HyperDbg Debugger
Loading...
Searching...
No Matches
ExecTrap.h File Reference

Header for the user-mode, kernel-mode execution traps' routines. More...

#include "pch.h"

Go to the source code of this file.

Classes

struct  _USER_KERNEL_EXECUTION_TRAP_STATE
 The status user-mode, kernel-mode execution traps for processes. More...

Macros

#define MAXIMUM_NUMBER_OF_PROCESSES_FOR_USER_KERNEL_EXEC_THREAD   100
 maximum number of processes for a simultaneous user-mode, kernel-mode execution trap

Typedefs

typedef struct _USER_KERNEL_EXECUTION_TRAP_STATE USER_KERNEL_EXECUTION_TRAP_STATE
 The status user-mode, kernel-mode execution traps for processes.
typedef struct _USER_KERNEL_EXECUTION_TRAP_STATEPUSER_KERNEL_EXECUTION_TRAP_STATE

Functions

VOID ExecTrapHandleCr3Vmexit (VIRTUAL_MACHINE_STATE *VCpu)
 Handle MOV to CR3 vm-exits for hooking mode execution.
VOID ExecTrapChangeToUserDisabledMbecEptp (VIRTUAL_MACHINE_STATE *VCpu)
 change to user-disabled MBEC EPTP
VOID ExecTrapChangeToKernelDisabledMbecEptp (VIRTUAL_MACHINE_STATE *VCpu)
 change to kernel-disabled MBEC EPTP
VOID ExecTrapRestoreToNormalEptp (VIRTUAL_MACHINE_STATE *VCpu)
 restore to normal EPTP
VOID ExecTrapHandleMoveToAdjustedTrapState (VIRTUAL_MACHINE_STATE *VCpu, DEBUGGER_EVENT_MODE_TYPE TargetMode)
 Restore the execution of the trap to adjusted trap state.
VOID ExecTrapUninitialize ()
 Uinitialize the needed structure for the reversing machine.
BOOLEAN ExecTrapInitialize ()
 Initialize the exec trap based on service request.
VOID ExecTrapApplyMbecConfiguratinFromKernelSide (VIRTUAL_MACHINE_STATE *VCpu)
 Apply the MBEC configuration from the kernel side.
BOOLEAN ExecTrapHandleEptViolationVmexit (VIRTUAL_MACHINE_STATE *VCpu, VMX_EXIT_QUALIFICATION_EPT_VIOLATION *ViolationQualification)
 Handle EPT Violations related to the MBEC hooks.
BOOLEAN ExecTrapAddProcessToWatchingList (UINT32 ProcessId)
 Add the target process to the watching list.
BOOLEAN ExecTrapRemoveProcessFromWatchingList (UINT32 ProcessId)
 Remove the target process from the watching list.

Variables

volatile LONG ExecTrapProcessListLock
 The lock for modifying the list of processes for user-mode, kernel-mode execution traps.

Detailed Description

Header for the user-mode, kernel-mode execution traps' routines.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.4
Date
2023-07-05

Macro Definition Documentation

◆ MAXIMUM_NUMBER_OF_PROCESSES_FOR_USER_KERNEL_EXEC_THREAD

#define MAXIMUM_NUMBER_OF_PROCESSES_FOR_USER_KERNEL_EXEC_THREAD   100

maximum number of processes for a simultaneous user-mode, kernel-mode execution trap

Typedef Documentation

◆ PUSER_KERNEL_EXECUTION_TRAP_STATE

◆ USER_KERNEL_EXECUTION_TRAP_STATE

The status user-mode, kernel-mode execution traps for processes.

Function Documentation

◆ ExecTrapAddProcessToWatchingList()

BOOLEAN ExecTrapAddProcessToWatchingList ( UINT32 ProcessId)

Add the target process to the watching list.

