HyperDbg Debugger
Loading...
Searching...
No Matches
Functions
ModeBasedExecHook.c File Reference

Implementation of hooks based on Mode-based execution. More...

#include "pch.h"

Functions

BOOLEAN ModeBasedExecHookDisableUserModeExecution (PVMM_EPT_PAGE_TABLE EptTable)
 Adjust (unset) user-mode execution bit of target page-table.
 
BOOLEAN ModeBasedExecHookDisableKernelModeExecution (PVMM_EPT_PAGE_TABLE EptTable)
 Adjust (unset) kernel-mode execution bit of target page-table but allow user-mode execution.
 
BOOLEAN ModeBasedExecHookEnableUsermodeExecution (PVMM_EPT_PAGE_TABLE EptTable)
 Enables user-mode execution bit of target page-table.
 
VOID ModeBasedExecHookEnableOrDisable (VIRTUAL_MACHINE_STATE *VCpu, UINT32 State)
 Enable/disable MBEC.
 
BOOLEAN ModeBasedExecHookInitialize ()
 Initialize the needed structure for hooking mode execution.
 
VOID ModeBasedExecHookUninitialize ()
 Uinitialize the needed structure for hooking mode execution.
 

Detailed Description

Implementation of hooks based on Mode-based execution.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.2
Date
2023-03-16
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ ModeBasedExecHookDisableKernelModeExecution()

BOOLEAN ModeBasedExecHookDisableKernelModeExecution ( PVMM_EPT_PAGE_TABLE EptTable)

Adjust (unset) kernel-mode execution bit of target page-table but allow user-mode execution.

should be called from vmx non-root mode

Parameters
EptTable
Returns
BOOLEAN
68{
69 //
70 // From Intel Manual:
71 // [Bit 2] If the "mode-based execute control for EPT" VM - execution control is 0, execute access;
72 // indicates whether instruction fetches are allowed from the 2-MByte page controlled by this entry.
73 // If that control is 1, execute access for supervisor-mode linear addresses; indicates whether instruction
74 // fetches are allowed from supervisor - mode linear addresses in the 2 - MByte page controlled by this entry
75 //
76
77 //
78 // Set execute access for PML4s
79 //
80 for (size_t i = 0; i < VMM_EPT_PML4E_COUNT; i++)
81 {
82 EptTable->PML4[i].UserModeExecute = TRUE;
83
84 //
85 // We only set the top-level PML4 for intercepting kernel-mode execution
86 //
87 EptTable->PML4[i].ExecuteAccess = FALSE;
88 }
89
90 //
91 // Set execute access for PML3s
92 //
93 for (size_t i = 0; i < VMM_EPT_PML3E_COUNT; i++)
94 {
95 EptTable->PML3[i].UserModeExecute = TRUE;
96 }
97
98 //
99 // Set execute access for PML2s
100 //
101 for (size_t i = 0; i < VMM_EPT_PML3E_COUNT; i++)
102 {
103 for (size_t j = 0; j < VMM_EPT_PML2E_COUNT; j++)
104 {
105 EptTable->PML2[i][j].UserModeExecute = TRUE;
106 }
107 }
108
109 return TRUE;
110}
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
VMM_EPT_PML4E_COUNT
#define VMM_EPT_PML4E_COUNT
The number of 512GB PML4 entries in the page table.
Definition State.h:78
VMM_EPT_PML3E_COUNT
#define VMM_EPT_PML3E_COUNT
The number of 1GB PDPT entries in the page table per 512GB PML4 entry.
Definition State.h:84
VMM_EPT_PML2E_COUNT
#define VMM_EPT_PML2E_COUNT
Then number of 2MB Page Directory entries in the page table per 1GB PML3 entry.
Definition State.h:91
_VMM_EPT_PAGE_TABLE::PML4
EPT_PML4_POINTER PML4[VMM_EPT_PML4E_COUNT]
28.2.2 Describes 512 contiguous 512GB memory regions each with 512 1GB regions.
Definition State.h:110
_VMM_EPT_PAGE_TABLE::PML3
EPT_PML3_POINTER PML3[VMM_EPT_PML3E_COUNT]
Describes exactly 512 contiguous 1GB memory regions within a our singular 512GB PML4 region.
Definition State.h:116
_VMM_EPT_PAGE_TABLE::PML2
EPT_PML2_ENTRY PML2[VMM_EPT_PML3E_COUNT][VMM_EPT_PML2E_COUNT]
For each 1GB PML3 entry, create 512 2MB entries to map identity. NOTE: We are using 2MB pages as the ...
Definition State.h:124

