HyperDbg Debugger
Loading...
Searching...
No Matches
Functions
Vmcall.c File Reference

The main VMCALL and Hypercall handler. More...

#include "pch.h"

Functions

_Use_decl_annotations_ NTSTATUS VmxHypervVmcallHandler (VIRTUAL_MACHINE_STATE *VCpu, PGUEST_REGS GuestRegs)
 Handle vm-exits of VMCALLs.
 
_Use_decl_annotations_ NTSTATUS VmxHandleVmcallVmExit (VIRTUAL_MACHINE_STATE *VCpu)
 Handle vm-exits of VMCALLs.
 
NTSTATUS VmxVmcallDirectVmcallHandler (VIRTUAL_MACHINE_STATE *VCpu, UINT64 VmcallNumber, DIRECT_VMCALL_PARAMETERS *DirectVmcallOptions)
 Direct Vmcall Handler.
 
_Use_decl_annotations_ NTSTATUS VmxVmcallHandler (VIRTUAL_MACHINE_STATE *VCpu, UINT64 VmcallNumber, UINT64 OptionalParam1, UINT64 OptionalParam2, UINT64 OptionalParam3)
 Main Vmcall Handler.
 
NTSTATUS VmcallTest (_In_ UINT64 Param1, _In_ UINT64 Param2, _In_ UINT64 Param3)
 Test Vmcall (VMCALL_TEST)
 

Detailed Description

The main VMCALL and Hypercall handler.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2020-04-11
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ VmcallTest()

NTSTATUS VmcallTest ( _In_ UINT64 Param1,
_In_ UINT64 Param2,
_In_ UINT64 Param3 )

Test Vmcall (VMCALL_TEST)

Test function which shows a message to test a successful VMCALL.

Parameters
Param1
Param2
Param3
Returns
NTSTATUS
484{
485 LogDebugInfo("VmcallTest called with @Param1 = 0x%llx , @Param2 = 0x%llx , @Param3 = 0x%llx",
486 Param1,
487 Param2,
488 Param3);
489
490 //
491 // Send one byte buffer to show that Hypervisor
492 // is successfully loaded
493 //
494 LogCallbackSendBuffer(OPERATION_HYPERVISOR_DRIVER_IS_SUCCESSFULLY_LOADED,
495 "$",
496 sizeof(CHAR),
497 TRUE);
498
499 return STATUS_SUCCESS;
500}
TRUE
#define TRUE
Definition BasicTypes.h:55
CHAR
char CHAR
Definition BasicTypes.h:31
LogCallbackSendBuffer
BOOLEAN LogCallbackSendBuffer(_In_ UINT32 OperationCode, _In_reads_bytes_(BufferLength) PVOID Buffer, _In_ UINT32 BufferLength, _In_ BOOLEAN Priority)
routines callback for sending buffer
Definition Callback.c:123
OPERATION_HYPERVISOR_DRIVER_IS_SUCCESSFULLY_LOADED
#define OPERATION_HYPERVISOR_DRIVER_IS_SUCCESSFULLY_LOADED
Definition Constants.h:380
LogDebugInfo
#define LogDebugInfo(format,...)
Log, initialize boot information and debug information.
Definition HyperDbgHyperLogIntrinsics.h:155

◆ VmxHandleVmcallVmExit()

_Use_decl_annotations_ NTSTATUS VmxHandleVmcallVmExit ( VIRTUAL_MACHINE_STATE * VCpu)

Handle vm-exits of VMCALLs.

Parameters
VCpuThe virtual processor's state
Returns
NTSTATUS
75{
76 BOOLEAN IsHyperDbgVmcall = FALSE;
77 GUEST_REGS * GuestRegs = VCpu->Regs;
78
79 IsHyperDbgVmcall = (GuestRegs->r10 == 0x48564653 && GuestRegs->r11 == 0x564d43414c4c && GuestRegs->r12 == 0x4e4f485950455256);
80 //
81 // Check if it's our routines that request the VMCALL, or it relates to the Hyper-V
82 //
83 if (IsHyperDbgVmcall)
84 {
85 GuestRegs->rax = VmxVmcallHandler(VCpu,
86 GuestRegs->rcx,
87 GuestRegs->rdx,
88 GuestRegs->r8,
89 GuestRegs->r9);
90 }
91 else
92 {
93 return VmxHypervVmcallHandler(VCpu, GuestRegs);
94 }
95
96 return STATUS_SUCCESS;
97}
BOOLEAN
UCHAR BOOLEAN
Definition BasicTypes.h:39
FALSE
#define FALSE
Definition BasicTypes.h:54
VmxVmcallHandler
_Use_decl_annotations_ NTSTATUS VmxVmcallHandler(VIRTUAL_MACHINE_STATE *VCpu, UINT64 VmcallNumber, UINT64 OptionalParam1, UINT64 OptionalParam2, UINT64 OptionalParam3)
Main Vmcall Handler.
Definition Vmcall.c:132
VmxHypervVmcallHandler
_Use_decl_annotations_ NTSTATUS VmxHypervVmcallHandler(VIRTUAL_MACHINE_STATE *VCpu, PGUEST_REGS GuestRegs)
Handle vm-exits of VMCALLs.
Definition Vmcall.c:24
_VIRTUAL_MACHINE_STATE::Regs
GUEST_REGS * Regs
Definition State.h:305
GUEST_REGS
Definition BasicTypes.h:70
GUEST_REGS::rax
UINT64 rax
Definition BasicTypes.h:75
GUEST_REGS::r12
UINT64 r12
Definition BasicTypes.h:87
GUEST_REGS::r9
UINT64 r9
Definition BasicTypes.h:84
GUEST_REGS::r8
UINT64 r8
Definition BasicTypes.h:83
GUEST_REGS::r10
UINT64 r10
Definition BasicTypes.h:85
GUEST_REGS::rcx
UINT64 rcx
Definition BasicTypes.h:76
GUEST_REGS::r11
UINT64 r11
Definition BasicTypes.h:86
GUEST_REGS::rdx
UINT64 rdx
Definition BasicTypes.h:77

◆ VmxHypervVmcallHandler()

_Use_decl_annotations_ NTSTATUS VmxHypervVmcallHandler ( VIRTUAL_MACHINE_STATE * VCpu,
PGUEST_REGS GuestRegs )

Handle vm-exits of VMCALLs.

