HyperDbg Debugger
Loading...
Searching...
No Matches
Classes | Macros | Typedefs | Functions | Variables
ModeBasedExecHook.h File Reference

Hook headers for Mode-based execution. More...

Go to the source code of this file.

Classes

struct  MODE_BASED_RAM_REGIONS
 The RAM regions. More...
 

Macros

#define MAX_PHYSICAL_RAM_RANGE_COUNT   32
 

Typedefs

typedef struct MODE_BASED_RAM_REGIONS MODE_BASED_RAM_REGIONS
 The RAM regions.
 
typedef struct MODE_BASED_RAM_REGIONSPMODE_BASED_RAM_REGIONS
 

Functions

VOID ModeBasedExecHookEnableOrDisable (VIRTUAL_MACHINE_STATE *VCpu, UINT32 State)
 Enable/disable MBEC.
 
VOID ModeBasedExecHookUninitialize ()
 Uinitialize the needed structure for hooking mode execution.
 
BOOLEAN ModeBasedExecHookInitialize ()
 Initialize the needed structure for hooking mode execution.
 
BOOLEAN ModeBasedExecHookDisableUserModeExecution (PVMM_EPT_PAGE_TABLE EptTable)
 Adjust (unset) user-mode execution bit of target page-table.
 
BOOLEAN ModeBasedExecHookDisableKernelModeExecution (PVMM_EPT_PAGE_TABLE EptTable)
 Adjust (unset) kernel-mode execution bit of target page-table but allow user-mode execution.
 

Variables

MODE_BASED_RAM_REGIONS PhysicalRamRegions [MAX_PHYSICAL_RAM_RANGE_COUNT]
 

Detailed Description

Hook headers for Mode-based execution.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.2
Date
2023-03-17
Copyright
This project is released under the GNU Public License v3.

Macro Definition Documentation

◆ MAX_PHYSICAL_RAM_RANGE_COUNT

#define MAX_PHYSICAL_RAM_RANGE_COUNT   32

Typedef Documentation

◆ MODE_BASED_RAM_REGIONS

typedef struct MODE_BASED_RAM_REGIONS MODE_BASED_RAM_REGIONS

The RAM regions.

◆ PMODE_BASED_RAM_REGIONS

typedef struct MODE_BASED_RAM_REGIONS * PMODE_BASED_RAM_REGIONS

Function Documentation

◆ ModeBasedExecHookDisableKernelModeExecution()

BOOLEAN ModeBasedExecHookDisableKernelModeExecution ( PVMM_EPT_PAGE_TABLE EptTable)

Adjust (unset) kernel-mode execution bit of target page-table but allow user-mode execution.

