UEFI hijacking of Hyper-V: hooking vmexit to implement an EPT hook
Posted on: 2024-6-20 18:57 3998


Original repository: https://github.com/uefibootkit/Voyager

The original only supports up to Win 10 2004; I only updated the signature for Win 10 22H2. If it has no effect on other OS versions, update it yourself: just find the signature of BlImgAllocateImageBuffer.

Also, the original has no EPT hook (Hyper-V has EPT enabled). I added EPT support for Intel. The code was written in a hurry and probably has bugs: removing a hook only deletes the entry's data from the linked list, the list itself is not removed, and the 2MB large pages that were split into 4KB pages are not restored either. An EPT page that has already been split should not trigger EPT violations after its list entry is deleted; those who are able can modify it themselves.
EPT part of the code:

// Fragment of the vmexit handler added to Voyager. It relies on Voyager's mm
// namespace (map_page, SpinLock, ListHead, HOOK_INFO, AsmInvept) and on the
// ia32 VMCS/EPT structure definitions the project already uses.
if (vmexit_reason == VMX_EXIT_REASON_EPT_VIOLATION) {

    vmx_exit_qualification_ept_violation QualificationEptViolation = { 0 };
    __vmx_vmread(VMCS_EXIT_QUALIFICATION, (size_t*)&QualificationEptViolation);

    // The guest-physical address field is valid for every EPT violation. The
    // guest-linear address is only valid when the violation came from
    // translating a linear address and is not what the EPT walk below needs,
    // so it must not be used as a physical address.
    auto Physical = 0ui64;
    __vmx_vmread(VMCS_GUEST_PHYSICAL_ADDRESS, (size_t*)&Physical);

    ept_pointer ept = { 0 };
    __vmx_vmread(VMCS_CTRL_EPT_POINTER, (size_t*)&ept);

    mm::phys_addr_t phy = { Physical };

    // Walk the EPT: PML4 -> PDPT -> PD, mapping each table into the hypervisor.
    auto pml4 = (ept_pml4e*)mm::map_page(ept.page_frame_number << 12, mm::map_type_t::map_src);
    auto pdpte = (ept_pdpte*)mm::map_page(pml4[phy.pml4_index].page_frame_number << 12, mm::map_type_t::map_src);
    auto pde2mb = (epde_2mb*)mm::map_page(pdpte[phy.pdpt_index].page_frame_number << 12, mm::map_type_t::map_src);

    // Only pages already mapped at 4KB granularity are handled; a 2MB large
    // page has no PT level to edit.
    if (!pde2mb[phy.pd_index].large_page) {
        auto pte = (ept_pte*)mm::map_page(((ept_pde*)pde2mb)[phy.pd_index].page_frame_number << 12, mm::map_type_t::map_src);
        if (pte) {
            auto pfn_1 = 0ui64;
            auto pfn_2 = 0ui64;

            SpinlockLock(&mm::SpinLock);

            // Look up the faulting page (4KB aligned) in the hook list.
            PLIST_ENTRY Entry = mm::ListHead.Flink;
            while (Entry != &mm::ListHead) {
                PLIST_ENTRY NextEntry = Entry->Flink;
                mm::HOOK_INFO* data = CONTAINING_RECORD(Entry, mm::HOOK_INFO, List);

                if (data->Physical_1 == (Physical & ~0xFFF)) {
                    pfn_1 = data->Physical_1 >> 12;
                    pfn_2 = data->Physical_2 >> 12;
                    break;
                }

                Entry = NextEntry;
            }

            SpinlockUnlock(&mm::SpinLock);

            if (pfn_1 && pfn_2) {
                if (QualificationEptViolation.execute_access) {
                    // Instruction fetch: expose the execute-only copy (Physical_2).
                    pte[phy.pt_index].read_access = 0;
                    pte[phy.pt_index].write_access = 0;
                    pte[phy.pt_index].execute_access = 1;
                    pte[phy.pt_index].page_frame_number = pfn_2;
                }
                else {
                    // Data read/write: expose the original page (Physical_1) without execute.
                    pte[phy.pt_index].read_access = 1;
                    pte[phy.pt_index].write_access = 1;
                    pte[phy.pt_index].execute_access = 0;
                    pte[phy.pt_index].page_frame_number = pfn_1;
                }

                // Flush cached EPT translations so the new mapping takes effect.
                invept_descriptor Descriptor = { 0 };
                mm::AsmInvept(invept_all_context, &Descriptor);
                return;
            }
        }
    }

}
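The walk above indexes the EPT tables with the same bit fields as IA-32e paging, and the post notes that 2MB large pages have to be split into 4KB entries before a single page can be given its own permissions. The following is an added C example, not code from the post or from Voyager, that models that address decomposition and the 2MB-to-4KB split in a plain user-mode process and checks that the split leaves every translation unchanged. The entry bit layout follows Intel SDM Vol. 3 Chapter 28; the single-page-directory `ept_model_t`, the host addresses and the sample guest-physical address are constructed assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <inttypes.h>
#include <stdio.h>

/* EPT entry bits shared by PDEs and PTEs (Intel SDM Vol. 3, 28.3.2). */
#define EPT_READ         (1ull << 0)
#define EPT_WRITE        (1ull << 1)
#define EPT_EXECUTE      (1ull << 2)
#define EPT_RWX          (EPT_READ | EPT_WRITE | EPT_EXECUTE)
#define EPT_MEMTYPE_MASK (7ull << 3)           /* leaf entries only */
#define EPT_LARGE_PAGE   (1ull << 7)           /* PDE bit 7: entry maps a 2 MB page */
#define EPT_PFN_MASK     0x000FFFFFFFFFF000ull /* bits 51:12: 4 KB frame or next-level table */
#define EPT_2MB_MASK     0x000FFFFFFFE00000ull /* bits 51:21: 2 MB frame */

/* How a guest-physical address indexes the four EPT levels (same split as IA-32e paging). */
typedef struct {
    uint64_t offset;      /* bits 11:0  */
    uint64_t pt_index;    /* bits 20:12 */
    uint64_t pd_index;    /* bits 29:21 */
    uint64_t pdpt_index;  /* bits 38:30 */
    uint64_t pml4_index;  /* bits 47:39 */
} ept_indices_t;

static ept_indices_t ept_decompose(uint64_t gpa) {
    ept_indices_t ix;
    ix.offset     =  gpa        & 0xFFF;
    ix.pt_index   = (gpa >> 12) & 0x1FF;
    ix.pd_index   = (gpa >> 21) & 0x1FF;
    ix.pdpt_index = (gpa >> 30) & 0x1FF;
    ix.pml4_index = (gpa >> 39) & 0x1FF;
    return ix;
}

/* Constructed model (assumption): one page directory covering a 1 GB region plus one
   spare page table. Real EPT links levels through host PFNs that the hypervisor must
   map; here the levels are plain arrays so the walk runs in a normal process. */
typedef struct {
    uint64_t pd[512];
    uint64_t pt[512];        /* becomes the PT of the split PDE */
    int      split_pd_index; /* -1 until a PDE has been split */
} ept_model_t;

/* Translate a GPA inside the modelled region to a host-physical address.
   Returns false where hardware would raise an EPT violation (entry not present). */
static bool ept_translate(const ept_model_t *m, uint64_t gpa, uint64_t *host_pa) {
    ept_indices_t ix = ept_decompose(gpa);
    uint64_t pde = m->pd[ix.pd_index];
    if (!(pde & EPT_RWX))
        return false;
    if (pde & EPT_LARGE_PAGE) {                 /* leaf at the PD level: no PT to walk */
        *host_pa = (pde & EPT_2MB_MASK) | (gpa & 0x1FFFFF);
        return true;
    }
    if ((int)ix.pd_index != m->split_pd_index)  /* the model has only one PT */
        return false;
    uint64_t pte = m->pt[ix.pt_index];
    if (!(pte & EPT_RWX))
        return false;
    *host_pa = (pte & EPT_PFN_MASK) | ix.offset;
    return true;
}

/* Split the 2 MB PDE at pd_index into 512 4 KB PTEs carrying the same permissions and
   memory type, so single pages can later get their own permissions. pt_host_pa is
   where the new PT lives in host memory. */
static bool ept_split_2mb(ept_model_t *m, uint64_t pd_index, uint64_t pt_host_pa) {
    uint64_t pde = m->pd[pd_index];
    if (!(pde & EPT_LARGE_PAGE) || m->split_pd_index != -1)
        return false;
    uint64_t first_pfn = (pde & EPT_2MB_MASK) >> 12;  /* first 4 KB frame of the region */
    uint64_t leaf_attrs = pde & (EPT_RWX | EPT_MEMTYPE_MASK);
    for (uint64_t i = 0; i < 512; i++)
        m->pt[i] = leaf_attrs | ((first_pfn + i) << 12);
    /* A PDE that references a PT carries only R/W/X: no memory type, bit 7 clear. */
    m->pd[pd_index] = (pde & EPT_RWX) | (pt_host_pa & EPT_PFN_MASK);
    m->split_pd_index = (int)pd_index;
    return true;
}

/* Demo: map GPA 0xA00000..0xBFFFFF to host 0x20000000 as one 2 MB page, split it, and
   return the host address of a sample GPA if the split preserved the translation and
   the PDE no longer claims a large page; 0 on any mismatch. */
static uint64_t ept_demo_split(void) {
    ept_model_t m = { .split_pd_index = -1 };
    const uint64_t gpa = 0xB23456;                          /* constructed sample GPA */
    const uint64_t pd_index = ept_decompose(gpa).pd_index;  /* 5 */
    m.pd[pd_index] = 0x20000000ull | EPT_RWX | (6ull << 3) | EPT_LARGE_PAGE; /* WB memory type */

    uint64_t before, after;
    if (!ept_translate(&m, gpa, &before)) return 0;
    if (!ept_split_2mb(&m, pd_index, 0x30000000ull)) return 0;  /* placeholder PT location */
    if (!ept_translate(&m, gpa, &after)) return 0;
    if (before != after || (m.pd[pd_index] & EPT_LARGE_PAGE)) return 0;
    return after;
}

int main(void) {
    printf("host PA after split: 0x%" PRIx64 "\n", ept_demo_split());
    return 0;
}
```

The split is what makes a per-page view possible: after it, the handler in the post can change permissions of one 4KB PTE without affecting the other 511 pages of the former 2MB mapping, which is also why a hypervisor that never restores the large page keeps paying the extra TLB and walk cost the post mentions.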

How it works: by loading its own bootmgfw.efi, on newer Win10 versions it hooks BlLdrLoadImage inside winload.efi; when hv.exe is loaded it adds a new section, maps the payload into it, and then hooks the vmexit function. BlImgAllocateImageBuffer is hooked in order to change the image size of the loaded hv.exe. Once the hooks are in place it calls the original bootmgfw entry point and the system boots normally.

The support libraries are too large, so build them yourself from git:
https://github.com/ionescu007/VisualUefi
https://github.com/ionescu007/edk2
nasm also needs to be installed.


Latest replies (3)
Impressive
2024-6-21 02:38
Thanks for sharing
2024-6-21 11:26

On 22H2, don't START_BOOT_APPLICATION_SIG and INTEL_VMEXIT_HANDLER_SIG need updating as well?

Last edited by 灰灰Hui on 2024-11-13 15:03, reason:
2024-11-13 14:53