Parameters
VCpuThe virtual processor's state
GuestRegs
Returns
NTSTATUS
25{
26 UINT64 GuestRsp = NULL64_ZERO;
27 HYPERCALL_INPUT_VALUE InputValue = {.Flags = GuestRegs->rcx};
28
29 switch (InputValue.Fields.CallCode)
30 {
31 case HvSwitchVirtualAddressSpace:
32 case HvFlushVirtualAddressSpace:
33 case HvFlushVirtualAddressList:
34 case HvCallFlushVirtualAddressSpaceEx:
35 case HvCallFlushVirtualAddressListEx:
36
37 VpidInvvpidAllContext();
38 break;
39
40 case HvCallFlushGuestPhysicalAddressSpace:
41 case HvCallFlushGuestPhysicalAddressList:
42
43 EptInveptSingleContext(VCpu->EptPointer.AsUInt);
44 break;
45 }
46
47 //
48 // Save the guest rsp as it will be modified during the Hyper-V's
49 // VMCALL process
50 //
51 GuestRsp = GuestRegs->rsp;
52
53 //
54 // Let the top-level hypervisor to manage it
55 //
56 AsmHypervVmcall((UINT64)GuestRegs);
57
58 //
59 // Restore the guest's RSP
60 //
61 GuestRegs->rsp = GuestRsp;
62
63 return STATUS_SUCCESS;
64}
NULL64_ZERO
#define NULL64_ZERO
Definition BasicTypes.h:52
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
AsmHypervVmcall
void AsmHypervVmcall(unsigned long long GuestRegisters)
Hyper-v vmcall handler.
EptInveptSingleContext
UCHAR EptInveptSingleContext(_In_ UINT64 EptPointer)
Invalidates a single context in ept cache table.
Definition Invept.c:40
HvSwitchVirtualAddressSpace
@ HvSwitchVirtualAddressSpace
Definition Vmx.h:173
HvCallFlushVirtualAddressListEx
@ HvCallFlushVirtualAddressListEx
Definition Vmx.h:189
HvFlushVirtualAddressList
@ HvFlushVirtualAddressList
Definition Vmx.h:175
HvFlushVirtualAddressSpace
@ HvFlushVirtualAddressSpace
Definition Vmx.h:174
HvCallFlushVirtualAddressSpaceEx
@ HvCallFlushVirtualAddressSpaceEx
Definition Vmx.h:188
HvCallFlushGuestPhysicalAddressList
@ HvCallFlushGuestPhysicalAddressList
Definition Vmx.h:280
HvCallFlushGuestPhysicalAddressSpace
@ HvCallFlushGuestPhysicalAddressSpace
Definition Vmx.h:279
VpidInvvpidAllContext
VOID VpidInvvpidAllContext()
INVVPID All Contexts.
Definition Vpid.c:74
_VIRTUAL_MACHINE_STATE::EptPointer
EPT_POINTER EptPointer
Definition State.h:341
GUEST_REGS::rsp
UINT64 rsp
Definition BasicTypes.h:79
_HYPERCALL_INPUT_VALUE
Hypercalls for Hyper-V.
Definition Vmx.h:150
_HYPERCALL_INPUT_VALUE::CallCode
UINT64 CallCode
Definition Vmx.h:154
_HYPERCALL_INPUT_VALUE::Fields
struct _HYPERCALL_INPUT_VALUE::@48 Fields
_HYPERCALL_INPUT_VALUE::Flags
UINT64 Flags
Definition Vmx.h:151

◆ VmxVmcallDirectVmcallHandler()

NTSTATUS VmxVmcallDirectVmcallHandler ( VIRTUAL_MACHINE_STATE * VCpu,
UINT64 VmcallNumber,
DIRECT_VMCALL_PARAMETERS * DirectVmcallOptions )

Direct Vmcall Handler.

Parameters
VCpuThe virtual processor's state
VmcallNumberThe number of the VMCALL
DirectVmcallOptions
Returns
NTSTATUS
112{
113 return VmxVmcallHandler(VCpu,
114 VmcallNumber,
115 DirectVmcallOptions->OptionalParam1,
116 DirectVmcallOptions->OptionalParam2,
117 DirectVmcallOptions->OptionalParam3);
118}
_DIRECT_VMCALL_PARAMETERS::OptionalParam2
UINT64 OptionalParam2
Definition DataTypes.h:296
_DIRECT_VMCALL_PARAMETERS::OptionalParam3
UINT64 OptionalParam3
Definition DataTypes.h:297
_DIRECT_VMCALL_PARAMETERS::OptionalParam1
UINT64 OptionalParam1
Definition DataTypes.h:295

◆ VmxVmcallHandler()

_Use_decl_annotations_ NTSTATUS VmxVmcallHandler ( VIRTUAL_MACHINE_STATE * VCpu,
UINT64 VmcallNumber,
UINT64 OptionalParam1,
UINT64 OptionalParam2,
UINT64 OptionalParam3 )

Main Vmcall Handler.