should be called from vmx non-root mode

Parameters
EptTable
Returns
BOOLEAN
68{
69 //
70 // From Intel Manual:
71 // [Bit 2] If the "mode-based execute control for EPT" VM - execution control is 0, execute access;
72 // indicates whether instruction fetches are allowed from the 2-MByte page controlled by this entry.
73 // If that control is 1, execute access for supervisor-mode linear addresses; indicates whether instruction
74 // fetches are allowed from supervisor - mode linear addresses in the 2 - MByte page controlled by this entry
75 //
76
77 //
78 // Set execute access for PML4s
79 //
80 for (size_t i = 0; i < VMM_EPT_PML4E_COUNT; i++)
81 {
82 EptTable->PML4[i].UserModeExecute = TRUE;
83
84 //
85 // We only set the top-level PML4 for intercepting kernel-mode execution
86 //
87 EptTable->PML4[i].ExecuteAccess = FALSE;
88 }
89
90 //
91 // Set execute access for PML3s
92 //
93 for (size_t i = 0; i < VMM_EPT_PML3E_COUNT; i++)
94 {
95 EptTable->PML3[i].UserModeExecute = TRUE;
96 }
97
98 //
99 // Set execute access for PML2s
100 //
101 for (size_t i = 0; i < VMM_EPT_PML3E_COUNT; i++)
102 {
103 for (size_t j = 0; j < VMM_EPT_PML2E_COUNT; j++)
104 {
105 EptTable->PML2[i][j].UserModeExecute = TRUE;
106 }
107 }
108
109 return TRUE;
110}
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
VMM_EPT_PML4E_COUNT
#define VMM_EPT_PML4E_COUNT
The number of 512GB PML4 entries in the page table.
Definition State.h:78
VMM_EPT_PML3E_COUNT
#define VMM_EPT_PML3E_COUNT
The number of 1GB PDPT entries in the page table per 512GB PML4 entry.
Definition State.h:84
VMM_EPT_PML2E_COUNT
#define VMM_EPT_PML2E_COUNT
Then number of 2MB Page Directory entries in the page table per 1GB PML3 entry.
Definition State.h:91
_VMM_EPT_PAGE_TABLE::PML4
EPT_PML4_POINTER PML4[VMM_EPT_PML4E_COUNT]
28.2.2 Describes 512 contiguous 512GB memory regions each with 512 1GB regions.
Definition State.h:110
_VMM_EPT_PAGE_TABLE::PML3
EPT_PML3_POINTER PML3[VMM_EPT_PML3E_COUNT]
Describes exactly 512 contiguous 1GB memory regions within a our singular 512GB PML4 region.
Definition State.h:116
_VMM_EPT_PAGE_TABLE::PML2
EPT_PML2_ENTRY PML2[VMM_EPT_PML3E_COUNT][VMM_EPT_PML2E_COUNT]
For each 1GB PML3 entry, create 512 2MB entries to map identity. NOTE: We are using 2MB pages as the ...
Definition State.h:124

◆ ModeBasedExecHookDisableUserModeExecution()

BOOLEAN ModeBasedExecHookDisableUserModeExecution ( PVMM_EPT_PAGE_TABLE EptTable)

Adjust (unset) user-mode execution bit of target page-table.

should be called from vmx non-root mode

Parameters
EptTable
Returns
BOOLEAN
24{
25 //
26 // Set execute access for PML4s
27 //
28 for (size_t i = 0; i < VMM_EPT_PML4E_COUNT; i++)
29 {
30 //
31 // We only set the top-level PML4 for intercepting user-mode execution
32 //
33 EptTable->PML4[i].UserModeExecute = FALSE;
34 }
35
36 //
37 // Set execute access for PML3s
38 //
39 for (size_t i = 0; i < VMM_EPT_PML3E_COUNT; i++)
40 {
41 EptTable->PML3[i].UserModeExecute = TRUE;
42 }
43
44 //
45 // Set execute access for PML2s
46 //
47 for (size_t i = 0; i < VMM_EPT_PML3E_COUNT; i++)
48 {
49 for (size_t j = 0; j < VMM_EPT_PML2E_COUNT; j++)
50 {
51 EptTable->PML2[i][j].UserModeExecute = TRUE;
52 }
53 }
54
55 return TRUE;
56}

◆ ModeBasedExecHookEnableOrDisable()

VOID ModeBasedExecHookEnableOrDisable ( VIRTUAL_MACHINE_STATE * VCpu,
UINT32 State )

Enable/disable MBEC.

Parameters
VCpuThe virtual processor's state
Returns
VOID
162{
163 if (State == 0x0)
164 {
165 HvSetModeBasedExecutionEnableFlag(FALSE);
166
167 //
168 // MBEC is not enabled anymore!
169 //
170 VCpu->MbecEnabled = FALSE;
171 }
172 else
173 {
174 HvSetModeBasedExecutionEnableFlag(TRUE);
175 }
176}
HvSetModeBasedExecutionEnableFlag
VOID HvSetModeBasedExecutionEnableFlag(BOOLEAN Set)
Set Mode-based Execution Control (MBEC) Enable bit.
Definition Hv.c:677
_VIRTUAL_MACHINE_STATE::MbecEnabled
BOOLEAN MbecEnabled
Definition State.h:301

