This repository has been archived by the owner on Sep 1, 2024. It is now read-only.

Enhanced Functionality with Optimized EPT, Boot-time Hooks, and Preliminary Hyper-V Support (Experimental) #19

Merged: 172 commits merged into main from development, May 2, 2024

Conversation

memN0ps
Owner

@memN0ps memN0ps commented May 2, 2024

This pull request introduces a series of enhancements and refinements to the UEFI Rust hypervisor, aimed at improving functionality and stability across various components:

  • EPT Management: Transitioned from using separate primary and secondary EPTs (Extended Page Tables) for all threads to a single primary EPT per thread, optimizing memory management.
  • Runtime CPUID Hooks: Implemented hooks in the CPUID instruction at runtime, currently marked as unstable. These hooks are managed through EPT violations and are installed on a shadow copy page via vmcall. While CPUID, INT3, and other instructions could potentially employ similar hooks with minor modifications, MTF (Monitor Trap Flag) is utilized to restore hooks and execute the overwritten bytes. Future updates aim to enhance support for runtime hooks via a CPUID backdoor. Initial attempts to utilize a guest agent for executing kernel code upon EPT violations were set aside in favor of maintaining obfuscation through EPT, minimizing guest exposure.
  • Hook Stability and Overhead: Currently, hooks are unstable and subject to extensive testing before they can be deemed stable for public release. The implementation involves hooks during system boot and includes SSDT hooks, but is anticipated to cause multiple VM exits, though the overhead should not significantly impact performance.
  • Memory Management for Hooks: Accessing the Guest Physical Address (PA) now requires traversing the page tables, a crucial step for effective hook implementation.
  • Build System and Continuous Integration:
    • Adopted cargo-make for project builds, utilizing a Makefile.toml configuration.
    • Updated GitHub workflow YAML files to integrate cargo make.
  • Documentation and Configuration Updates:
    • Revised README.md to reflect the latest changes.
    • Updated workspace settings in config.toml.
  • Debugging Features: Introduced features to selectively enable or disable support for Hyper-V Type 2, primarily for debugging purposes. This update continues to inject #GP faults for invalid or reserved MSR accesses.
  • MSR Hooks: Added functionality to hook the LSTAR register at runtime, allowing for dynamic retrieval and restoration of the ntoskrnl base address.
  • Code Formatting: Updated the project to conform to a modified cargo fmt style.
  • Structural Changes: Implemented various structural changes and refactorings to enhance code organization and maintainability.
  • Dependency Updates: Updated the UEFI crate and other dependent crates to newer versions.
  • Boot Loader Addition: Integrated a new loader to facilitate system startup.

Note: This is partial support for #10 and #18.

These changes lay the groundwork for more robust and flexible hypervisor capabilities, aiming for increased stability and performance in virtualized environments. Further testing and validation are required to ensure that these enhancements meet the necessary standards for reliability and security.

Acknowledgments: Special thanks to Daax, Satoshi Tanda, Jessiep, and Drew for their contributions and support in this update.
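The description above notes that reaching a guest physical address for a hook now requires walking the guest's page tables. The following is an added example, not code from this PR or from the hypervisor itself: a simulated x86-64 4-level page-table walk (GVA to GPA) over constructed in-memory guest page tables, honouring the present bit and the 1 GiB / 2 MiB huge-page (PS) bit and reporting non-present entries and table frames that are not mapped at all. It assumes 4-level paging as laid out in the Intel SDM (no 5-level paging) and ignores permission bits (R/W, U/S, NX); every address and table entry in it is a constructed sample value.

```rust
// Added example: simulated x86-64 4-level page-table walk (GVA -> GPA).
// Not code from the PR; page tables below are constructed sample data.
// Assumptions: 4-level paging only, permission bits (R/W, U/S, NX) ignored,
// only the present bit and the PS (huge page) bit are honoured.

use std::collections::HashMap;

const PRESENT: u64 = 1 << 0; // bit 0: entry is present
const PAGE_SIZE: u64 = 1 << 7; // bit 7 (PS) in a PDPTE/PDE: huge page
const ADDR_MASK: u64 = 0x000F_FFFF_FFFF_F000; // bits 12..51: next table / frame
const LEVELS: [&str; 4] = ["PML4", "PDPT", "PD", "PT"];

/// Constructed guest-physical memory: page frame number -> 512 table entries.
#[derive(Default)]
pub struct GuestMemory {
    frames: HashMap<u64, [u64; 512]>,
}

impl GuestMemory {
    /// Write one entry of the table located at guest-physical `table_gpa`.
    pub fn write_entry(&mut self, table_gpa: u64, index: usize, value: u64) {
        self.frames.entry(table_gpa >> 12).or_insert([0; 512])[index] = value;
    }

    /// Read one entry; `None` if that frame was never populated in this guest.
    pub fn read_entry(&self, table_gpa: u64, index: usize) -> Option<u64> {
        self.frames.get(&(table_gpa >> 12)).map(|f| f[index])
    }
}

#[derive(Debug, PartialEq)]
pub enum WalkError {
    NotPresent { level: &'static str },
    UnmappedTable { gpa: u64 },
}

/// Translate a guest virtual address using the guest's CR3, handling
/// 1 GiB (PDPTE.PS), 2 MiB (PDE.PS) and 4 KiB (PTE) mappings.
pub fn translate(mem: &GuestMemory, cr3: u64, gva: u64) -> Result<u64, WalkError> {
    // Nine index bits per level, taken from bits 39, 30, 21 and 12 of the GVA.
    let indices = [39u32, 30, 21, 12].map(|shift| ((gva >> shift) & 0x1FF) as usize);
    let mut table = cr3 & ADDR_MASK;
    for (level, &index) in indices.iter().enumerate() {
        let entry = mem
            .read_entry(table, index)
            .ok_or(WalkError::UnmappedTable { gpa: table })?;
        if entry & PRESENT == 0 {
            return Err(WalkError::NotPresent { level: LEVELS[level] });
        }
        let next = entry & ADDR_MASK;
        match level {
            // PDPTE with PS set maps 1 GiB: frame in bits 30..51, offset in bits 0..29.
            1 if entry & PAGE_SIZE != 0 => return Ok((next & !0x3FFF_FFFF) | (gva & 0x3FFF_FFFF)),
            // PDE with PS set maps 2 MiB: frame in bits 21..51, offset in bits 0..20.
            2 if entry & PAGE_SIZE != 0 => return Ok((next & !0x1F_FFFF) | (gva & 0x1F_FFFF)),
            // PTE maps a 4 KiB page: offset in bits 0..11.
            3 => return Ok(next | (gva & 0xFFF)),
            _ => table = next,
        }
    }
    unreachable!("the PT level always returns")
}

/// Build a small constructed guest: one 4 KiB mapping, one 2 MiB mapping,
/// and one PML4 entry pointing at a table frame that was never populated.
/// Returns (memory, cr3); all addresses are sample values.
pub fn sample_guest() -> (GuestMemory, u64) {
    let cr3 = 0x1000;
    let mut mem = GuestMemory::default();
    // 0xFFFF_8000_0001_2345 -> 4 KiB page at GPA 0x7_0000
    // (PML4[256] -> PDPT[0] -> PD[0] -> PT[18]).
    mem.write_entry(cr3, 256, 0x2000 | PRESENT);
    mem.write_entry(0x2000, 0, 0x3000 | PRESENT);
    mem.write_entry(0x3000, 0, 0x4000 | PRESENT);
    mem.write_entry(0x4000, 18, 0x7_0000 | PRESENT);
    // 0x4020_0ABC -> 2 MiB page at GPA 0x2000_0000
    // (PML4[0] -> PDPT[1] -> PD[1] with PS set).
    mem.write_entry(cr3, 0, 0x5000 | PRESENT);
    mem.write_entry(0x5000, 1, 0x6000 | PRESENT);
    mem.write_entry(0x6000, 1, 0x2000_0000 | PRESENT | PAGE_SIZE);
    // PML4[1] is present but its PDPT frame (0x9000) is never written.
    mem.write_entry(cr3, 1, 0x9000 | PRESENT);
    (mem, cr3)
}

fn main() {
    let (mem, cr3) = sample_guest();
    for gva in [0xFFFF_8000_0001_2345u64, 0x4020_0ABC, 0x1000, 1 << 39] {
        println!("{gva:#018x} -> {:?}", translate(&mem, cr3, gva));
    }
}
```

Distinguishing a non-present entry from a table frame that does not exist in guest memory matters in a hypervisor: the first is a normal paging state the guest may resolve later, while the second indicates a stale CR3 or a corrupted table and should abort the hook installation rather than be dereferenced.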

At this point `original_lstar` should not be 0 at all because `MsrAccessType::Write` on msr::IA32_LSTAR stores it in there.
Will edit this to go somewhere else later and do a refactor. vmread is called each time; it only needs to be done once. Need to make this more memory safe if possible.
The ntoskrnl.exe base address is retrieved via vmexit so it requires hooks to be called from there.
- Might have to use vmcalls/hypercalls to perform these hooks using an interface as doing at run-time is dirty.
@memN0ps memN0ps merged commit af3928f into main May 2, 2024
1 check passed
@memN0ps memN0ps deleted the development branch May 3, 2024 23:52