Parameters
VCpuThe virtual processor's state
VmcallNumber
OptionalParam1
OptionalParam2
OptionalParam3
Returns
NTSTATUS
137{
138 NTSTATUS VmcallStatus = STATUS_UNSUCCESSFUL;
139
140 //
141 // Check for top-level driver's VMCALLs
142 //
143 if (VmcallNumber > TOP_LEVEL_DRIVERS_VMCALL_STARTING_NUMBER && VmcallNumber <= TOP_LEVEL_DRIVERS_VMCALL_ENDING_NUMBER)
144 {
145 if (VmmCallbackVmcallHandler(VCpu->CoreId, VmcallNumber, OptionalParam1, OptionalParam2, OptionalParam3))
146 {
147 return STATUS_SUCCESS;
148 }
149 else
150 {
151 return STATUS_UNSUCCESSFUL;
152 }
153 }
154
155 //
156 // Only 32bit of Vmcall is valid, this way we can use the upper 32 bit of the Vmcall
157 //
158 switch (VmcallNumber)
159 {
160 case VMCALL_TEST:
161 {
162 VmcallStatus = VmcallTest(OptionalParam1, OptionalParam2, OptionalParam3);
163 break;
164 }
165 case VMCALL_VMXOFF:
166 {
167 VmxVmxoff(VCpu);
168 VmcallStatus = STATUS_SUCCESS;
169
170 break;
171 }
172 case VMCALL_CHANGE_PAGE_ATTRIB:
173 {
174 BOOLEAN HookResult = FALSE;
175 CR3_TYPE ProcCr3 = {.Flags = OptionalParam3};
176
177 HookResult = EptHookPerformPageHookMonitorAndInlineHook(VCpu,
178 (PVOID)OptionalParam1 /* hook details */,
179 ProcCr3 /* Process cr3 */,
180 (UINT32)OptionalParam2 /* PageHookMask */);
181
182 VmcallStatus = (HookResult == TRUE) ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
183
184 break;
185 }
186 case VMCALL_INVEPT_SINGLE_CONTEXT:
187 {
188 EptInveptSingleContext(OptionalParam1);
189 VmcallStatus = STATUS_SUCCESS;
190 break;
191 }
192 case VMCALL_INVEPT_ALL_CONTEXTS:
193 {
194 EptInveptAllContexts();
195 VmcallStatus = STATUS_SUCCESS;
196 break;
197 }
198 case VMCALL_UNHOOK_ALL_PAGES:
199 {
200 EptHookRestoreAllHooksToOriginalEntry(VCpu);
201 VmcallStatus = STATUS_SUCCESS;
202 break;
203 }
204 case VMCALL_UNHOOK_SINGLE_PAGE:
205 {
206 if (EptHookRestoreSingleHookToOriginalEntry(VCpu, OptionalParam1, OptionalParam2))
207 VmcallStatus = STATUS_SUCCESS;
208 else
209 VmcallStatus = STATUS_UNSUCCESSFUL;
210
211 break;
212 }
213 case VMCALL_ENABLE_SYSCALL_HOOK_EFER:
214 {
215 SyscallHookConfigureEFER(VCpu, TRUE);
216 VmcallStatus = STATUS_SUCCESS;
217 break;
218 }
219 case VMCALL_DISABLE_SYSCALL_HOOK_EFER:
220 {
221 SyscallHookConfigureEFER(VCpu, FALSE);
222 VmcallStatus = STATUS_SUCCESS;
223 break;
224 }
225 case VMCALL_CHANGE_MSR_BITMAP_READ:
226 {
227 MsrHandlePerformMsrBitmapReadChange(VCpu, (UINT32)OptionalParam1);
228 VmcallStatus = STATUS_SUCCESS;
229 break;
230 }
231 case VMCALL_CHANGE_MSR_BITMAP_WRITE:
232 {
233 MsrHandlePerformMsrBitmapWriteChange(VCpu, (UINT32)OptionalParam1);
234 VmcallStatus = STATUS_SUCCESS;
235 break;
236 }
237 case VMCALL_SET_RDTSC_EXITING:
238 {
239 HvSetRdtscExiting(VCpu, TRUE);
240 VmcallStatus = STATUS_SUCCESS;
241 break;
242 }
243 case VMCALL_SET_RDPMC_EXITING:
244 {
245 HvSetPmcVmexit(TRUE);
246 VmcallStatus = STATUS_SUCCESS;
247 break;
248 }
249 case VMCALL_SET_EXCEPTION_BITMAP:
250 {
251 HvSetExceptionBitmap(VCpu, (UINT32)OptionalParam1);
252 VmcallStatus = STATUS_SUCCESS;
253 break;
254 }
255 case VMCALL_ENABLE_MOV_TO_DEBUG_REGS_EXITING:
256 {
257 HvSetMovDebugRegsExiting(VCpu, TRUE);
258 VmcallStatus = STATUS_SUCCESS;
259 break;
260 }
261 case VMCALL_ENABLE_EXTERNAL_INTERRUPT_EXITING:
262 {
263 HvSetExternalInterruptExiting(VCpu, TRUE);
264 VmcallStatus = STATUS_SUCCESS;
265 break;
266 }
267 case VMCALL_CHANGE_IO_BITMAP:
268 {
269 IoHandlePerformIoBitmapChange(VCpu, (UINT32)OptionalParam1);
270 VmcallStatus = STATUS_SUCCESS;
271 break;
272 }
273 case VMCALL_SET_HIDDEN_CC_BREAKPOINT:
274 {
275 BOOLEAN HookResult = FALSE;
276 CR3_TYPE ProcCr3 = {.Flags = OptionalParam2};
277
