-
-
[原创]一个可拦截DR,CR,Int 1, Int3操作的VT驱动
-
发表于: 2015-12-21 11:20
-
滴水之恩,涌泉相报,之前遇到的VT问题在看雪解决了,现在分享下源码,因为每个人的代码侧重点不一样,所以可能对刚刚入门VT的朋友影响也不同,我吃VT的亏吃了两三个月,坚决不能让朋友们再吃亏了,这次非得普及下,现在代码可以拦截rdmsr wrmsr int 1 int 3 dr cr,目前只有这些功能,目前只支持xp单核(win7还没来得及调试),卸载通过调用的VMCALL,但是有时候会蓝屏 (⊙﹏⊙) 希望有兴趣的朋友和这方面的大牛可以加群探讨:522814899 (我们争取不做水群)
下载: VtTest.rar
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
哇哇哇,法师大神,我看过你的好多帖子,收益颇丰,现在在处理多核虚拟化,遇到了个很棘手的问题,如果多个CPU共用一个HOST_RIP的话,得保证每次只能有一个处理器VM-EXIT,不然有其他处理器修改HOST_RIP中的变量,会造成不可预测的错误,看了其他很多人的64位代码,有些是直接共用,有些是对HOST_RIP的开始处的IRQL增加到DPC,然后结束处恢复到原来的IRQL,于是我也比着葫芦画瓢的在HOST_RIP开始处增加到DPC,中间处理代码,处理完后降低为原来的IRQL,可是经常蓝屏或者卡死,于是一步步缩小代码,发现是MOV EAX, CR3的问题,也就是系统中只能有一次MOV EAX,CR3的操作,如果再有MOV EAX,CR3的指令,系统就会卡死,我在拦截MOV EAX,CR3的地方下了个断点,只能断下来一次,如果再有MOV EAX,CR3的操作,根本无法断下来,代码我检查了好几遍了,也没发现什么错误,法师大神能不能帮忙看下啊
ULONG GuestEAX;
ULONG GuestEBX;
ULONG GuestECX;
ULONG GuestEDX;
ULONG GuestEBP;
ULONG GuestESP;
ULONG GuestESI;
ULONG GuestEDI;
KIRQL VmExitChangeIrql, VmExitCurrentIrql;
//////////////////////////////////////////// 虚拟机处理系统 ////////////////////////////////////////////////////////
__declspec( naked ) VOID VMMEntryPoint( )
{
_asm CLI
_asm PUSHAD
VmExitChangeIrql = 0;
VmExitCurrentIrql = KeGetCurrentIrql();
if (VmExitCurrentIrql < DISPATCH_LEVEL)
{
VmExitChangeIrql = KeRaiseIrqlToDpcLevel();
}
_asm STI
_asm POPAD
_asm{
CLI
MOV GuestEAX, EAX
MOV GuestEBX, EBX
MOV GuestECX, ECX
MOV GuestEDX, EDX
MOV GuestEBP, EBP
MOV GuestESI, ESI
MOV GuestEDI, EDI
}
ReadGuestState();
GuestResumeEIP = GuestEIP + ExitInstructionLength;
VMWRITE(GUEST_RIP,(ULONG)GuestResumeEIP ); //0x0000681E
if(ExitReason==0xA){
if(GuestEAX==0x123){
GuestEBX=0x11111111;
GuestECX=0x22222222;
GuestEDX=0x33333333;
}
else{
_asm{
MOV EAX, GuestEAX
CPUID
MOV GuestEAX, EAX
MOV GuestEBX, EBX
MOV GuestECX, ECX
MOV GuestEDX, EDX
}
}
_asm JMP ResumeGuest
}
if(ExitReason==0x1C){
movcrControlRegister= (ExitQualification & 0x0000000F); // bit0-bit3
movcrAccessType= ( (ExitQualification>>4) & 0x00000003); // bit4-bit5
movcrOprandType= ( (ExitQualification>>6) & 0x00000001); // bit6
movcrGeneralPurposeRegister= ( (ExitQualification>>8) &0xF);// bit8-bit11
if( movcrControlRegister == 3 && movcrAccessType == 0 && movcrOprandType == 0 && movcrGeneralPurposeRegister == 0 )
{
VMWRITE( GUEST_CR3, GuestEAX );
_asm JMP ResumeGuest
}
if( movcrControlRegister == 3 && movcrAccessType == 0 && movcrOprandType == 0 && movcrGeneralPurposeRegister == 1 )
{
VMWRITE( GUEST_CR3, GuestECX );
_asm JMP ResumeGuest
}
if( movcrControlRegister == 3 && movcrAccessType == 0 && movcrOprandType == 0 && movcrGeneralPurposeRegister == 2 )
{
VMWRITE( GUEST_CR3, GuestEDX );
_asm JMP ResumeGuest
}
if( movcrControlRegister == 3 && movcrAccessType == 0 && movcrOprandType == 0 && movcrGeneralPurposeRegister == 3 )
{
VMWRITE( GUEST_CR3, GuestEBX );
_asm JMP ResumeGuest
}
if( movcrControlRegister == 3 && movcrAccessType == 0 && movcrOprandType == 0 && movcrGeneralPurposeRegister == 4 )
{
VMWRITE( GUEST_CR3, GuestESP );
_asm JMP ResumeGuest
}
if( movcrControlRegister == 3 && movcrAccessType == 0 && movcrOprandType == 0 && movcrGeneralPurposeRegister == 5 )
{
VMWRITE( GUEST_CR3, GuestEBP );
_asm JMP ResumeGuest
}
