Transparency.h File Reference

hide the debugger from anti-debugging and anti-hypervisor methods (headers) More...

Go to the source code of this file.

Classes
struct	_TRANSPARENCY_MEASUREMENTS
	The measurements from user-mode and kernel-mode. More...
struct	_TRANSPARENCY_PROCESS
	The ProcessList of TRANSPARENCY_MEASUREMENTS is from this architecture. More...

Macros
#define	MSR_IA32_TIME_STAMP_COUNTER   0x10
	IA32_TIME_STAMP_COUNTER MSR (rcx)
#define	RAND_MAX   0x7fff
	Maximum value that can be returned by the rand function.

Typedefs
typedef struct _TRANSPARENCY_MEASUREMENTS	TRANSPARENCY_MEASUREMENTS
	The measurements from user-mode and kernel-mode.
typedef struct _TRANSPARENCY_MEASUREMENTS *	PTRANSPARENCY_MEASUREMENTS
typedef struct _TRANSPARENCY_PROCESS	TRANSPARENCY_PROCESS
	The ProcessList of TRANSPARENCY_MEASUREMENTS is from this architecture.
typedef struct _TRANSPARENCY_PROCESS *	PTRANSPARENCY_PROCESS

Functions
BOOLEAN	TransparentModeStart (VIRTUAL_MACHINE_STATE *VCpu, UINT32 ExitReason)
	VM-Exit handler for different exit reasons.

Detailed Description

hide the debugger from anti-debugging and anti-hypervisor methods (headers)

Author

Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)

Version

0.1

Date

2020-07-07

Copyright

This project is released under the GNU Public License v3.

Macro Definition Documentation

MSR_IA32_TIME_STAMP_COUNTER

#define MSR_IA32_TIME_STAMP_COUNTER   0x10

IA32_TIME_STAMP_COUNTER MSR (rcx)

RAND_MAX

#define RAND_MAX   0x7fff

Maximum value that can be returned by the rand function.

Typedef Documentation

PTRANSPARENCY_MEASUREMENTS

typedef struct _TRANSPARENCY_MEASUREMENTS * PTRANSPARENCY_MEASUREMENTS

PTRANSPARENCY_PROCESS

typedef struct _TRANSPARENCY_PROCESS * PTRANSPARENCY_PROCESS

TRANSPARENCY_MEASUREMENTS

typedef struct _TRANSPARENCY_MEASUREMENTS TRANSPARENCY_MEASUREMENTS

The measurements from user-mode and kernel-mode.

TRANSPARENCY_PROCESS

typedef struct _TRANSPARENCY_PROCESS TRANSPARENCY_PROCESS

The ProcessList of TRANSPARENCY_MEASUREMENTS is from this architecture.

Function Documentation

TransparentModeStart()

BOOLEAN TransparentModeStart	(	VIRTUAL_MACHINE_STATE *	VCpu,
		UINT32	ExitReason )

VM-Exit handler for different exit reasons.

Should be called from vmx-root

Parameters

VCpu	The virtual processor's state
ExitReason	Exit Reason

Returns

BOOLEAN Return True we should emulate RDTSCP or return false if we should not emulate RDTSCP

{
    UINT32      Aux                = 0;
    PLIST_ENTRY TempList           = 0;
    PCHAR       CurrentProcessName = 0;
    UINT32      CurrentProcessId;
    UINT64      CurrrentTime;
    HANDLE      CurrentThreadId;
    BOOLEAN     Result                      = TRUE;
    BOOLEAN     IsProcessOnTransparencyList = FALSE;
 
    //
    // Save the current time
    //
    CurrrentTime = __rdtscp(&Aux);
 
    //
    // Save time of vm-exit on each logical processor separately
    //
    VCpu->TransparencyState.PreviousTimeStampCounter = CurrrentTime;
 
    //
    // Find the current process id and name
    //
    CurrentProcessId   = HANDLE_TO_UINT32(PsGetCurrentProcessId());
    CurrentProcessName = CommonGetProcessNameFromProcessControlBlock(PsGetCurrentProcess());
 