278 HookResult = EptHookPerformPageHook(VCpu,
279 (PVOID)OptionalParam1, /* TargetAddress */
280 ProcCr3); /* process cr3 */
281
282 VmcallStatus = (HookResult == TRUE) ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
283
284 break;
285 }
286 case VMCALL_DISABLE_EXTERNAL_INTERRUPT_EXITING_ONLY_TO_CLEAR_INTERRUPT_COMMANDS:
287 {
288 ProtectedHvExternalInterruptExitingForDisablingInterruptCommands(VCpu);
289 VmcallStatus = STATUS_SUCCESS;
290 break;
291 }
292 case VMCALL_UNSET_RDTSC_EXITING:
293 {
294 HvSetRdtscExiting(VCpu, FALSE);
295 VmcallStatus = STATUS_SUCCESS;
296 break;
297
298 break;
299 }
300 case VMCALL_UNSET_RDPMC_EXITING:
301 {
302 HvSetPmcVmexit(FALSE);
303 VmcallStatus = STATUS_SUCCESS;
304 break;
305 }
306 case VMCALL_DISABLE_MOV_TO_DEBUG_REGS_EXITING:
307 {
308 HvSetMovDebugRegsExiting(VCpu, FALSE);
309 VmcallStatus = STATUS_SUCCESS;
310 break;
311 }
312 case VMCALL_RESET_MSR_BITMAP_READ:
313 {
314 MsrHandlePerformMsrBitmapReadReset(VCpu);
315 VmcallStatus = STATUS_SUCCESS;
316 break;
317 }
318 case VMCALL_RESET_MSR_BITMAP_WRITE:
319 {
320 MsrHandlePerformMsrBitmapWriteReset(VCpu);
321 VmcallStatus = STATUS_SUCCESS;
322 break;
323 }
324 case VMCALL_RESET_EXCEPTION_BITMAP_ONLY_ON_CLEARING_EXCEPTION_EVENTS:
325 {
326 ProtectedHvResetExceptionBitmapToClearEvents(VCpu);
327 VmcallStatus = STATUS_SUCCESS;
328 break;
329 }
330 case VMCALL_RESET_IO_BITMAP:
331 {
332 IoHandlePerformIoBitmapReset(VCpu);
333 VmcallStatus = STATUS_SUCCESS;
334 break;
335 }
336 case VMCALL_ENABLE_MOV_TO_CONTROL_REGS_EXITING:
337 {
338 HvSetMovControlRegsExiting(TRUE, OptionalParam1, OptionalParam2);
339 VmcallStatus = STATUS_SUCCESS;
340 break;
341 }
342 case VMCALL_DISABLE_MOV_TO_CONTROL_REGS_EXITING:
343 {
344 HvSetMovControlRegsExiting(FALSE, OptionalParam1, OptionalParam2);
345 VmcallStatus = STATUS_SUCCESS;
346 break;
347 }
348 case VMCALL_ENABLE_MOV_TO_CR3_EXITING:
349 {
350 HvSetMovToCr3Vmexit(VCpu, TRUE);
351 VmcallStatus = STATUS_SUCCESS;
352 break;
353 }
354 case VMCALL_DISABLE_MOV_TO_CR3_EXITING:
355 {
356 HvSetMovToCr3Vmexit(VCpu, FALSE);
357 VmcallStatus = STATUS_SUCCESS;
358 break;
359 }
360 case VMCALL_UNSET_EXCEPTION_BITMAP:
361 {
362 HvUnsetExceptionBitmap(VCpu, (UINT32)OptionalParam1);
363 VmcallStatus = STATUS_SUCCESS;
364 break;
365 }
366 case VMCALL_SET_VM_ENTRY_LOAD_DEBUG_CONTROLS:
367 {
368 HvSetLoadDebugControls(TRUE);
369 VmcallStatus = STATUS_SUCCESS;
370 break;
371 }
372 case VMCALL_UNSET_VM_ENTRY_LOAD_DEBUG_CONTROLS:
373 {
374 HvSetLoadDebugControls(FALSE);
375 VmcallStatus = STATUS_SUCCESS;
376 break;
377 }
378 case VMCALL_SET_VM_EXIT_SAVE_DEBUG_CONTROLS:
379 {
380 HvSetSaveDebugControls(TRUE);
381 VmcallStatus = STATUS_SUCCESS;
382 break;
383 }
384 case VMCALL_UNSET_VM_EXIT_SAVE_DEBUG_CONTROLS:
385 {
386 HvSetSaveDebugControls(FALSE);
387 VmcallStatus = STATUS_SUCCESS;
388 break;
389 }
390 case VMCALL_SET_VM_EXIT_ON_NMIS:
391 {
392 HvSetNmiExiting(TRUE);
393 VmcallStatus = STATUS_SUCCESS;
394 break;
395 }
396 case VMCALL_UNSET_VM_EXIT_ON_NMIS:
397 {
398 HvSetNmiExiting(FALSE);
399 VmcallStatus = STATUS_SUCCESS;
400 break;
401 }
402 case VMCALL_DISABLE_RDTSC_EXITING_ONLY_FOR_TSC_EVENTS:
403 {
404 ProtectedHvDisableRdtscExitingForDisablingTscCommands(VCpu);
405 VmcallStatus = STATUS_SUCCESS;
406 break;
407 }
408 case VMCALL_DISABLE_MOV_TO_HW_DR_EXITING_ONLY_FOR_DR_EVENTS:
409 {
410 ProtectedHvDisableMovDebugRegsExitingForDisablingDrCommands(VCpu);
411 VmcallStatus = STATUS_SUCCESS;
412 break;
413 }
414 case VMCALL_DISABLE_MOV_TO_CR_EXITING_ONLY_FOR_CR_EVENTS:
415 {
416 ProtectedHvDisableMovControlRegsExitingForDisablingCrCommands(VCpu, OptionalParam1, OptionalParam2);
417 VmcallStatus = STATUS_SUCCESS;
