Gbps / gbhv

Simple x86-64 VT-x Hypervisor with EPT Hooking
Creative Commons Attribution 4.0 International

syscall hook #15

Closed ShahriyarB closed 3 years ago

ShahriyarB commented 4 years ago

Hello, I want to thank you for the driver; it's clean and works just fine without any modifications. My problem is that I can't hook functions that are not exported in the kernel, like NtGetContextThread. I managed to get its address using this and place the hook successfully, but there is a SYSTEM_SERVICE_EXCEPTION bsod.

Code:

/* Trampoline to the original function, filled in by HvEptAddPageHook. */
NTSTATUS (*NtGetContextThreadOrig)(HANDLE ThreadHandle, PCONTEXT Context);

/* Hook handler: same signature as NtGetContextThread, forwards to the original. */
NTSTATUS NtGetContextThreadHook(HANDLE ThreadHandle, PCONTEXT Context)
{
    const NTSTATUS result = NtGetContextThreadOrig(ThreadHandle, Context);

    HvUtilLog("NtGetContextThreadHook called !");

    return result;
}

BOOL HvEptLogicalProcessorInitialize(PVMM_PROCESSOR_CONTEXT ProcessorContext)
{
    ...

    /* Resolve the non-exported routine by its syscall index (0xed) instead of by export name. */
    PVOID NtGetContextThread = SyscallHookGetFunctionAddress(0x00ed, FALSE);

    if (NtGetContextThread)
    {
        /* Install the EPT page hook; on success the original-function pointer is populated. */
        if (HvEptAddPageHook(ProcessorContext, NtGetContextThread, (PVOID)NtGetContextThreadHook, (PVOID*)&NtGetContextThreadOrig))
            HvUtilLog("NtGetContextThread hooked");
    }

    return TRUE;
}

Dump:

Microsoft (R) Windows Debugger Version 10.0.19528.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 18362 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff803`4dc00000 PsLoadedModuleList = 0xfffff803`4e048170
Debug session time: Sun May 17 14:58:15.417 2020 (UTC + 4:30)
System Uptime: 0 days 0:13:47.093
Loading Kernel Symbols
...............................................................
................................................................
................................................................
..
Loading User Symbols
PEB is paged out (Peb.Ldr = 0000008f`f51ea018).  Type ".hh dbgerr001" for details
Loading unloaded module list
......
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff803`4ddc2390 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:ffff9906`67f74770=000000000000003b
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8034e226583, Address of the instruction which caused the bugcheck
Arg3: ffff990667f750a0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

Page 200 not present in the dump file. Type ".hh dbgerr004" for details

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 3

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on SHAHRIYAR

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 3

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 64

    Key  : Analysis.System
    Value: CreateObject

ADDITIONAL_XML: 1

BUGCHECK_CODE:  3b

BUGCHECK_P1: c0000005

BUGCHECK_P2: fffff8034e226583

BUGCHECK_P3: ffff990667f750a0

BUGCHECK_P4: 0

CONTEXT:  ffff990667f750a0 -- (.cxr 0xffff990667f750a0)
rax=0000000000000000 rbx=0000000000000550 rcx=ffffc2030f397080
rdx=ffffc203014c2c40 rsi=0000000000000501 rdi=0000000000000000
rip=fffff8034e226583 rsp=ffff990667f75a90 rbp=000001b23b760080
 r8=ffff840134062001  r9=fffff8034dc00000 r10=0000fffff8034e00
r11=ffff840133e2b040 r12=0000000000000001 r13=000001b23b760080
r14=00000000000004d0 r15=00000000000009a0
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
nt!NtGetContextThread+0x53:
fffff803`4e226583 f7437400040000  test    dword ptr [rbx+74h],400h ds:002b:00000000`000005c4=????????
Resetting default scope

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXWINLOGON: 1

PROCESS_NAME:  svchost.exe

STACK_TEXT:  
ffff9906`67f75a90 fffff803`4eb21fd4 : ffffc203`0f397080 ffff9906`67f75b80 00000000`00000550 00000000`00000550 : nt!NtGetContextThread+0x53
ffff9906`67f75ad0 fffff803`4ddd3c18 : 00000000`0000503a ffff9906`67f75b80 00000000`dc0019ff ffffc203`0801d860 : gbhv!NtGetContextThreadHook+0xc [E:\D Drive\Projects\gbhv\gbhv\ept.c @ 441] 
ffff9906`67f75b00 00007fff`866fde04 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
0000008f`f577e4b8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`866fde04

CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
    fffff8034e170799-fffff8034e17079a  2 bytes - nt!_guard_check_icall_fptr+1
    [ 60 d7:ae dc ]
    fffff8034e1707a0-fffff8034e1707a2  3 bytes - nt!_guard_dispatch_icall_fptr (+0x07)
    [ 40 e6 db:60 ae dc ]
    fffff8034e226527-fffff8034e226529  3 bytes - nt!RtlpValidRelativeAttribute+ff
    [ cc cc cc:57 65 22 ]
Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    fffff8034e226532-fffff8034e226536  5 bytes - nt!NtGetContextThread+2 (+0x0b)
    [ dc 49 89 5b 08:00 00 00 00 00 ]
13 errors : !nt (fffff8034e170799-fffff8034e226536)

MODULE_NAME: memory_corruption

IMAGE_NAME:  memory_corruption

MEMORY_CORRUPTOR:  LARGE

STACK_COMMAND:  .cxr 0xffff990667f750a0 ; kb

FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_LARGE

OS_VERSION:  10.0.18362.1

BUILDLAB_STR:  19h1_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {e29154ac-69a4-0eb8-172a-a860f73c0a3c}

Followup:     memory_corruption
---------
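An added example, not code from this issue or from gbhv, showing how to read the CHKIMG section of a report like the one above mechanically rather than by eye: it parses each modified range with its expected/actual bytes, checks the listing against the debugger's own byte counts and "N errors" total, and separates symbols the analyst treats as routine runtime fixups from patches to other kernel code. The sample text is an excerpt copied from the dump above (the "Page ... not present" line is left in because it interrupts the listing in the real output); the allowlist of benign symbols is an assumption supplied by the analyst, not something the debugger reports.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the CHKIMG section copied from the !analyze -v output in this issue.
SAMPLE_CHKIMG = """\
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
    fffff8034e170799-fffff8034e17079a  2 bytes - nt!_guard_check_icall_fptr+1
    [ 60 d7:ae dc ]
    fffff8034e1707a0-fffff8034e1707a2  3 bytes - nt!_guard_dispatch_icall_fptr (+0x07)
    [ 40 e6 db:60 ae dc ]
    fffff8034e226527-fffff8034e226529  3 bytes - nt!RtlpValidRelativeAttribute+ff
    [ cc cc cc:57 65 22 ]
Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    fffff8034e226532-fffff8034e226536  5 bytes - nt!NtGetContextThread+2 (+0x0b)
    [ dc 49 89 5b 08:00 00 00 00 00 ]
13 errors : !nt (fffff8034e170799-fffff8034e226536)
"""

# "<start>-<end>  N bytes - <symbol>" lines that open each modified range.
RANGE_RE = re.compile(r"^\s*([0-9a-f]+)-([0-9a-f]+)\s+(\d+) bytes? - (\S+)")
# "[ expected bytes:actual bytes ]" line that follows a range.
BYTES_RE = re.compile(r"^\s*\[\s*([0-9a-f ]+?)\s*:\s*([0-9a-f ]+?)\s*\]")
# Trailing "N errors : !module (...)" summary emitted by chkimg.
TOTAL_RE = re.compile(r"^\s*(\d+) errors? : ")

# Assumption: symbols the analyst considers expected runtime fixups rather than
# evidence of tampering; extend or replace this set for your own environment.
EXPECTED_RUNTIME_FIXUPS = {"nt!_guard_check_icall_fptr", "nt!_guard_dispatch_icall_fptr"}


def parse_chkimg(text: str) -> Dict:
    """Parse a chkimg listing into range records plus the debugger's reported total."""
    records: List[Dict] = []
    total: Optional[int] = None
    current: Optional[Dict] = None
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            start, end, count, symbol = m.groups()
            current = {"start": int(start, 16), "end": int(end, 16),
                       "length": int(count), "symbol": symbol,
                       "expected": None, "actual": None}
            records.append(current)
            continue
        m = BYTES_RE.match(line)
        if m and current is not None:
            current["expected"] = bytes.fromhex(m.group(1).replace(" ", ""))
            current["actual"] = bytes.fromhex(m.group(2).replace(" ", ""))
            current = None  # a range carries exactly one byte listing
            continue
        m = TOTAL_RE.match(line)
        if m:
            total = int(m.group(1))
        # anything else ("Page ... not present", the header) is debugger noise
    return {"records": records, "reported_total": total}


def check_consistency(report: Dict) -> List[str]:
    """Cross-check each range against its byte count and the summary total."""
    problems: List[str] = []
    for r in report["records"]:
        span = r["end"] - r["start"] + 1
        if span != r["length"]:
            problems.append(f"{r['symbol']}: range spans {span} bytes, listing says {r['length']}")
        if r["expected"] is None or r["actual"] is None:
            problems.append(f"{r['symbol']}: no expected/actual byte listing found")
        elif len(r["expected"]) != r["length"] or len(r["actual"]) != r["length"]:
            problems.append(f"{r['symbol']}: byte listing does not match {r['length']} bytes")
    counted = sum(r["length"] for r in report["records"])
    if report["reported_total"] is not None and counted != report["reported_total"]:
        problems.append(f"listing totals {counted} bytes, chkimg reported {report['reported_total']}")
    return problems


def suspicious_patches(report: Dict, allowlist=EXPECTED_RUNTIME_FIXUPS) -> List[Tuple[str, int, str, str]]:
    """Return (function, length, expected_hex, actual_hex) for ranges outside the allowlist."""
    out = []
    for r in report["records"]:
        base = r["symbol"].split("+", 1)[0]  # drop the "+offset" part of the symbol
        if base in allowlist:
            continue
        out.append((base, r["length"],
                    r["expected"].hex() if r["expected"] else "",
                    r["actual"].hex() if r["actual"] else ""))
    return out


if __name__ == "__main__":
    rep = parse_chkimg(SAMPLE_CHKIMG)
    for p in check_consistency(rep):
        print("inconsistency:", p)
    for func, n, exp, act in suspicious_patches(rep):
        print(f"{func}: {n} byte(s) changed, {exp} -> {act}")
```

Run as-is it prints the two patched kernel routines from the dump above; the point of the consistency pass is that a listing interrupted by paging errors can silently drop byte rows, and the debugger's own "N errors" total lets you notice when that has happened.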