Parameters
ProcessId
Returns
BOOLEAN
791{
792 UINT32 Index;
793 BOOLEAN Result;
794
796
797 Result = InsertionSortInsertItem(&g_ExecTrapState.InterceptionProcessIds[0],
798 &g_ExecTrapState.NumberOfItems,
800 &Index,
801 (UINT64)ProcessId);
802
804
805 return Result;
806}
volatile LONG ExecTrapProcessListLock
The lock for modifying the list of processes for user-mode, kernel-mode execution traps.
Definition ExecTrap.h:33
#define MAXIMUM_NUMBER_OF_PROCESSES_FOR_USER_KERNEL_EXEC_THREAD
maximum number of processes for a simultaneous user-mode, kernel-mode execution trap
Definition ExecTrap.h:23
BOOLEAN InsertionSortInsertItem(UINT64 ArrayPtr[], UINT32 *NumberOfItems, UINT32 MaxNumOfItems, UINT32 *Index, UINT64 Key)
Function to implement insertion sort.
Definition InsertionSort.c:26
VOID SpinlockLock(volatile LONG *Lock)
Tries to get the lock and won't return until successfully get the lock.
Definition Spinlock.c:53
VOID SpinlockUnlock(volatile LONG *Lock)
Release the lock.
Definition Spinlock.c:162
UCHAR BOOLEAN
Definition BasicTypes.h:35
unsigned int UINT32
Definition BasicTypes.h:54
USER_KERNEL_EXECUTION_TRAP_STATE g_ExecTrapState
State of the trap-flag.
Definition GlobalVariables.h:175

◆ ExecTrapApplyMbecConfiguratinFromKernelSide()

VOID ExecTrapApplyMbecConfiguratinFromKernelSide ( VIRTUAL_MACHINE_STATE * VCpu)

Apply the MBEC configuration from the kernel side.

Parameters
VCpuThe virtual processor's state
Returns
VOID
722{
723 BOOLEAN Result;
724 UINT32 Index;
725
726 //
727 // Acquire the lock for the exec trap process list
728 //
730
731 //
732 // Search the list of processes for the current process's user-execution
733 // trap state
734 //
735 Result = BinarySearchPerformSearchItem(&g_ExecTrapState.InterceptionProcessIds[0],
736 g_ExecTrapState.NumberOfItems,
737 &Index,
738 (UINT64)PsGetCurrentProcessId());
739
740 //
741 // Release the lock for the exec trap process list
742 //
744
745 //
746 // Check whether the procerss is in the list of interceptions or not
747 //
748 if (Result)
749 {
750 //
751 // Enable MBEC to detect execution in user-mode
752 //
754 VCpu->MbecEnabled = TRUE;
755
756 //
757 // Trigger the event
758 //
760 }
761 else if (VCpu->MbecEnabled)
762 {
763 //
764 // In case, the process is changed, we've disable the MBEC
765 //
767 VCpu->MbecEnabled = FALSE;
768 }
769}
BOOLEAN BinarySearchPerformSearchItem(UINT64 ArrayPtr[], UINT32 NumberOfItems, UINT32 *ResultIndex, UINT64 Key)
A utility function to perform the binary search.
Definition BinarySearch.c:46
VOID DispatchEventMode(VIRTUAL_MACHINE_STATE *VCpu, DEBUGGER_EVENT_MODE_TYPE TargetMode)
Handling debugger functions related to user-mode/kernel-mode execution trap events.
Definition Dispatch.c:364
VOID HvSetModeBasedExecutionEnableFlag(BOOLEAN Set)
Set Mode-based Execution Control (MBEC) Enable bit.
Definition Hv.c:721
#define TRUE
Definition BasicTypes.h:114
#define FALSE
Definition BasicTypes.h:113
@ DEBUGGER_EVENT_MODE_TYPE_KERNEL_MODE
Definition Events.h:210
BOOLEAN MbecEnabled
Definition State.h:322

◆ ExecTrapChangeToKernelDisabledMbecEptp()

