Closed intelfanatik closed 3 years ago
Hey, thanks for the positive feedback.
I've known people who have successfully implemented this, though I don't know too much of the specifics of what they did. I believe what they did was set the vm controls to exit on cr3, and when the target cr3 they cared for was swapped in, they would apply the EPT hook, and if the target cr3 was swapping out, it would remove the hook. The problem they dealt with was the Meltdown patch, which means that now there are two cr3 pointers per process now, so you have to watch out for either of those pointers during the cr3 exit. The EPT violation will happen for the process's usermode cr3 (probably, though a syscall could make the exit come from the kernel cr3), but as part of the exit the VMCS_HOST_CR3
control dictates that the System DTB will be loaded in, so you won't actually see the user process's memory by default in the exit handler. You'll need to set your cr3 value to the value from the cr3 exit or read the guest's cr3 value.
Hopefully that provides some insight.
Note that usermode pages are always tradable. That means that, at any time, the memory manager can choose to copy the page to a different physical page in order to defragment the physical memory layout. This happens to free up larger contiguous physical ranges for things like network buffers when the system is under memory pressure or has been running for a very long time. It's probably unlikely to happen, but still definitely possible. So, be aware of this, because that means that the kernel might cause an EPT violation on your page when you're not expecting it.
Thank you for the invaluable insight. I'll keep working on it.
I've been messing around with gbhv for a while (amazing project, adding features was a breeze with such a simple yet consistent and robust code base), and i've been trying to implement ept hooks that are process specific after implementing capstone as a disassembler, yet i'm not having that much success with it. As far as i understand, i need to save the cr3 and restore it on ept violation and switch the page to whatever has the correct access rights (x or rw), though i'm having trouble implementing this myself. Has anyone tried to do this yet? Sorry for the edits, but i pressed enter by mistake after writing out the title.