    //
    // Check for process id and process name, if not match then we don't emulate it
    //
    TempList = &g_TransparentModeMeasurements->ProcessList;
    while (&g_TransparentModeMeasurements->ProcessList != TempList->Flink)
    {
        TempList                             = TempList->Flink;
        PTRANSPARENCY_PROCESS ProcessDetails = (PTRANSPARENCY_PROCESS)CONTAINING_RECORD(TempList, TRANSPARENCY_PROCESS, OtherProcesses);
        if (ProcessDetails->TrueIfProcessIdAndFalseIfProcessName)
        {
            //
            // This entry is process id
            //
            if (ProcessDetails->ProcessId == CurrentProcessId)
            {
                //
                // Let the transparency handler to handle it
                //
                IsProcessOnTransparencyList = TRUE;
                break;
            }
        }
        else
        {
            //
            // This entry is a process name
            //
            if (CurrentProcessName != NULL && CommonIsStringStartsWith(CurrentProcessName, ProcessDetails->ProcessName))
            {
                //
                // Let the transparency handler to handle it
                //
                IsProcessOnTransparencyList = TRUE;
                break;
            }
        }
    }
 
    //
    // Check whether we find this process on transparency list or not
    //
    if (!IsProcessOnTransparencyList)
    {
        //
        // No, we didn't let's do the normal tasks
        //
        return TRUE;
    }
 
    //
    // Get current thread Id
    //
    CurrentThreadId = PsGetCurrentThreadId();
 
    //
    // Check whether we are in new thread or in previous thread
    //
    if (VCpu->TransparencyState.ThreadId != CurrentThreadId)
    {
        //
        // It's a new thread Id reset everything
        //
        VCpu->TransparencyState.ThreadId                        = CurrentThreadId;
        VCpu->TransparencyState.RevealedTimeStampCounterByRdtsc = NULL64_ZERO;
        VCpu->TransparencyState.CpuidAfterRdtscDetected         = FALSE;
    }
 
    //
    // Now, it's time to check and play with RDTSC/P and CPUID
    //
 
    if (ExitReason == VMX_EXIT_REASON_EXECUTE_RDTSC || ExitReason == VMX_EXIT_REASON_EXECUTE_RDTSCP)
    {
        if (VCpu->TransparencyState.RevealedTimeStampCounterByRdtsc == NULL64_ZERO)
        {
            //
            // It's a timing and the previous time for the thread is null
            // so we need to save the time (maybe) for future use
            //
            VCpu->TransparencyState.RevealedTimeStampCounterByRdtsc = CurrrentTime;
        }
        else if (VCpu->TransparencyState.CpuidAfterRdtscDetected == TRUE)
        {
            //
            // Someone tries to know about the hypervisor
            // let's play with them
            //
 
            // LogInfo("Possible RDTSC+CPUID+RDTSC");
        }
        else if (VCpu->TransparencyState.RevealedTimeStampCounterByRdtsc != NULL64_ZERO &&
                 VCpu->TransparencyState.CpuidAfterRdtscDetected == FALSE)
        {
            //
            // It's a new rdtscp, let's save the new value
            //
            VCpu->TransparencyState.RevealedTimeStampCounterByRdtsc +=
                TransparentRandn((UINT32)g_TransparentModeMeasurements->CpuidAverage,
                                 (UINT32)g_TransparentModeMeasurements->CpuidStandardDeviation);
            ;
        }
 
        //
        // Adjust the rdtsc based on RevealedTimeStampCounterByRdtsc
        //
        VCpu->Regs->rax = 0x00000000ffffffff &
                          VCpu->TransparencyState.RevealedTimeStampCounterByRdtsc;
 
        VCpu->Regs->rdx = 0x00000000ffffffff &
                          (VCpu->TransparencyState.RevealedTimeStampCounterByRdtsc >> 32);
 
        //
        // Check if we need to adjust rcx as a result of rdtscp
        //
        if (ExitReason == VMX_EXIT_REASON_EXECUTE_RDTSCP)
        {
            VCpu->Regs->rcx = 0x00000000ffffffff & Aux;
        }
        //
        // Shows that vm-exit handler should not emulate the RDTSC/P
        //
        Result = FALSE;
    }
    else if (ExitReason == VMX_EXIT_REASON_EXECUTE_CPUID &&
             VCpu->TransparencyState.RevealedTimeStampCounterByRdtsc != NULL64_ZERO)
    {
        //
        // The guy executed one or more CPUIDs after an rdtscp so we
        //  need to add new cpuid value to previous timer and also
        //  we need to store it somewhere to remember this behavior
        //
        VCpu->TransparencyState.RevealedTimeStampCounterByRdtsc +=
            TransparentRandn((UINT32)g_TransparentModeMeasurements->CpuidAverage,
                             (UINT32)g_TransparentModeMeasurements->CpuidStandardDeviation);
 
        VCpu->TransparencyState.CpuidAfterRdtscDetected = TRUE;
    }
 
    return Result;
}