ionescu007 / SimpleVisor

SimpleVisor is a simple, portable, Intel VT-x hypervisor with two specific goals: using the least amount of assembly code (10 lines), and having the smallest amount of VMX-related code to support dynamic hyperjacking and unhyperjacking (that is, virtualizing the host state from within the host). It works on Windows and UEFI.
http://ionescu007.github.io/SimpleVisor/

ShvOsCaptureContext suffers from stack corruptions on restore #48

Open momo5502 opened 2 years ago

momo5502 commented 2 years ago

ShvOsCaptureContext (at least the nt implementation) can suffer from stack corruptions when restoring the context.

The reason is that it adds an extra stack frame when calling RtlCaptureContext. While capturing the registers, including the stack pointer, it does not capture the data on the stack.

That means the captured stack pointer points to data that might and will be overwritten by future function calls after ShvOsCaptureContext has returned.

In consequence, control flow will not continue here after a launch: https://github.com/ionescu007/SimpleVisor/blob/master/shvvp.c#L143, but rather here instead: https://github.com/ionescu007/SimpleVisor/blob/master/shvvp.c#L149, right after the call to ShvVmxLaunchOnVp.

The reason is that the return pointer on the stack, where rsp of the stored context points to, is overwritten by the call to ShvVmxLaunchOnVp.

Either ShvOsCaptureContext would need to be inlined or a fixup must be done to remove the extra frame from the captured context.
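The sequence described in this report, as an added model that is not SimpleVisor code: a tiny stack machine in which `call` pushes a return address and `ret` pops one, a capture snapshots only sp/ip (like RtlCaptureContext, which does not copy stack contents), and the later call to the launch routine reuses the stack slot the captured sp still points at. The instruction addresses, the `resume_ip` function and the `pop_extra_frame` fixup are constructed for illustration; the fixup models the "remove the extra frame from the captured context" option, and resuming at the wrapper's `ret` models what happens when the capture is taken one frame too deep.

```c
/* Added model (not SimpleVisor code): why a context captured inside an
 * extra frame (ShvOsCaptureContext -> RtlCaptureContext) resumes in the
 * wrong place, and how dropping that frame from the captured context
 * fixes it. Addresses are symbolic instruction indices, not x64 code. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#define STACK_WORDS 16

typedef struct {
    uint64_t stack[STACK_WORDS]; /* grows downward, like x64 */
    size_t   sp;                 /* index of the current top word */
    uint64_t ip;                 /* symbolic "next instruction" */
} Machine;

typedef struct { size_t sp; uint64_t ip; } Context; /* only rsp/rip matter here */

/* Symbolic addresses for the scenario (constructed, not real offsets). */
enum {
    IP_INIT_AFTER_CAPTURE = 101, /* where the author expects to resume (shvvp.c#L143) */
    IP_INIT_AFTER_LAUNCH  = 102, /* where control actually lands (shvvp.c#L149) */
    IP_WRAPPER_RET        = 201, /* the 'ret' of the ShvOsCaptureContext wrapper */
};

static void     push(Machine *m, uint64_t v) { m->stack[--m->sp] = v; }
static uint64_t pop(Machine *m)              { return m->stack[m->sp++]; }

/* 'call target': push the return address, then jump. */
static void do_call(Machine *m, uint64_t target, uint64_t ret_addr) {
    push(m, ret_addr);
    m->ip = target;
}
/* 'ret': pop the return address and jump to it. */
static void do_ret(Machine *m) { m->ip = pop(m); }

/* RtlCaptureContext model: snapshot sp/ip, never the stack contents. */
static void capture(const Machine *m, Context *c) { c->sp = m->sp; c->ip = m->ip; }

/* Fixup: drop the wrapper's frame from the captured context so restoring it
 * behaves as if the caller had captured the context itself. */
static void pop_extra_frame(const Machine *m, Context *c) {
    c->ip = m->stack[c->sp];   /* the wrapper's saved return address */
    c->sp += 1;                /* as if the wrapper's 'ret' had executed */
}

/* Restore a context; resuming inside the wrapper runs its 'ret'. */
static void restore(Machine *m, const Context *c) {
    m->sp = c->sp;
    m->ip = c->ip;
    if (m->ip == IP_WRAPPER_RET) do_ret(m);
}

/* Run the ShvVpInitialize-style sequence and return the ip control lands
 * on after the launch restores the captured context. */
uint64_t resume_ip(bool apply_fixup) {
    Machine m = { .sp = STACK_WORDS, .ip = 100 };
    Context ctx;

    /* ShvVpInitialize calls the ShvOsCaptureContext wrapper ... */
    do_call(&m, 200, IP_INIT_AFTER_CAPTURE);
    /* ... which calls RtlCaptureContext: the snapshot sees the wrapper's frame. */
    m.ip = IP_WRAPPER_RET;
    capture(&m, &ctx);
    if (apply_fixup) pop_extra_frame(&m, &ctx);
    do_ret(&m);                           /* wrapper returns to ShvVpInitialize */

    /* ShvVpInitialize now calls ShvVmxLaunchOnVp: its pushed return address
     * overwrites the very slot the captured sp still points at. */
    do_call(&m, 300, IP_INIT_AFTER_LAUNCH);

    /* The launch resumes with the captured rsp/rip. */
    restore(&m, &ctx);
    return m.ip;
}
```

Without the fixup, `resume_ip(false)` yields the address after the launch call (the overwritten return slot is what the wrapper's `ret` pops); with it, `resume_ip(true)` yields the address right after the capture call, which is the behaviour inlining the wrapper or calling RtlCaptureContext directly would give.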

Asdiopss commented 1 year ago

hi man, did you fix the ShvOsCaptureContext BSOD on ntos? I have the same problem as you

momo5502 commented 1 year ago

> hi man, did you fix the ShvOsCaptureContext BSOD on ntos? I have the same problem as you

Not sure if the BSOD you get really results from the same issue I had, because I didn't get one. However, if so, simply inlining ShvOsCaptureContext or directly replacing all calls with RtlCaptureContext should fix the issue