◆ ModeBasedExecHookDisableUserModeExecution()

BOOLEAN ModeBasedExecHookDisableUserModeExecution ( PVMM_EPT_PAGE_TABLE EptTable)

Adjust (unset) user-mode execution bit of target page-table.

should be called from vmx non-root mode

Parameters
EptTable
Returns
BOOLEAN
24{
25 //
26 // Set execute access for PML4s
27 //
28 for (size_t i = 0; i < VMM_EPT_PML4E_COUNT; i++)
29 {
30 //
31 // We only set the top-level PML4 for intercepting user-mode execution
32 //
33 EptTable->PML4[i].UserModeExecute = FALSE;
34 }
35
36 //
37 // Set execute access for PML3s
38 //
39 for (size_t i = 0; i < VMM_EPT_PML3E_COUNT; i++)
40 {
41 EptTable->PML3[i].UserModeExecute = TRUE;
42 }
43
44 //
45 // Set execute access for PML2s
46 //
47 for (size_t i = 0; i < VMM_EPT_PML3E_COUNT; i++)
48 {
49 for (size_t j = 0; j < VMM_EPT_PML2E_COUNT; j++)
50 {
51 EptTable->PML2[i][j].UserModeExecute = TRUE;
52 }
53 }
54
55 return TRUE;
56}

◆ ModeBasedExecHookEnableOrDisable()

VOID ModeBasedExecHookEnableOrDisable ( VIRTUAL_MACHINE_STATE * VCpu,
UINT32 State )

Enable/disable MBEC.

Parameters
VCpuThe virtual processor's state
Returns
VOID
162{
163 if (State == 0x0)
164 {
165 HvSetModeBasedExecutionEnableFlag(FALSE);
166
167 //
168 // MBEC is not enabled anymore!
169 //
170 VCpu->MbecEnabled = FALSE;
171 }
172 else
173 {
174 HvSetModeBasedExecutionEnableFlag(TRUE);
175 }
176}
HvSetModeBasedExecutionEnableFlag
VOID HvSetModeBasedExecutionEnableFlag(BOOLEAN Set)
Set Mode-based Execution Control (MBEC) Enable bit.
Definition Hv.c:677
_VIRTUAL_MACHINE_STATE::MbecEnabled
BOOLEAN MbecEnabled
Definition State.h:301

◆ ModeBasedExecHookEnableUsermodeExecution()

BOOLEAN ModeBasedExecHookEnableUsermodeExecution ( PVMM_EPT_PAGE_TABLE EptTable)

Enables user-mode execution bit of target page-table.

Parameters
EptTable
Returns
BOOLEAN
120{
121 //
122 // Set execute access for PML4s
123 //
124 for (size_t i = 0; i < VMM_EPT_PML4E_COUNT; i++)
125 {
126 //
127 // We only set the top-level PML4 for intercepting user-mode execution
128 //
129 EptTable->PML4[i].UserModeExecute = TRUE;
130 }
131
132 //
133 // Set execute access for PML3s
134 //
135 for (size_t i = 0; i < VMM_EPT_PML3E_COUNT; i++)
136 {
137 EptTable->PML3[i].UserModeExecute = TRUE;
138 }
139
140 //
141 // Set execute access for PML2s
142 //
143 for (size_t i = 0; i < VMM_EPT_PML3E_COUNT; i++)
144 {
145 for (size_t j = 0; j < VMM_EPT_PML2E_COUNT; j++)
146 {
147 EptTable->PML2[i][j].UserModeExecute = TRUE;
148 }
149 }
150
151 return TRUE;
152}

