HyperDbg Debugger
SyscallFootprints.h File Reference

Hide the debugger from SYSCALL anti-debugging and anti-hypervisor methods (headers). More...


Classes

struct  _SYSTEM_CODEINTEGRITY_INFORMATION
 System Information for Code Integrity. More...
struct  _SYSTEM_PROCESS_INFORMATION
 System Information for running processes. More...
struct  _SSDT_STRUCT
 SSDT structure. More...
struct  _SYSTEM_MODULE_ENTRY
 Module entry. More...
struct  _SYSTEM_MODULE_INFORMATION
 System Information for modules. More...

Typedefs

typedef enum _SYSTEM_INFORMATION_CLASS SYSTEM_INFORMATION_CLASS
 System information class.
typedef enum _SYSTEM_INFORMATION_CLASS * PSYSTEM_INFORMATION_CLASS
typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION SYSTEM_CODEINTEGRITY_INFORMATION
 System Information for Code Integrity.
typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION * PSYSTEM_CODEINTEGRITY_INFORMATION
typedef struct _SYSTEM_PROCESS_INFORMATION SYSTEM_PROCESS_INFORMATION
 System Information for running processes.
typedef struct _SYSTEM_PROCESS_INFORMATION * PSYSTEM_PROCESS_INFORMATION
typedef struct _SSDT_STRUCT SSDT_STRUCT
 SSDT structure.
typedef struct _SSDT_STRUCT * PSSDT_STRUCT
typedef struct _SYSTEM_MODULE_ENTRY SYSTEM_MODULE_ENTRY
 Module entry.
typedef struct _SYSTEM_MODULE_ENTRY * PSYSTEM_MODULE_ENTRY
typedef struct _SYSTEM_MODULE_INFORMATION SYSTEM_MODULE_INFORMATION
 System Information for modules.
typedef struct _SYSTEM_MODULE_INFORMATION * PSYSTEM_MODULE_INFORMATION
typedef NTSTATUS(NTAPI * ZWQUERYSYSTEMINFORMATION) (IN SYSTEM_INFORMATION_CLASS SystemInformationClass, OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL)

Enumerations

enum  _SYSTEM_INFORMATION_CLASS {
  SystemProcessInformation = 0x05 , SystemExtendedProcessInformation = 0x39 , SystemFullProcessInformation = 0x94 , SystemModuleInformation = 0x0B ,
  SystemKernelDebuggerInformation = 0x23 , SystemCodeIntegrityInformation = 0x67 , SystemFirmwareTableInformation = 0x4C
}
 System information class. More...

Functions

VOID TransparentHandleNtQuerySystemInformationSyscall (GUEST_REGS *Regs)
 Handle the NtQuerySystemInformation system call when transparent mode is enabled.
VOID TransparentHandleNtQueryAttributesFileSyscall (GUEST_REGS *Regs)
 Handle the NtQueryAttributesFile system call when transparent mode is enabled.
VOID TransparentHandleNtSystemDebugControlSyscall (GUEST_REGS *Regs)
 Handle the NtSystemDebugControl system call when transparent mode is enabled.
VOID TransparentHandleNtOpenDirectoryObjectSyscall (GUEST_REGS *Regs)
 Handle the NtOpenDirectoryObject system call when transparent mode is enabled.
VOID TransparentHandleNtQueryInformationProcessSyscall (GUEST_REGS *Regs)
 Handle the NtQueryInformationProcess system call when transparent mode is enabled.
VOID TransparentHandleNtOpenFileSyscall (GUEST_REGS *Regs)
 Handle the NtOpenFile system call when transparent mode is enabled.
VOID TransparentHandleNtOpenKeySyscall (GUEST_REGS *Regs)
 Handle the NtOpenKey system call when transparent mode is enabled.
VOID TransparentHandleNtQueryValueKeySyscall (GUEST_REGS *Regs)
 Handle the NtQueryValueKey system call when transparent mode is enabled.
VOID TransparentHandleNtEnumerateKeySyscall (GUEST_REGS *Regs)
 Handle the NtEnumerateKey system call when transparent mode is enabled.

Variables

SYSTEM_CALL_NUMBERS_INFORMATION g_SystemCallNumbersInformation
 System call numbers information.

Detailed Description

Hide the debugger from SYSCALL anti-debugging and anti-hypervisor methods (headers).

