HyperDbg Debugger
VmxFootprints.c File Reference

Try to hide the hypervisor's VMX footprints from anti-debugging and anti-hypervisor checks. More...

#include "pch.h"

Functions

VOID TransparentCheckAndModifyCpuid (PGUEST_REGS Regs, INT32 CpuInfo[])
 Handle CPUID VM exits when transparent mode is enabled.
BOOLEAN TransparentCheckAndModifyMsrRead (PGUEST_REGS Regs, UINT32 TargetMsr)
 Handle RDMSR VM exits when transparent mode is enabled.
BOOLEAN TransparentCheckAndModifyMsrWrite (PGUEST_REGS Regs, UINT32 TargetMsr)
 Handle WRMSR VM exits when transparent mode is enabled.
VOID TransparentCheckAndTrapFlagAfterVmexit ()
 Handle the trap-flag anti-debugging method after a VM exit.

Detailed Description

Try to hide the hypervisor's VMX footprints from anti-debugging and anti-hypervisor checks.

Author
Sina Karvandi (sina@hyperdbg.org)
jtaw5649
Version
0.14
Date
2025-06-08

Function Documentation

◆ TransparentCheckAndModifyCpuid()

VOID TransparentCheckAndModifyCpuid (PGUEST_REGS Regs, INT32 CpuInfo[])

Handle CPUID VM exits when transparent mode is enabled.

Parameters
Regs: The virtual processor's register state
CpuInfo: The temporary logical processor registers (the CPUID result EAX, EBX, ECX, EDX that will be returned to the guest)
Returns
VOID
VOID
TransparentCheckAndModifyCpuid(PGUEST_REGS Regs, INT32 CpuInfo[])
{
    //
    // Reconstructed: the page's listing dropped the lines that reference linked
    // identifiers (g_TransparentEvadeMask, rax and the CPUID_* / HYPERV_* macros
    // listed below); the conditions here follow the same pattern as the other
    // handlers in this file
    //
    if (!(g_TransparentEvadeMask & TRANSPARENT_EVADE_MASK_CPUID))
    {
        return;
    }

    if ((UINT32)Regs->rax == CPUID_PROCESSOR_AND_PROCESSOR_FEATURE_IDENTIFIERS)
    {
        //
        // Unset the Hypervisor Present-bit in RCX, which Intel and AMD have both
        // reserved for this indication
        //
        CpuInfo[2] &= ~HYPERV_HYPERVISOR_PRESENT_BIT;
    }
    else if ((UINT32)Regs->rax == CPUID_HV_VENDOR_AND_MAX_FUNCTIONS ||
             (UINT32)Regs->rax == HYPERV_CPUID_INTERFACE)
    {
        //
        // When transparent, all CPUID leaves in the 0x40000000+ range should contain no usable data
        //
        CpuInfo[0] = CpuInfo[1] = CpuInfo[2] = CpuInfo[3] = 0x40000000;
    }
}
Referenced identifiers (definition locations as given by the generated documentation):
HYPERV_CPUID_INTERFACE: Vmx.h:35
HYPERV_HYPERVISOR_PRESENT_BIT: Vmx.h:40
CPUID_PROCESSOR_AND_PROCESSOR_FEATURE_IDENTIFIERS (CPUID features): Constants.h:701
TRANSPARENT_EVADE_MASK_CPUID: Constants.h:684
CPUID_HV_VENDOR_AND_MAX_FUNCTIONS (the Microsoft Hypervisor interface defined constants): Constants.h:676
UINT32 g_TransparentEvadeMask (the enabled transparent-mode feature mask): Transparency.h:72
UINT64 rax: BasicTypes.h:141
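As an added illustration (not HyperDbg's own code), a host-side C model of the CPUID rule above: it applies the same evade-mask gate, clears CPUID.1:ECX[31] and blanks the 0x40000000/0x40000001 leaves, then runs a guest-style presence check over a constructed Hyper-V-like sample to show what the guest concludes with and without the filter. The macro names and values (EVADE_MASK_CPUID, HV_PRESENT_BIT, the leaf numbers) are assumptions standing in for the page's constants.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
/* Assumed stand-ins for the page's macros (leaf numbers and bit position per Intel SDM / Hyper-V TLFS) */
#define EVADE_MASK_CPUID           0x1u
#define CPUID_FEATURE_IDENTIFIERS  0x00000001u   /* CPUID leaf 1 */
#define CPUID_HV_VENDOR_MAX_FUNCS  0x40000000u   /* hypervisor vendor / max-leaf leaf */
#define CPUID_HV_INTERFACE         0x40000001u   /* hypervisor interface leaf */
#define HV_PRESENT_BIT             0x80000000u   /* CPUID.1:ECX[31] */

/* Apply the page's transparent-mode rules to a CPUID result the guest is about to
 * receive (cpu_info = EAX, EBX, ECX, EDX); the leaf is passed in explicitly rather
 * than read from Regs->rax. Returns true when the result was altered. */
bool transparent_filter_cpuid(uint32_t evade_mask, uint32_t leaf, int32_t cpu_info[4])
{
    if (!(evade_mask & EVADE_MASK_CPUID))
        return false;                       /* CPUID evasion not enabled */
    if (leaf == CPUID_FEATURE_IDENTIFIERS) {
        /* Clear only the hypervisor-present bit; the rest of ECX stays intact */
        cpu_info[2] = (int32_t)((uint32_t)cpu_info[2] & ~HV_PRESENT_BIT);
        return true;
    }
    if (leaf == CPUID_HV_VENDOR_MAX_FUNCS || leaf == CPUID_HV_INTERFACE) {
        /* No usable data; EAX=0x40000000 also reports "no further hypervisor leaves" */
        for (int i = 0; i < 4; i++) cpu_info[i] = 0x40000000;
        return true;
    }
    return false;
}

/* Guest-side view: the two checks the filter above is meant to neutralise */
bool guest_sees_hypervisor(const int32_t leaf1[4], const int32_t leaf40[4])
{
    char vendor[13] = {0};                  /* EBX,ECX,EDX of leaf 0x40000000 hold a 12-byte vendor id */
    memcpy(vendor, &leaf40[1], 12);
    return ((uint32_t)leaf1[2] & HV_PRESENT_BIT) != 0 || strcmp(vendor, "Microsoft Hv") == 0;
}

/* Constructed sample of what a Hyper-V guest would see before filtering */
static const int32_t SAMPLE_LEAF1[4]  = {0x000906EA, 0x00100800, (int32_t)0x80202001u, 0x178BFBFF};
static const int32_t SAMPLE_LEAF40[4] = {0x4000000B, 0x7263694D, 0x666F736F, 0x76482074}; /* "Microsoft Hv" */

/* Filter both sample leaves with the given mask and report what the guest concludes */
bool hypervisor_visible_after_filter(uint32_t evade_mask)
{
    int32_t l1[4], l40[4];
    memcpy(l1, SAMPLE_LEAF1, sizeof l1);
    memcpy(l40, SAMPLE_LEAF40, sizeof l40);
    transparent_filter_cpuid(evade_mask, CPUID_FEATURE_IDENTIFIERS, l1);
    transparent_filter_cpuid(evade_mask, CPUID_HV_VENDOR_MAX_FUNCS, l40);
    return guest_sees_hypervisor(l1, l40);
}
```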

◆ TransparentCheckAndModifyMsrRead()

BOOLEAN TransparentCheckAndModifyMsrRead (PGUEST_REGS Regs, UINT32 TargetMsr)

Handle RDMSR VM exits when transparent mode is enabled.

Parameters
Regs: The virtual processor's register state
TargetMsr: The target MSR (the value the guest placed in ECX)
Returns
BOOLEAN: TRUE if the access was handled here and should not be emulated further, FALSE if it is not handled in transparent mode
BOOLEAN
TransparentCheckAndModifyMsrRead(PGUEST_REGS Regs, UINT32 TargetMsr)
{
    //
    // Reconstructed guard: the page's listing dropped this line; it tests the
    // TRANSPARENT_EVADE_MASK_MSR bit listed below, as the other handlers do
    //
    if (!(g_TransparentEvadeMask & TRANSPARENT_EVADE_MASK_MSR))
    {
        UNREFERENCED_PARAMETER(Regs);
        UNREFERENCED_PARAMETER(TargetMsr);

        return FALSE;
    }

    //
    // The MSR range between 40000000H and 400000F0H is reserved and usually used by hypervisors
    // when the guest operating system is Windows to indicate the OS identifier
    //
    // Sina: Needs more investigation since injecting #GP on Nested-virtualization environments
    // will crash the VM on Meteor Lake processors since the OS expects to use synthetic timers
    // (HV_REGISTER_STIMER0_CONFIG and HV_REGISTER_STIMER0_COUNT) to receive interrupts
    // Ref: https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/tlfs/timers
    //
    // if (TargetMsr >= RESERVED_MSR_RANGE_LOW && TargetMsr <= RESERVED_MSR_RANGE_HI)
    // {
    //     LogInfo("RDMSR attempts to read from a reserved MSR range. MSR: %x",
    //             TargetMsr);
    //
    //     g_Callbacks.EventInjectGeneralProtection();
    //     return TRUE; // Should not emulate further
    // }
    // else
    // {
    //     //
    //     // Not handled in the transparent-mode
    //     //
    //     return FALSE;
    // }

    UNREFERENCED_PARAMETER(Regs);
    UNREFERENCED_PARAMETER(TargetMsr);

    return FALSE;
}
Referenced identifiers:
FALSE: BasicTypes.h:113
TRANSPARENT_EVADE_MASK_MSR: Constants.h:685

◆ TransparentCheckAndModifyMsrWrite()

BOOLEAN TransparentCheckAndModifyMsrWrite (PGUEST_REGS Regs, UINT32 TargetMsr)

Handle WRMSR VM exits when transparent mode is enabled.

Parameters
Regs: The virtual processor's register state
TargetMsr: The target MSR (the value the guest placed in ECX)
Returns
BOOLEAN: TRUE if the access was handled here and should not be emulated further, FALSE if it is not handled in transparent mode
BOOLEAN
TransparentCheckAndModifyMsrWrite(PGUEST_REGS Regs, UINT32 TargetMsr)
{
    //
    // Reconstructed guard: the page's listing dropped this line; it tests the
    // same TRANSPARENT_EVADE_MASK_MSR bit as the RDMSR handler above
    //
    if (!(g_TransparentEvadeMask & TRANSPARENT_EVADE_MASK_MSR))
    {
        UNREFERENCED_PARAMETER(Regs);
        UNREFERENCED_PARAMETER(TargetMsr);

        return FALSE;
    }

    // if (TargetMsr >= RESERVED_MSR_RANGE_LOW && TargetMsr <= RESERVED_MSR_RANGE_HI)
    // {
    //     //
    //     // The MSR range between 40000000H and 400000F0H is reserved and usually used by hypervisors
    //     // when the guest operating system is Windows to indicate the OS identifier
    //     //
    //
    //     LogInfo("WRMSR attempts to write to a reserved MSR range. MSR: %x, rax: %llx, rdx: %llx",
    //             TargetMsr,
    //             Regs->rax,
    //             Regs->rdx);
    //
    //     g_Callbacks.EventInjectGeneralProtection();
    //
    //     return TRUE; // Should not emulate further
    // }
    // else
    // {
    //     //
    //     // Not handled in the transparent-mode
    //     //
    //     return FALSE;
    // }

    UNREFERENCED_PARAMETER(Regs);
    UNREFERENCED_PARAMETER(TargetMsr);

    return FALSE;
}

◆ TransparentCheckAndTrapFlagAfterVmexit()

VOID TransparentCheckAndTrapFlagAfterVmexit ()

Handle the trap-flag anti-debugging method after a VM exit (a trap flag set by the guest must still take effect after an instruction has been emulated).

Returns
VOID
VOID
TransparentCheckAndTrapFlagAfterVmexit()
{
    //
    // Reconstructed guard: the page's listing dropped this line; it tests the
    // TRANSPARENT_EVADE_MASK_TRAP_FLAG bit listed below
    //
    if (!(g_TransparentEvadeMask & TRANSPARENT_EVADE_MASK_TRAP_FLAG))
    {
        return;
    }

    //
    // If RIP is incremented, then we emulate an instruction, and then
    // we need to handle the trap flag if it is set in a guest
    //
    g_Callbacks.HvHandleTrapFlag();
}
Referenced identifiers:
TRANSPARENT_EVADE_MASK_TRAP_FLAG: Constants.h:686
HYPEREVADE_CALLBACKS g_Callbacks (list of callbacks): Transparency.h:23