◆ ModeBasedExecHookInitialize()

BOOLEAN ModeBasedExecHookInitialize ( )

Initialize the needed structure for hooking mode execution.

should be called from vmx non-root mode

Returns
BOOLEAN
186{
187 ULONG ProcessorsCount;
188
189 //
190 // Get number of processors
191 //
192 ProcessorsCount = KeQueryActiveProcessorCount(0);
193
194 //
195 // Check if MBEC supported by this processors
196 //
197 if (!g_CompatibilityCheck.ModeBasedExecutionSupport)
198 {
199 return FALSE;
200 }
201
202 //
203 // Check if execute-only feature is supported on this processor or not
204 //
205 if (!g_CompatibilityCheck.ExecuteOnlySupport)
206 {
207 return FALSE;
208 }
209
210 //
211 // Check if it's already initialized or not
212 //
213 if (g_ModeBasedExecutionControlState)
214 {
215 return FALSE;
216 }
217
218 //
219 // Enable EPT user-mode execution bit for the target EPTP
220 //
221 for (size_t i = 0; i < ProcessorsCount; i++)
222 {
223 ModeBasedExecHookEnableUsermodeExecution(g_GuestState[i].EptPageTable);
224 }
225
226 //
227 // Invalidate ALL context on all cores (not necessary here because we will change
228 // it later but let's respect memory primitives)
229 //
230 BroadcastNotifyAllToInvalidateEptAllCores();
231
232 //
233 // Indicate that MBEC is initialized
234 //
235 g_ModeBasedExecutionControlState = TRUE;
236
237 return TRUE;
238}
ULONG
unsigned long ULONG
Definition BasicTypes.h:37
BroadcastNotifyAllToInvalidateEptAllCores
VOID BroadcastNotifyAllToInvalidateEptAllCores()
routines to notify to invalidate their ept on all cores
Definition Broadcast.c:119
g_GuestState
VIRTUAL_MACHINE_STATE * g_GuestState
Save the state and variables related to virtualization on each to logical core.
Definition GlobalVariables.h:38
g_ModeBasedExecutionControlState
BOOLEAN g_ModeBasedExecutionControlState
Enable interception of Cr3 for Mode-based Execution detection.
Definition GlobalVariables.h:120
g_CompatibilityCheck
COMPATIBILITY_CHECKS_STATUS g_CompatibilityCheck
Different attributes and compatibility checks of the current processor.
Definition GlobalVariables.h:26
ModeBasedExecHookEnableUsermodeExecution
BOOLEAN ModeBasedExecHookEnableUsermodeExecution(PVMM_EPT_PAGE_TABLE EptTable)
Enables user-mode execution bit of target page-table.
Definition ModeBasedExecHook.c:119
_COMPATIBILITY_CHECKS_STATUS::ModeBasedExecutionSupport
BOOLEAN ModeBasedExecutionSupport
Definition CompatibilityChecks.h:28
_COMPATIBILITY_CHECKS_STATUS::ExecuteOnlySupport
BOOLEAN ExecuteOnlySupport
Definition CompatibilityChecks.h:29

◆ ModeBasedExecHookUninitialize()

VOID ModeBasedExecHookUninitialize ( )

Uinitialize the needed structure for hooking mode execution.

should be called from vmx non-root mode

Returns
VOID
248{
249 //
250 // Broadcast to disable MBEC on all cores
251 //
252 BroadcasDisableMbecOnAllProcessors();
253
254 //
255 // Indicate that MBEC is disabled
256 //
257 g_ModeBasedExecutionControlState = FALSE;
258}
BroadcasDisableMbecOnAllProcessors
VOID BroadcasDisableMbecOnAllProcessors()
routines for disabling MBEC
Definition Broadcast.c:469

Variable Documentation

◆ PhysicalRamRegions

MODE_BASED_RAM_REGIONS PhysicalRamRegions[MAX_PHYSICAL_RAM_RANGE_COUNT]