Do you know how to implement a ring0 debugger?

[ghost]

How does one implement a system where one can read register values between each instruction? Hypervisor? Callbacks?

Thank you!

[HoShiMin]

@avalon1337 Yes, you can implement a kernel debugger using a hypervisor and your own int3-handler (handler of breakpoint). You should overwrite an existing handler in IDT and hide this modification from PatchGuard by hypervisor. It is the most simple way to debug instructions one-by-one.

[marcussacana]

@HoShiMin I don't wanted create an issue just to do a question, this issue make me think, is possible run a proccess with an fake cpuid without use Virtual machines?, maybe run a program with hypervisor...? In the true I have no need to fake my cpuid, but this make me think, how hard is to fake the cpuid? since we have many programs that use this instruction to fingerprint the computer...

[HoShiMin]

@marcussacana, the only way to change CPUID is use hypervisor (hypervisor and virtual machine is the same thing). If you want to do it, you should write a hypervisor using AMD-V/RVI or VT-x/EPT depending on your processor. And then you can catch #VMEXIT on CPUID call and change all registers you want: https://wasm.in/attachments/05-01-2019-22-52-48-png.4425

[marcussacana]

Interesting, I always thought of hyper-v as a hardware-level sandbox... but in the end it is equivalent to a VM...

[HoShiMin]

@marcussacana, exactly. Hyper-V/ESXi/Citrix are Type-1 hypervisors (running directly on the system hardware - your 'host' Windows with enabled Hyper-V works under hypervisor), VMware/VirtualBox/KVM/etc. - are Type-2 hypervisors (running on a host OS). For your task is more convinient to develop a Type-2 hypervisor (just a Windows driver) and virtualize an already running OS.

[marcussacana]

I see, thanks for taking my doubts, well, even if I wanted to do it I would have to study a lot more about programming of a more 'low level', which I am not so well versed with; One last doubt, when you say that a VM is necessary for this, in the end it is possible to isolate just a single program running on OS Host with the Hyper-V?, I mean, without having to virtualize an entire guest operating system like vmware/vbox...

[HoShiMin]

@marcussacana, hypervisor is the processor-wide technology, not the process-wide. You can't virtualize only the app, because the processor knows nothing about processes and even about OS. Anyway, you virtualize all entire system (or rather CPU logical core(s) that executes code of all processes in the system). If you want per-process filtering, you can implement it in your VMM (e.g., you can filter processes by CR3 register as it shows you per-process address space, or you can read the PID from the PEB directly - there are much ways to do what you want).

[marcussacana]

I see, that clarifies my doubts, you even looked like an encyclopedia now :) thanks for your patience.

[HoShiMin]

@marcussacana, you're welcome ^_^