Author
Sina Karvandi (sina@hyperdbg.org)
Version
0.14
Date
2024-06-08

Typedef Documentation

◆ PSSDT_STRUCT

typedef struct _SSDT_STRUCT * PSSDT_STRUCT

◆ PSYSTEM_CODEINTEGRITY_INFORMATION

typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION * PSYSTEM_CODEINTEGRITY_INFORMATION

◆ PSYSTEM_INFORMATION_CLASS

typedef enum _SYSTEM_INFORMATION_CLASS * PSYSTEM_INFORMATION_CLASS

◆ PSYSTEM_MODULE_ENTRY

typedef struct _SYSTEM_MODULE_ENTRY * PSYSTEM_MODULE_ENTRY

◆ PSYSTEM_MODULE_INFORMATION

typedef struct _SYSTEM_MODULE_INFORMATION * PSYSTEM_MODULE_INFORMATION

◆ PSYSTEM_PROCESS_INFORMATION

typedef struct _SYSTEM_PROCESS_INFORMATION * PSYSTEM_PROCESS_INFORMATION

◆ SSDT_STRUCT

typedef struct _SSDT_STRUCT SSDT_STRUCT

SSDT structure.

◆ SYSTEM_CODEINTEGRITY_INFORMATION

typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION SYSTEM_CODEINTEGRITY_INFORMATION

System Information for Code Integrity.

◆ SYSTEM_INFORMATION_CLASS

typedef enum _SYSTEM_INFORMATION_CLASS SYSTEM_INFORMATION_CLASS

System information class.

◆ SYSTEM_MODULE_ENTRY

typedef struct _SYSTEM_MODULE_ENTRY SYSTEM_MODULE_ENTRY

Module entry.

◆ SYSTEM_MODULE_INFORMATION

typedef struct _SYSTEM_MODULE_INFORMATION SYSTEM_MODULE_INFORMATION

System Information for modules.

◆ SYSTEM_PROCESS_INFORMATION

typedef struct _SYSTEM_PROCESS_INFORMATION SYSTEM_PROCESS_INFORMATION

System Information for running processes.

◆ ZWQUERYSYSTEMINFORMATION

typedef NTSTATUS(NTAPI * ZWQUERYSYSTEMINFORMATION) (IN SYSTEM_INFORMATION_CLASS SystemInformationClass, OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL)

Enumeration Type Documentation

◆ _SYSTEM_INFORMATION_CLASS

System information class.

Enumerator
SystemProcessInformation 
SystemExtendedProcessInformation 
SystemFullProcessInformation 
SystemModuleInformation 
SystemKernelDebuggerInformation 
SystemCodeIntegrityInformation 
SystemFirmwareTableInformation 

Function Documentation

◆ TransparentHandleNtEnumerateKeySyscall()

VOID TransparentHandleNtEnumerateKeySyscall ( GUEST_REGS * Regs)

Handle the NtEnumerateKey system call when transparent mode is enabled.

Parameters
Regs: The virtual processor's state of registers
Returns
VOID

{
    //
    // Set up the context parameters for the interception callback
    // (R8 carries KeyInformationClass, R9 the KeyInformation buffer pointer)
    //
    SYSCALL_CALLBACK_CONTEXT_PARAMS ContextParams = {0};
    ContextParams.OptionalParam1 = Regs->r8;
    ContextParams.OptionalParam2 = Regs->r9;

    //
    // Read the 5th argument (Length) of the system call from the stack at location %RSP + 0x28
    //
    if (g_Callbacks.CheckAccessValidityAndSafety(Regs->rsp + 0x28, sizeof(UINT64)))
    {
        g_Callbacks.MemoryMapperReadMemorySafeOnTargetProcess((UINT64)(Regs->rsp + 0x28), &ContextParams.OptionalParam3, sizeof(ULONG));
    }
    else
    {
        LogInfo("Process 0x%llx on thread %llx executed NtEnumerateKey systemcall but reading the provided arguments from %%RSP failed", HANDLE_TO_UINT32(PsGetCurrentProcessId()), HANDLE_TO_UINT32(PsGetCurrentThreadId()));
        return;
    }