418 break;
419 }
420 case VMCALL_ENABLE_DIRTY_LOGGING_MECHANISM:
421 {
422 if (DirtyLoggingEnable(VCpu))
423 {
424 VmcallStatus = STATUS_SUCCESS;
425 }
426 else
427 {
428 VmcallStatus = STATUS_UNSUCCESSFUL;
429 }
430
431 break;
432 }
433 case VMCALL_DISABLE_DIRTY_LOGGING_MECHANISM:
434 {
435 DirtyLoggingDisable(VCpu);
436
437 VmcallStatus = STATUS_SUCCESS;
438 break;
439 }
440 case VMCALL_CHANGE_TO_MBEC_SUPPORTED_EPTP:
441 {
442 ExecTrapChangeToUserDisabledMbecEptp(VCpu);
443
444 VmcallStatus = STATUS_SUCCESS;
445 break;
446 }
447 case VMCALL_RESTORE_TO_NORMAL_EPTP:
448 {
449 ExecTrapRestoreToNormalEptp(VCpu);
450
451 VmcallStatus = STATUS_SUCCESS;
452 break;
453 }
454 case VMCALL_DISABLE_OR_ENABLE_MBEC:
455 {
456 ModeBasedExecHookEnableOrDisable(VCpu, (UINT32)OptionalParam1);
457
458 VmcallStatus = STATUS_SUCCESS;
459 break;
460 }
461 default:
462 {
463 LogError("Err, unsupported VMCALL");
464 VmcallStatus = STATUS_UNSUCCESSFUL;
465 break;
466 }
467 }
468
469 return VmcallStatus;
470}
UINT32
unsigned int UINT32
Definition BasicTypes.h:48
VmmCallbackVmcallHandler
BOOLEAN VmmCallbackVmcallHandler(UINT32 CoreId, UINT64 VmcallNumber, UINT64 OptionalParam1, UINT64 OptionalParam2, UINT64 OptionalParam3)
routine callback to handle external VMCALLs
Definition Callback.c:200
TOP_LEVEL_DRIVERS_VMCALL_ENDING_NUMBER
#define TOP_LEVEL_DRIVERS_VMCALL_ENDING_NUMBER
The start number of VMCALL number allowed to be used by top-level drivers.
Definition Constants.h:348
TOP_LEVEL_DRIVERS_VMCALL_STARTING_NUMBER
#define TOP_LEVEL_DRIVERS_VMCALL_STARTING_NUMBER
The start number of VMCALL number allowed to be used by top-level drivers.
Definition Constants.h:341
DirtyLoggingDisable
VOID DirtyLoggingDisable(VIRTUAL_MACHINE_STATE *VCpu)
Disables the dirty logging mechanism in VMX-root mode.
Definition DirtyLogging.c:156
DirtyLoggingEnable
BOOLEAN DirtyLoggingEnable(VIRTUAL_MACHINE_STATE *VCpu)
Enables the dirty logging mechanism in VMX-root mode.
Definition DirtyLogging.c:105
SyscallHookConfigureEFER
VOID SyscallHookConfigureEFER(VIRTUAL_MACHINE_STATE *VCpu, BOOLEAN EnableEFERSyscallHook)
This function enables or disables EFER syscall hoo.
Definition EferHook.c:31
EptHookRestoreSingleHookToOriginalEntry
BOOLEAN EptHookRestoreSingleHookToOriginalEntry(VIRTUAL_MACHINE_STATE *VCpu, SIZE_T PhysicalAddress, UINT64 OriginalEntry)
Remove and Invalidate Hook in TLB (Hidden Detours and if counter of hidden breakpoint is zero)
Definition EptHook.c:656
EptHookRestoreAllHooksToOriginalEntry
VOID EptHookRestoreAllHooksToOriginalEntry(VIRTUAL_MACHINE_STATE *VCpu)
Remove and Invalidate Hook in TLB.
Definition EptHook.c:704
EptHookPerformPageHook
BOOLEAN EptHookPerformPageHook(VIRTUAL_MACHINE_STATE *VCpu, PVOID TargetAddress, CR3_TYPE ProcessCr3)
The main function that performs EPT page hook with hidden breakpoint.
Definition EptHook.c:474
EptHookPerformPageHookMonitorAndInlineHook
BOOLEAN EptHookPerformPageHookMonitorAndInlineHook(VIRTUAL_MACHINE_STATE *VCpu, PVOID HookingDetails, CR3_TYPE ProcessCr3, UINT32 PageHookMask)
The main function that performs EPT page hook with hidden detours and monitor.
Definition EptHook.c:980
ExecTrapRestoreToNormalEptp
VOID ExecTrapRestoreToNormalEptp(VIRTUAL_MACHINE_STATE *VCpu)
restore to normal EPTP
Definition ExecTrap.c:671
ExecTrapChangeToUserDisabledMbecEptp
VOID ExecTrapChangeToUserDisabledMbecEptp(VIRTUAL_MACHINE_STATE *VCpu)
change to user-disabled MBEC EPTP
Definition ExecTrap.c:711
HvSetPmcVmexit
VOID HvSetPmcVmexit(BOOLEAN Set)
Set vm-exit for rdpmc instructions.
Definition Hv.c:509
HvSetNmiExiting
VOID HvSetNmiExiting(BOOLEAN Set)
Set the NMI Exiting.
Definition Hv.c:953