VOID ExecTrapChangeToKernelDisabledMbecEptp ( VIRTUAL_MACHINE_STATE * VCpu)

change to kernel-disabled MBEC EPTP

Parameters
VCpuThe virtual processor's state
Returns
VOID
542{
543 //
544 // From Intel Manual:
545 // [Bit 2] If the "mode-based execute control for EPT" VM - execution control is 0, execute access;
546 // indicates whether instruction fetches are allowed from the 2-MByte page controlled by this entry.
547 // If that control is 1, execute access for supervisor-mode linear addresses; indicates whether instruction
548 // fetches are allowed from supervisor - mode linear addresses in the 2 - MByte page controlled by this entry
549 //
550
551 //
552 // Set execute access for PML4s
553 //
554 // for (SIZE_T i = 0; i < VMM_EPT_PML4E_COUNT; i++)
555 // {
556 VCpu->EptPageTable->PML4[0].UserModeExecute = TRUE;
557
558 //
559 // We only set the top-level PML4 for intercepting kernel-mode execution
560 //
561 VCpu->EptPageTable->PML4[0].ExecuteAccess = FALSE;
562 // }
563
564 //
565 // Invalidate the EPT cache
566 //
568
569 //
570 // It's not on normal EPTP
571 //
572 VCpu->NotNormalEptp = TRUE;
573}
UCHAR EptInveptSingleContext(_In_ UINT64 EptPointer)
Invalidates a single context in ept cache table.
Definition Invept.c:40
PVMM_EPT_PAGE_TABLE EptPageTable
Definition State.h:364
BOOLEAN NotNormalEptp
Definition State.h:321
EPT_POINTER EptPointer
Definition State.h:363
EPT_PML4_POINTER PML4[VMM_EPT_PML4E_COUNT]
28.2.2 Describes 512 contiguous 512GB memory regions each with 512 1GB regions.
Definition State.h:111

◆ ExecTrapChangeToUserDisabledMbecEptp()

VOID ExecTrapChangeToUserDisabledMbecEptp ( VIRTUAL_MACHINE_STATE * VCpu)

change to user-disabled MBEC EPTP

Parameters
VCpuThe virtual processor's state
Returns
VOID
501{
502 //
503 // From Intel Manual:
504 // [Bit 2] If the "mode-based execute control for EPT" VM - execution control is 0, execute access;
505 // indicates whether instruction fetches are allowed from the 2-MByte page controlled by this entry.
506 // If that control is 1, execute access for supervisor-mode linear addresses; indicates whether instruction
507 // fetches are allowed from supervisor - mode linear addresses in the 2 - MByte page controlled by this entry
508 //
509
510 //
511 // Set execute access for PML4s
512 //
513 // for (SIZE_T i = 0; i < VMM_EPT_PML4E_COUNT; i++)
514 // {
515 VCpu->EptPageTable->PML4[0].UserModeExecute = FALSE;
516
517 //
518 // We only set the top-level PML4 for intercepting kernel-mode execution
519 //
520 VCpu->EptPageTable->PML4[0].ExecuteAccess = TRUE;
521 // }
522
523 //
524 // Invalidate the EPT cache
525 //
527
528 //
529 // It's not on normal EPTP
530 //
531 VCpu->NotNormalEptp = TRUE;
532}

◆ ExecTrapHandleCr3Vmexit()

VOID ExecTrapHandleCr3Vmexit ( VIRTUAL_MACHINE_STATE * VCpu)

Handle MOV to CR3 vm-exits for hooking mode execution.

Parameters
VCpuThe virtual processor's state
Returns
VOID
779{
781}
VOID ExecTrapApplyMbecConfiguratinFromKernelSide(VIRTUAL_MACHINE_STATE *VCpu)
Apply the MBEC configuration from the kernel side.
Definition ExecTrap.c:721

◆ ExecTrapHandleEptViolationVmexit()

BOOLEAN ExecTrapHandleEptViolationVmexit ( VIRTUAL_MACHINE_STATE * VCpu,
VMX_EXIT_QUALIFICATION_EPT_VIOLATION * ViolationQualification )

Handle EPT Violations related to the MBEC hooks.