    //
    // Read the 6th argument (ResultLength pointer) of the system call from the stack at location %RSP + 0x30
    //
    if (g_Callbacks.CheckAccessValidityAndSafety(Regs->rsp + 0x30, sizeof(UINT64)))
    {
        g_Callbacks.MemoryMapperReadMemorySafeOnTargetProcess((UINT64)(Regs->rsp + 0x30), &ContextParams.OptionalParam4, sizeof(UINT64));
    }
    else
    {
        LogInfo("Process 0x%llx on thread %llx executed NtEnumerateKey systemcall but reading the provided arguments from %%RSP failed", HANDLE_TO_UINT32(PsGetCurrentProcessId()), HANDLE_TO_UINT32(PsGetCurrentThreadId()));
        return;
    }

    //
    // If the call was made without an allocated buffer (with size 0)
    // we have no need to intercept it
    //
    if (ContextParams.OptionalParam3 == 0)
    {
        return;
    }

    //
    // Set the trap flag to intercept the SYSRET instruction
    //
    g_Callbacks.SyscallCallbackSetTrapFlagAfterSyscall(Regs,
                                                      HANDLE_TO_UINT32(PsGetCurrentProcessId()),
                                                      HANDLE_TO_UINT32(PsGetCurrentThreadId()),
                                                      Regs->rax,
                                                      &ContextParams);
}

◆ TransparentHandleNtOpenDirectoryObjectSyscall()

VOID TransparentHandleNtOpenDirectoryObjectSyscall ( GUEST_REGS * Regs)

Handle the NtOpenDirectoryObject system call when transparent mode is enabled.

Parameters
Regs: The virtual processor's state of registers
Returns
VOID

{
    //
    // Set up the context data for the callback after SYSRET
    // (R10 holds the caller's DirectoryHandle output pointer)
    //
    SYSCALL_CALLBACK_CONTEXT_PARAMS ContextParams = {0};
    ContextParams.OptionalParam1 = Regs->r10;

    //
    // Check if the pointer given as the 3rd argument to the system call with type POBJECT_ATTRIBUTES is valid
    //
    if (g_Callbacks.CheckAccessValidityAndSafety(Regs->r8, sizeof(OBJECT_ATTRIBUTES)))
    {
        //
        // From the POBJECT_ATTRIBUTES structure obtain the wide character string of the requested directory path
        //
        PVOID PathBuf = TransparentGetObjectNameFromAttributesVirtualPointer(Regs->r8);
        PWCH  DirPath = (PWCH)PathBuf;

        if (DirPath == NULL)
        {
            return;
        }

        //
        // If the directory object request is for a listed directory, insert the SYSCALL trap flag and continue execution
        //
        for (UINT16 j = 0; j < (sizeof(HV_DIRS) / sizeof(HV_DIRS[0])); j++)
        {
            if (wcsstr(DirPath, HV_DIRS[j]))
            {
                g_Callbacks.SyscallCallbackSetTrapFlagAfterSyscall(Regs,
                                                                  HANDLE_TO_UINT32(PsGetCurrentProcessId()),
                                                                  HANDLE_TO_UINT32(PsGetCurrentThreadId()),
                                                                  Regs->rax,
                                                                  &ContextParams);

                break;
            }
        }

        //
        // Free the allocated copy of the directory path, obtained from TransparentGetObjectNameFromAttributesVirtualPointer()
        //
        PlatformMemFreePool(PathBuf);
    }
}

◆ TransparentHandleNtOpenFileSyscall()

VOID TransparentHandleNtOpenFileSyscall ( GUEST_REGS * Regs)

Handle the NtOpenFile system call when transparent mode is enabled.

Parameters
Regs: The virtual processor's state of registers
Returns
VOID

{
    //
    // Check if the user-mode pointer in R8 to an OBJECT_ATTRIBUTES struct is valid
    //
    if (g_Callbacks.CheckAccessValidityAndSafety(Regs->r8, sizeof(OBJECT_ATTRIBUTES)))
    {
        //
        // From the OBJECT_ATTRIBUTES struct pointer extract the file path for which this syscall is called
        //
        PVOID NameBuf  = TransparentGetObjectNameFromAttributesVirtualPointer(Regs->r8);
        PWCH  FileName = (PWCH)NameBuf;
        if (FileName == NULL)
        {
            return;
        }

        //
        // Check if the requested file includes any hypervisor specific strings
        // This also checks parent directory names of the requested file
        //
        for (UINT16 j = 0; j < (sizeof(HV_FILES) / sizeof(HV_FILES[0])); j++)
        {
            if (wcsstr(FileName, HV_FILES[j]))
            {
                LogInfo("A call to NtOpenFile systemcall for a hypervisor specific file was made");

