-
-
[分享]amd svm学了一段时间 发下能正常进入和退出的代码。
-
发表于:
2018-6-14 23:56
7022
-
[分享]amd svm学了一段时间 发下能正常进入和退出的代码。
只简单的说下
这个结构最重要
typedef union
{
UINT32 chars;
struct
{
UINT32 intr:1;
UINT32 nmi:1;
UINT32 smi:1;
UINT32 init:1;
UINT32 vintr:1;
UINT32 cr0_w:1;
UINT32 ridtr:1;
UINT32 rgdtr:1;
UINT32 rldtr:1;
UINT32 rtr:1;
UINT32 widtr:1;
UINT32 wgdtr:1;
UINT32 wldtr:1;
UINT32 wtr:1;
UINT32 rdtsc:1;
UINT32 rdpmc:1;
UINT32 pushf:1;
UINT32 popf:1;
UINT32 cpuid:1; //拦截
UINT32 rsm:1;
UINT32 iret:1;
UINT32 intn:1;
UINT32 invd:1;
UINT32 pause:1;
UINT32 hlt:1;
UINT32 invlpg:1;
UINT32 invlpga:1;
UINT32 ioio_port:1;
UINT32 msr_port:1;
UINT32 task_sw:1;
UINT32 ferr_freeze:1;
UINT32 shutdown_events:1;
};
}intercept1;
typedef union
{
UINT32 uchars;
struct
{
UINT32 vmrun:1; //这个必须拦截
UINT32 vmmcall:1; //拦截
UINT32 vmload:1;
UINT32 vmsave:1;
UINT32 stgi:1;
UINT32 clgi:1;
UINT32 skinit:1;
UINT32 rdtscp:1;
UINT32 icebp:1;
UINT32 wbinvd:1;
UINT32 monitor_x:1;
UINT32 mwait_x:1;
UINT32 mwait_x_arm:1;
UINT32 xsetbv:1;
UINT32 res:1;
UINT32 efer:1;
UINT32 cr0_15:16;
};
}intercepe2;
typedef struct
{
USHORT r_cr0_15;
USHORT w_cr0_15;
USHORT r_dr0_15;
USHORT w_dr0_15;
UINT32 vector0_31;
//intercept
intercept1 intercept1;
intercepe2 intercept2;
UCHAR res1[0x28];
USHORT pause_filter_t;
USHORT pause_filter_c;
ULONG64 iopm_base_pa;
ULONG64 msrpm_base_pa;
ULONG64 tsc_offset;
UINT32 guset_asid; //这个值 必须要 值为最大asid数减1
UINT32 tlb_control;
ULONG64 v;
ULONG64 interrupt_shadow;
ULONG64 exitcode;
ULONG64 exitinfo1;
ULONG64 exitinfo2;
ULONG64 exitintinfo;
ULONG64 np_enable;
ULONG64 avic;
ULONG64 ghcb;
ULONG64 eventinj;
ULONG64 n_cr3;
UCHAR res2[0x10];
ULONG64 nrip; //这个值很重要 是GUEST返回到 HOST指令的下一条指令 用来从HOST返回GUEST的时候用
ULONG64 restmp[0x66];
//guest state
vm_segment es;
vm_segment cs;
vm_segment ss;
vm_segment ds;
vm_segment fs; // fs gs这些值 可以通过vmsave获得
vm_segment gs;
vm_segment gdtr;
vm_segment ldtr;
vm_segment idtr;
vm_segment tr;
UCHAR res3[0x2b];
UCHAR cpl;
UINT32 res4;
ULONG64 efer; //貌似efer.svme必须为1 不然执行vmrun guest state检查通不过
UCHAR re5[0x70];
ULONG64 cr4;
ULONG64 cr3;
ULONG64 cr0;
ULONG64 dr7;
ULONG64 dr6;
ULONG64 rflags;
ULONG64 rip;
UCHAR res6[0x58];
ULONG64 rsp;
UCHAR res7[0x18];
ULONG64 rax;
ULONG64 star;
ULONG64 lstar;
ULONG64 cstar;
ULONG64 sfmask;
ULONG64 kernelgsbase;
ULONG64 sysenter_cs;
ULONG64 sysenter_esp;
ULONG64 sysenter_eip;
ULONG64 cr2;
UCHAR res8[0x20];
ULONG64 g_pat;
ULONG64 dbgctl;
ULONG64 br_from;
ULONG64 br_to;
ULONG64 lastexcpfrom;
ULONG64 lastexcpto;
}vmcb;
退出vm时 必须要执行stgi不然会死机
z文件夹为驱动 t文件夹为测试exe ebx ecx edx 为0x19880430为成功
代码 参考nbp和另一个X64位项目 还有amd两本文档
wdk编译通过 并在虚拟机 里跑了几个小时没蓝 虚拟机单核
[课程]Android-CTF解题方法汇总!
最后于 2018-6-15 09:03
被fastkb编辑
,原因:
