Gbps / gbhv

Simple x86-64 VT-x Hypervisor with EPT Hooking
Creative Commons Attribution 4.0 International

Known Issues #2

Open Gbps opened 5 years ago

Gbps commented 5 years ago

Will be fixed in the coming weeks:

Seegee commented 4 years ago

@Gbps Was wondering if you ever got around to testing this with any sort of driver manual mapper? Provided that SEH / driver object references are removed, should this load alright when manual mapped early in the boot process using a mapper similar to Umap?

Gbps commented 4 years ago

There's nothing I can think of that would make this not work with a mapper. The driver itself is quite small, and I don't think SEH is used anywhere.

On Wed, Sep 9, 2020, 8:39 PM CJ Sculti notifications@github.com wrote:

@Gbps https://github.com/Gbps Was wondering if you ever got around to test this with any sort of driver manual mapper? Provided that SEH / driver object references are removed, should this load alright when manual mapped early in the boot process using a mapper similar to Umap https://github.com/btbd/umap?


autisticlittleguy commented 4 years ago

The hypervisor itself runs just fine while being manually mapped. I didn't have to make any changes to the code base except to accommodate some detection vectors introduced by manually mapping the driver. An issue I've noticed under VMware, though, is that PML1 entries can't get translated to virtual memory addresses for some reason. This seems to happen absolutely randomly, since sometimes the hooks just work, sometimes half of them work, sometimes none work.

[!] HvEptAddPageHook: Failed to get PML1 entry for target address. [DEBUG] Couldn't translate physical memory 0000000002E1D000 to virtual memory 0000000000000000, aborting...

autisticlittleguy commented 4 years ago

I'd like to add that the translation issue presents itself whether or not you use DSE bypass technique.

Gbps commented 4 years ago

@autisticlittleguy Can you open a separate issue? Also, in your new issue, can you debug print/debugger to figure out where inside HvEptGetPml1Entry the function is returning NULL? Thanks!
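The debugging request above (finding where inside HvEptGetPml1Entry the walk returns NULL) and the translation failure quoted earlier come down to the same question: which step of the four-level EPT walk gives up. The user-mode C model below is an added illustration, not code from gbhv, and it walks constructed PML4/PML3/PML2/PML1 tables and reports a distinct reason for each way the lookup can return NULL, including a physical-to-virtual translation of the next table that yields NULL (the symptom in the log line) and a 2 MiB large page that has not yet been split into 4 KiB entries. The table contents, the "physical" addresses 0x1000..0x4000, the phys_to_virt registry and every function name here are constructed for the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define EPT_ENTRIES    512
#define EPT_READ       (1ULL << 0)
#define EPT_WRITE      (1ULL << 1)
#define EPT_EXEC       (1ULL << 2)
#define EPT_LARGE_PAGE (1ULL << 7)            /* in a PML2 entry: maps 2 MiB, no PML1 below it */
#define EPT_PFN_MASK   0x000FFFFFFFFFF000ULL  /* bits 12..51: physical address of next table/page */

typedef uint64_t ept_entry_t;

/* One code per place the walk can give up, so a debug print names the exact step. */
enum ept_walk_result {
    EPT_WALK_OK = 0,
    EPT_WALK_PML4_NOT_PRESENT,
    EPT_WALK_PML3_NOT_PRESENT,
    EPT_WALK_PML2_NOT_PRESENT,
    EPT_WALK_LARGE_PAGE_NOT_SPLIT,
    EPT_WALK_PHYS_TO_VIRT_FAILED,
};

const char *ept_walk_result_str(enum ept_walk_result r)
{
    static const char *names[] = {
        "ok", "PML4 entry not present", "PML3 entry not present",
        "PML2 entry not present", "PML2 entry is a 2 MiB page (not split, no PML1)",
        "physical-to-virtual translation of next table failed",
    };
    return names[r];
}

/* Constructed stand-in for the kernel's physical-to-virtual translation: tables are
 * registered explicitly, and an unregistered physical address translates to NULL,
 * which is the symptom reported in the thread. */
#define MAX_TABLES 8
static struct { uint64_t phys; void *virt; } g_tables[MAX_TABLES];
static int g_table_count;

static void register_table(uint64_t phys, void *virt)
{
    if (g_table_count < MAX_TABLES) {
        g_tables[g_table_count].phys = phys;
        g_tables[g_table_count].virt = virt;
        g_table_count++;
    }
}

static void *phys_to_virt(uint64_t phys)
{
    for (int i = 0; i < g_table_count; i++)
        if (g_tables[i].phys == phys)
            return g_tables[i].virt;
    return NULL;
}

/* An EPT entry is present if any of read/write/execute (bits 0..2) is set. */
static int ept_present(ept_entry_t e) { return (e & (EPT_READ | EPT_WRITE | EPT_EXEC)) != 0; }

/* Walk PML4 -> PML3 -> PML2 -> PML1 for a guest-physical address; return a pointer
 * to the PML1 entry, or NULL with *why set to the step that failed. */
ept_entry_t *ept_get_pml1_entry(ept_entry_t *pml4, uint64_t guest_phys, enum ept_walk_result *why)
{
    unsigned i4 = (guest_phys >> 39) & 0x1FF, i3 = (guest_phys >> 30) & 0x1FF;
    unsigned i2 = (guest_phys >> 21) & 0x1FF, i1 = (guest_phys >> 12) & 0x1FF;

    if (!ept_present(pml4[i4])) { *why = EPT_WALK_PML4_NOT_PRESENT; return NULL; }
    ept_entry_t *pml3 = phys_to_virt(pml4[i4] & EPT_PFN_MASK);
    if (!pml3) { *why = EPT_WALK_PHYS_TO_VIRT_FAILED; return NULL; }

    if (!ept_present(pml3[i3])) { *why = EPT_WALK_PML3_NOT_PRESENT; return NULL; }
    ept_entry_t *pml2 = phys_to_virt(pml3[i3] & EPT_PFN_MASK);
    if (!pml2) { *why = EPT_WALK_PHYS_TO_VIRT_FAILED; return NULL; }

    if (!ept_present(pml2[i2])) { *why = EPT_WALK_PML2_NOT_PRESENT; return NULL; }
    /* A 2 MiB mapping has no PML1 table beneath it; it must be split before a single 4 KiB page can be hooked. */
    if (pml2[i2] & EPT_LARGE_PAGE) { *why = EPT_WALK_LARGE_PAGE_NOT_SPLIT; return NULL; }
    ept_entry_t *pml1 = phys_to_virt(pml2[i2] & EPT_PFN_MASK);
    if (!pml1) { *why = EPT_WALK_PHYS_TO_VIRT_FAILED; return NULL; }

    *why = EPT_WALK_OK;
    return &pml1[i1];
}

/* Constructed table set for the model; the addresses 0x1000..0x4000 are made up. */
static ept_entry_t g_pml4[EPT_ENTRIES], g_pml3[EPT_ENTRIES], g_pml2[EPT_ENTRIES], g_pml1[EPT_ENTRIES];

ept_entry_t *ept_build_demo_tables(void)
{
    const uint64_t rwx = EPT_READ | EPT_WRITE | EPT_EXEC;
    g_table_count = 0;
    for (int i = 0; i < EPT_ENTRIES; i++) {
        g_pml4[i] = g_pml3[i] = g_pml2[i] = 0;
        g_pml1[i] = ((uint64_t)i << 12) | rwx;       /* identity-map the first 2 MiB at 4 KiB granularity */
    }
    g_pml4[0] = 0x1000 | rwx;                        /* PML3 table at "physical" 0x1000 */
    g_pml3[0] = 0x2000 | rwx;                        /* PML2 table at 0x2000 */
    g_pml2[0] = 0x3000 | rwx;                        /* first 2 MiB already split: PML1 table at 0x3000 */
    g_pml2[1] = 0x200000 | rwx | EPT_LARGE_PAGE;     /* second 2 MiB still a large page */
    g_pml2[2] = 0x4000 | rwx;                        /* PML1 table whose address is never registered */
    register_table(0x1000, g_pml3);
    register_table(0x2000, g_pml2);
    register_table(0x3000, g_pml1);
    return g_pml4;
}

int main(void)
{
    ept_entry_t *pml4 = ept_build_demo_tables();
    uint64_t probes[] = { 0x5000, 0x200000, 0x400000, 0x600000, 1ULL << 39 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        enum ept_walk_result why;
        ept_entry_t *e = ept_get_pml1_entry(pml4, probes[i], &why);
        printf("GPA %#llx: %s\n", (unsigned long long)probes[i], e ? "PML1 entry found" : ept_walk_result_str(why));
    }
    return 0;
}
```

Reporting the failing step as a value rather than a bare NULL is the point: a "translation failed" result narrows the problem to how table memory is obtained, while "large page not split" means the split step never ran for that 2 MiB region, and the two need different fixes.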

Seegee commented 4 years ago

@autisticlittleguy this seems like the same issue that I reported in #17 . I only tested loading the driver normally, not manual mapping, and was having the same issue.

Seegee commented 4 years ago

@Gbps I've added debug prints to my function and created a new issue here #18 regarding this.

Seegee commented 4 years ago

@autisticlittleguy, just curious, what additional detection vectors did you need to 'remove' when manual mapping the driver, other than hiding the memory where the code lies in kernel?