                //
                // If a match was found, corrupt the user-mode pointers in CPU registers (FileHandle in R10,
                // ObjectAttributes in R8), so that, when the kernel-mode execution continues, it would fail.
                //
                Regs->r8  = 0x0;
                Regs->r10 = 0x0;

                //
                // Set the trap flag to intercept the SYSRET instruction
                //
                SYSCALL_CALLBACK_CONTEXT_PARAMS ContextParams = {0};
                g_Callbacks.SyscallCallbackSetTrapFlagAfterSyscall(Regs,
                                                                  HANDLE_TO_UINT32(PsGetCurrentProcessId()),
                                                                  HANDLE_TO_UINT32(PsGetCurrentThreadId()),
                                                                  Regs->rax,
                                                                  &ContextParams);

                break;
            }
        }

        //
        // Clean up the allocated memory
        //
        PlatformMemFreePool(NameBuf);
    }
}

◆ TransparentHandleNtOpenKeySyscall()

VOID TransparentHandleNtOpenKeySyscall ( GUEST_REGS * Regs)

Handle the NtOpenKey system call when transparent mode is enabled.

Parameters
Regs: The virtual processor's state of registers
Returns
VOID

{
    //
    // Check if the user-mode pointer in R8 to an OBJECT_ATTRIBUTES struct is valid
    //
    if (g_Callbacks.CheckAccessValidityAndSafety(Regs->r8, sizeof(OBJECT_ATTRIBUTES)))
    {
        //
        // From the OBJECT_ATTRIBUTES struct pointer extract the registry key path for which this syscall is called
        //
        PVOID NameBuf = TransparentGetObjectNameFromAttributesVirtualPointer(Regs->r8);
        PWCH  KeyName = (PWCH)NameBuf;

        if (KeyName == NULL)
        {
            LogInfo("BADRET");
            return;
        }

        //
        // Check if the requested registry entry path includes any hypervisor specific strings
        //
        for (UINT16 j = 0; j < (sizeof(HV_REGKEYS) / sizeof(HV_REGKEYS[0])); j++)
        {
            if (wcsstr(KeyName, HV_REGKEYS[j]) != NULL)
            {
                //
                // If a match was found, corrupt the user-mode pointer in CPU registers, so that, when the kernel-mode execution continues, it would fail.
                //
                Regs->r8 = 0x0;

                //
                // Set the trap flag to intercept the SYSRET instruction
                //
                SYSCALL_CALLBACK_CONTEXT_PARAMS ContextParams = {0};
                g_Callbacks.SyscallCallbackSetTrapFlagAfterSyscall(Regs,
                                                                  HANDLE_TO_UINT32(PsGetCurrentProcessId()),
                                                                  HANDLE_TO_UINT32(PsGetCurrentThreadId()),
                                                                  Regs->rax,
                                                                  &ContextParams);

                break;
            }
        }

        //
        // Clean up the allocated memory
        //
        PlatformMemFreePool(NameBuf);
    }
}

◆ TransparentHandleNtQueryAttributesFileSyscall()

VOID TransparentHandleNtQueryAttributesFileSyscall ( GUEST_REGS * Regs)

Handle the NtQueryAttributesFile system call when transparent mode is enabled.

Parameters
Regs: The virtual processor's state of registers
Returns
VOID

{
    //
    // RDX holds the caller's FileInformation output buffer, which the SYSRET callback needs
    //
    SYSCALL_CALLBACK_CONTEXT_PARAMS ContextParams = {0};
    ContextParams.OptionalParam1 = Regs->rdx;

    //
    // Check if the pointer given as the 1st argument to the system call (in R10) with type POBJECT_ATTRIBUTES is valid
    //
    if (g_Callbacks.CheckAccessValidityAndSafety(Regs->r10, sizeof(OBJECT_ATTRIBUTES)))
    {
        //
        // From the POBJECT_ATTRIBUTES structure obtain the wide character string of the requested file path
        //
        PVOID PathBuf  = TransparentGetObjectNameFromAttributesVirtualPointer(Regs->r10);
        PWCH  FilePath = (PWCH)PathBuf;

