName->Buffer; - NameLength = ObjectAttributes->ObjectName->Length; - - ProbeForRead(NameBuffer, NameLength, 1); - - /* Convert to length in WCHARs */ - NameLength /= sizeof(WCHAR); - - /* Does the file path (ignoring case and null terminator) end with our blocked file name? */ - if (NameLength >= BlockedFileNameLength && - _wcsnicmp(&NameBuffer[NameLength - BlockedFileNameLength], BlockedFileName, - BlockedFileNameLength) == 0) - { - log_current_process_name(); - return STATUS_ACCESS_DENIED; - } - } - __except (EXCEPTION_EXECUTE_HANDLER) - { - NOTHING; - } - - return NtCreateFileOrig(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, - FileAttributes, - ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength); - } - - VOID HvEptHookWriteAbsoluteJump(uint8_t* TargetBuffer, SIZE_T TargetAddress) - { - /** - * Use 'push ret' instead of 'jmp qword[rip+0]', - * Because 'jmp qword[rip+0]' will read hooked page 8bytes. - * - * 14 bytes hook: - * 0x68 0x12345678 ......................push 'low 32bit of TargetAddress' - * 0xC7 0x44 0x24 0x04 0x12345678........mov dword[rsp + 4], 'high 32bit of TargetAddress' - * 0xC3..................................ret - */ - - UINT32 Low32; - UINT32 High32; - - Low32 = (UINT32)TargetAddress; - High32 = (UINT32)(TargetAddress >> 32); - - /* push 'low 32bit of TargetAddress' */ - TargetBuffer[0] = 0x68; - *((UINT32*)&TargetBuffer[1]) = Low32; - - /* mov dword[rsp + 4], 'high 32bit of TargetAddress' */ - *((UINT32*)&TargetBuffer[5]) = 0x042444C7; - *((UINT32*)&TargetBuffer[9]) = High32; - - /* ret */ - TargetBuffer[13] = 0xC3; - } - - void* HookCreateFile(hypervisor& hypervisor) - { - const uint8_t fixup[] = { - 0x48, 0x81, 0xEC, 0x88, 0x00, 0x00, 0x00, 0x33, 0xC0, 0x48, 0x89, 0x44, 0x24, 0x78 - }; - - auto* target = reinterpret_cast(&NtCreateFile); - if (memcmp(target, fixup, sizeof(fixup)) != 0) - { - debug_log("Fixup is invalid\n"); - return nullptr; - } - - auto* trampoline = static_cast(memory::allocate_non_paged_memory(sizeof(fixup) + 14)); - if (!trampoline) - { - debug_log("Failed to allocate trampoline\n"); - return nullptr; - } - - memcpy(trampoline, fixup, sizeof(fixup)); - - - HvEptHookWriteAbsoluteJump(trampoline + sizeof(fixup), - size_t(target) + sizeof(fixup)); - - /* Let the hook function call the original function */ - NtCreateFileOrig = reinterpret_cast(trampoline); - - /* Write the absolute jump to our shadow page memory to jump to our hook. */ - uint8_t hook[14]; - HvEptHookWriteAbsoluteJump(hook, reinterpret_cast(NtCreateFileHook)); - - hypervisor.install_ept_hook(target, hook, sizeof(hook)); - return trampoline; - } -} - class global_driver { public: @@ -168,14 +19,12 @@ public: , irp_(driver_object, DEV_NAME, DOS_DEV_NAME) { debug_log("Driver started\n"); - this->trampoline_ = HookCreateFile(this->hypervisor_); } ~global_driver() { debug_log("Unloading driver\n"); this->hypervisor_.disable_all_ept_hooks(); - memory::free_non_paged_memory(this->trampoline_); } global_driver(global_driver&&) noexcept = delete; @@ -193,7 +42,6 @@ private: hypervisor hypervisor_{}; sleep_callback sleep_callback_{}; irp irp_{}; - void* trampoline_{nullptr}; void sleep_notification(const sleep_callback::type type) { diff --git a/src/driver/ept.cpp b/src/driver/ept.cpp index 280f366..cb8b6ff 100644 --- a/src/driver/ept.cpp +++ b/src/driver/ept.cpp @@ -10,12 +10,12 @@ #define MTRR_PAGE_SIZE 4096 #define MTRR_PAGE_MASK (~(MTRR_PAGE_SIZE-1)) -#define ADDRMASK_EPT_PML1_OFFSET(_VAR_) (_VAR_ & 0xFFFULL) +#define ADDRMASK_EPT_PML1_OFFSET(_VAR_) ((_VAR_) & 