HvUnsetExceptionBitmap
VOID HvUnsetExceptionBitmap(VIRTUAL_MACHINE_STATE *VCpu, UINT32 IdtIndex)
Unset exception bitmap in VMCS.
Definition Hv.c:1039
HvSetMovDebugRegsExiting
VOID HvSetMovDebugRegsExiting(VIRTUAL_MACHINE_STATE *VCpu, BOOLEAN Set)
Set or unset the Mov to Debug Registers Exiting.
Definition Hv.c:1121
HvSetSaveDebugControls
VOID HvSetSaveDebugControls(BOOLEAN Set)
Set SAVE DEBUG CONTROLS on Vm-exit controls.
Definition Hv.c:433
HvSetExternalInterruptExiting
VOID HvSetExternalInterruptExiting(VIRTUAL_MACHINE_STATE *VCpu, BOOLEAN Set)
Set the External Interrupt Exiting.
Definition Hv.c:1055
HvSetMovControlRegsExiting
VOID HvSetMovControlRegsExiting(BOOLEAN Set, UINT64 ControlRegister, UINT64 MaskRegister)
Set vm-exit for mov-to-cr0/4.
Definition Hv.c:543
HvSetRdtscExiting
VOID HvSetRdtscExiting(VIRTUAL_MACHINE_STATE *VCpu, BOOLEAN Set)
Set the RDTSC/P Exiting.
Definition Hv.c:1108
HvSetMovToCr3Vmexit
VOID HvSetMovToCr3Vmexit(VIRTUAL_MACHINE_STATE *VCpu, BOOLEAN Set)
Set vm-exit for mov-to-cr3.
Definition Hv.c:558
HvSetLoadDebugControls
VOID HvSetLoadDebugControls(BOOLEAN Set)
Set LOAD DEBUG CONTROLS on Vm-entry controls.
Definition Hv.c:402
HvSetExceptionBitmap
VOID HvSetExceptionBitmap(VIRTUAL_MACHINE_STATE *VCpu, UINT32 IdtIndex)
Set exception bitmap in VMCS.
Definition Hv.c:1022
LogError
#define LogError(format,...)
Log in the case of error.
Definition HyperDbgHyperLogIntrinsics.h:113
EptInveptAllContexts
UCHAR EptInveptAllContexts()
Invalidates all contexts in EPT cache table.
Definition Invept.c:54
IoHandlePerformIoBitmapReset
VOID IoHandlePerformIoBitmapReset(VIRTUAL_MACHINE_STATE *VCpu)
Reset I/O Bitmap.
Definition IoHandler.c:268
IoHandlePerformIoBitmapChange
VOID IoHandlePerformIoBitmapChange(VIRTUAL_MACHINE_STATE *VCpu, UINT32 Port)
Change I/O Bitmap.
Definition IoHandler.c:241
ModeBasedExecHookEnableOrDisable
VOID ModeBasedExecHookEnableOrDisable(VIRTUAL_MACHINE_STATE *VCpu, UINT32 State)
Enable/disable MBEC.
Definition ModeBasedExecHook.c:161
MsrHandlePerformMsrBitmapWriteChange
VOID MsrHandlePerformMsrBitmapWriteChange(VIRTUAL_MACHINE_STATE *VCpu, UINT32 MsrMask)
Change MSR Bitmap for write.
Definition MsrHandlers.c:469
MsrHandlePerformMsrBitmapWriteReset
VOID MsrHandlePerformMsrBitmapWriteReset(VIRTUAL_MACHINE_STATE *VCpu)
Reset MSR Bitmap for write.
Definition MsrHandlers.c:500
MsrHandlePerformMsrBitmapReadChange
VOID MsrHandlePerformMsrBitmapReadChange(VIRTUAL_MACHINE_STATE *VCpu, UINT32 MsrMask)
Change MSR Bitmap for read.
Definition MsrHandlers.c:422
MsrHandlePerformMsrBitmapReadReset
VOID MsrHandlePerformMsrBitmapReadReset(VIRTUAL_MACHINE_STATE *VCpu)
Reset MSR Bitmap for read.
Definition MsrHandlers.c:453
ProtectedHvDisableRdtscExitingForDisablingTscCommands
VOID ProtectedHvDisableRdtscExitingForDisablingTscCommands(VIRTUAL_MACHINE_STATE *VCpu)
Clear events of !tsc.
Definition ProtectedHv.c:570
ProtectedHvResetExceptionBitmapToClearEvents
VOID ProtectedHvResetExceptionBitmapToClearEvents(VIRTUAL_MACHINE_STATE *VCpu)
Reset exception bitmap in VMCS because of clearing !exception commands.
Definition ProtectedHv.c:141
ProtectedHvExternalInterruptExitingForDisablingInterruptCommands
VOID ProtectedHvExternalInterruptExitingForDisablingInterruptCommands(VIRTUAL_MACHINE_STATE *VCpu)
Clear events of !interrupt.
Definition ProtectedHv.c:269
ProtectedHvDisableMovControlRegsExitingForDisablingCrCommands
VOID ProtectedHvDisableMovControlRegsExitingForDisablingCrCommands(VIRTUAL_MACHINE_STATE *VCpu, UINT64 ControlRegister, UINT64 MaskRegister)
Clear events of !crwrite.
Definition ProtectedHv.c:609
ProtectedHvDisableMovDebugRegsExitingForDisablingDrCommands