        //
        // Nothing to match against if the object name could not be copied
        //
        if (FilePath == NULL)
        {
            return;
        }

        //
        // If the file attributes request is for a listed file, insert the SYSCALL trap flag and continue execution
        //
        for (UINT16 j = 0; j < (sizeof(HV_FILES) / sizeof(HV_FILES[0])); j++)
        {
            if (wcsstr(FilePath, HV_FILES[j]))
            {
                g_Callbacks.SyscallCallbackSetTrapFlagAfterSyscall(Regs,
                                                                  HANDLE_TO_UINT32(PsGetCurrentProcessId()),
                                                                  HANDLE_TO_UINT32(PsGetCurrentThreadId()),
                                                                  Regs->rax,
                                                                  &ContextParams);

                break;
            }
        }

        //
        // Free the allocated copy of the file path, obtained from TransparentGetObjectNameFromAttributesVirtualPointer()
        //
        PlatformMemFreePool(PathBuf);
    }
}

◆ TransparentHandleNtQueryInformationProcessSyscall()

VOID TransparentHandleNtQueryInformationProcessSyscall ( GUEST_REGS * Regs)

Handle the NtQueryInformationProcess system call when transparent mode is enabled.

Parameters
Regs: The virtual processor's state of registers
Returns
VOID

{
    //
    // Set up the context parameters for the interception callback
    //
    SYSCALL_CALLBACK_CONTEXT_PARAMS ContextParams = {0};
    ContextParams.OptionalParam1 = Regs->rdx; // ProcessInformationClass
    ContextParams.OptionalParam2 = Regs->r8;  // BufferPtr (ProcessInformation)
    ContextParams.OptionalParam3 = Regs->r9;  // BufferSize (ProcessInformationLength)

    //
    // Set the trap flag to intercept the SYSRET instruction
    //
    g_Callbacks.SyscallCallbackSetTrapFlagAfterSyscall(Regs,
                                                      HANDLE_TO_UINT32(PsGetCurrentProcessId()),
                                                      HANDLE_TO_UINT32(PsGetCurrentThreadId()),
                                                      Regs->rax,
                                                      &ContextParams);
}

◆ TransparentHandleNtQuerySystemInformationSyscall()

VOID TransparentHandleNtQuerySystemInformationSyscall ( GUEST_REGS * Regs)

Handle the NtQuerySystemInformation system call when transparent mode is enabled.

Parameters
Regs: The virtual processor's state of registers
Returns
VOID

{
    SYSCALL_CALLBACK_CONTEXT_PARAMS ContextParams = {0};

    //
    // R10 = SystemInformationClass, RDX = SystemInformation buffer, R8 = SystemInformationLength
    //
    switch (Regs->r10)
    {
    // case labels and the OptionalParam1 assignment of this block are elided in the rendered listing
    {
        ContextParams.OptionalParam2 = Regs->rdx;
        ContextParams.OptionalParam3 = Regs->r8 - 0x400;

        g_Callbacks.SyscallCallbackSetTrapFlagAfterSyscall(Regs,
                                                          HANDLE_TO_UINT32(PsGetCurrentProcessId()),
                                                          HANDLE_TO_UINT32(PsGetCurrentThreadId()),
                                                          Regs->rax,
                                                          &ContextParams);

        break;
    }
    // case label and the OptionalParam1 assignment of this block are elided in the rendered listing
    {
        ContextParams.OptionalParam2 = Regs->rdx;
        ContextParams.OptionalParam3 = Regs->r8;

        g_Callbacks.SyscallCallbackSetTrapFlagAfterSyscall(Regs,
                                                          HANDLE_TO_UINT32(PsGetCurrentProcessId()),
                                                          HANDLE_TO_UINT32(PsGetCurrentThreadId()),
                                                          Regs->rax,
                                                          &ContextParams);

        break;
    }
    // case label and the OptionalParam1 assignment of this block are elided in the rendered listing
    {
        ContextParams.OptionalParam2 = Regs->rdx;
        ContextParams.OptionalParam3 = Regs->r8;

        g_Callbacks.SyscallCallbackSetTrapFlagAfterSyscall(Regs,
                                                          HANDLE_TO_UINT32(PsGetCurrentProcessId()),
                                                          HANDLE_TO_UINT32(PsGetCurrentThreadId()),
                                                          Regs->rax,
                                                          &ContextParams);
        break;
    }
    // case label and the OptionalParam1 assignment of this block are elided in the rendered listing
    {
        ContextParams.OptionalParam2 = Regs->rdx;
        ContextParams.OptionalParam3 = 0x8;

        g_Callbacks.SyscallCallbackSetTrapFlagAfterSyscall(Regs,
                                                          HANDLE_TO_UINT32(PsGetCurrentProcessId()),
                                                          HANDLE_TO_UINT32(PsGetCurrentThreadId()),
                                                          Regs->rax,
                                                          &ContextParams);
        break;
    }