0xFFFULL) -#define ADDRMASK_EPT_PML1_INDEX(_VAR_) ((_VAR_ & 0x1FF000ULL) >> 12) -#define ADDRMASK_EPT_PML2_INDEX(_VAR_) ((_VAR_ & 0x3FE00000ULL) >> 21) -#define ADDRMASK_EPT_PML3_INDEX(_VAR_) ((_VAR_ & 0x7FC0000000ULL) >> 30) -#define ADDRMASK_EPT_PML4_INDEX(_VAR_) ((_VAR_ & 0xFF8000000000ULL) >> 39) +#define ADDRMASK_EPT_PML1_INDEX(_VAR_) (((_VAR_) & 0x1FF000ULL) >> 12) +#define ADDRMASK_EPT_PML2_INDEX(_VAR_) (((_VAR_) & 0x3FE00000ULL) >> 21) +#define ADDRMASK_EPT_PML3_INDEX(_VAR_) (((_VAR_) & 0x7FC0000000ULL) >> 30) +#define ADDRMASK_EPT_PML4_INDEX(_VAR_) (((_VAR_) & 0xFF8000000000ULL) >> 39) namespace vmx { @@ -316,10 +316,10 @@ namespace vmx } const auto* pml2 = reinterpret_cast(pml2_entry); - auto* pml1 = static_cast(memory::get_virtual_address(pml2->page_frame_number * PAGE_SIZE)); + auto* pml1 = this->find_pml1_table(pml2->page_frame_number * PAGE_SIZE); if (!pml1) { - pml1 = this->find_pml1_table(pml2->page_frame_number * PAGE_SIZE); + pml1 = static_cast(memory::get_virtual_address(pml2->page_frame_number * PAGE_SIZE)); } if (!pml1) diff --git a/src/driver/hypervisor.cpp b/src/driver/hypervisor.cpp index 5c52469..d79e62b 100644 --- a/src/driver/hypervisor.cpp +++ b/src/driver/hypervisor.cpp @@ -159,7 +159,8 @@ bool hypervisor::is_enabled() const return is_hypervisor_present(); } -bool hypervisor::install_ept_hook(const void* destination, const void* source, const size_t length, vmx::ept_translation_hint* translation_hint) +bool hypervisor::install_ept_hook(const void* destination, const void* source, const size_t length, + vmx::ept_translation_hint* translation_hint) { volatile long failures = 0; thread::dispatch_on_all_cores([&]() @@ -573,6 +574,8 @@ void vmx_dispatch_vm_exit(vmx::guest_context& guest_context, const vmx::state& v case VMX_EXIT_REASON_EPT_MISCONFIGURATION: vm_state.ept.handle_misconfiguration(guest_context); break; + //case VMX_EXIT_REASON_EXECUTE_RDTSC: + // break; default: break; } @@ -1005,7 +1008,8 @@ void hypervisor::free_vm_states() this->vm_state_count_ = 0; } -bool hypervisor::try_install_ept_hook_on_core(const void* destination, const void* source, const size_t length, vmx::ept_translation_hint* translation_hint) +bool hypervisor::try_install_ept_hook_on_core(const void* destination, const void* source, const size_t length, + vmx::ept_translation_hint* translation_hint) { try { @@ -1024,7 +1028,8 @@ bool hypervisor::try_install_ept_hook_on_core(const void* destination, const voi } } -void hypervisor::install_ept_hook_on_core(const void* destination, const void* source, const size_t length, vmx::ept_translation_hint* translation_hint) +void hypervisor::install_ept_hook_on_core(const void* destination, const void* source, const size_t length, + vmx::ept_translation_hint* translation_hint) { auto* vm_state = this->get_current_vm_state(); if (!vm_state) diff --git a/src/runner/main.cpp b/src/runner/main.cpp index d6b1a59..d7e1a9a 100644 --- a/src/runner/main.cpp +++ b/src/runner/main.cpp @@ -75,6 +75,15 @@ void unsafe_main(const int /*argc*/, char* /*argv*/[]) hook_request.source_data = buffer; hook_request.source_data_size = sizeof(buffer); + input.assign(reinterpret_cast(&hook_request), + reinterpret_cast(&hook_request) + sizeof(hook_request)); + + (void)driver_device.send(HOOK_DRV_IOCTL, input); + + hook_request.target_address = (void*)0x47F6C7; + hook_request.source_data = buffer; + hook_request.source_data_size = sizeof(buffer); + input.assign(reinterpret_cast(&hook_request), reinterpret_cast(&hook_request) + sizeof(hook_request));