Closed 1337331 closed 1 month ago
If the guest is accessing the memory you will crash. You can't hide it and expect the page to work normally using that method, as it sets the PFN to a dummy page, which is a null page. When the guest tries to execute/read/write the page it will get the dummy page. If you want to hide usermode/kernelmode memory you have to modify the read/write/execute access accordingly, like it's done in the EPT hook.
But why can hv hide itself?
It's because the hypervisor executes at root level. The guest does not need to access hypervisor memory, so we just give the guest a null page. But if you are going to hide usermode/kernel-mode memory which the guest wants to use/execute/read/write, for example you allocate shellcode for your DLL and you want to hide it, you can't hide it like this, as the guest will have the wrong page. Instead of doing that you will create an EPT violation by setting the respective bits on the ept_pte depending on your needs. In the EPT violation handler you will do the actual logic where it hides the memory.
Thank you for your patient answer. But the method you mentioned will be very slow, because there is a VM exit on every instruction.
And the execute-only page mentioned in this issue title cannot work either, because the shellcode must be allocated in the target process too, so it does not make sense.
Well, it depends on what we want to do; I am talking about hiding internally allocated memory instead of shellcode.
This issue is mainly about execute-only pages and a faster EPT hook, and hiding should probably not be discussed further.
I also have to admit that I am abusing an issue on github by raising multiple questions.
There won't be a VM exit on every instruction. A VM exit occurs when the processor enters your target page. In a common EPT hook setup, if the processor is inside the hooked target, it will change the perms to execute-only until the processor needs to read the page. The every-instruction VM exit you are talking about is called single stepping.
https://github.com/jonomango/hv/blob/cd4d4022351b5d762045a02108973c697a79bb34/hv/ept.cpp#L259 https://github.com/jonomango/hv/blob/cd4d4022351b5d762045a02108973c697a79bb34/hv/exit-handlers.cpp#L634
Isn't it right that there is an EPT violation during execution? And the same for most hypervisors on GitHub.
I know AMD doesn't have execute-only pages, so it is more complicated, so it should be easy for you to implement it. And other projects are a bit complicated for me, so I am asking the owner here for some tips.
Just a note, it isn't my hypervisor; I am not the owner of the repository. To answer your question:
pte->execute_access = 0 will cause the first EPT violation.
We set it to the hooked page and remove read/write perms. Now, as long as the page is only being executed and not being read or written, there won't be any VM exit; we have already adjusted accordingly. Once the vCPU tries to read/write, another EPT violation occurs and it's switched back to the original page.
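The execute-only hook state machine described in the two answers above (first violation on fetch, switch to the hooked page as execute-only, switch back to the original page on read/write), as an added, constructed model that is not hv's own code; the frame numbers, the field names on EptPte and the helper names are assumptions.

```cpp
#include <cstdint>

// Constructed model: only the PTE fields the hook logic touches are modelled.
struct EptPte {
  uint64_t read_access    : 1;
  uint64_t write_access   : 1;
  uint64_t execute_access : 1;
  uint64_t pfn            : 40;  // physical frame the guest address maps to
};
enum class Access { Read, Write, Execute };
struct EptHook {
  EptPte   pte{};
  uint64_t orig_pfn   = 0;  // page the guest believes it is using
  uint64_t hooked_pfn = 0;  // shadow copy that execution is redirected to
  unsigned violations = 0;  // EPT violations (VM exits) observed so far
};

static void set_perms(EptPte& p, bool r, bool w, bool x, uint64_t pfn) {
  p.read_access = r; p.write_access = w; p.execute_access = x; p.pfn = pfn;
}

// Install: original page stays RW with execute_access = 0, so the first
// instruction fetch from it raises the first EPT violation.
void install_hook(EptHook& h, uint64_t orig_pfn, uint64_t hooked_pfn) {
  h.orig_pfn = orig_pfn; h.hooked_pfn = hooked_pfn;
  set_perms(h.pte, true, true, false, orig_pfn);
}

// Guest touches the page. Returns true only when the access causes a VM
// exit; accesses the current permissions allow fall through untouched.
bool guest_access(EptHook& h, Access a) {
  bool allowed = (a == Access::Execute) ? h.pte.execute_access
               : (a == Access::Write)   ? h.pte.write_access
               :                          h.pte.read_access;
  if (allowed) return false;
  ++h.violations;  // the EPT violation handler's logic runs here
  if (a == Access::Execute)  // fetch: switch to hooked page, execute-only
    set_perms(h.pte, false, false, true, h.hooked_pfn);
  else                       // read/write: back to original page, RW only
    set_perms(h.pte, true, true, false, h.orig_pfn);
  return true;
}

// Replays exec, exec, exec, read, write, exec on constructed frame numbers:
// only the 1st, 4th and 6th accesses exit, ending on the hooked page.
EptHook run_demo() {
  EptHook h;
  install_hook(h, 0x1000, 0x2000);
  const Access seq[] = {Access::Execute, Access::Execute, Access::Execute,
                        Access::Read, Access::Write, Access::Execute};
  for (Access a : seq) guest_access(h, a);
  return h;
}
```

Three exits for six accesses is the point: consecutive fetches from the hooked page cost nothing, which is why this is not single stepping.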
Thank you for pointing out my mistake.
Np
Great to see you active on hv.
First, I don't understand how this works: https://github.com/jonomango/hv/blob/cd4d4022351b5d762045a02108973c697a79bb34/hv/hypercalls.cpp#L468. I have tried to use it to hide user mode and kernel mode, but both crashed. Or can it only hide VMX root mode code?
Another is that I'm trying to implement this for hv: https://docs.hyperdbg.org/design/features/vmm-module/design-of-epthook2. Can I declare an array of pages under dummy_page as "Page b"?
I'm still learning so if there are any mistakes please point them out. Thanks!