Parameters
VCpuThe virtual processor's state
ViolationQualification
Returns
BOOLEAN
657{
658 //
659 // Check if this mechanism is use or not
660 //
662 {
663 return FALSE;
664 }
665
666 if (!ViolationQualification->EptExecutableForUserMode && ViolationQualification->ExecuteAccess)
667 {
668 //
669 // For test purposes
670 //
671 // LogInfo("Reached to the user-mode of the process (0x%x) is executed address: %llx", PsGetCurrentProcessId(), VCpu->LastVmexitRip);
672
673 //
674 // Suppress the RIP increment
675 //
677
678 //
679 // Trigger the event
680 //
682 }
683 else if (!ViolationQualification->EptExecutable && ViolationQualification->ExecuteAccess)
684 {
685 //
686 // For test purposes
687 //
688 // LogInfo("Reached to the kernel-mode of the process (0x%x) is executed address: %llx", PsGetCurrentProcessId(), VCpu->LastVmexitRip);
689
690 //
691 // Suppress the RIP increment
692 //
694
695 //
696 // Trigger the event
697 //
699 }
700 else
701 {
702 //
703 // Unexpected violation
704 //
705 return FALSE;
706 }
707
708 //
709 // It successfully handled by MBEC hooks
710 //
711 return TRUE;
712}
VOID HvSuppressRipIncrement(VIRTUAL_MACHINE_STATE *VCpu)
Suppress the incrementation of RIP.
Definition Hv.c:320
@ DEBUGGER_EVENT_MODE_TYPE_USER_MODE
Definition Events.h:209
BOOLEAN g_ExecTrapInitialized
Showes whether the execution trap handler is allowed to trigger an event or not.
Definition GlobalVariables.h:162

◆ ExecTrapHandleMoveToAdjustedTrapState()

VOID ExecTrapHandleMoveToAdjustedTrapState ( VIRTUAL_MACHINE_STATE * VCpu,
DEBUGGER_EVENT_MODE_TYPE TargetMode )

Restore the execution of the trap to adjusted trap state.

Parameters
VCpuThe virtual processor's state
IsUserModeWhether the execution event caused by a switch from kernel-to-user or otherwise user-to-kernel
Returns
VOID
626{
627 if (TargetMode == DEBUGGER_EVENT_MODE_TYPE_USER_MODE)
628 {
629 //
630 // Change EPT to kernel disabled
631 //
633 }
634 else if (TargetMode == DEBUGGER_EVENT_MODE_TYPE_KERNEL_MODE)
635 {
636 //
637 // Change EPT to user disabled
638 //
640 }
641 else
642 {
643 LogError("Err, Invalid target mode for execution trap: %x", TargetMode);
644 }
645}
VOID ExecTrapChangeToKernelDisabledMbecEptp(VIRTUAL_MACHINE_STATE *VCpu)
change to kernel-disabled MBEC EPTP
Definition ExecTrap.c:541
VOID ExecTrapChangeToUserDisabledMbecEptp(VIRTUAL_MACHINE_STATE *VCpu)
change to user-disabled MBEC EPTP
Definition ExecTrap.c:500
#define LogError(format,...)
Log in the case of error.
Definition HyperDbgHyperLogIntrinsics.h:113

◆ ExecTrapInitialize()

BOOLEAN ExecTrapInitialize ( )

Initialize the exec trap based on service request.

Returns
BOOLEAN
370{
371 //
372 // Check if the exec trap is already initialized
373 //
375 {
376 //
377 // Already initialized
378 //
379 return TRUE;
380 }
381
382 //
383 // Check if MBEC supported by this processors
384 //
385 if (!g_CompatibilityCheck.ModeBasedExecutionSupport)
386 {
387 LogInfo("Your processor doesn't support Mode-Based Execution Controls (MBEC), which is a needed feature for this functionality :(\n"
388 "MBEC is available on processors starting from the 7th generation (Kaby Lake) and onwards");
389 return FALSE;
390 }
391
392 //
393 // Call the function responsible for initializing Mode-based hooks
394 //
396 {
397 //
398 // The initialization was not successful
399 //
400 return FALSE;
401 }
402
403 //
404 // Change EPT on all core's to a MBEC supported EPTP
405 // (No longer needed as the starting phase of the process uses EPT hooks)
406 //
408
409 //
410 // Indicate that the reversing machine is initialized
411 // It should be initialized here BEFORE broadcasting mov 2 cr3 exiting
412 // because an EPT violation might be thrown before we enabled it from
413 // here
414 //
416
417 //
418 // Enable Mode-based execution control by broadcasting MOV to CR3 exiting
419 //
421
422 return TRUE;
423}
BOOLEAN ModeBasedExecHookInitialize()
Initialize the needed structure for hooking mode execution.
Definition ModeBasedExecHook.c:213
#define LogInfo(format,...)
Define log variables.
Definition HyperDbgHyperLogIntrinsics.h:71
IMPORT_EXPORT_VMM VOID BroadcastEnableMovToCr3ExitingOnAllProcessors()
routines for debugging threads (enable mov-to-cr3 exiting)
Definition Broadcast.c:436
VOID BroadcastChangeToMbecSupportedEptpOnAllProcessors()
routines for changing EPTP to an MBEC supported EPTP
Definition Broadcast.c:447
COMPATIBILITY_CHECKS_STATUS g_CompatibilityCheck
Different attributes and compatibility checks of the current processor.
Definition GlobalVariables.h:26