if( movcrControlRegister == 3 && movcrAccessType == 0 && movcrOprandType == 0 && movcrGeneralPurposeRegister == 6 )
{
VMWRITE( GUEST_CR3, GuestESI );
_asm JMP ResumeGuest
}
if( movcrControlRegister == 3 && movcrAccessType == 0 && movcrOprandType == 0 && movcrGeneralPurposeRegister == 7 )
{
VMWRITE( GUEST_CR3, GuestEDI );
_asm JMP ResumeGuest
}
// Control Register Access (reg32 <-- CR3)
//
if( movcrControlRegister == 3 && movcrAccessType == 1 && movcrOprandType == 0 && movcrGeneralPurposeRegister == 0 )
{
// 错误出现在这里,我在MOV EAX,GuestCR3这里下了个断点,只能断下来一次,比如打开DbgView和Xuer都有MOV EAX,CR3的操作
// 如果先打开DbgView程序会断到这里,如果再打开Xuer,程序就断不到这里了,系统会卡死
// 如果先打开Xuer,程序会断到这里,再打开DbgView的话,程序就断不下来了
//也就是只有一次MOV EAX,CR3的操作,我怀疑是不是把EAX赋值给GuestEAX的过程中GuestEAX会不会被改写了,但是这也仅仅只是个猜测,无法证实
_asm MOV EAX , GuestCR3
_asm MOV GuestEAX, EAX
_asm JMP ResumeGuest
}
if( movcrControlRegister == 3 && movcrAccessType == 1 && movcrOprandType == 0 && movcrGeneralPurposeRegister == 1 )
{
_asm MOV EAX , GuestCR3
_asm MOV GuestECX, EAX
_asm JMP ResumeGuest
}
if( movcrControlRegister == 3 && movcrAccessType == 1 && movcrOprandType == 0 && movcrGeneralPurposeRegister == 2 )
{
_asm MOV EAX , GuestCR3
_asm MOV GuestEDX, EAX
_asm JMP ResumeGuest
}
if( movcrControlRegister == 3 && movcrAccessType == 1 && movcrOprandType == 0 && movcrGeneralPurposeRegister == 3 )
{
_asm MOV EAX , GuestCR3
_asm MOV GuestEBX, EAX
_asm JMP ResumeGuest
}
if( movcrControlRegister == 3 && movcrAccessType == 1 && movcrOprandType == 0 && movcrGeneralPurposeRegister == 4 )
{
VMWRITE(GUEST_RSP, GuestCR3);
_asm JMP ResumeGuest
}
if( movcrControlRegister == 3 && movcrAccessType == 1 && movcrOprandType == 0 && movcrGeneralPurposeRegister == 5 )
{
_asm MOV EAX , GuestCR3
_asm MOV GuestEBP, EAX
_asm JMP ResumeGuest
}
if( movcrControlRegister == 3 && movcrAccessType == 1 && movcrOprandType == 0 && movcrGeneralPurposeRegister == 6 )
{
_asm MOV EAX , GuestCR3
_asm MOV GuestESI, EAX
_asm JMP ResumeGuest
}
if( movcrControlRegister == 3 && movcrAccessType == 1 && movcrOprandType == 0 && movcrGeneralPurposeRegister == 7 )
{
_asm MOV EAX , GuestCR3
_asm MOV GuestEDI, EAX
_asm JMP ResumeGuest
}
}
PrintGuestState();
ResumeGuest:
if (VmExitCurrentIrql < DISPATCH_LEVEL)
{
KeLowerIrql(VmExitChangeIrql);
}
_asm
{
MOV EAX, GuestEAX
MOV ECX, GuestECX
MOV EDX, GuestEDX
MOV EBX, GuestEBX
MOV ESP, GuestESP
MOV EBP, GuestEBP
MOV ESI, GuestESI
MOV EDI, GuestEDI
STI
_emit 0x0F // VMRESUME
_emit 0x01
_emit 0xC3
}
}
VOID ReadGuestState()
{
HandlerLogging=0;
ExitInstructionLength = VMREAD(VM_EXIT_INSTRUCTION_LEN);
ExitReason = VMREAD(VM_EXIT_REASON);
ExitQualification=VMREAD(EXIT_QUALIFICATION);
GuestEIP = VMREAD(GUEST_RIP);
GuestESP = VMREAD(GUEST_RSP);
GuestCR3 = VMREAD(GUEST_CR3);
GuestDR7 = VMREAD(GUEST_DR7);
}
VOID PrintGuestState()
{
Log( "----- VMM Guest -----", 0 );
Log("The GuestEAX:",GuestEAX);
Log("The GuestEBX:",GuestEBX);
Log("The GuestECX:",GuestECX);
Log("The GuestEDX:",GuestEDX);
Log("The GuestESP:",GuestESP);
Log("The GuestEBP:",GuestEBP);
Log("The GuestESI:",GuestESI);
Log("The GuestEDI:",GuestEDI);
Log("The GuestCR3:",GuestCR3);
Log("The GuestEIP:",GuestEIP);
Log("The ExitReason:",ExitReason);
Log("The ExitQualification:",ExitQualification);
}
从前天晚上卡死到今天上午,也没办法了,恰好看到这方面的前辈了,希望前辈能帮忙解答下吧 
|
|
|
|
|
|
|
|
|
|
