Gbps / gbhv

Simple x86-64 VT-x Hypervisor with EPT Hooking
Creative Commons Attribution 4.0 International
847 stars 144 forks source link

Shadowing of pages on different cr3s #20

Closed intelfanatik closed 3 years ago

intelfanatik commented 4 years ago

I've been messing around with gbhv for a while (amazing project, adding features was a breeze with such a simple yet consistent and robust code base), and i've been trying to implement ept hooks that are process specific after implementing capstone as a disassembler, yet i'm not having that much success with it. As far as i understand, i need to save the cr3 and restore it on ept violation and switch the page to whatever has the correct access rights (x or rw), though i'm having trouble implementing this myself. Has anyone tried to do this yet? Sorry for the edits, but i pressed enter by mistake after writing out the title.

Gbps commented 4 years ago

Hey, thanks for the positive feedback.

I've known people who have successfully implemented this, though I don't know too much of the specifics of what they did. I believe what they did was set the vm controls to exit on cr3, and when the target cr3 they cared for was swapped in, they would apply the EPT hook, and if the target cr3 was swapping out, it would remove the hook. The problem they dealt with was the Meltdown patch, which means that now there are two cr3 pointers per process now, so you have to watch out for either of those pointers during the cr3 exit. The EPT violation will happen for the process's usermode cr3 (probably, though a syscall could make the exit come from the kernel cr3), but as part of the exit the VMCS_HOST_CR3 control dictates that the System DTB will be loaded in, so you won't actually see the user process's memory by default in the exit handler. You'll need to set your cr3 value to the value from the cr3 exit or read the guest's cr3 value.

Hopefully that provides some insight.

Gbps commented 4 years ago

Note that usermode pages are always tradable. That means that, at any time, the memory manager can choose to copy the page to a different physical page in order to defragment the physical memory layout. This happens to free up larger contiguous physical ranges for things like network buffers when the system is under memory pressure or has been running for a very long time. It's probably unlikely to happen, but still definitely possible. So, be aware of this, because that means that the kernel might cause an EPT violation on your page when you're not expecting it.

intelfanatik commented 4 years ago

Thank you for the invaluable insight. I'll keep working on it.