◆ ExecTrapRemoveProcessFromWatchingList()

BOOLEAN ExecTrapRemoveProcessFromWatchingList ( UINT32 ProcessId)

Remove the target process from the watching list.

Parameters
ProcessId
Returns
BOOLEAN
816{
817 UINT32 Index;
818 BOOLEAN Result;
819
821
822 Result = BinarySearchPerformSearchItem(&g_ExecTrapState.InterceptionProcessIds[0],
823 g_ExecTrapState.NumberOfItems,
824 &Index,
825 (UINT64)ProcessId);
826
827 if (Result)
828 {
829 Result = InsertionSortDeleteItem(&g_ExecTrapState.InterceptionProcessIds[0],
830 &g_ExecTrapState.NumberOfItems,
831 Index);
832 }
833
835
836 return Result;
837}
BOOLEAN InsertionSortDeleteItem(UINT64 ArrayPtr[], UINT32 *NumberOfItems, UINT32 Index)
Function to implement insertion sort.
Definition InsertionSort.c:69

◆ ExecTrapRestoreToNormalEptp()

VOID ExecTrapRestoreToNormalEptp ( VIRTUAL_MACHINE_STATE * VCpu)

restore to normal EPTP

Parameters
VCpuThe virtual processor's state
Returns
VOID
481{
482 //
483 // Change EPTP
484 //
485 VmxVmwrite64(VMCS_CTRL_EPT_POINTER, VCpu->EptPointer.AsUInt);
486
487 //
488 // It's on normal EPTP
489 //
490 VCpu->NotNormalEptp = FALSE;
491}
UCHAR VmxVmwrite64(size_t Field, UINT64 FieldValue)
VMX VMWRITE instruction (64-bit).
Definition PlatformIntrinsicsVmx.c:273

◆ ExecTrapUninitialize()

VOID ExecTrapUninitialize ( )

Uinitialize the needed structure for the reversing machine.

should be called from vmx non-root mode

Returns
VOID
433{
434 //
435 // Check if it's already initialized
436 //
438 {
439 return;
440 }
441
442 //
443 // Indicate that the uninitialization phase started
444 //
446
447 //
448 // Disable MOV to CR3 exiting
449 //
451
452 //
453 // Restore to normal EPTP
454 //
456
457 //
458 // Uninitialize the mode-based execution controls
459 //
461
462 //
463 // Indicate that the execution traps are disabled
464 //
466
467 //
468 // Indicate that the uninitialization phase finished
469 //
471}
VOID ModeBasedExecHookUninitialize()
Uinitialize the needed structure for hooking mode execution.
Definition ModeBasedExecHook.c:275
IMPORT_EXPORT_VMM VOID BroadcastDisableMovToCr3ExitingOnAllProcessors()
routines for debugging threads (disable mov-to-cr3 exiting)
Definition Broadcast.c:491
VOID BroadcastRestoreToNormalEptpOnAllProcessors()
routines for restoring EPTP to normal EPTP
Definition Broadcast.c:458
BOOLEAN g_ExecTrapUnInitializationStarted
Showes whether the uninitialization of the exec trap is started or not.
Definition GlobalVariables.h:169

Variable Documentation

◆ ExecTrapProcessListLock

volatile LONG ExecTrapProcessListLock

The lock for modifying the list of processes for user-mode, kernel-mode execution traps.