Gbps / gbhv

Simple x86-64 VT-x Hypervisor with EPT Hooking
Creative Commons Attribution 4.0 International

Shadowing of pages on different cr3s #20

Closed intelfanatik closed 3 years ago

intelfanatik commented 3 years ago

I've been messing around with gbhv for a while (amazing project, adding features was a breeze with such a simple yet consistent and robust code base), and I've been trying to implement EPT hooks that are process specific after implementing Capstone as a disassembler, yet I'm not having that much success with it. As far as I understand, I need to save the cr3 and restore it on EPT violation and switch the page to whatever has the correct access rights (x or rw), though I'm having trouble implementing this myself. Has anyone tried to do this yet? Sorry for the edits, but I pressed enter by mistake after writing out the title.

Gbps commented 3 years ago

Hey, thanks for the positive feedback.

I've known people who have successfully implemented this, though I don't know too much of the specifics of what they did. I believe what they did was set the VM controls to exit on cr3, and when the target cr3 they cared for was swapped in, they would apply the EPT hook, and if the target cr3 was swapping out, it would remove the hook. The problem they dealt with was the Meltdown patch, which means that there are now two cr3 pointers per process, so you have to watch out for either of those pointers during the cr3 exit. The EPT violation will happen for the process's usermode cr3 (probably, though a syscall could make the exit come from the kernel cr3), but as part of the exit the VMCS_HOST_CR3 control dictates that the System DTB will be loaded in, so you won't actually see the user process's memory by default in the exit handler. You'll need to set your cr3 value to the value from the cr3 exit or read the guest's cr3 value.

Hopefully that provides some insight.

Gbps commented 3 years ago

Note that usermode pages are always tradable. That means that, at any time, the memory manager can choose to copy the page to a different physical page in order to defragment the physical memory layout. This happens to free up larger contiguous physical ranges for things like network buffers when the system is under memory pressure or has been running for a very long time. It's probably unlikely to happen, but still definitely possible. So, be aware of this, because that means that the kernel might cause an EPT violation on your page when you're not expecting it.
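
The two comments above describe the bookkeeping such a process-specific hook needs: watch MOV-to-CR3 exits for either of the target's two page-table bases (kernel and user DirectoryTableBase under the Meltdown/KVA-shadow mitigation), apply or remove the EPT hook on the way in and out, classify EPT violations using the guest CR3 from the VMCS rather than the host CR3 the exit loaded, and expect the kernel itself to touch the hooked page from another context. The block below is an added example that models that decision logic in plain C; it is not gbhv's code and uses none of gbhv's function names. It assumes the hypervisor calls `on_cr3_write` from its CR3-exit handler with the value the guest is loading, and `on_ept_violation` from its EPT-violation handler with the faulting guest-physical address and `VMCS_GUEST_CR3`; the `hook_target` fields would be filled from the target process, and the DTB and GPA values in `main` are constructed for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* CR3 layout (Intel SDM vol. 3, section 4.5): bits 12..51 hold the physical
 * address of the PML4 table. Bits 0..11 hold PCD/PWT, or the PCID when
 * CR4.PCIDE=1, and a MOV-to-CR3 may set bit 63 as a "do not flush" hint.
 * None of those bits identify the address space, so only the PML4 base is
 * compared; comparing the raw CR3 value would miss PCID-tagged writes. */
#define CR3_PML4_BASE_MASK 0x000FFFFFFFFFF000ULL

static uint64_t cr3_pml4_base(uint64_t cr3) { return cr3 & CR3_PML4_BASE_MASK; }

enum hook_action { HOOK_NONE, HOOK_APPLY, HOOK_REMOVE };

enum violation_kind {
    VIOLATION_NOT_OURS,       /* a page this tracker never hooked */
    VIOLATION_EXPECTED,       /* hooked page, target process running */
    VIOLATION_OTHER_CONTEXT   /* hooked page, but another CR3 (e.g. the memory
                                 manager relocating the page, as noted above) */
};

/* One tracked process (constructed model, not a gbhv structure). With the
 * KVA-shadow mitigation a process owns two top-level page tables, the kernel
 * DirectoryTableBase and the user-mode one, so both count as "our" CR3. */
struct hook_target {
    uint64_t kernel_dtb;
    uint64_t user_dtb;     /* 0 when the target has no shadow (user) CR3 */
    uint64_t hooked_gpa;   /* guest-physical page that was hooked, 4 KiB aligned */
    bool     hook_applied;
};

static bool cr3_belongs_to_target(const struct hook_target *t, uint64_t cr3)
{
    uint64_t base = cr3_pml4_base(cr3);
    return base == cr3_pml4_base(t->kernel_dtb) ||
           (t->user_dtb != 0 && base == cr3_pml4_base(t->user_dtb));
}

/* MOV-to-CR3 exit: decide whether the EPT hook has to be applied or removed.
 * Returns HOOK_NONE on writes that do not change which side of the boundary
 * we are on (e.g. the target switching between its kernel and user CR3). */
static enum hook_action on_cr3_write(struct hook_target *t, uint64_t new_cr3)
{
    bool entering = cr3_belongs_to_target(t, new_cr3);
    if (entering && !t->hook_applied) { t->hook_applied = true;  return HOOK_APPLY;  }
    if (!entering && t->hook_applied) { t->hook_applied = false; return HOOK_REMOVE; }
    return HOOK_NONE;
}

/* EPT-violation exit. guest_cr3 must come from the VMCS guest-state area:
 * by the time the handler runs, VMCS_HOST_CR3 is already loaded, so the
 * CPU's current CR3 says nothing about the guest context that faulted. */
static enum violation_kind on_ept_violation(const struct hook_target *t,
                                            uint64_t gpa, uint64_t guest_cr3)
{
    if ((gpa & ~0xFFFULL) != t->hooked_gpa) return VIOLATION_NOT_OURS;
    if (cr3_belongs_to_target(t, guest_cr3)) return VIOLATION_EXPECTED;
    return VIOLATION_OTHER_CONTEXT;
}

int main(void)
{
    /* Constructed values: a target with kernel DTB 0x1AB000, user DTB 0x1AC000,
     * hooking guest-physical page 0x7F000. */
    struct hook_target t = { 0x1AB000, 0x1AC000, 0x7F000, false };

    printf("load kernel dtb    -> %d (1 = apply)\n", on_cr3_write(&t, 0x1AB000));
    /* Same process, user CR3 with PCID 5 and the no-flush bit set: no change. */
    printf("load user dtb+pcid -> %d (0 = none)\n",
           on_cr3_write(&t, 0x1AC000 | 0x5 | (1ULL << 63)));
    printf("load other process -> %d (2 = remove)\n", on_cr3_write(&t, 0x200000));
    printf("violation, System  -> %d (2 = other context)\n",
           on_ept_violation(&t, 0x7F040, 0x1AD000));
    return 0;
}
```

The `VIOLATION_OTHER_CONTEXT` case is the one the second comment warns about: the violation is on the hooked page, but the faulting CR3 is not the target, so the handler should not assume it is looking at the target process's memory or that the hook's shadow page is still the right physical page.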

intelfanatik commented 3 years ago

Thank you for the invaluable insight. I'll keep working on it.