    //
    // Currently the SystemFirmwareTableInformation transparent handler is not implemented,
    // as the queries produce a data buffer too large to safely copy and modify in root-mode
    //

    // case SystemFirmwareTableInformation:
    // {
    //
    //     ContextParams.OptionalParam1 = SystemFirmwareTableInformation;
    //     ContextParams.OptionalParam2 = Regs->rdx;
    //     ContextParams.OptionalParam3 = Regs->r8;
    //     ContextParams.OptionalParam4 = Regs->r9;
    //
    //     g_Callbacks.SyscallCallbackSetTrapFlagAfterSyscall(Regs,
    //                                                       HANDLE_TO_UINT32(PsGetCurrentProcessId()),
    //                                                       HANDLE_TO_UINT32(PsGetCurrentThreadId()),
    //                                                       Regs->rax,
    //                                                       &ContextParams);
    //     break;
    // }
    default:
    {
        return;
    }
    }
}

◆ TransparentHandleNtQueryValueKeySyscall()

VOID TransparentHandleNtQueryValueKeySyscall ( GUEST_REGS * Regs)

Handle the NtQueryValueKey system call when transparent mode is enabled.

Parameters
Regs: The virtual processor's state of registers
Returns
VOID

{
    //
    // Check if the user-mode pointer in RDX to a UNICODE_STRING struct (ValueName) is valid
    //
    if (g_Callbacks.CheckAccessValidityAndSafety(Regs->rdx, sizeof(UNICODE_STRING)))
    {
        UNICODE_STRING NameUString = {0};

        //
        // Read the UNICODE_STRING structure from the virtual address pointed to by RDX
        //
        if (!g_Callbacks.MemoryMapperReadMemorySafeOnTargetProcess(Regs->rdx, &NameUString, sizeof(UNICODE_STRING)))
            return;

        //
        // Read the PWCH wide char string from the address pointer in the UNICODE_STRING.
        // Length excludes the terminator, so only Length bytes are copied from user memory;
        // the extra WCHAR of the zeroed allocation supplies the NUL terminator for wcscmp/wcsstr.
        //
        PVOID NameBuf = PlatformMemAllocateZeroedNonPagedPool(NameUString.Length + sizeof(WCHAR));
        if (NameBuf == NULL)
        {
            return;
        }

        if (NameUString.Length != 0 &&
            !g_Callbacks.MemoryMapperReadMemorySafeOnTargetProcess((UINT64)NameUString.Buffer, NameBuf, NameUString.Length))
        {
            PlatformMemFreePool(NameBuf);
            return;
        }

        PWCH KeyName = (PWCH)NameBuf;

        //
        // If the registry value request was for a key that could contain hypervisor specific information in its data,
        // the return buffer (%R9) needs to be modified, but the buffer length is in the user-mode stack
        //
        for (ULONG i = 0; i < (sizeof(TRANSPARENT_DETECTABLE_REGISTRY_KEYS) / sizeof(TRANSPARENT_DETECTABLE_REGISTRY_KEYS[0])); i++)
        {
            if (!wcscmp(KeyName, TRANSPARENT_DETECTABLE_REGISTRY_KEYS[i]))
            {
                //
                // If a match is found, set up the context values and set the trap flag for the SYSRET callback
                // (R8 = KeyValueInformationClass, R9 = KeyValueInformation buffer)
                //
                SYSCALL_CALLBACK_CONTEXT_PARAMS ContextParams = {0};

                ContextParams.OptionalParam1 = Regs->r8;
                ContextParams.OptionalParam2 = Regs->r9;

