Can you ept hook usermode?

[thewolfram]

hey, is it possible to do an ept hook in usermode with the current state of hv?

[jonomango]

Theoretically, it should be able to EPT hook in usermode with the current implementation, however, there are some limitations that apply to kernel mode as well. The issue is that the EPT hooking works with physical addresses instead of virtual addresses, so if the memory gets paged out while it is hooked the hook will now be invalidated and bad stuff occurs. Use at your own risk.

[thewolfram]

Theoretically, it should be able to EPT hook in usermode with the current implementation, however, there are some limitations that apply to kernel mode as well. The issue is that the EPT hooking works with physical addresses instead of virtual addresses, so if the memory gets paged out while it is hooked the hook will now be invalidated and bad stuff occurs. Use at your own risk.

I managed to ept hook in kernel and now trying to do so in usermode. I guess you first need to be in process context and then place a hook?

[jonomango]

You dont even need to be in the process context. Since the hypercall_install_ept_hook hypercall uses physical addresses, you just need to translate the usermode virtual address somehow (use the process's CR3).

[jonomango]

Also, make sure you are executing the hypercall on every processor, or else the hook will only apply on the processor that ran the hypercall :)

[jonomango]

Here is an old example of using the EPT hooks to intercept syscalls that should still be applicable.

[thewolfram]

Here is an old example of using the EPT hooks to intercept syscalls that should still be applicable.

Thanks, I actually used this example to do my hook in kernel. Now I need to figure out translating process VA to physical one.

[thewolfram]

So I managed to successfully install ept hook in usermode, but I have a problem when hook doesn't get activated right away, I need to call orig function few times and only then exec page gets executed

[jonomango]

What do you mean that you need to call the original function in the program you are hooking? Do you have an example of what you're doing so I can better understand?

[thewolfram]

Sorry for that long answer, my usermode application is just crashing

[thewolfram]

And btw, its crashing when I execute OriginalFunction() in my main for a second time, but HookedFunction() never gets called.

[jonomango]

Have you tried printing out the results for MmGetPhysicalAddress()? I see that you're locking the buffer that you allocate, but that doesn't prevent OriginalFunction() from being paged out (I'm not even sure if VirtualLock() ensures that the PFN stays the same).

[thewolfram]

Have you tried printing out the results for MmGetPhysicalAddress()? I see that you're locking the buffer that you allocate, but that doesn't prevent OriginalFunction() from being paged out (I'm not even sure if VirtualLock() ensures that the PFN stays the same).

Yeah, I tried to print them they have normal addresses. Can it be that my OriginalFunction and HookedFunction are very close to each other (in the same page)?

[thewolfram]

Thats what he said

[chiefmasterR]

edit: reopened issue (https://github.com/jonomango/hv/issues/29)