众所周知,大家都喜欢用VT(Intel VT-x)来做各种事情,但是某些VT实现不支持nested虚拟化,给工作造成了不少问题。
于是想了一想:每次VM-EXIT时CPU都会跳到VMCS里记录的Host RIP去执行,那么hook其他人VT的Host RIP处理例程,就能在VMX root模式下接管它的VM-EXIT处理,不就可以暴力XXOO了么。
于是参考intel-vt的初始化代码,发现VT初始化时设置的VMCS都是一个PAGE_SIZE大小、页对齐的内存块
,这个内存块有固定特征:偏移0是VMCS revision identifier(来自IA32_VMX_BASIC MSR的低31位),偏移4是VMX-abort indicator(正常情况下为0),后面才是各个字段的数据;数据区的布局由具体CPU/hypervisor实现决定,Intel并没有公开。
于是脑洞大开,写了个搜索VMWARE NESTED和_SANDYBRIDGE的VMCS的代码
简单粗暴了点...
VMCS各字段的偏移是自己逐个挖掘出来的,只在挖掘时用的那套CPU/hypervisor上验证过;换了CPU型号、微码或者VMware版本,偏移很可能不一样,下面的两张表只能当启发式用,不是契约。
首先,VMCS_SCAN_DEF1 是VMware nested虚拟化暴露给客户机的VMCS布局(revision id = 0x1);
VMCS_SCAN_DEF10 是Sandy Bridge物理CPU的布局(revision id = 0x10)。
两者都在I7系列CPU上挖掘得到;下面的scan_phy_vmcs就是按这两个revision id来分派的。
// Field offsets (bytes from the start of the 4 KiB VMCS region) for the VMCS
// that VMware's nested-VMX support presents to a guest.  On that
// configuration the region's first dword (the revision identifier) is 0x1,
// which is the value scan_phy_vmcs dispatches on.
//
// The VMCS data layout is NOT architecturally defined: every offset below was
// recovered by the author's own probing on an i7-class machine and is only
// known to hold there.  Treat the table as a heuristic, not a contract.
// "//(null)" means the probing tool recorded no C type for the field;
// "INVALID_FIELD" means it could not locate the field at all.
namespace VMCS_SCAN_DEF1
{
enum NEW_VMCS_1
{
VMCS_OFFSET_VPID = 0x00000e68,//(null)
// POSTED_INTERRUPT_NOTIFICATION_VECTOR INVALID_FIELD
// EPTP_INDEX INVALID_FIELD
// 16-bit guest selectors, packed two bytes apart.
VMCS_OFFSET_GUEST_ES_SEL = 0x00000f20,//(null)
VMCS_OFFSET_GUEST_CS_SEL = 0x00000f22,//(null)
VMCS_OFFSET_GUEST_SS_SEL = 0x00000f24,//(null)
VMCS_OFFSET_GUEST_DS_SEL = 0x00000f26,//(null)
VMCS_OFFSET_GUEST_FS_SEL = 0x00000f28,//(null)
VMCS_OFFSET_GUEST_GS_SEL = 0x00000f2a,//(null)
VMCS_OFFSET_GUEST_LDTR_SEL = 0x00000f2c,//(null)
VMCS_OFFSET_GUEST_TR_SEL = 0x00000f2e,//(null)
// NOTE(review): identical offset to GUEST_TR_SEL above.  Two distinct fields
// cannot share a slot, so at least one of the two is a probing artifact; do
// not rely on GUEST_INTERRUPT_STATUS from this table.
VMCS_OFFSET_GUEST_INTERRUPT_STATUS = 0x00000f2e,//(null)
VMCS_OFFSET_HOST_ES_SEL = 0x00000f7c,//(null)
VMCS_OFFSET_HOST_CS_SEL = 0x00000f7e,//(null)
VMCS_OFFSET_HOST_SS_SEL = 0x00000f80,//(null)
VMCS_OFFSET_HOST_DS_SEL = 0x00000f82,//(null)
VMCS_OFFSET_HOST_FS_SEL = 0x00000f84,//(null)
VMCS_OFFSET_HOST_GS_SEL = 0x00000f86,//(null)
VMCS_OFFSET_HOST_TR_SEL = 0x00000f88,//(null)
// 64-bit control fields: *_FULL is the whole qword, *_HIGH its upper dword.
VMCS_OFFSET_IO_BITMAP_A_FULL = 0x00000008,//(null)
VMCS_OFFSET_IO_BITMAP_A_HIGH = 0x0000000c,//(null)
VMCS_OFFSET_IO_BITMAP_B_FULL = 0x00000010,//(null)
VMCS_OFFSET_IO_BITMAP_B_HIGH = 0x00000014,//(null)
VMCS_OFFSET_MSR_BITMAP_FULL = 0x00000018,//(null)
VMCS_OFFSET_MSR_BITMAP_HIGH = 0x0000001c,//(null)
VMCS_OFFSET_EXIT_MSR_STORE_ADDR_FULL = 0x00000020,//(null)
VMCS_OFFSET_EXIT_MSR_STORE_ADDR_HIGH = 0x00000024,//(null)
VMCS_OFFSET_EXIT_MSR_LOAD_ADDR_FULL = 0x00000028,//(null)
VMCS_OFFSET_EXIT_MSR_LOAD_ADDR_HIGH = 0x0000002c,//(null)
VMCS_OFFSET_ENTRY_MSR_LOAD_ADDR_FULL = 0x00000030,//(null)
VMCS_OFFSET_ENTRY_MSR_LOAD_ADDR_HIGH = 0x00000034,//(null)
VMCS_OFFSET_EXECUTIVE_VMCS_PTR_FULL = 0x00000038,//(null)
VMCS_OFFSET_EXECUTIVE_VMCS_PTR_HIGH = 0x0000003c,//(null)
VMCS_OFFSET_TSC_OFFSET_FULL = 0x00000048,//(null)
VMCS_OFFSET_TSC_OFFSET_HIGH = 0x0000004c,//(null)
VMCS_OFFSET_VIRTUAL_APIC_PAGE_ADDR_FULL = 0x00000050,//(null)
VMCS_OFFSET_VIRTUAL_APIC_PAGE_ADDR_HIGH = 0x00000054,//(null)
// APIC_ACCESS_ADDR_FULL INVALID_FIELD
// APIC_ACCESS_ADDR_HIGH INVALID_FIELD
// POSTED_INTERRUPT_DESCRIPTION_ADDR_FULL INVALID_FIELD
// POSTED_INTERRUPT_DESCRIPTION_ADDR_HIGH INVALID_FIELD
VMCS_OFFSET_VM_FUNCTION_CTRL_FULL = 0x00000068,//(null)
VMCS_OFFSET_VM_FUNCTION_CTRL_HIGH = 0x0000006c,//(null)
VMCS_OFFSET_EPT_POINTER_FULL = 0x00000070,//(null)
VMCS_OFFSET_EPT_POINTER_HIGH = 0x00000074,//(null)
// EOI_EXIT_BITMAP_0_FULL INVALID_FIELD
// EOI_EXIT_BITMAP_0_HIGH INVALID_FIELD
// EOI_EXIT_BITMAP_1_FULL INVALID_FIELD
// EOI_EXIT_BITMAP_1_HIGH INVALID_FIELD
// EOI_EXIT_BITMAP_2_FULL INVALID_FIELD
// EOI_EXIT_BITMAP_2_HIGH INVALID_FIELD
// EOI_EXIT_BITMAP_3_FULL INVALID_FIELD
// EOI_EXIT_BITMAP_3_HIGH INVALID_FIELD
VMCS_OFFSET_EPTP_LIST_ADDRESS_FULL = 0x00000098,//(null)
VMCS_OFFSET_EPTP_LIST_ADDRESS_HIGH = 0x0000009c,//(null)
// VMREAD_BITMAP_ADDRESS_FULL INVALID_FIELD
// VMREAD_BITMAP_ADDRESS_HIGH INVALID_FIELD
// VMWRITE_BITMAP_ADDRESS_FULL INVALID_FIELD
// VMWRITE_BITMAP_ADDRESS_HIGH INVALID_FIELD
// VE_INFO_ADDRESS_FULL INVALID_FIELD
// VE_INFO_ADDRESS_HIGH INVALID_FIELD
VMCS_OFFSET_GUEST_PHYSICAL_ADDR_FULL = 0x00000178,//(null)
VMCS_OFFSET_GUEST_PHYSICAL_ADDR_HIGH = 0x0000017c,//(null)
// The scanners test this qword against all-ones (link pointer unused).
VMCS_OFFSET_VMCS_LINK_PTR_FULL = 0x000002e8,//(null)
VMCS_OFFSET_VMCS_LINK_PTR_HIGH = 0x000002ec,//(null)
VMCS_OFFSET_GUEST_IA32_DEBUGCTL_FULL = 0x000002f0,//(null)
VMCS_OFFSET_GUEST_IA32_DEBUGCTL_HIGH = 0x000002f4,//(null)
VMCS_OFFSET_GUEST_IA32_PAT_FULL = 0x000002f8,//(null)
VMCS_OFFSET_GUEST_IA32_PAT_HIGH = 0x000002fc,//(null)
VMCS_OFFSET_GUEST_IA32_EFER_FULL = 0x00000300,//(null)
VMCS_OFFSET_GUEST_IA32_EFER_HIGH = 0x00000304,//(null)
VMCS_OFFSET_GUEST_IA32_PERF_CTL_FULL = 0x00000308,//(null)
VMCS_OFFSET_GUEST_IA32_PERF_CTL_HIGH = 0x0000030c,//(null)
VMCS_OFFSET_GUEST_PDPTE0_FULL = 0x00000310,//(null)
VMCS_OFFSET_GUEST_PDPTE0_HIGH = 0x00000314,//(null)
VMCS_OFFSET_GUEST_PDPTE1_FULL = 0x00000318,//(null)
VMCS_OFFSET_GUEST_PDPTE1_HIGH = 0x0000031c,//(null)
VMCS_OFFSET_GUEST_PDPTE2_FULL = 0x00000320,//(null)
VMCS_OFFSET_GUEST_PDPTE2_HIGH = 0x00000324,//(null)
VMCS_OFFSET_GUEST_PDPTE3_FULL = 0x00000328,//(null)
VMCS_OFFSET_GUEST_PDPTE3_HIGH = 0x0000032c,//(null)
VMCS_OFFSET_HOST_IA32_PAT_FULL = 0x00000458,//(null)
VMCS_OFFSET_HOST_IA32_PAT_HIGH = 0x0000045c,//(null)
VMCS_OFFSET_HOST_IA32_EFER_FULL = 0x00000460,//(null)
VMCS_OFFSET_HOST_IA32_EFER_HIGH = 0x00000464,//(null)
VMCS_OFFSET_HOST_IA32_PERF_CTL_FULL = 0x00000468,//(null)
VMCS_OFFSET_HOST_IA32_PERF_CTL_HIGH = 0x0000046c,//(null)
// 32-bit control fields.
VMCS_OFFSET_PIN_VM_EXEC_CONTROLS = 0x00000b88,//(null)
VMCS_OFFSET_PROC_VM_EXEC_CONTROLS = 0x00000b8c,//(null)
VMCS_OFFSET_EXCEPTION_BITMAP = 0x00000b90,//(null)
VMCS_OFFSET_PAGEFAULT_ERRCODE_MASK = 0x00000b94,//(null)
VMCS_OFFSET_PAGEFAULT_ERRCODE_MATCH = 0x00000b98,//(null)
VMCS_OFFSET_CR3_TARGET_COUNT = 0x00000b9c,//(null)
VMCS_OFFSET_EXIT_CONTROLS = 0x00000ba0,//(null)
VMCS_OFFSET_EXIT_MSR_STORE_COUNT = 0x00000ba4,//(null)
VMCS_OFFSET_EXIT_MSR_LOAD_COUNT = 0x00000ba8,//(null)
VMCS_OFFSET_ENTRY_CONTROLS = 0x00000bac,//(null)
VMCS_OFFSET_ENTRY_MSR_LOAD_COUNT = 0x00000bb0,//(null)
VMCS_OFFSET_ENTRY_INT_INFO_FIELD = 0x00000bb4,//(null)
VMCS_OFFSET_ENTRY_EXCEPTION_EC = 0x00000bb8,//(null)
VMCS_OFFSET_ENTRY_INSTR_LENGTH = 0x00000bbc,//(null)
VMCS_OFFSET_TPR_THRESHOLD = 0x00000bc0,//(null)
VMCS_OFFSET_PROC_VM_EXEC_CONTROLS2 = 0x00000bc4,//(null)
// PLE_GAP INVALID_FIELD
// PLE_WINDOW INVALID_FIELD
// NOTE(review): 0x0c collides with IO_BITMAP_A_HIGH above.  Both cannot be
// right; the value is suspect and nothing in the scanners depends on it.
VMCS_OFFSET_INSTR_ERROR = 0x0000000c,//(null)
// 32-bit read-only exit-information fields.
VMCS_OFFSET_EXIT_REASON = 0x00000c44,//(null)
VMCS_OFFSET_EXIT_INTERRUPT_INFO = 0x00000c48,//(null)
VMCS_OFFSET_EXIT_INTERRUPT_ERRCODE = 0x00000c4c,//(null)
VMCS_OFFSET_IDT_VECTORING_INFO_FIELD = 0x00000c50,//(null)
VMCS_OFFSET_IDT_VECTORING_ERRCODE = 0x00000c54,//(null)
VMCS_OFFSET_EXIT_INSTR_LEN = 0x00000c58,//(null)
VMCS_OFFSET_INSTR_INFO = 0x00000c5c,//(null)
// 32-bit guest-state fields.
VMCS_OFFSET_GUEST_ES_LIMIT = 0x00000cf8,//(null)
VMCS_OFFSET_GUEST_CS_LIMIT = 0x00000cfc,//(null)
VMCS_OFFSET_GUEST_SS_LIMIT = 0x00000d00,//(null)
VMCS_OFFSET_GUEST_DS_LIMIT = 0x00000d04,//(null)
VMCS_OFFSET_GUEST_FS_LIMIT = 0x00000d08,//(null)
VMCS_OFFSET_GUEST_GS_LIMIT = 0x00000d0c,//(null)
VMCS_OFFSET_GUEST_LDTR_LIMIT = 0x00000d10,//(null)
VMCS_OFFSET_GUEST_TR_LIMIT = 0x00000d14,//(null)
VMCS_OFFSET_GUEST_GDTR_LIMIT = 0x00000d18,//(null)
VMCS_OFFSET_GUEST_IDTR_LIMIT = 0x00000d1c,//(null)
VMCS_OFFSET_GUEST_ES_ATTR = 0x00000d20,//(null)
VMCS_OFFSET_GUEST_CS_ATTR = 0x00000d24,//(null)
VMCS_OFFSET_GUEST_SS_ATTR = 0x00000d28,//(null)
VMCS_OFFSET_GUEST_DS_ATTR = 0x00000d2c,//(null)
VMCS_OFFSET_GUEST_FS_ATTR = 0x00000d30,//(null)
VMCS_OFFSET_GUEST_GS_ATTR = 0x00000d34,//(null)
VMCS_OFFSET_GUEST_LDTR_ATTR = 0x00000d38,//(null)
VMCS_OFFSET_GUEST_TR_ATTR = 0x00000d3c,//(null)
VMCS_OFFSET_GUEST_INTERRUPTIBILITY_INFO = 0x00000d40,//(null)
VMCS_OFFSET_GUEST_ACTIVITY_STATE = 0x00000d44,//(null)
VMCS_OFFSET_GUEST_SMBASE = 0x00000d48,//(null)
VMCS_OFFSET_GUEST_IA32_SYSENTER_CS = 0x00000d4c,//(null)
// GUEST_PREEMTION_TIMER INVALID_FIELD
VMCS_OFFSET_HOST_IA32_SYSENTER_CS = 0x00000db0,//(null)
// Natural-width control fields.
VMCS_OFFSET_CR0_MASK = 0x000005c8,//(null)
VMCS_OFFSET_CR4_MASK = 0x000005d0,//(null)
VMCS_OFFSET_CR0_READ_SHADOW = 0x000005d8,//(null)
VMCS_OFFSET_CR4_READ_SHADOW = 0x000005e0,//(null)
VMCS_OFFSET_CR3_TARGET_0 = 0x000005e8,//(null)
VMCS_OFFSET_CR3_TARGET_1 = 0x000005f0,//(null)
VMCS_OFFSET_CR3_TARGET_2 = 0x000005f8,//(null)
VMCS_OFFSET_CR3_TARGET_3 = 0x00000600,//(null)
// Natural-width read-only exit-information fields.
VMCS_OFFSET_EXIT_QUALIFICATION = 0x00000738,//(null)
VMCS_OFFSET_IO_RCX = 0x00000740,//(null)
VMCS_OFFSET_IO_RSI = 0x00000748,//(null)
VMCS_OFFSET_IO_RDI = 0x00000750,//(null)
VMCS_OFFSET_IO_RIP = 0x00000758,//(null)
VMCS_OFFSET_GUEST_LINEAR_ADDR = 0x00000760,//(null)
// Natural-width guest-state fields.
VMCS_OFFSET_GUEST_CR0 = 0x000008a8,//(null)
VMCS_OFFSET_GUEST_CR3 = 0x000008b0,//(null)
VMCS_OFFSET_GUEST_CR4 = 0x000008b8,//(null)
VMCS_OFFSET_GUEST_ES_BASE = 0x000008c0,//(null)
VMCS_OFFSET_GUEST_CS_BASE = 0x000008c8,//(null)
VMCS_OFFSET_GUEST_SS_BASE = 0x000008d0,//(null)
VMCS_OFFSET_GUEST_DS_BASE = 0x000008d8,//(null)
VMCS_OFFSET_GUEST_FS_BASE = 0x000008e0,//(null)
VMCS_OFFSET_GUEST_GS_BASE = 0x000008e8,//(null)
VMCS_OFFSET_GUEST_LDTR_BASE = 0x000008f0,//(null)
VMCS_OFFSET_GUEST_TR_BASE = 0x000008f8,//(null)
VMCS_OFFSET_GUEST_GDTR_BASE = 0x00000900,//(null)
VMCS_OFFSET_GUEST_IDTR_BASE = 0x00000908,//(null)
VMCS_OFFSET_GUEST_DR7 = 0x00000910,//(null)
VMCS_OFFSET_GUEST_RSP = 0x00000918,//(null)
VMCS_OFFSET_GUEST_RIP = 0x00000920,//(null)
VMCS_OFFSET_GUEST_RFLAGS = 0x00000928,//(null)
VMCS_OFFSET_GUEST_PENDING_DEBUG_EXCEPT = 0x00000930,//(null)
VMCS_OFFSET_GUEST_IA32_SYSENTER_ESP = 0x00000938,//(null)
VMCS_OFFSET_GUEST_IA32_SYSENTER_EIP = 0x00000940,//(null)
// Natural-width host-state fields.  These are what scan_vmcs_vmware_nested
// reads: CR4 (VMXE / upper-bits sanity check), CR3, GS base, GDTR/IDTR base
// and, most importantly, HOST_RIP - the VM-exit entry point of the hypervisor.
VMCS_OFFSET_HOST_CR0 = 0x00000a18,//(null)
VMCS_OFFSET_HOST_CR3 = 0x00000a20,//(null)
VMCS_OFFSET_HOST_CR4 = 0x00000a28,//(null)
VMCS_OFFSET_HOST_FS_BASE = 0x00000a30,//(null)
VMCS_OFFSET_HOST_GS_BASE = 0x00000a38,//(null)
VMCS_OFFSET_HOST_TR_BASE = 0x00000a40,//(null)
VMCS_OFFSET_HOST_GDTR_BASE = 0x00000a48,//(null)
VMCS_OFFSET_HOST_IDTR_BASE = 0x00000a50,//(null)
VMCS_OFFSET_HOST_IA32_SYSENTER_ESP = 0x00000a58,//(null)
VMCS_OFFSET_HOST_IA32_SYSENTER_EIP = 0x00000a60,//(null)
VMCS_OFFSET_HOST_RSP = 0x00000a68,//(null)
VMCS_OFFSET_HOST_RIP = 0x00000a70,//(null)
};
};
// Field offsets (bytes from the start of the 4 KiB VMCS region) for the
// hardware VMCS of the author's Sandy Bridge i7.  On that CPU the region's
// first dword (the revision identifier) is 0x10, which is the value
// scan_phy_vmcs dispatches on.
//
// The VMCS data layout is NOT architecturally defined and differs between
// microarchitectures; every offset below was recovered by the author's own
// probing and is only known to hold on the CPU it was probed on.  Treat the
// table as a heuristic, not a contract.  The trailing comment is the C type
// the probing tool assigned to the field; "INVALID_FIELD" means the tool
// could not locate the field at all.
namespace VMCS_SCAN_DEF10
{
enum NEW_VMCS_10
{
VMCS_OFFSET_VPID = 0x000002f0,//unsigned short
VMCS_OFFSET_POSTED_INTERRUPT_NOTIFICATION_VECTOR = 0x00000044,//unsigned short
// EPTP_INDEX INVALID_FIELD
// Guest selectors are interleaved with the per-segment limit/base/attr
// fields below (0x18 bytes per segment), unlike the VMware layout.
VMCS_OFFSET_GUEST_ES_SEL = 0x00000200,//unsigned short
VMCS_OFFSET_GUEST_CS_SEL = 0x00000218,//unsigned short
VMCS_OFFSET_GUEST_SS_SEL = 0x00000230,//unsigned short
VMCS_OFFSET_GUEST_DS_SEL = 0x00000248,//unsigned short
VMCS_OFFSET_GUEST_FS_SEL = 0x00000260,//unsigned short
VMCS_OFFSET_GUEST_GS_SEL = 0x00000278,//unsigned short
VMCS_OFFSET_GUEST_LDTR_SEL = 0x00000290,//unsigned short
VMCS_OFFSET_GUEST_TR_SEL = 0x000002a8,//unsigned short
// NOTE(review): identical offset to GUEST_TR_SEL above.  Two distinct fields
// cannot share a slot, so at least one of the two is a probing artifact; do
// not rely on GUEST_INTERRUPT_STATUS from this table.
VMCS_OFFSET_GUEST_INTERRUPT_STATUS = 0x000002a8,//unsigned short
VMCS_OFFSET_HOST_ES_SEL = 0x00000300,//unsigned short
VMCS_OFFSET_HOST_CS_SEL = 0x00000304,//unsigned short
VMCS_OFFSET_HOST_SS_SEL = 0x00000308,//unsigned short
VMCS_OFFSET_HOST_DS_SEL = 0x0000030c,//unsigned short
VMCS_OFFSET_HOST_FS_SEL = 0x00000310,//unsigned short
VMCS_OFFSET_HOST_GS_SEL = 0x00000314,//unsigned short
VMCS_OFFSET_HOST_TR_SEL = 0x00000318,//unsigned short
// 64-bit control fields: *_FULL is the whole qword, *_HIGH its upper dword.
VMCS_OFFSET_IO_BITMAP_A_FULL = 0x000000a0,//unsigned long long
VMCS_OFFSET_IO_BITMAP_A_HIGH = 0x000000a4,//unsigned int
VMCS_OFFSET_IO_BITMAP_B_FULL = 0x000000a8,//unsigned long long
VMCS_OFFSET_IO_BITMAP_B_HIGH = 0x000000ac,//unsigned int
VMCS_OFFSET_MSR_BITMAP_FULL = 0x000000b0,//unsigned long long
VMCS_OFFSET_MSR_BITMAP_HIGH = 0x000000b4,//unsigned int
VMCS_OFFSET_EXIT_MSR_STORE_ADDR_FULL = 0x000000b8,//unsigned long long
VMCS_OFFSET_EXIT_MSR_STORE_ADDR_HIGH = 0x000000bc,//unsigned int
VMCS_OFFSET_EXIT_MSR_LOAD_ADDR_FULL = 0x000000c0,//unsigned long long
VMCS_OFFSET_EXIT_MSR_LOAD_ADDR_HIGH = 0x000000c4,//unsigned int
VMCS_OFFSET_ENTRY_MSR_LOAD_ADDR_FULL = 0x000000c8,//unsigned long long
VMCS_OFFSET_ENTRY_MSR_LOAD_ADDR_HIGH = 0x000000cc,//unsigned int
VMCS_OFFSET_EXECUTIVE_VMCS_PTR_FULL = 0x000000d0,//unsigned long long
VMCS_OFFSET_EXECUTIVE_VMCS_PTR_HIGH = 0x000000d4,//unsigned int
VMCS_OFFSET_TSC_OFFSET_FULL = 0x000000d8,//unsigned long long
VMCS_OFFSET_TSC_OFFSET_HIGH = 0x000000dc,//unsigned int
VMCS_OFFSET_VIRTUAL_APIC_PAGE_ADDR_FULL = 0x000000e0,//unsigned long long
VMCS_OFFSET_VIRTUAL_APIC_PAGE_ADDR_HIGH = 0x000000e4,//unsigned int
VMCS_OFFSET_APIC_ACCESS_ADDR_FULL = 0x00000078,//unsigned long long
VMCS_OFFSET_APIC_ACCESS_ADDR_HIGH = 0x0000007c,//unsigned int
VMCS_OFFSET_POSTED_INTERRUPT_DESCRIPTION_ADDR_FULL = 0x00000050,//unsigned long long
VMCS_OFFSET_POSTED_INTERRUPT_DESCRIPTION_ADDR_HIGH = 0x00000054,//unsigned int
// VM_FUNCTION_CTRL_FULL INVALID_FIELD
// VM_FUNCTION_CTRL_HIGH INVALID_FIELD
VMCS_OFFSET_EPT_POINTER_FULL = 0x000000e8,//unsigned long long
VMCS_OFFSET_EPT_POINTER_HIGH = 0x000000ec,//unsigned int
VMCS_OFFSET_EOI_EXIT_BITMAP_0_FULL = 0x00000058,//unsigned long long
VMCS_OFFSET_EOI_EXIT_BITMAP_0_HIGH = 0x0000005c,//unsigned int
VMCS_OFFSET_EOI_EXIT_BITMAP_1_FULL = 0x00000060,//unsigned long long
VMCS_OFFSET_EOI_EXIT_BITMAP_1_HIGH = 0x00000064,//unsigned int
VMCS_OFFSET_EOI_EXIT_BITMAP_2_FULL = 0x00000068,//unsigned long long
VMCS_OFFSET_EOI_EXIT_BITMAP_2_HIGH = 0x0000006c,//unsigned int
VMCS_OFFSET_EOI_EXIT_BITMAP_3_FULL = 0x00000070,//unsigned long long
VMCS_OFFSET_EOI_EXIT_BITMAP_3_HIGH = 0x00000074,//unsigned int
// EPTP_LIST_ADDRESS_FULL INVALID_FIELD
// EPTP_LIST_ADDRESS_HIGH INVALID_FIELD
// VMREAD_BITMAP_ADDRESS_FULL INVALID_FIELD
// VMREAD_BITMAP_ADDRESS_HIGH INVALID_FIELD
// VMWRITE_BITMAP_ADDRESS_FULL INVALID_FIELD
// VMWRITE_BITMAP_ADDRESS_HIGH INVALID_FIELD
// VE_INFO_ADDRESS_FULL INVALID_FIELD
// VE_INFO_ADDRESS_HIGH INVALID_FIELD
// NOTE(review): typed "unsigned int" although every other *_FULL entry is
// "unsigned long long"; the tool's recorded width for this field is suspect.
VMCS_OFFSET_GUEST_PHYSICAL_ADDR_FULL = 0x000000f0,//unsigned int
VMCS_OFFSET_GUEST_PHYSICAL_ADDR_HIGH = 0x000000f4,//unsigned int
// The scanners test this qword against all-ones (link pointer unused).
VMCS_OFFSET_VMCS_LINK_PTR_FULL = 0x000000f8,//unsigned long long
VMCS_OFFSET_VMCS_LINK_PTR_HIGH = 0x000000fc,//unsigned int
VMCS_OFFSET_GUEST_IA32_DEBUGCTL_FULL = 0x00000100,//unsigned long long
VMCS_OFFSET_GUEST_IA32_DEBUGCTL_HIGH = 0x00000104,//unsigned int
VMCS_OFFSET_GUEST_IA32_PAT_FULL = 0x00000108,//unsigned long long
VMCS_OFFSET_GUEST_IA32_PAT_HIGH = 0x0000010c,//unsigned int
VMCS_OFFSET_GUEST_IA32_EFER_FULL = 0x00000110,//unsigned long long
VMCS_OFFSET_GUEST_IA32_EFER_HIGH = 0x00000114,//unsigned int
VMCS_OFFSET_GUEST_IA32_PERF_CTL_FULL = 0x00000118,//unsigned long long
VMCS_OFFSET_GUEST_IA32_PERF_CTL_HIGH = 0x0000011c,//unsigned int
VMCS_OFFSET_GUEST_PDPTE0_FULL = 0x000003a0,//unsigned long long
VMCS_OFFSET_GUEST_PDPTE0_HIGH = 0x000003a4,//unsigned int
VMCS_OFFSET_GUEST_PDPTE1_FULL = 0x000003a8,//unsigned long long
VMCS_OFFSET_GUEST_PDPTE1_HIGH = 0x000003ac,//unsigned int
VMCS_OFFSET_GUEST_PDPTE2_FULL = 0x000003b0,//unsigned long long
VMCS_OFFSET_GUEST_PDPTE2_HIGH = 0x000003b4,//unsigned int
VMCS_OFFSET_GUEST_PDPTE3_FULL = 0x000003b8,//unsigned long long
VMCS_OFFSET_GUEST_PDPTE3_HIGH = 0x000003bc,//unsigned int
VMCS_OFFSET_HOST_IA32_PAT_FULL = 0x00000320,//unsigned long long
VMCS_OFFSET_HOST_IA32_PAT_HIGH = 0x00000324,//unsigned int
VMCS_OFFSET_HOST_IA32_EFER_FULL = 0x00000328,//unsigned long long
VMCS_OFFSET_HOST_IA32_EFER_HIGH = 0x0000032c,//unsigned int
VMCS_OFFSET_HOST_IA32_PERF_CTL_FULL = 0x00000330,//unsigned long long
VMCS_OFFSET_HOST_IA32_PERF_CTL_HIGH = 0x00000334,//unsigned int
// 32-bit control fields.
VMCS_OFFSET_PIN_VM_EXEC_CONTROLS = 0x00000128,//unsigned int
VMCS_OFFSET_PROC_VM_EXEC_CONTROLS = 0x00000120,//unsigned int
VMCS_OFFSET_EXCEPTION_BITMAP = 0x0000012c,//unsigned int
VMCS_OFFSET_PAGEFAULT_ERRCODE_MASK = 0x00000130,//unsigned int
VMCS_OFFSET_PAGEFAULT_ERRCODE_MATCH = 0x00000134,//unsigned int
VMCS_OFFSET_CR3_TARGET_COUNT = 0x00000138,//unsigned int
VMCS_OFFSET_EXIT_CONTROLS = 0x0000013c,//unsigned int
VMCS_OFFSET_EXIT_MSR_STORE_COUNT = 0x00000140,//unsigned int
VMCS_OFFSET_EXIT_MSR_LOAD_COUNT = 0x00000144,//unsigned int
VMCS_OFFSET_ENTRY_CONTROLS = 0x00000148,//unsigned int
VMCS_OFFSET_ENTRY_MSR_LOAD_COUNT = 0x0000014c,//unsigned int
VMCS_OFFSET_ENTRY_INT_INFO_FIELD = 0x00000150,//unsigned int
VMCS_OFFSET_ENTRY_EXCEPTION_EC = 0x00000154,//unsigned int
VMCS_OFFSET_ENTRY_INSTR_LENGTH = 0x00000158,//unsigned int
VMCS_OFFSET_TPR_THRESHOLD = 0x0000015c,//unsigned int
VMCS_OFFSET_PROC_VM_EXEC_CONTROLS2 = 0x00000124,//unsigned int
VMCS_OFFSET_PLE_GAP = 0x00000048,//unsigned int
VMCS_OFFSET_PLE_WINDOW = 0x0000004c,//unsigned int
// 32-bit read-only exit-information fields.
VMCS_OFFSET_INSTR_ERROR = 0x0000000c,//unsigned int
VMCS_OFFSET_EXIT_REASON = 0x0000016c,//unsigned int
VMCS_OFFSET_EXIT_INTERRUPT_INFO = 0x00000170,//unsigned int
VMCS_OFFSET_EXIT_INTERRUPT_ERRCODE = 0x00000174,//unsigned int
VMCS_OFFSET_IDT_VECTORING_INFO_FIELD = 0x00000178,//unsigned int
VMCS_OFFSET_IDT_VECTORING_ERRCODE = 0x0000017c,//unsigned int
VMCS_OFFSET_EXIT_INSTR_LEN = 0x00000180,//unsigned int
VMCS_OFFSET_INSTR_INFO = 0x00000184,//unsigned int
// 32-bit guest-state fields.
VMCS_OFFSET_GUEST_ES_LIMIT = 0x00000210,//unsigned int
VMCS_OFFSET_GUEST_CS_LIMIT = 0x00000228,//unsigned int
VMCS_OFFSET_GUEST_SS_LIMIT = 0x00000240,//unsigned int
VMCS_OFFSET_GUEST_DS_LIMIT = 0x00000258,//unsigned int
VMCS_OFFSET_GUEST_FS_LIMIT = 0x00000270,//unsigned int
VMCS_OFFSET_GUEST_GS_LIMIT = 0x00000288,//unsigned int
VMCS_OFFSET_GUEST_LDTR_LIMIT = 0x000002a0,//unsigned int
VMCS_OFFSET_GUEST_TR_LIMIT = 0x000002b8,//unsigned int
VMCS_OFFSET_GUEST_GDTR_LIMIT = 0x000002d0,//unsigned int
VMCS_OFFSET_GUEST_IDTR_LIMIT = 0x000002d4,//unsigned int
// NOTE(review): the probing tool reported every access-rights (ATTR) field
// as MISALIGNED, "fixed" it to an odd, non-4-byte-aligned offset (0x215 =
// ES_LIMIT + 5, and so on) and then recorded found_index = FFFFFFFF, i.e. it
// never actually located the field.  A 32-bit read at such an offset
// straddles the neighbouring LIMIT/BASE bytes.  Treat the eight ATTR offsets
// below as unverified; nothing in the scanners reads them.
// GUEST_ES_ATTR 5634 MISALIGNED
// GUEST_ES_ATTR 533 FIXED
// reported_index = 215 | found_index = FFFFFFFF
VMCS_OFFSET_GUEST_ES_ATTR = 0x00000215,//unsigned int
// GUEST_CS_ATTR 11778 MISALIGNED
// GUEST_CS_ATTR 557 FIXED
// reported_index = 22D | found_index = FFFFFFFF
VMCS_OFFSET_GUEST_CS_ATTR = 0x0000022d,//unsigned int
// GUEST_SS_ATTR 17922 MISALIGNED
// GUEST_SS_ATTR 581 FIXED
// reported_index = 245 | found_index = FFFFFFFF
VMCS_OFFSET_GUEST_SS_ATTR = 0x00000245,//unsigned int
// GUEST_DS_ATTR 24066 MISALIGNED
// GUEST_DS_ATTR 605 FIXED
// reported_index = 25D | found_index = FFFFFFFF
VMCS_OFFSET_GUEST_DS_ATTR = 0x0000025d,//unsigned int
// GUEST_FS_ATTR 30210 MISALIGNED
// GUEST_FS_ATTR 629 FIXED
// reported_index = 275 | found_index = FFFFFFFF
VMCS_OFFSET_GUEST_FS_ATTR = 0x00000275,//unsigned int
// GUEST_GS_ATTR 36354 MISALIGNED
// GUEST_GS_ATTR 653 FIXED
// reported_index = 28D | found_index = FFFFFFFF
VMCS_OFFSET_GUEST_GS_ATTR = 0x0000028d,//unsigned int
// GUEST_LDTR_ATTR 42498 MISALIGNED
// GUEST_LDTR_ATTR 677 FIXED
// reported_index = 2A5 | found_index = FFFFFFFF
VMCS_OFFSET_GUEST_LDTR_ATTR = 0x000002a5,//unsigned int
// GUEST_TR_ATTR 48642 MISALIGNED
// GUEST_TR_ATTR 701 FIXED
// reported_index = 2BD | found_index = FFFFFFFF
VMCS_OFFSET_GUEST_TR_ATTR = 0x000002bd,//unsigned int
VMCS_OFFSET_GUEST_INTERRUPTIBILITY_INFO = 0x00000188,//unsigned int
VMCS_OFFSET_GUEST_ACTIVITY_STATE = 0x0000018c,//unsigned int
VMCS_OFFSET_GUEST_SMBASE = 0x00000190,//unsigned int
VMCS_OFFSET_GUEST_IA32_SYSENTER_CS = 0x00000194,//unsigned int
VMCS_OFFSET_GUEST_PREEMTION_TIMER = 0x00000160,//unsigned int
VMCS_OFFSET_HOST_IA32_SYSENTER_CS = 0x00000398,//unsigned int
// Natural-width control fields.
VMCS_OFFSET_CR0_MASK = 0x000003c0,//unsigned long
VMCS_OFFSET_CR4_MASK = 0x000003c8,//unsigned long
VMCS_OFFSET_CR0_READ_SHADOW = 0x000003d0,//unsigned long
VMCS_OFFSET_CR4_READ_SHADOW = 0x000003d8,//unsigned long
VMCS_OFFSET_CR3_TARGET_0 = 0x000003e0,//unsigned long
VMCS_OFFSET_CR3_TARGET_1 = 0x000003e8,//unsigned long
VMCS_OFFSET_CR3_TARGET_2 = 0x000003f0,//unsigned long
VMCS_OFFSET_CR3_TARGET_3 = 0x000003f8,//unsigned long
// Natural-width read-only exit-information fields.
VMCS_OFFSET_EXIT_QUALIFICATION = 0x00000198,//unsigned long
VMCS_OFFSET_IO_RCX = 0x000001a0,//unsigned long
VMCS_OFFSET_IO_RSI = 0x000001a8,//unsigned long
VMCS_OFFSET_IO_RDI = 0x000001b0,//unsigned long
VMCS_OFFSET_IO_RIP = 0x000001b8,//unsigned long
VMCS_OFFSET_GUEST_LINEAR_ADDR = 0x000001c0,//unsigned long
// Natural-width guest-state fields.
VMCS_OFFSET_GUEST_CR0 = 0x000002d8,//unsigned long
VMCS_OFFSET_GUEST_CR3 = 0x000002e0,//unsigned long
VMCS_OFFSET_GUEST_CR4 = 0x000002e8,//unsigned long
VMCS_OFFSET_GUEST_ES_BASE = 0x00000208,//unsigned long
VMCS_OFFSET_GUEST_CS_BASE = 0x00000220,//unsigned long
VMCS_OFFSET_GUEST_SS_BASE = 0x00000238,//unsigned long
VMCS_OFFSET_GUEST_DS_BASE = 0x00000250,//unsigned long
VMCS_OFFSET_GUEST_FS_BASE = 0x00000268,//unsigned long
VMCS_OFFSET_GUEST_GS_BASE = 0x00000280,//unsigned long
VMCS_OFFSET_GUEST_LDTR_BASE = 0x00000298,//unsigned long
VMCS_OFFSET_GUEST_TR_BASE = 0x000002b0,//unsigned long
VMCS_OFFSET_GUEST_GDTR_BASE = 0x000002c0,//unsigned long
VMCS_OFFSET_GUEST_IDTR_BASE = 0x000002c8,//unsigned long
VMCS_OFFSET_GUEST_DR7 = 0x000001c8,//unsigned long
VMCS_OFFSET_GUEST_RSP = 0x000001d0,//unsigned long
VMCS_OFFSET_GUEST_RIP = 0x000001d8,//unsigned long
VMCS_OFFSET_GUEST_RFLAGS = 0x000001e0,//unsigned long
VMCS_OFFSET_GUEST_PENDING_DEBUG_EXCEPT = 0x000001e8,//unsigned long
VMCS_OFFSET_GUEST_IA32_SYSENTER_ESP = 0x000001f0,//unsigned long
VMCS_OFFSET_GUEST_IA32_SYSENTER_EIP = 0x000001f8,//unsigned long
// Natural-width host-state fields.  These are what scan_vmcs_SANDYBRIDGE
// reads: CR4 (VMXE / upper-bits sanity check), CR3, GS base, GDTR/IDTR base
// and, most importantly, HOST_RIP - the VM-exit entry point of the hypervisor.
VMCS_OFFSET_HOST_CR0 = 0x00000338,//unsigned long
VMCS_OFFSET_HOST_CR3 = 0x00000340,//unsigned long
VMCS_OFFSET_HOST_CR4 = 0x00000348,//unsigned long
VMCS_OFFSET_HOST_FS_BASE = 0x00000350,//unsigned long
VMCS_OFFSET_HOST_GS_BASE = 0x00000358,//unsigned long
VMCS_OFFSET_HOST_TR_BASE = 0x00000360,//unsigned long
VMCS_OFFSET_HOST_GDTR_BASE = 0x00000368,//unsigned long
VMCS_OFFSET_HOST_IDTR_BASE = 0x00000370,//unsigned long
VMCS_OFFSET_HOST_IA32_SYSENTER_ESP = 0x00000378,//unsigned long
VMCS_OFFSET_HOST_IA32_SYSENTER_EIP = 0x00000380,//unsigned long
VMCS_OFFSET_HOST_RSP = 0x00000388,//unsigned long
VMCS_OFFSET_HOST_RIP = 0x00000390,//unsigned long
};
};
接着是扫描的代码
// Walk every RAM page reported by MmGetPhysicalMemoryRanges() and hand each
// page whose first dword equals a known VMCS revision identifier to the
// matching classifier:
//   0x10 -> scan_vmcs_SANDYBRIDGE   (hardware VMCS on the author's i7)
//   0x01 -> scan_vmcs_vmware_nested (VMCS handed out by VMware nested VMX)
// Both revision values are hard-coded from the author's machines; on another
// CPU/hypervisor the low 31 bits of IA32_VMX_BASIC (MSR 0x480) give the value
// to look for.  Bit 31 of that dword marks a shadow VMCS and is not masked
// here, so shadow VMCSs never match either classifier.
//
// Caveats a caller should know:
//   * Each page is mapped MmNonCached although the kernel already maps RAM
//     cached - that is a caching-attribute alias, and Windows does not
//     promise MmMapIoSpace works on RAM at all.  Pages that fail to map are
//     silently skipped, so the scan is best-effort.
//   * Intel documents the VMCS as opaque: reads through ordinary memory are
//     not guaranteed to reflect the processor's current field values.
//   * Pages a hypervisor hides from this guest via EPT cannot be seen here.
// The scan touches all of physical RAM, so it is slow and only meaningful
// from a kernel-mode driver.  The range array is freed before returning.
void scan_phy_vmcs()
{
    auto ranges = MmGetPhysicalMemoryRanges();
    if (ranges == NULL)
    {
        DBG_PRINT("STATUS_INSUFFICIENT_RESOURCES\r\n");
        return;
    }
    // The array is terminated by an entry whose NumberOfBytes is zero.
    for (auto range = ranges; range->NumberOfBytes.QuadPart != 0; ++range)
    {
        PHYSICAL_ADDRESS page = range->BaseAddress;
        LONGLONG remaining = range->NumberOfBytes.QuadPart;
        DBG_PRINT("BaseAddress: %I64x\n", page.QuadPart);
        DBG_PRINT("NumberOfBytes: %I64x\n", remaining);
        // One page at a time; a trailing partial page still gets one visit.
        for (; remaining > 0; page.QuadPart += PAGE_SIZE, remaining -= PAGE_SIZE)
        {
            auto view = static_cast<PUCHAR>(MmMapIoSpace(page, PAGE_SIZE, MmNonCached));
            if (view == NULL)
            {
                continue;
            }
            switch (*reinterpret_cast<PULONG>(view))
            {
            case 0x10:
                scan_vmcs_SANDYBRIDGE(view, page);
                break;
            case 0x1:
                scan_vmcs_vmware_nested(view, page);
                break;
            default:
                break;
            }
            MmUnmapIoSpace(view, PAGE_SIZE);
        }
    }
    ExFreePool(ranges);
}
判断一个页是不是VMCS的代码(只是启发式:看Host CR4的VMXE位、VMCS link pointer是否全F、abort indicator是否为0,并不能证明它真的是一个在用的VMCS):
// Classify one mapped physical page whose first dword is 0x10 (the VMCS
// revision identifier of the author's Sandy Bridge i7) and dump its host
// state when a few cheap plausibility checks pass.  The checks are
// heuristics, not proof that the page is a live VMCS:
//   * host CR4 has VMXE (bit 13) set - VMX root mode requires it;
//   * host CR4 has no bits above 31 set - rules out pages filled with 0xFF;
//   * VMCS link pointer is all-ones - required when VMCS shadowing is unused;
//   * abort indicator (dword at +4) is zero.
// The author also tried GDTR/IDTR-limit filters (0x7F / 0xFFF) but found
// them unreliable, so they stay disabled.  All offsets come from
// ddk::VMCS_SCAN_DEF10 and are only known to be valid on the CPU they were
// probed on; Intel does not document the VMCS data layout.
//
// MapAddress : kernel VA of the mapped page (must cover PAGE_SIZE bytes).
// BaseAddress: its physical address, printed only.
// On a match, increments the file-level hit counter vmcs_count and prints
// the host CR4/CR3/GS/RIP/GDTR/IDTR/EPTP fields next to the current guest
// values of CR4, CR3 and MSR_GS_BASE (0xC0000101) for comparison.
void scan_vmcs_SANDYBRIDGE(PUCHAR MapAddress,PHYSICAL_ADDRESS BaseAddress)
{
    namespace def = ddk::VMCS_SCAN_DEF10;
    const auto dword = [MapAddress](ULONG offset) { return *reinterpret_cast<PULONG>(MapAddress + offset); };
    const auto qword = [MapAddress](ULONG offset) { return *reinterpret_cast<PULONGLONG>(MapAddress + offset); };

    const ULONG revision = dword(0);
    const ULONG abort_indicator = dword(4);
    const ULONGLONG host_cr4 = qword(def::VMCS_OFFSET_HOST_CR4);
    const ULONGLONG link_ptr = qword(def::VMCS_OFFSET_VMCS_LINK_PTR_FULL);
    const ULONGLONG host_gs = qword(def::VMCS_OFFSET_HOST_GS_BASE);
    const ULONGLONG host_cr3 = qword(def::VMCS_OFFSET_HOST_CR3);
    const ULONGLONG host_rip = qword(def::VMCS_OFFSET_HOST_RIP);
    const ULONGLONG host_gdtr = qword(def::VMCS_OFFSET_HOST_GDTR_BASE);
    const ULONGLONG host_idtr = qword(def::VMCS_OFFSET_HOST_IDTR_BASE);
    const ULONGLONG eptp = qword(def::VMCS_OFFSET_EPT_POINTER_FULL);

    const bool vmxe_set = (host_cr4 & 0x2000) != 0;          // CR4.VMXE
    const bool cr4_upper_clear = (host_cr4 & 0xFFFFFFFF) == host_cr4;
    const bool link_ptr_unused = link_ptr == 0xFFFFFFFFFFFFFFFF;
    // Disabled extra filter (the author found it unreliable):
    //   dword(def::VMCS_OFFSET_GUEST_GDTR_LIMIT) == 0x7F &&
    //   dword(def::VMCS_OFFSET_GUEST_IDTR_LIMIT) == 0xFFF
    if (!(vmxe_set && link_ptr_unused && abort_indicator == 0 && cr4_upper_clear))
    {
        return;
    }

    vmcs_count++;
    DBG_PRINT("Find revision_id =%x\r\n", revision);
    DBG_PRINT("HostCr4 = %p %p\r\n", host_cr4, __readcr4());
    DBG_PRINT("hostCR3 = %p %p\r\n", host_cr3, __readcr3());
    DBG_PRINT("VMCS LINK PTR = %p\r\n", link_ptr);
    DBG_PRINT("Abort_id = %x\r\n", abort_indicator);
    DBG_PRINT("hostGS = %p %p\r\n", host_gs, __readmsr(0xC0000101));
    DBG_PRINT("VMCS: %p\r\n", BaseAddress.QuadPart);
    DBG_PRINT("VMCS Host RIP: %p\r\n", host_rip);
    DBG_PRINT("VMCS Host GDTR Base: %p\r\n", host_gdtr);
    DBG_PRINT("VMCS Host IDTR Base: %p\r\n", host_idtr);
    DBG_PRINT("VMCS Eptp :%p\r\n", eptp);
}
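// Classify one mapped physical page whose first dword is 0x1 (the VMCS
// revision identifier VMware's nested VMX presents to the guest) and dump
// its host state when a few cheap plausibility checks pass.  The checks are
// heuristics, not proof that the page is a live VMCS:
//   * host CR4 has VMXE (bit 13) set - VMX root mode requires it;
//   * host CR4 has no bits above 31 set - rules out pages filled with 0xFF;
//   * VMCS link pointer is all-ones - required when VMCS shadowing is unused;
//   * abort indicator (dword at +4) is zero.
// The GDTR/IDTR-limit filter (0x7F / 0xFFF) the author tried stays disabled
// because it proved unreliable.  All offsets come from ddk::VMCS_SCAN_DEF1
// and are only known to be valid for the VMware build/CPU they were probed
// on; Intel does not document the VMCS data layout.
//
// MapAddress : kernel VA of the mapped page (must cover PAGE_SIZE bytes).
// BaseAddress: its physical address, printed only.
// On a match, increments the file-level hit counter vmcs_count (the Sandy
// Bridge classifier already did; this one now agrees with it) and prints the
// host CR4/CR3/GS/RIP/GDTR/IDTR/EPTP fields next to the current guest values
// of CR4, CR3 and MSR_GS_BASE (0xC0000101) for comparison.
void scan_vmcs_vmware_nested(PUCHAR MapAddress, PHYSICAL_ADDRESS BaseAddress)
{
    const ULONG revision = *(PULONG)MapAddress;
    const ULONG abort_indicator = *(PULONG)(MapAddress + 4);
    const ULONGLONG host_cr4 = *(PULONGLONG)(MapAddress + ddk::VMCS_SCAN_DEF1::NEW_VMCS_1::VMCS_OFFSET_HOST_CR4);
    const ULONGLONG link_ptr = *(PULONGLONG)(MapAddress + ddk::VMCS_SCAN_DEF1::NEW_VMCS_1::VMCS_OFFSET_VMCS_LINK_PTR_FULL);
    const ULONGLONG host_gs = *(PULONGLONG)(MapAddress + ddk::VMCS_SCAN_DEF1::NEW_VMCS_1::VMCS_OFFSET_HOST_GS_BASE);
    const ULONGLONG host_cr3 = *(PULONGLONG)(MapAddress + ddk::VMCS_SCAN_DEF1::NEW_VMCS_1::VMCS_OFFSET_HOST_CR3);
    const ULONGLONG host_rip = *(PULONGLONG)(MapAddress + ddk::VMCS_SCAN_DEF1::NEW_VMCS_1::VMCS_OFFSET_HOST_RIP);
    const ULONGLONG host_gdtr = *(PULONGLONG)(MapAddress + ddk::VMCS_SCAN_DEF1::NEW_VMCS_1::VMCS_OFFSET_HOST_GDTR_BASE);
    const ULONGLONG host_idtr = *(PULONGLONG)(MapAddress + ddk::VMCS_SCAN_DEF1::NEW_VMCS_1::VMCS_OFFSET_HOST_IDTR_BASE);
    const ULONGLONG eptp = *(PULONGLONG)(MapAddress + ddk::VMCS_SCAN_DEF1::NEW_VMCS_1::VMCS_OFFSET_EPT_POINTER_FULL);

    const bool vmxe_set = (host_cr4 & 0x2000) != 0;          // CR4.VMXE
    const bool cr4_upper_clear = (host_cr4 & 0xFFFFFFFF) == host_cr4;
    const bool link_ptr_unused = link_ptr == 0xFFFFFFFFFFFFFFFF;
    // Disabled extra filter (the author found it unreliable):
    //   *(PULONG)(MapAddress + ddk::VMCS_SCAN_DEF1::NEW_VMCS_1::VMCS_OFFSET_GUEST_GDTR_LIMIT) == 0x7F &&
    //   *(PULONG)(MapAddress + ddk::VMCS_SCAN_DEF1::NEW_VMCS_1::VMCS_OFFSET_GUEST_IDTR_LIMIT) == 0xFFF
    if (!(vmxe_set && link_ptr_unused && cr4_upper_clear && abort_indicator == 0))
    {
        return;
    }

    // Count the hit so the total reported after a scan covers both layouts,
    // not just the Sandy Bridge one.
    vmcs_count++;
    DBG_PRINT("Find revision_id =%x\r\n", revision);
    DBG_PRINT("HostCr4 = %p %p\r\n", host_cr4, __readcr4());
    DBG_PRINT("hostCR3 = %p %p\r\n", host_cr3, __readcr3());
    DBG_PRINT("VMCS LINK PTR = %p\r\n", link_ptr);
    DBG_PRINT("Abort_id = %x\r\n", abort_indicator);
    DBG_PRINT("hostGS = %p %p\r\n", host_gs, __readmsr(0xC0000101));
    DBG_PRINT("VMCS: %p\r\n", BaseAddress.QuadPart);
    DBG_PRINT("VMCS Host RIP: %p\r\n", host_rip);
    DBG_PRINT("VMCS Host GDTR Base: %p\r\n", host_gdtr);
    DBG_PRINT("VMCS Host IDTR Base: %p\r\n", host_idtr);
    DBG_PRINT("VMCS EPT POINTOR :%p\r\n", eptp);
}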
拿到Host RIP之后,就可以尝试去hook它了——VM-EXIT时CPU会直接跳到这个地址执行,所以hook上去的代码跑在VMX root模式,拥有hypervisor本身的全部权限。
比如我在某东西上搜索出来的一个VMCS(两列数值分别是VMCS里的host值和当前客户机里读到的值):
Find revision_id =10
HostCr4 = 00000000001526F8 00000000001506F8
hostCR3 = 0000000314142000 00000000001AB000
VMCS LINK PTR = FFFFFFFFFFFFFFFF
Abort_id = 0
hostGS = FFFFF80079CCA3F8 FFFFF80051591000
VMCS: 0000000313F67000
VMCS Host RIP: FFFFF80079C8B47D
VMCS Host GDTR Base: FFFFE000D4030000
VMCS Host IDTR Base: FFFFE000D4040000
然后对Host RIP处的代码做hook就可以XXOO了。
注意Host RIP是host地址空间里的线性地址,要配合VMCS里的Host CR3来解释(上面输出里host CR3和客户机当前CR3并不相同),所以往往需要先切换到Host CR3才能访问/修改Host RIP处的代码;如果那一页被EPT保护起来,客户机里就算切了CR3也看不到、改不了。
参考资料:Black Hat 2016的一个PPT里提到过扫描VMCS,不过作者没给代码,而且借助了SMM——在SMM里扫描物理内存不受EPT限制,所以能扫到被EPT保护起来、客户机看不见的物理页;本文的做法是在普通内核态驱动里直接扫,因此只能看到客户机可见的内存。
具体pdf名称是:
us-16-Wojtczuk-Analysis-Of-The-Attack-Surface-Of-Windows-10-Virtualization-Based-Security
和一个老的论文:
Hypervisor Memory Forensics
这个需要搜索论文库了,里面是讲了一些理论,但是有用。
最后还有一些参考的东西是google的内存离线分析工程rekall的一些wiki和issues...
讨论技术,吹水扯淡,加我的qq群:48715131