                //
                // Read the 5th argument (Length) of the system call from the stack at location %RSP + 0x28
                //
                if (g_Callbacks.CheckAccessValidityAndSafety(Regs->rsp + 0x28, sizeof(UINT64)))
                {
                    g_Callbacks.MemoryMapperReadMemorySafeOnTargetProcess((UINT64)(Regs->rsp + 0x28), &ContextParams.OptionalParam3, sizeof(ULONG));
                }
                else
                {
                    LogInfo("Process 0x%llx on thread %llx executed NtQueryValueKey systemcall but reading the provided arguments from %%RSP failed", HANDLE_TO_UINT32(PsGetCurrentProcessId()), HANDLE_TO_UINT32(PsGetCurrentThreadId()));

                    PlatformMemFreePool(NameBuf);
                    return;
                }

                //
                // Read the 6th argument (ResultLength pointer) of the system call from the stack at location %RSP + 0x30
                //
                if (g_Callbacks.CheckAccessValidityAndSafety(Regs->rsp + 0x30, sizeof(UINT64)))
                {
                    g_Callbacks.MemoryMapperReadMemorySafeOnTargetProcess((UINT64)(Regs->rsp + 0x30), &ContextParams.OptionalParam4, sizeof(UINT64));
                }
                else
                {
                    LogInfo("Process 0x%llx on thread %llx executed NtQueryValueKey systemcall but reading the provided arguments from %%RSP failed", HANDLE_TO_UINT32(PsGetCurrentProcessId()), HANDLE_TO_UINT32(PsGetCurrentThreadId()));

                    PlatformMemFreePool(NameBuf);
                    return;
                }

                //
                // Set the trap flag to intercept the SYSRET instruction
                //
                g_Callbacks.SyscallCallbackSetTrapFlagAfterSyscall(Regs,
                                                                  HANDLE_TO_UINT32(PsGetCurrentProcessId()),
                                                                  HANDLE_TO_UINT32(PsGetCurrentThreadId()),
                                                                  Regs->rax,
                                                                  &ContextParams);

                //
                // Clean-up and return to guest execution
                //
                PlatformMemFreePool(NameBuf);
                return;
            }
        }

        //
        // If the call was for a registry key that contains a hypervisor specific string,
        // the user-mode caller should just receive an error return code, not a modified data buffer
        //
        for (UINT16 j = 1; j < (sizeof(HV_REGKEYS) / sizeof(HV_REGKEYS[0])); j++)
        {
            if (wcsstr(KeyName, HV_REGKEYS[j]) != NULL)
            {
                //
                // When the match is found, corrupt the buffer pointers in the registers
                // (ValueName in RDX, KeyValueInformation in R9) and set the SYSRET callback trap flag
                //
                SYSCALL_CALLBACK_CONTEXT_PARAMS ContextParams = {0};

                Regs->rdx = 0x0;
                Regs->r9  = 0x0;

                //
                // Set the trap flag to intercept the SYSRET instruction
                //
                g_Callbacks.SyscallCallbackSetTrapFlagAfterSyscall(Regs,
                                                                  HANDLE_TO_UINT32(PsGetCurrentProcessId()),
                                                                  HANDLE_TO_UINT32(PsGetCurrentThreadId()),
                                                                  Regs->rax,
                                                                  &ContextParams);

                break;
            }
        }

        //
        // Clean up the allocated memory
        //
        PlatformMemFreePool(NameBuf);
    }
}

◆ TransparentHandleNtSystemDebugControlSyscall()

VOID TransparentHandleNtSystemDebugControlSyscall ( GUEST_REGS * Regs)

Handle the NtSystemDebugControl system call when transparent mode is enabled.

Parameters
Regs: The virtual processor's state of registers
Returns
VOID

{
    //
    // Corrupt the system call arguments (the OutputBuffer pointer in R9), to cause the kernel to return an error
    //
    Regs->r9 = 0x0;

    SYSCALL_CALLBACK_CONTEXT_PARAMS ContextParams = {0};

    //
    // Set the trap flag to intercept the SYSRET instruction
    //
    g_Callbacks.SyscallCallbackSetTrapFlagAfterSyscall(Regs,
                                                      HANDLE_TO_UINT32(PsGetCurrentProcessId()),
                                                      HANDLE_TO_UINT32(PsGetCurrentThreadId()),
                                                      Regs->rax,
                                                      &ContextParams);
}

Variable Documentation

◆ g_SystemCallNumbersInformation

SYSTEM_CALL_NUMBERS_INFORMATION g_SystemCallNumbersInformation

System call numbers information.