VOID ProtectedHvDisableMovDebugRegsExitingForDisablingDrCommands(VIRTUAL_MACHINE_STATE *VCpu)
Clear events of !dr.
Definition ProtectedHv.c:595
VmcallTest
NTSTATUS VmcallTest(_In_ UINT64 Param1, _In_ UINT64 Param2, _In_ UINT64 Param3)
Test Vmcall (VMCALL_TEST)
Definition Vmcall.c:481
VMCALL_SET_VM_ENTRY_LOAD_DEBUG_CONTROLS
#define VMCALL_SET_VM_ENTRY_LOAD_DEBUG_CONTROLS
VMCALL to set VM-entry LOAD DEBUG CONTROLS.
Definition Vmcall.h:200
VMCALL_UNSET_VM_ENTRY_LOAD_DEBUG_CONTROLS
#define VMCALL_UNSET_VM_ENTRY_LOAD_DEBUG_CONTROLS
VMCALL to unset VM-entry LOAD DEBUG CONTROLS.
Definition Vmcall.h:208
VMCALL_DISABLE_MOV_TO_DEBUG_REGS_EXITING
#define VMCALL_DISABLE_MOV_TO_DEBUG_REGS_EXITING
VMCALL to disable mov to debug registers exiting.
Definition Vmcall.h:148
VMCALL_INVEPT_ALL_CONTEXTS
#define VMCALL_INVEPT_ALL_CONTEXTS
VMCALL to invalidate EPT (All Contexts)
Definition Vmcall.h:40
VMCALL_SET_RDPMC_EXITING
#define VMCALL_SET_RDPMC_EXITING
VMCALL to enable rdpmc exiting in primary cpu-based controls.
Definition Vmcall.h:94
VMCALL_SET_VM_EXIT_SAVE_DEBUG_CONTROLS
#define VMCALL_SET_VM_EXIT_SAVE_DEBUG_CONTROLS
VMCALL to set VM-exit SAVE DEBUG CONTROLS.
Definition Vmcall.h:216
VMCALL_RESET_MSR_BITMAP_WRITE
#define VMCALL_RESET_MSR_BITMAP_WRITE
VMCALL to reset MSR Bitmap Write.
Definition Vmcall.h:160
VMCALL_DISABLE_DIRTY_LOGGING_MECHANISM
#define VMCALL_DISABLE_DIRTY_LOGGING_MECHANISM
VMCALL to disable dirty logging (PML) mechanism.
Definition Vmcall.h:280
VMCALL_CHANGE_PAGE_ATTRIB
#define VMCALL_CHANGE_PAGE_ATTRIB
VMCALL to Hook Change the attribute bits of the EPT Table.
Definition Vmcall.h:34
VMCALL_RESET_EXCEPTION_BITMAP_ONLY_ON_CLEARING_EXCEPTION_EVENTS
#define VMCALL_RESET_EXCEPTION_BITMAP_ONLY_ON_CLEARING_EXCEPTION_EVENTS
VMCALL to reset exception bitmap on VMCS.
Definition Vmcall.h:168
VMCALL_RESET_MSR_BITMAP_READ
#define VMCALL_RESET_MSR_BITMAP_READ
VMCALL to reset MSR Bitmap Read.
Definition Vmcall.h:154
VMCALL_INVEPT_SINGLE_CONTEXT
#define VMCALL_INVEPT_SINGLE_CONTEXT
VMCALL to invalidate EPT (A Single Context)
Definition Vmcall.h:46
VMCALL_UNSET_EXCEPTION_BITMAP
#define VMCALL_UNSET_EXCEPTION_BITMAP
VMCALL to unset exception bitmap on VMCS.
Definition Vmcall.h:192
VMCALL_SET_VM_EXIT_ON_NMIS
#define VMCALL_SET_VM_EXIT_ON_NMIS
VMCALL to cause vm-exit on NMIs.
Definition Vmcall.h:230
VMCALL_VMXOFF
#define VMCALL_VMXOFF
VMCALL to Call VMXOFF to turn off the hypervisor.
Definition Vmcall.h:28
VMCALL_CHANGE_MSR_BITMAP_WRITE
#define VMCALL_CHANGE_MSR_BITMAP_WRITE
VMCALL to change MSR Bitmap Write.
Definition Vmcall.h:82
VMCALL_ENABLE_DIRTY_LOGGING_MECHANISM
#define VMCALL_ENABLE_DIRTY_LOGGING_MECHANISM
VMCALL to enable dirty logging (PML) mechanism.
Definition Vmcall.h:274
VMCALL_TEST
#define VMCALL_TEST
VMCALL to test hypervisor.
Definition Vmcall.h:22
VMCALL_ENABLE_MOV_TO_CR3_EXITING
#define VMCALL_ENABLE_MOV_TO_CR3_EXITING
VMCALL to enable cr3 exiting.
Definition Vmcall.h:180
VMCALL_DISABLE_MOV_TO_CONTROL_REGS_EXITING
#define VMCALL_DISABLE_MOV_TO_CONTROL_REGS_EXITING
VMCALL to disable mov to CR exiting.
Definition Vmcall.h:261
VMCALL_SET_RDTSC_EXITING
#define VMCALL_SET_RDTSC_EXITING
VMCALL to enable rdtsc/rdtscp exiting in primary cpu-based controls.
Definition Vmcall.h:88
VMCALL_CHANGE_IO_BITMAP
#define VMCALL_CHANGE_IO_BITMAP
VMCALL to change I/O Bitmaps (A & B)
Definition Vmcall.h:118
VMCALL_UNSET_VM_EXIT_ON_NMIS
#define VMCALL_UNSET_VM_EXIT_ON_NMIS
VMCALL to not cause vm-exit on NMIs.
Definition Vmcall.h:236
VMCALL_SET_EXCEPTION_BITMAP
#define VMCALL_SET_EXCEPTION_BITMAP
VMCALL to set exception bitmap on VMCS.
Definition Vmcall.h:100
VMCALL_UNHOOK_ALL_PAGES
#define VMCALL_UNHOOK_ALL_PAGES