◆ ModeBasedExecHookInitialize()

BOOLEAN ModeBasedExecHookInitialize ( )

Initialize the needed structure for hooking mode execution.

should be called from vmx non-root mode

Returns
BOOLEAN
186{
187 ULONG ProcessorsCount;
188
189 //
190 // Get number of processors
191 //
192 ProcessorsCount = KeQueryActiveProcessorCount(0);
193
194 //
195 // Check if MBEC supported by this processors
196 //
197 if (!g_CompatibilityCheck.ModeBasedExecutionSupport)
198 {
199 return FALSE;
200 }
201
202 //
203 // Check if execute-only feature is supported on this processor or not
204 //
205 if (!g_CompatibilityCheck.ExecuteOnlySupport)
206 {
207 return FALSE;
208 }
209
210 //
211 // Check if it's already initialized or not
212 //
213 if (g_ModeBasedExecutionControlState)
214 {
215 return FALSE;
216 }
217
218 //
219 // Enable EPT user-mode execution bit for the target EPTP
220 //
221 for (size_t i = 0; i < ProcessorsCount; i++)
222 {
223 ModeBasedExecHookEnableUsermodeExecution(g_GuestState[i].EptPageTable);
224 }
225
226 //
227 // Invalidate ALL context on all cores (not necessary here because we will change
228 // it later but let's respect memory primitives)
229 //
230 BroadcastNotifyAllToInvalidateEptAllCores();
231
232 //
233 // Indicate that MBEC is initialized
234 //
235 g_ModeBasedExecutionControlState = TRUE;
236
237 return TRUE;
238}
ULONG
unsigned long ULONG
Definition BasicTypes.h:37
BroadcastNotifyAllToInvalidateEptAllCores
VOID BroadcastNotifyAllToInvalidateEptAllCores()
routines to notify to invalidate their ept on all cores
Definition Broadcast.c:119
g_GuestState
VIRTUAL_MACHINE_STATE * g_GuestState
Save the state and variables related to virtualization on each to logical core.
Definition GlobalVariables.h:38
g_ModeBasedExecutionControlState
BOOLEAN g_ModeBasedExecutionControlState
Enable interception of Cr3 for Mode-based Execution detection.
Definition GlobalVariables.h:120
g_CompatibilityCheck
COMPATIBILITY_CHECKS_STATUS g_CompatibilityCheck
Different attributes and compatibility checks of the current processor.
Definition GlobalVariables.h:26
ModeBasedExecHookEnableUsermodeExecution
BOOLEAN ModeBasedExecHookEnableUsermodeExecution(PVMM_EPT_PAGE_TABLE EptTable)
Enables user-mode execution bit of target page-table.
Definition ModeBasedExecHook.c:119
_COMPATIBILITY_CHECKS_STATUS::ModeBasedExecutionSupport
BOOLEAN ModeBasedExecutionSupport
Definition CompatibilityChecks.h:28
_COMPATIBILITY_CHECKS_STATUS::ExecuteOnlySupport
BOOLEAN ExecuteOnlySupport
Definition CompatibilityChecks.h:29

◆ ModeBasedExecHookUninitialize()

VOID ModeBasedExecHookUninitialize ( )

Uinitialize the needed structure for hooking mode execution.

should be called from vmx non-root mode

Returns
VOID
248{
249 //
250 // Broadcast to disable MBEC on all cores
251 //
252 BroadcasDisableMbecOnAllProcessors();
253
254 //
255 // Indicate that MBEC is disabled
256 //
257 g_ModeBasedExecutionControlState = FALSE;
258}
BroadcasDisableMbecOnAllProcessors
VOID BroadcasDisableMbecOnAllProcessors()
routines for disabling MBEC
Definition Broadcast.c:469