VMCALL to remove a all physical addresses from hook list.
Definition Vmcall.h:52
VMCALL_SET_HIDDEN_CC_BREAKPOINT
#define VMCALL_SET_HIDDEN_CC_BREAKPOINT
VMCALL to put hidden breakpoints (using EPT)
Definition Vmcall.h:124
VMCALL_RESTORE_TO_NORMAL_EPTP
#define VMCALL_RESTORE_TO_NORMAL_EPTP
VMCALL to restore EPTP to normal EPTP.
Definition Vmcall.h:292
VMCALL_DISABLE_OR_ENABLE_MBEC
#define VMCALL_DISABLE_OR_ENABLE_MBEC
VMCALL to enable/disable MBEC.
Definition Vmcall.h:298
VMCALL_ENABLE_SYSCALL_HOOK_EFER
#define VMCALL_ENABLE_SYSCALL_HOOK_EFER
VMCALL to enable syscall hook using EFER SCE bit.
Definition Vmcall.h:64
VMCALL_UNSET_VM_EXIT_SAVE_DEBUG_CONTROLS
#define VMCALL_UNSET_VM_EXIT_SAVE_DEBUG_CONTROLS
VMCALL to unset VM-exit SAVE DEBUG CONTROLS.
Definition Vmcall.h:224
VMCALL_ENABLE_MOV_TO_DEBUG_REGS_EXITING
#define VMCALL_ENABLE_MOV_TO_DEBUG_REGS_EXITING
VMCALL to enable mov to debug registers exiting.
Definition Vmcall.h:106
VMCALL_UNSET_RDTSC_EXITING
#define VMCALL_UNSET_RDTSC_EXITING
VMCALL to disable rdtsc/rdtscp exiting in primary cpu-based controls.
Definition Vmcall.h:130
VMCALL_UNSET_RDPMC_EXITING
#define VMCALL_UNSET_RDPMC_EXITING
VMCALL to disable rdpmc exiting in primary cpu-based controls.
Definition Vmcall.h:142
VMCALL_ENABLE_EXTERNAL_INTERRUPT_EXITING
#define VMCALL_ENABLE_EXTERNAL_INTERRUPT_EXITING
VMCALL to enable external interrupt exiting.
Definition Vmcall.h:112
VMCALL_DISABLE_SYSCALL_HOOK_EFER
#define VMCALL_DISABLE_SYSCALL_HOOK_EFER
VMCALL to disable syscall hook using EFER SCE bit.
Definition Vmcall.h:70
VMCALL_CHANGE_TO_MBEC_SUPPORTED_EPTP
#define VMCALL_CHANGE_TO_MBEC_SUPPORTED_EPTP
VMCALL to change EPTP to an MBEC-supported EPTP.
Definition Vmcall.h:286
VMCALL_DISABLE_MOV_TO_CR_EXITING_ONLY_FOR_CR_EVENTS
#define VMCALL_DISABLE_MOV_TO_CR_EXITING_ONLY_FOR_CR_EVENTS
VMCALL to clear mov 2 cr exiting bit ONLY in the case of disabling the events for !...
Definition Vmcall.h:268
VMCALL_ENABLE_MOV_TO_CONTROL_REGS_EXITING
#define VMCALL_ENABLE_MOV_TO_CONTROL_REGS_EXITING
VMCALL to enable mov to CR exiting.
Definition Vmcall.h:255
VMCALL_DISABLE_RDTSC_EXITING_ONLY_FOR_TSC_EVENTS
#define VMCALL_DISABLE_RDTSC_EXITING_ONLY_FOR_TSC_EVENTS
VMCALL to clear rdtsc exiting bit ONLY in the case of disabling the events for !tsc command.
Definition Vmcall.h:243
VMCALL_DISABLE_EXTERNAL_INTERRUPT_EXITING_ONLY_TO_CLEAR_INTERRUPT_COMMANDS
#define VMCALL_DISABLE_EXTERNAL_INTERRUPT_EXITING_ONLY_TO_CLEAR_INTERRUPT_COMMANDS
VMCALL to disable external interrupt exiting only to clear !interrupt commands.
Definition Vmcall.h:136
VMCALL_RESET_IO_BITMAP
#define VMCALL_RESET_IO_BITMAP
VMCALL to reset I/O Bitmaps (A & B)
Definition Vmcall.h:174
VMCALL_UNHOOK_SINGLE_PAGE
#define VMCALL_UNHOOK_SINGLE_PAGE
VMCALL to restore a single EPT entry and invalidate EPT cache.
Definition Vmcall.h:58
VMCALL_DISABLE_MOV_TO_HW_DR_EXITING_ONLY_FOR_DR_EVENTS
#define VMCALL_DISABLE_MOV_TO_HW_DR_EXITING_ONLY_FOR_DR_EVENTS
VMCALL to clear mov 2 hw dr exiting bit ONLY in the case of disabling the events for !...
Definition Vmcall.h:250
VMCALL_DISABLE_MOV_TO_CR3_EXITING
#define VMCALL_DISABLE_MOV_TO_CR3_EXITING
VMCALL to disable cr3 exiting.
Definition Vmcall.h:186
VMCALL_CHANGE_MSR_BITMAP_READ
#define VMCALL_CHANGE_MSR_BITMAP_READ
VMCALL to change MSR Bitmap Read.
Definition Vmcall.h:76
VmxVmxoff
VOID VmxVmxoff(VIRTUAL_MACHINE_STATE *VCpu)
Prepare and execute Vmxoff instruction.
Definition Vmx.c:1101
STATUS_UNSUCCESSFUL
#define STATUS_UNSUCCESSFUL
Definition Windows.h:172
_CR3_TYPE
CR3 Structure.
Definition BasicTypes.h:130
_CR3_TYPE::Flags
UINT64 Flags
Definition BasicTypes.h:133
_VIRTUAL_MACHINE_STATE::CoreId
UINT32 CoreId
Definition State.h:306