
[系统底层] [原创]年末系列3:揪出物理内存里的VMCS

2017-1-25 15:42 6634

众所周知,大家都喜欢VT来VT去,但是由于某些VT不支持nested造成了很多工作上的问题。
于是想了一想,想要hook 其他人VT的HostRip处理VM-EXIT不就可以暴力XXOO了么。

于是参考 intel-vt 的初始化代码,发现 VT 初始化时设置的 VMCS 都是一个 PAGE_SIZE 大小的内存块,这个内存块有一定的特征形式。
于是脑洞大开,写了个搜索 VMWARE NESTED 和 SANDYBRIDGE 的 VMCS 的代码。
简单粗暴了点...
VMCS的结构偏移定义是自己挖掘的...
首先,VMCS_1 是 VMWARE NESTED 的结构,VMCS_10 是 SANDYBRIDGE 的结构;
使用的都是 I7 系列 CPU。
	namespace VMCS_SCAN_DEF1
	{
		// Byte offsets inside the 4 KiB VMCS region for the layout whose first
		// dword (revision id) is 0x1, which the post attributes to VMware's nested
		// VMX. The table was recovered with the author's own dumping tool, not taken
		// from a public specification: Intel documents the VMCS layout as
		// implementation-specific and only defines access through VMREAD/VMWRITE,
		// so these offsets are only meaningful on the exact hypervisor/CPU they were
		// derived from and must be re-validated before use anywhere else.
		// "//(null)" after an entry is the tool's output where it recorded no field
		// type; "INVALID_FIELD" lines are presumably fields the tool could not locate.
		enum NEW_VMCS_1
		{
			VMCS_OFFSET_VPID = 0x00000e68,//(null)
		 // POSTED_INTERRUPT_NOTIFICATION_VECTOR	INVALID_FIELD
		 // EPTP_INDEX	INVALID_FIELD
		 VMCS_OFFSET_GUEST_ES_SEL = 0x00000f20,//(null)
		 VMCS_OFFSET_GUEST_CS_SEL = 0x00000f22,//(null)
		 VMCS_OFFSET_GUEST_SS_SEL = 0x00000f24,//(null)
		 VMCS_OFFSET_GUEST_DS_SEL = 0x00000f26,//(null)
		 VMCS_OFFSET_GUEST_FS_SEL = 0x00000f28,//(null)
		 VMCS_OFFSET_GUEST_GS_SEL = 0x00000f2a,//(null)
		 VMCS_OFFSET_GUEST_LDTR_SEL = 0x00000f2c,//(null)
		 VMCS_OFFSET_GUEST_TR_SEL = 0x00000f2e,//(null)
		 VMCS_OFFSET_GUEST_INTERRUPT_STATUS = 0x00000f2e,// NOTE(review): same offset as VMCS_OFFSET_GUEST_TR_SEL above - likely a dump artefact, confirm before relying on it
		 VMCS_OFFSET_HOST_ES_SEL = 0x00000f7c,//(null)
		 VMCS_OFFSET_HOST_CS_SEL = 0x00000f7e,//(null)
		 VMCS_OFFSET_HOST_SS_SEL = 0x00000f80,//(null)
		 VMCS_OFFSET_HOST_DS_SEL = 0x00000f82,//(null)
		 VMCS_OFFSET_HOST_FS_SEL = 0x00000f84,//(null)
		 VMCS_OFFSET_HOST_GS_SEL = 0x00000f86,//(null)
		 VMCS_OFFSET_HOST_TR_SEL = 0x00000f88,//(null)
		 VMCS_OFFSET_IO_BITMAP_A_FULL = 0x00000008,//(null)
		 VMCS_OFFSET_IO_BITMAP_A_HIGH = 0x0000000c,//(null)
		 VMCS_OFFSET_IO_BITMAP_B_FULL = 0x00000010,//(null)
		 VMCS_OFFSET_IO_BITMAP_B_HIGH = 0x00000014,//(null)
		 VMCS_OFFSET_MSR_BITMAP_FULL = 0x00000018,//(null)
		 VMCS_OFFSET_MSR_BITMAP_HIGH = 0x0000001c,//(null)
		 VMCS_OFFSET_EXIT_MSR_STORE_ADDR_FULL = 0x00000020,//(null)
		 VMCS_OFFSET_EXIT_MSR_STORE_ADDR_HIGH = 0x00000024,//(null)
		 VMCS_OFFSET_EXIT_MSR_LOAD_ADDR_FULL = 0x00000028,//(null)
		 VMCS_OFFSET_EXIT_MSR_LOAD_ADDR_HIGH = 0x0000002c,//(null)
		 VMCS_OFFSET_ENTRY_MSR_LOAD_ADDR_FULL = 0x00000030,//(null)
		 VMCS_OFFSET_ENTRY_MSR_LOAD_ADDR_HIGH = 0x00000034,//(null)
		 VMCS_OFFSET_EXECUTIVE_VMCS_PTR_FULL = 0x00000038,//(null)
		 VMCS_OFFSET_EXECUTIVE_VMCS_PTR_HIGH = 0x0000003c,//(null)
		 VMCS_OFFSET_TSC_OFFSET_FULL = 0x00000048,//(null)
		 VMCS_OFFSET_TSC_OFFSET_HIGH = 0x0000004c,//(null)
		 VMCS_OFFSET_VIRTUAL_APIC_PAGE_ADDR_FULL = 0x00000050,//(null)
		 VMCS_OFFSET_VIRTUAL_APIC_PAGE_ADDR_HIGH = 0x00000054,//(null)
	  // APIC_ACCESS_ADDR_FULL	INVALID_FIELD
	  // APIC_ACCESS_ADDR_HIGH	INVALID_FIELD
	  // POSTED_INTERRUPT_DESCRIPTION_ADDR_FULL	INVALID_FIELD
	  // POSTED_INTERRUPT_DESCRIPTION_ADDR_HIGH	INVALID_FIELD
	  VMCS_OFFSET_VM_FUNCTION_CTRL_FULL = 0x00000068,//(null)
	  VMCS_OFFSET_VM_FUNCTION_CTRL_HIGH = 0x0000006c,//(null)
	  VMCS_OFFSET_EPT_POINTER_FULL = 0x00000070,//(null)
	  VMCS_OFFSET_EPT_POINTER_HIGH = 0x00000074,//(null)
   // EOI_EXIT_BITMAP_0_FULL	INVALID_FIELD
   // EOI_EXIT_BITMAP_0_HIGH	INVALID_FIELD
   // EOI_EXIT_BITMAP_1_FULL	INVALID_FIELD
   // EOI_EXIT_BITMAP_1_HIGH	INVALID_FIELD
   // EOI_EXIT_BITMAP_2_FULL	INVALID_FIELD
   // EOI_EXIT_BITMAP_2_HIGH	INVALID_FIELD
   // EOI_EXIT_BITMAP_3_FULL	INVALID_FIELD
   // EOI_EXIT_BITMAP_3_HIGH	INVALID_FIELD
   VMCS_OFFSET_EPTP_LIST_ADDRESS_FULL = 0x00000098,//(null)
   VMCS_OFFSET_EPTP_LIST_ADDRESS_HIGH = 0x0000009c,//(null)
// VMREAD_BITMAP_ADDRESS_FULL	INVALID_FIELD
// VMREAD_BITMAP_ADDRESS_HIGH	INVALID_FIELD
// VMWRITE_BITMAP_ADDRESS_FULL	INVALID_FIELD
// VMWRITE_BITMAP_ADDRESS_HIGH	INVALID_FIELD
// VE_INFO_ADDRESS_FULL	INVALID_FIELD
// VE_INFO_ADDRESS_HIGH	INVALID_FIELD
VMCS_OFFSET_GUEST_PHYSICAL_ADDR_FULL = 0x00000178,//(null)
VMCS_OFFSET_GUEST_PHYSICAL_ADDR_HIGH = 0x0000017c,//(null)
VMCS_OFFSET_VMCS_LINK_PTR_FULL = 0x000002e8,//(null)
VMCS_OFFSET_VMCS_LINK_PTR_HIGH = 0x000002ec,//(null)
VMCS_OFFSET_GUEST_IA32_DEBUGCTL_FULL = 0x000002f0,//(null)
VMCS_OFFSET_GUEST_IA32_DEBUGCTL_HIGH = 0x000002f4,//(null)
VMCS_OFFSET_GUEST_IA32_PAT_FULL = 0x000002f8,//(null)
VMCS_OFFSET_GUEST_IA32_PAT_HIGH = 0x000002fc,//(null)
VMCS_OFFSET_GUEST_IA32_EFER_FULL = 0x00000300,//(null)
VMCS_OFFSET_GUEST_IA32_EFER_HIGH = 0x00000304,//(null)
VMCS_OFFSET_GUEST_IA32_PERF_CTL_FULL = 0x00000308,//(null)
VMCS_OFFSET_GUEST_IA32_PERF_CTL_HIGH = 0x0000030c,//(null)
VMCS_OFFSET_GUEST_PDPTE0_FULL = 0x00000310,//(null)
VMCS_OFFSET_GUEST_PDPTE0_HIGH = 0x00000314,//(null)
VMCS_OFFSET_GUEST_PDPTE1_FULL = 0x00000318,//(null)
VMCS_OFFSET_GUEST_PDPTE1_HIGH = 0x0000031c,//(null)
VMCS_OFFSET_GUEST_PDPTE2_FULL = 0x00000320,//(null)
VMCS_OFFSET_GUEST_PDPTE2_HIGH = 0x00000324,//(null)
VMCS_OFFSET_GUEST_PDPTE3_FULL = 0x00000328,//(null)
VMCS_OFFSET_GUEST_PDPTE3_HIGH = 0x0000032c,//(null)
VMCS_OFFSET_HOST_IA32_PAT_FULL = 0x00000458,//(null)
VMCS_OFFSET_HOST_IA32_PAT_HIGH = 0x0000045c,//(null)
VMCS_OFFSET_HOST_IA32_EFER_FULL = 0x00000460,//(null)
VMCS_OFFSET_HOST_IA32_EFER_HIGH = 0x00000464,//(null)
VMCS_OFFSET_HOST_IA32_PERF_CTL_FULL = 0x00000468,//(null)
VMCS_OFFSET_HOST_IA32_PERF_CTL_HIGH = 0x0000046c,//(null)
VMCS_OFFSET_PIN_VM_EXEC_CONTROLS = 0x00000b88,//(null)
VMCS_OFFSET_PROC_VM_EXEC_CONTROLS = 0x00000b8c,//(null)
VMCS_OFFSET_EXCEPTION_BITMAP = 0x00000b90,//(null)
VMCS_OFFSET_PAGEFAULT_ERRCODE_MASK = 0x00000b94,//(null)
VMCS_OFFSET_PAGEFAULT_ERRCODE_MATCH = 0x00000b98,//(null)
VMCS_OFFSET_CR3_TARGET_COUNT = 0x00000b9c,//(null)
VMCS_OFFSET_EXIT_CONTROLS = 0x00000ba0,//(null)
VMCS_OFFSET_EXIT_MSR_STORE_COUNT = 0x00000ba4,//(null)
VMCS_OFFSET_EXIT_MSR_LOAD_COUNT = 0x00000ba8,//(null)
VMCS_OFFSET_ENTRY_CONTROLS = 0x00000bac,//(null)
VMCS_OFFSET_ENTRY_MSR_LOAD_COUNT = 0x00000bb0,//(null)
VMCS_OFFSET_ENTRY_INT_INFO_FIELD = 0x00000bb4,//(null)
VMCS_OFFSET_ENTRY_EXCEPTION_EC = 0x00000bb8,//(null)
VMCS_OFFSET_ENTRY_INSTR_LENGTH = 0x00000bbc,//(null)
VMCS_OFFSET_TPR_THRESHOLD = 0x00000bc0,//(null)
VMCS_OFFSET_PROC_VM_EXEC_CONTROLS2 = 0x00000bc4,//(null)
// PLE_GAP	INVALID_FIELD
// PLE_WINDOW	INVALID_FIELD
VMCS_OFFSET_INSTR_ERROR = 0x0000000c,// NOTE(review): collides with VMCS_OFFSET_IO_BITMAP_A_HIGH (0x0c) and the same 0x0c appears in the DEF10 table - suspect value; the scan code in this file never reads it
VMCS_OFFSET_EXIT_REASON = 0x00000c44,//(null)
VMCS_OFFSET_EXIT_INTERRUPT_INFO = 0x00000c48,//(null)
VMCS_OFFSET_EXIT_INTERRUPT_ERRCODE = 0x00000c4c,//(null)
VMCS_OFFSET_IDT_VECTORING_INFO_FIELD = 0x00000c50,//(null)
VMCS_OFFSET_IDT_VECTORING_ERRCODE = 0x00000c54,//(null)
VMCS_OFFSET_EXIT_INSTR_LEN = 0x00000c58,//(null)
VMCS_OFFSET_INSTR_INFO = 0x00000c5c,//(null)
VMCS_OFFSET_GUEST_ES_LIMIT = 0x00000cf8,//(null)
VMCS_OFFSET_GUEST_CS_LIMIT = 0x00000cfc,//(null)
VMCS_OFFSET_GUEST_SS_LIMIT = 0x00000d00,//(null)
VMCS_OFFSET_GUEST_DS_LIMIT = 0x00000d04,//(null)
VMCS_OFFSET_GUEST_FS_LIMIT = 0x00000d08,//(null)
VMCS_OFFSET_GUEST_GS_LIMIT = 0x00000d0c,//(null)
VMCS_OFFSET_GUEST_LDTR_LIMIT = 0x00000d10,//(null)
VMCS_OFFSET_GUEST_TR_LIMIT = 0x00000d14,//(null)
VMCS_OFFSET_GUEST_GDTR_LIMIT = 0x00000d18,//(null)
VMCS_OFFSET_GUEST_IDTR_LIMIT = 0x00000d1c,//(null)
VMCS_OFFSET_GUEST_ES_ATTR = 0x00000d20,//(null)
VMCS_OFFSET_GUEST_CS_ATTR = 0x00000d24,//(null)
VMCS_OFFSET_GUEST_SS_ATTR = 0x00000d28,//(null)
VMCS_OFFSET_GUEST_DS_ATTR = 0x00000d2c,//(null)
VMCS_OFFSET_GUEST_FS_ATTR = 0x00000d30,//(null)
VMCS_OFFSET_GUEST_GS_ATTR = 0x00000d34,//(null)
VMCS_OFFSET_GUEST_LDTR_ATTR = 0x00000d38,//(null)
VMCS_OFFSET_GUEST_TR_ATTR = 0x00000d3c,//(null)
VMCS_OFFSET_GUEST_INTERRUPTIBILITY_INFO = 0x00000d40,//(null)
VMCS_OFFSET_GUEST_ACTIVITY_STATE = 0x00000d44,//(null)
VMCS_OFFSET_GUEST_SMBASE = 0x00000d48,//(null)
VMCS_OFFSET_GUEST_IA32_SYSENTER_CS = 0x00000d4c,//(null)
// GUEST_PREEMTION_TIMER	INVALID_FIELD
VMCS_OFFSET_HOST_IA32_SYSENTER_CS = 0x00000db0,//(null)
VMCS_OFFSET_CR0_MASK = 0x000005c8,//(null)
VMCS_OFFSET_CR4_MASK = 0x000005d0,//(null)
VMCS_OFFSET_CR0_READ_SHADOW = 0x000005d8,//(null)
VMCS_OFFSET_CR4_READ_SHADOW = 0x000005e0,//(null)
VMCS_OFFSET_CR3_TARGET_0 = 0x000005e8,//(null)
VMCS_OFFSET_CR3_TARGET_1 = 0x000005f0,//(null)
VMCS_OFFSET_CR3_TARGET_2 = 0x000005f8,//(null)
VMCS_OFFSET_CR3_TARGET_3 = 0x00000600,//(null)
VMCS_OFFSET_EXIT_QUALIFICATION = 0x00000738,//(null)
VMCS_OFFSET_IO_RCX = 0x00000740,//(null)
VMCS_OFFSET_IO_RSI = 0x00000748,//(null)
VMCS_OFFSET_IO_RDI = 0x00000750,//(null)
VMCS_OFFSET_IO_RIP = 0x00000758,//(null)
VMCS_OFFSET_GUEST_LINEAR_ADDR = 0x00000760,//(null)
VMCS_OFFSET_GUEST_CR0 = 0x000008a8,//(null)
VMCS_OFFSET_GUEST_CR3 = 0x000008b0,//(null)
VMCS_OFFSET_GUEST_CR4 = 0x000008b8,//(null)
VMCS_OFFSET_GUEST_ES_BASE = 0x000008c0,//(null)
VMCS_OFFSET_GUEST_CS_BASE = 0x000008c8,//(null)
VMCS_OFFSET_GUEST_SS_BASE = 0x000008d0,//(null)
VMCS_OFFSET_GUEST_DS_BASE = 0x000008d8,//(null)
VMCS_OFFSET_GUEST_FS_BASE = 0x000008e0,//(null)
VMCS_OFFSET_GUEST_GS_BASE = 0x000008e8,//(null)
VMCS_OFFSET_GUEST_LDTR_BASE = 0x000008f0,//(null)
VMCS_OFFSET_GUEST_TR_BASE = 0x000008f8,//(null)
VMCS_OFFSET_GUEST_GDTR_BASE = 0x00000900,//(null)
VMCS_OFFSET_GUEST_IDTR_BASE = 0x00000908,//(null)
VMCS_OFFSET_GUEST_DR7 = 0x00000910,//(null)
VMCS_OFFSET_GUEST_RSP = 0x00000918,//(null)
VMCS_OFFSET_GUEST_RIP = 0x00000920,//(null)
VMCS_OFFSET_GUEST_RFLAGS = 0x00000928,//(null)
VMCS_OFFSET_GUEST_PENDING_DEBUG_EXCEPT = 0x00000930,//(null)
VMCS_OFFSET_GUEST_IA32_SYSENTER_ESP = 0x00000938,//(null)
VMCS_OFFSET_GUEST_IA32_SYSENTER_EIP = 0x00000940,//(null)
// Host-state fields below are the ones scan_vmcs_vmware_nested reads to decide
// whether a page looks like a VMCS.
VMCS_OFFSET_HOST_CR0 = 0x00000a18,//(null)
VMCS_OFFSET_HOST_CR3 = 0x00000a20,//(null)
VMCS_OFFSET_HOST_CR4 = 0x00000a28,//(null)
VMCS_OFFSET_HOST_FS_BASE = 0x00000a30,//(null)
VMCS_OFFSET_HOST_GS_BASE = 0x00000a38,//(null)
VMCS_OFFSET_HOST_TR_BASE = 0x00000a40,//(null)
VMCS_OFFSET_HOST_GDTR_BASE = 0x00000a48,//(null)
VMCS_OFFSET_HOST_IDTR_BASE = 0x00000a50,//(null)
VMCS_OFFSET_HOST_IA32_SYSENTER_ESP = 0x00000a58,//(null)
VMCS_OFFSET_HOST_IA32_SYSENTER_EIP = 0x00000a60,//(null)
VMCS_OFFSET_HOST_RSP = 0x00000a68,//(null)
VMCS_OFFSET_HOST_RIP = 0x00000a70,//(null)
		};
	};
	namespace VMCS_SCAN_DEF10
	{
		// Byte offsets inside the 4 KiB VMCS region for the layout whose first
		// dword (revision id) is 0x10, which the post attributes to SandyBridge-era
		// Core i7 parts. Like VMCS_SCAN_DEF1 this table was produced by the author's
		// own dumping tool: Intel documents the VMCS layout as implementation-
		// specific and only defines access through VMREAD/VMWRITE, so the offsets
		// hold only for the CPU/hypervisor they were derived on and must be
		// re-validated before use anywhere else. The trailing "//type" comments are
		// the tool's recorded field widths; "INVALID_FIELD" lines are presumably
		// fields it could not locate.
		enum NEW_VMCS_10
		{
			VMCS_OFFSET_VPID = 0x000002f0,//unsigned short
			VMCS_OFFSET_POSTED_INTERRUPT_NOTIFICATION_VECTOR = 0x00000044,//unsigned short
		 // EPTP_INDEX	INVALID_FIELD
		 VMCS_OFFSET_GUEST_ES_SEL = 0x00000200,//unsigned short
		 VMCS_OFFSET_GUEST_CS_SEL = 0x00000218,//unsigned short
		 VMCS_OFFSET_GUEST_SS_SEL = 0x00000230,//unsigned short
		 VMCS_OFFSET_GUEST_DS_SEL = 0x00000248,//unsigned short
		 VMCS_OFFSET_GUEST_FS_SEL = 0x00000260,//unsigned short
		 VMCS_OFFSET_GUEST_GS_SEL = 0x00000278,//unsigned short
		 VMCS_OFFSET_GUEST_LDTR_SEL = 0x00000290,//unsigned short
		 VMCS_OFFSET_GUEST_TR_SEL = 0x000002a8,//unsigned short
		 VMCS_OFFSET_GUEST_INTERRUPT_STATUS = 0x000002a8,//unsigned short - NOTE(review): same offset as VMCS_OFFSET_GUEST_TR_SEL above, likely a dump artefact; confirm before relying on it
		 VMCS_OFFSET_HOST_ES_SEL = 0x00000300,//unsigned short
		 VMCS_OFFSET_HOST_CS_SEL = 0x00000304,//unsigned short
		 VMCS_OFFSET_HOST_SS_SEL = 0x00000308,//unsigned short
		 VMCS_OFFSET_HOST_DS_SEL = 0x0000030c,//unsigned short
		 VMCS_OFFSET_HOST_FS_SEL = 0x00000310,//unsigned short
		 VMCS_OFFSET_HOST_GS_SEL = 0x00000314,//unsigned short
		 VMCS_OFFSET_HOST_TR_SEL = 0x00000318,//unsigned short
		 VMCS_OFFSET_IO_BITMAP_A_FULL = 0x000000a0,//unsigned long long
		 VMCS_OFFSET_IO_BITMAP_A_HIGH = 0x000000a4,//unsigned int
		 VMCS_OFFSET_IO_BITMAP_B_FULL = 0x000000a8,//unsigned long long
		 VMCS_OFFSET_IO_BITMAP_B_HIGH = 0x000000ac,//unsigned int
		 VMCS_OFFSET_MSR_BITMAP_FULL = 0x000000b0,//unsigned long long
		 VMCS_OFFSET_MSR_BITMAP_HIGH = 0x000000b4,//unsigned int
		 VMCS_OFFSET_EXIT_MSR_STORE_ADDR_FULL = 0x000000b8,//unsigned long long
		 VMCS_OFFSET_EXIT_MSR_STORE_ADDR_HIGH = 0x000000bc,//unsigned int
		 VMCS_OFFSET_EXIT_MSR_LOAD_ADDR_FULL = 0x000000c0,//unsigned long long
		 VMCS_OFFSET_EXIT_MSR_LOAD_ADDR_HIGH = 0x000000c4,//unsigned int
		 VMCS_OFFSET_ENTRY_MSR_LOAD_ADDR_FULL = 0x000000c8,//unsigned long long
		 VMCS_OFFSET_ENTRY_MSR_LOAD_ADDR_HIGH = 0x000000cc,//unsigned int
		 VMCS_OFFSET_EXECUTIVE_VMCS_PTR_FULL = 0x000000d0,//unsigned long long
		 VMCS_OFFSET_EXECUTIVE_VMCS_PTR_HIGH = 0x000000d4,//unsigned int
		 VMCS_OFFSET_TSC_OFFSET_FULL = 0x000000d8,//unsigned long long
		 VMCS_OFFSET_TSC_OFFSET_HIGH = 0x000000dc,//unsigned int
		 VMCS_OFFSET_VIRTUAL_APIC_PAGE_ADDR_FULL = 0x000000e0,//unsigned long long
		 VMCS_OFFSET_VIRTUAL_APIC_PAGE_ADDR_HIGH = 0x000000e4,//unsigned int
		 VMCS_OFFSET_APIC_ACCESS_ADDR_FULL = 0x00000078,//unsigned long long
		 VMCS_OFFSET_APIC_ACCESS_ADDR_HIGH = 0x0000007c,//unsigned int
		 VMCS_OFFSET_POSTED_INTERRUPT_DESCRIPTION_ADDR_FULL = 0x00000050,//unsigned long long
		 VMCS_OFFSET_POSTED_INTERRUPT_DESCRIPTION_ADDR_HIGH = 0x00000054,//unsigned int
	  // VM_FUNCTION_CTRL_FULL	INVALID_FIELD
	  // VM_FUNCTION_CTRL_HIGH	INVALID_FIELD
	  VMCS_OFFSET_EPT_POINTER_FULL = 0x000000e8,//unsigned long long
	  VMCS_OFFSET_EPT_POINTER_HIGH = 0x000000ec,//unsigned int
	  VMCS_OFFSET_EOI_EXIT_BITMAP_0_FULL = 0x00000058,//unsigned long long
	  VMCS_OFFSET_EOI_EXIT_BITMAP_0_HIGH = 0x0000005c,//unsigned int
	  VMCS_OFFSET_EOI_EXIT_BITMAP_1_FULL = 0x00000060,//unsigned long long
	  VMCS_OFFSET_EOI_EXIT_BITMAP_1_HIGH = 0x00000064,//unsigned int
	  VMCS_OFFSET_EOI_EXIT_BITMAP_2_FULL = 0x00000068,//unsigned long long
	  VMCS_OFFSET_EOI_EXIT_BITMAP_2_HIGH = 0x0000006c,//unsigned int
	  VMCS_OFFSET_EOI_EXIT_BITMAP_3_FULL = 0x00000070,//unsigned long long
	  VMCS_OFFSET_EOI_EXIT_BITMAP_3_HIGH = 0x00000074,//unsigned int
   // EPTP_LIST_ADDRESS_FULL	INVALID_FIELD
   // EPTP_LIST_ADDRESS_HIGH	INVALID_FIELD
   // VMREAD_BITMAP_ADDRESS_FULL	INVALID_FIELD
   // VMREAD_BITMAP_ADDRESS_HIGH	INVALID_FIELD
   // VMWRITE_BITMAP_ADDRESS_FULL	INVALID_FIELD
   // VMWRITE_BITMAP_ADDRESS_HIGH	INVALID_FIELD
   // VE_INFO_ADDRESS_FULL	INVALID_FIELD
   // VE_INFO_ADDRESS_HIGH	INVALID_FIELD
   VMCS_OFFSET_GUEST_PHYSICAL_ADDR_FULL = 0x000000f0,//unsigned int - NOTE(review): every other *_FULL entry is recorded as unsigned long long; this width looks like a dump glitch
   VMCS_OFFSET_GUEST_PHYSICAL_ADDR_HIGH = 0x000000f4,//unsigned int
   VMCS_OFFSET_VMCS_LINK_PTR_FULL = 0x000000f8,//unsigned long long
   VMCS_OFFSET_VMCS_LINK_PTR_HIGH = 0x000000fc,//unsigned int
   VMCS_OFFSET_GUEST_IA32_DEBUGCTL_FULL = 0x00000100,//unsigned long long
   VMCS_OFFSET_GUEST_IA32_DEBUGCTL_HIGH = 0x00000104,//unsigned int
   VMCS_OFFSET_GUEST_IA32_PAT_FULL = 0x00000108,//unsigned long long
   VMCS_OFFSET_GUEST_IA32_PAT_HIGH = 0x0000010c,//unsigned int
   VMCS_OFFSET_GUEST_IA32_EFER_FULL = 0x00000110,//unsigned long long
   VMCS_OFFSET_GUEST_IA32_EFER_HIGH = 0x00000114,//unsigned int
   VMCS_OFFSET_GUEST_IA32_PERF_CTL_FULL = 0x00000118,//unsigned long long
   VMCS_OFFSET_GUEST_IA32_PERF_CTL_HIGH = 0x0000011c,//unsigned int
   VMCS_OFFSET_GUEST_PDPTE0_FULL = 0x000003a0,//unsigned long long
   VMCS_OFFSET_GUEST_PDPTE0_HIGH = 0x000003a4,//unsigned int
   VMCS_OFFSET_GUEST_PDPTE1_FULL = 0x000003a8,//unsigned long long
   VMCS_OFFSET_GUEST_PDPTE1_HIGH = 0x000003ac,//unsigned int
   VMCS_OFFSET_GUEST_PDPTE2_FULL = 0x000003b0,//unsigned long long
   VMCS_OFFSET_GUEST_PDPTE2_HIGH = 0x000003b4,//unsigned int
   VMCS_OFFSET_GUEST_PDPTE3_FULL = 0x000003b8,//unsigned long long
   VMCS_OFFSET_GUEST_PDPTE3_HIGH = 0x000003bc,//unsigned int
   VMCS_OFFSET_HOST_IA32_PAT_FULL = 0x00000320,//unsigned long long
   VMCS_OFFSET_HOST_IA32_PAT_HIGH = 0x00000324,//unsigned int
   VMCS_OFFSET_HOST_IA32_EFER_FULL = 0x00000328,//unsigned long long
   VMCS_OFFSET_HOST_IA32_EFER_HIGH = 0x0000032c,//unsigned int
   VMCS_OFFSET_HOST_IA32_PERF_CTL_FULL = 0x00000330,//unsigned long long
   VMCS_OFFSET_HOST_IA32_PERF_CTL_HIGH = 0x00000334,//unsigned int
   VMCS_OFFSET_PIN_VM_EXEC_CONTROLS = 0x00000128,//unsigned int
   VMCS_OFFSET_PROC_VM_EXEC_CONTROLS = 0x00000120,//unsigned int
   VMCS_OFFSET_EXCEPTION_BITMAP = 0x0000012c,//unsigned int
   VMCS_OFFSET_PAGEFAULT_ERRCODE_MASK = 0x00000130,//unsigned int
   VMCS_OFFSET_PAGEFAULT_ERRCODE_MATCH = 0x00000134,//unsigned int
   VMCS_OFFSET_CR3_TARGET_COUNT = 0x00000138,//unsigned int
   VMCS_OFFSET_EXIT_CONTROLS = 0x0000013c,//unsigned int
   VMCS_OFFSET_EXIT_MSR_STORE_COUNT = 0x00000140,//unsigned int
   VMCS_OFFSET_EXIT_MSR_LOAD_COUNT = 0x00000144,//unsigned int
   VMCS_OFFSET_ENTRY_CONTROLS = 0x00000148,//unsigned int
   VMCS_OFFSET_ENTRY_MSR_LOAD_COUNT = 0x0000014c,//unsigned int
   VMCS_OFFSET_ENTRY_INT_INFO_FIELD = 0x00000150,//unsigned int
   VMCS_OFFSET_ENTRY_EXCEPTION_EC = 0x00000154,//unsigned int
   VMCS_OFFSET_ENTRY_INSTR_LENGTH = 0x00000158,//unsigned int
   VMCS_OFFSET_TPR_THRESHOLD = 0x0000015c,//unsigned int
   VMCS_OFFSET_PROC_VM_EXEC_CONTROLS2 = 0x00000124,//unsigned int
   VMCS_OFFSET_PLE_GAP = 0x00000048,//unsigned int
   VMCS_OFFSET_PLE_WINDOW = 0x0000004c,//unsigned int
   VMCS_OFFSET_INSTR_ERROR = 0x0000000c,//unsigned int - NOTE(review): identical 0x0c appears in the DEF1 table, where it collides with another field; suspect value, not read by the scan code in this file
   VMCS_OFFSET_EXIT_REASON = 0x0000016c,//unsigned int
   VMCS_OFFSET_EXIT_INTERRUPT_INFO = 0x00000170,//unsigned int
   VMCS_OFFSET_EXIT_INTERRUPT_ERRCODE = 0x00000174,//unsigned int
   VMCS_OFFSET_IDT_VECTORING_INFO_FIELD = 0x00000178,//unsigned int
   VMCS_OFFSET_IDT_VECTORING_ERRCODE = 0x0000017c,//unsigned int
   VMCS_OFFSET_EXIT_INSTR_LEN = 0x00000180,//unsigned int
   VMCS_OFFSET_INSTR_INFO = 0x00000184,//unsigned int
   VMCS_OFFSET_GUEST_ES_LIMIT = 0x00000210,//unsigned int
   VMCS_OFFSET_GUEST_CS_LIMIT = 0x00000228,//unsigned int
   VMCS_OFFSET_GUEST_SS_LIMIT = 0x00000240,//unsigned int
   VMCS_OFFSET_GUEST_DS_LIMIT = 0x00000258,//unsigned int
   VMCS_OFFSET_GUEST_FS_LIMIT = 0x00000270,//unsigned int
   VMCS_OFFSET_GUEST_GS_LIMIT = 0x00000288,//unsigned int
   VMCS_OFFSET_GUEST_LDTR_LIMIT = 0x000002a0,//unsigned int
   VMCS_OFFSET_GUEST_TR_LIMIT = 0x000002b8,//unsigned int
   VMCS_OFFSET_GUEST_GDTR_LIMIT = 0x000002d0,//unsigned int
   VMCS_OFFSET_GUEST_IDTR_LIMIT = 0x000002d4,//unsigned int
   // The eight GUEST_*_ATTR entries below were flagged MISALIGNED by the dumping
   // tool and then "FIXED" to odd offsets (0x215, 0x22d, ...). A 32-bit field at
   // an odd offset is an unaligned access and almost certainly not the real
   // field location; treat these eight as unverified. The scan functions in this
   // file do not read any of them.
   // GUEST_ES_ATTR	5634	MISALIGNED
   // GUEST_ES_ATTR	533	FIXED
   // reported_index = 215 | found_index = FFFFFFFF
   VMCS_OFFSET_GUEST_ES_ATTR = 0x00000215,//unsigned int
   // GUEST_CS_ATTR	11778	MISALIGNED
   // GUEST_CS_ATTR	557	FIXED
   // reported_index = 22D | found_index = FFFFFFFF
   VMCS_OFFSET_GUEST_CS_ATTR = 0x0000022d,//unsigned int
   // GUEST_SS_ATTR	17922	MISALIGNED
   // GUEST_SS_ATTR	581	FIXED
   // reported_index = 245 | found_index = FFFFFFFF
   VMCS_OFFSET_GUEST_SS_ATTR = 0x00000245,//unsigned int
   // GUEST_DS_ATTR	24066	MISALIGNED
   // GUEST_DS_ATTR	605	FIXED
   // reported_index = 25D | found_index = FFFFFFFF
   VMCS_OFFSET_GUEST_DS_ATTR = 0x0000025d,//unsigned int
   // GUEST_FS_ATTR	30210	MISALIGNED
   // GUEST_FS_ATTR	629	FIXED
   // reported_index = 275 | found_index = FFFFFFFF
   VMCS_OFFSET_GUEST_FS_ATTR = 0x00000275,//unsigned int
   // GUEST_GS_ATTR	36354	MISALIGNED
   // GUEST_GS_ATTR	653	FIXED
   // reported_index = 28D | found_index = FFFFFFFF
   VMCS_OFFSET_GUEST_GS_ATTR = 0x0000028d,//unsigned int
   // GUEST_LDTR_ATTR	42498	MISALIGNED
   // GUEST_LDTR_ATTR	677	FIXED
   // reported_index = 2A5 | found_index = FFFFFFFF
   VMCS_OFFSET_GUEST_LDTR_ATTR = 0x000002a5,//unsigned int
   // GUEST_TR_ATTR	48642	MISALIGNED
   // GUEST_TR_ATTR	701	FIXED
   // reported_index = 2BD | found_index = FFFFFFFF
   VMCS_OFFSET_GUEST_TR_ATTR = 0x000002bd,//unsigned int
   VMCS_OFFSET_GUEST_INTERRUPTIBILITY_INFO = 0x00000188,//unsigned int
   VMCS_OFFSET_GUEST_ACTIVITY_STATE = 0x0000018c,//unsigned int
   VMCS_OFFSET_GUEST_SMBASE = 0x00000190,//unsigned int
   VMCS_OFFSET_GUEST_IA32_SYSENTER_CS = 0x00000194,//unsigned int
   VMCS_OFFSET_GUEST_PREEMTION_TIMER = 0x00000160,//unsigned int
   VMCS_OFFSET_HOST_IA32_SYSENTER_CS = 0x00000398,//unsigned int
   VMCS_OFFSET_CR0_MASK = 0x000003c0,//unsigned long
   VMCS_OFFSET_CR4_MASK = 0x000003c8,//unsigned long
   VMCS_OFFSET_CR0_READ_SHADOW = 0x000003d0,//unsigned long
   VMCS_OFFSET_CR4_READ_SHADOW = 0x000003d8,//unsigned long
   VMCS_OFFSET_CR3_TARGET_0 = 0x000003e0,//unsigned long
   VMCS_OFFSET_CR3_TARGET_1 = 0x000003e8,//unsigned long
   VMCS_OFFSET_CR3_TARGET_2 = 0x000003f0,//unsigned long
   VMCS_OFFSET_CR3_TARGET_3 = 0x000003f8,//unsigned long
   VMCS_OFFSET_EXIT_QUALIFICATION = 0x00000198,//unsigned long
   VMCS_OFFSET_IO_RCX = 0x000001a0,//unsigned long
   VMCS_OFFSET_IO_RSI = 0x000001a8,//unsigned long
   VMCS_OFFSET_IO_RDI = 0x000001b0,//unsigned long
   VMCS_OFFSET_IO_RIP = 0x000001b8,//unsigned long
   VMCS_OFFSET_GUEST_LINEAR_ADDR = 0x000001c0,//unsigned long
   VMCS_OFFSET_GUEST_CR0 = 0x000002d8,//unsigned long
   VMCS_OFFSET_GUEST_CR3 = 0x000002e0,//unsigned long
   VMCS_OFFSET_GUEST_CR4 = 0x000002e8,//unsigned long
   VMCS_OFFSET_GUEST_ES_BASE = 0x00000208,//unsigned long
   VMCS_OFFSET_GUEST_CS_BASE = 0x00000220,//unsigned long
   VMCS_OFFSET_GUEST_SS_BASE = 0x00000238,//unsigned long
   VMCS_OFFSET_GUEST_DS_BASE = 0x00000250,//unsigned long
   VMCS_OFFSET_GUEST_FS_BASE = 0x00000268,//unsigned long
   VMCS_OFFSET_GUEST_GS_BASE = 0x00000280,//unsigned long
   VMCS_OFFSET_GUEST_LDTR_BASE = 0x00000298,//unsigned long
   VMCS_OFFSET_GUEST_TR_BASE = 0x000002b0,//unsigned long
   VMCS_OFFSET_GUEST_GDTR_BASE = 0x000002c0,//unsigned long
   VMCS_OFFSET_GUEST_IDTR_BASE = 0x000002c8,//unsigned long
   VMCS_OFFSET_GUEST_DR7 = 0x000001c8,//unsigned long
   VMCS_OFFSET_GUEST_RSP = 0x000001d0,//unsigned long
   VMCS_OFFSET_GUEST_RIP = 0x000001d8,//unsigned long
   VMCS_OFFSET_GUEST_RFLAGS = 0x000001e0,//unsigned long
   VMCS_OFFSET_GUEST_PENDING_DEBUG_EXCEPT = 0x000001e8,//unsigned long
   VMCS_OFFSET_GUEST_IA32_SYSENTER_ESP = 0x000001f0,//unsigned long
   VMCS_OFFSET_GUEST_IA32_SYSENTER_EIP = 0x000001f8,//unsigned long
   // Host-state fields below are the ones scan_vmcs_SANDYBRIDGE reads to decide
   // whether a page looks like a VMCS.
   VMCS_OFFSET_HOST_CR0 = 0x00000338,//unsigned long
   VMCS_OFFSET_HOST_CR3 = 0x00000340,//unsigned long
   VMCS_OFFSET_HOST_CR4 = 0x00000348,//unsigned long
   VMCS_OFFSET_HOST_FS_BASE = 0x00000350,//unsigned long
   VMCS_OFFSET_HOST_GS_BASE = 0x00000358,//unsigned long
   VMCS_OFFSET_HOST_TR_BASE = 0x00000360,//unsigned long
   VMCS_OFFSET_HOST_GDTR_BASE = 0x00000368,//unsigned long
   VMCS_OFFSET_HOST_IDTR_BASE = 0x00000370,//unsigned long
   VMCS_OFFSET_HOST_IA32_SYSENTER_ESP = 0x00000378,//unsigned long
   VMCS_OFFSET_HOST_IA32_SYSENTER_EIP = 0x00000380,//unsigned long
   VMCS_OFFSET_HOST_RSP = 0x00000388,//unsigned long
   VMCS_OFFSET_HOST_RIP = 0x00000390,//unsigned long
		};
	};


接着是扫描的代码
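	// Scan one physical-memory range page by page. Each page is mapped only for
	// the duration of its check and unmapped again before the next one, so at
	// most one PAGE_SIZE mapping is live at a time.
	//
	// BaseAddress   - physical start of the range (advanced in place; by value).
	// NumberOfBytes - length of the range in bytes (decremented in place; by value).
	//
	// A range length that is not a multiple of PAGE_SIZE still maps a full page
	// on the last iteration, as the original loop did.
	static void scan_physical_range(PHYSICAL_ADDRESS BaseAddress, LARGE_INTEGER NumberOfBytes)
	{
		for (; NumberOfBytes.QuadPart > 0;
			BaseAddress.QuadPart += PAGE_SIZE, NumberOfBytes.QuadPart -= PAGE_SIZE)
		{
			// NOTE(review): this maps ordinary RAM as MmNonCached while the memory
			// manager already maps the same pages cacheable; whether that cache-type
			// mix is acceptable here is worth confirming against the MmMapIoSpace
			// documentation before using the scanner outside a lab box.
			auto mapped_buffer = static_cast<PUCHAR>(MmMapIoSpace(BaseAddress, PAGE_SIZE, MmNonCached));
			if (mapped_buffer == nullptr)
			{
				// A page that cannot be mapped is skipped, as in the original scan.
				continue;
			}

			// The first dword of a VMCS region is its revision identifier. The two
			// values dispatched on are the ones the two offset tables in this file
			// (VMCS_SCAN_DEF10 / VMCS_SCAN_DEF1) were dumped with; any other value is
			// not a layout this scanner knows and the page is ignored.
			const auto revision_id = *reinterpret_cast<PULONG>(mapped_buffer);
			switch (revision_id)
			{
			case 0x10:
				scan_vmcs_SANDYBRIDGE(mapped_buffer, BaseAddress);
				break;
			case 0x1:
				scan_vmcs_vmware_nested(mapped_buffer, BaseAddress);
				break;
			default:
				break;
			}
			MmUnmapIoSpace(mapped_buffer, PAGE_SIZE);
		}
	}

	// Walk every physical-memory range reported by the memory manager and scan
	// each one for pages that look like a VMCS (see scan_physical_range).
	//
	// Prints STATUS_INSUFFICIENT_RESOURCES and returns if the range table cannot
	// be obtained. Each range's base and size are logged before it is scanned.
	void scan_phy_vmcs()
	{
		auto PhysicalMemoryBlock = MmGetPhysicalMemoryRanges();
		if (PhysicalMemoryBlock == nullptr)
		{
			DBG_PRINT("STATUS_INSUFFICIENT_RESOURCES\r\n");
			return;
		}

		// The range array is terminated by an entry whose NumberOfBytes is zero.
		for (ULONG i = 0; PhysicalMemoryBlock[i].NumberOfBytes.QuadPart != 0; ++i)
		{
			const auto& range = PhysicalMemoryBlock[i];

			DBG_PRINT("BaseAddress: %I64x\n", range.BaseAddress.QuadPart);
			DBG_PRINT("NumberOfBytes: %I64x\n", range.NumberOfBytes.QuadPart);

			scan_physical_range(range.BaseAddress, range.NumberOfBytes);
		}

		// The caller owns the array returned by MmGetPhysicalMemoryRanges and
		// releases it with ExFreePool.
		ExFreePool(PhysicalMemoryBlock);
	}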


判断VMCS的代码:
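// Heuristic check of one mapped page against the SandyBridge VMCS layout
// (revision id 0x10, offsets from ddk::VMCS_SCAN_DEF10). A page that passes is
// counted in vmcs_count and its host-state fields are printed.
//
// MapAddress  - kernel VA of the PAGE_SIZE mapping of the candidate page.
// BaseAddress - physical address of that page, printed for reference only.
//
// The test is a plausibility filter, not proof: unrelated memory that happens
// to satisfy the four conditions is reported too (false positives are expected
// and need a second, stricter pass), and a VMCS whose layout differs from the
// one the offset table was dumped on is missed.
void scan_vmcs_SANDYBRIDGE(PUCHAR MapAddress, PHYSICAL_ADDRESS BaseAddress)
{
	namespace def = ddk::VMCS_SCAN_DEF10;

	// Raw field readers over the mapped page. The offsets are the tool-dumped
	// table values, so the reads are only meaningful on the layout they came from.
	const auto read_u32 = [MapAddress](ULONG offset) {
		return *reinterpret_cast<PULONG>(MapAddress + offset);
	};
	const auto read_u64 = [MapAddress](ULONG offset) {
		return *reinterpret_cast<PULONGLONG>(MapAddress + offset);
	};

	const auto revision_id = read_u32(0);   // VMCS revision identifier
	const auto Abort_id = read_u32(4);      // VMX-abort indicator
	const auto HostCr4 = read_u64(def::VMCS_OFFSET_HOST_CR4);
	const auto VmcsLinkPtr = read_u64(def::VMCS_OFFSET_VMCS_LINK_PTR_FULL);
	const auto HostGs = read_u64(def::VMCS_OFFSET_HOST_GS_BASE);
	const auto HostCr3 = read_u64(def::VMCS_OFFSET_HOST_CR3);
	const auto HostRip = read_u64(def::VMCS_OFFSET_HOST_RIP);
	const auto HostGDTR = read_u64(def::VMCS_OFFSET_HOST_GDTR_BASE);
	const auto HostIDTR = read_u64(def::VMCS_OFFSET_HOST_IDTR_BASE);
	const auto Eptp = read_u64(def::VMCS_OFFSET_EPT_POINTER_FULL);

	// All four must hold:
	//  - bit 13 of the saved host CR4 is set: that is CR4.VMXE, which a host
	//    running VMX cannot have clear (the original comment said "VME"; VME is
	//    bit 0, 0x2000 is VMXE);
	//  - the VMCS link pointer is all ones, i.e. no linked (shadow) VMCS;
	//  - the VMX-abort indicator is zero;
	//  - the upper 32 bits of host CR4 are zero, which also rejects a page
	//    filled with 0xFF bytes.
	// The GDTR/IDTR limit filters (0x7F / 0xFFF) the author tried were found to
	// be unreliable and are deliberately not applied.
	const bool looks_like_vmcs =
		(HostCr4 & 0x2000) != 0
		&& VmcsLinkPtr == 0xFFFFFFFFFFFFFFFF
		&& Abort_id == 0
		&& (HostCr4 & 0xFFFFFFFF) == HostCr4;
	if (!looks_like_vmcs)
	{
		return;
	}

	vmcs_count++;
	DBG_PRINT("Find revision_id =%x\r\n", revision_id);
	// The second value on the CR4/CR3/GS lines is the current CPU's own
	// register (IA32_GS_BASE is MSR 0xC0000101) for side-by-side comparison.
	DBG_PRINT("HostCr4 = %p %p\r\n", HostCr4, __readcr4());
	DBG_PRINT("hostCR3 = %p %p\r\n", HostCr3, __readcr3());
	DBG_PRINT("VMCS LINK PTR = %p\r\n", VmcsLinkPtr);
	DBG_PRINT("Abort_id = %x\r\n", Abort_id);
	DBG_PRINT("hostGS = %p %p\r\n", HostGs, __readmsr(0xC0000101));
	DBG_PRINT("VMCS: %p\r\n", BaseAddress.QuadPart);

	DBG_PRINT("VMCS Host RIP: %p\r\n", HostRip);
	DBG_PRINT("VMCS Host GDTR Base: %p\r\n", HostGDTR);
	DBG_PRINT("VMCS Host IDTR Base: %p\r\n", HostIDTR);

	DBG_PRINT("VMCS Eptp :%p\r\n", Eptp);
}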
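		// Heuristic check of one mapped page against the layout the post attributes
		// to VMware's nested VMX (revision id 0x1, offsets from ddk::VMCS_SCAN_DEF1).
		// A page that passes is counted in vmcs_count and its host-state fields are
		// printed.
		//
		// MapAddress  - kernel VA of the PAGE_SIZE mapping of the candidate page.
		// BaseAddress - physical address of that page, printed for reference only.
		//
		// The conditions mirror scan_vmcs_SANDYBRIDGE and are a plausibility filter,
		// not proof: unrelated memory satisfying them is reported too, and a VMCS
		// with a different layout is missed. The vmcs_count increment was missing
		// here while the SandyBridge variant has it, so the counter undercounted
		// when only this layout was present; both variants now count alike.
		void scan_vmcs_vmware_nested(PUCHAR MapAddress, PHYSICAL_ADDRESS BaseAddress)
		{
			namespace def = ddk::VMCS_SCAN_DEF1;

			// Raw field readers over the mapped page; the offsets are tool-dumped
			// table values and only meaningful on the layout they came from.
			const auto read_u32 = [MapAddress](ULONG offset) {
				return *reinterpret_cast<PULONG>(MapAddress + offset);
			};
			const auto read_u64 = [MapAddress](ULONG offset) {
				return *reinterpret_cast<PULONGLONG>(MapAddress + offset);
			};

			const auto revision_id = read_u32(0);   // VMCS revision identifier
			const auto Abort_id = read_u32(4);      // VMX-abort indicator
			const auto HostCr4 = read_u64(def::VMCS_OFFSET_HOST_CR4);
			const auto VmcsLinkPtr = read_u64(def::VMCS_OFFSET_VMCS_LINK_PTR_FULL);
			const auto HostGs = read_u64(def::VMCS_OFFSET_HOST_GS_BASE);
			const auto HostCr3 = read_u64(def::VMCS_OFFSET_HOST_CR3);
			const auto HostRip = read_u64(def::VMCS_OFFSET_HOST_RIP);
			const auto HostGDTR = read_u64(def::VMCS_OFFSET_HOST_GDTR_BASE);
			const auto HostIDTR = read_u64(def::VMCS_OFFSET_HOST_IDTR_BASE);
			const auto Eptp = read_u64(def::VMCS_OFFSET_EPT_POINTER_FULL);

			// All four must hold: host CR4 bit 13 (CR4.VMXE) set; VMCS link pointer
			// all ones (no linked/shadow VMCS); VMX-abort indicator zero; upper 32
			// bits of host CR4 zero (also rejects a page of 0xFF bytes). The
			// GDTR/IDTR limit filters (0x7F / 0xFFF) were found unreliable and are
			// deliberately not applied.
			const bool looks_like_vmcs =
				(HostCr4 & 0x2000) != 0
				&& VmcsLinkPtr == 0xFFFFFFFFFFFFFFFF
				&& (HostCr4 & 0xFFFFFFFF) == HostCr4
				&& Abort_id == 0;
			if (!looks_like_vmcs)
			{
				return;
			}

			vmcs_count++;
			DBG_PRINT("Find revision_id =%x\r\n", revision_id);
			// Second value on the CR4/CR3/GS lines is this CPU's own register
			// (IA32_GS_BASE is MSR 0xC0000101) for side-by-side comparison.
			DBG_PRINT("HostCr4 = %p %p\r\n", HostCr4, __readcr4());
			DBG_PRINT("hostCR3 = %p %p\r\n", HostCr3, __readcr3());
			DBG_PRINT("VMCS LINK PTR = %p\r\n", VmcsLinkPtr);
			DBG_PRINT("Abort_id = %x\r\n", Abort_id);
			DBG_PRINT("hostGS = %p %p\r\n", HostGs, __readmsr(0xC0000101));
			DBG_PRINT("VMCS: %p\r\n", (BaseAddress).QuadPart);

			DBG_PRINT("VMCS Host RIP: %p\r\n", HostRip);
			DBG_PRINT("VMCS Host GDTR Base: %p\r\n", HostGDTR);
			DBG_PRINT("VMCS Host IDTR Base: %p\r\n", HostIDTR);
			DBG_PRINT("VMCS EPT POINTOR :%p\r\n", Eptp);
		}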


得到HostRip之后,可以尝试去hook HostRip从而展现其他力量了。

比如我搜索出来某东西的VMCS

Find revision_id =10
HostCr4 = 00000000001526F8 00000000001506F8
hostCR3 = 0000000314142000 00000000001AB000
VMCS LINK PTR = FFFFFFFFFFFFFFFF
Abort_id = 0
hostGS = FFFFF80079CCA3F8 FFFFF80051591000
VMCS: 0000000313F67000
VMCS Host RIP: FFFFF80079C8B47D
VMCS Host GDTR Base: FFFFE000D4030000
VMCS Host IDTR Base: FFFFE000D4040000


然后对这个hostRip的代码做hook就可以XXOO,
当然有时候需要切换hostCR3后才能访问hostRip

参考资料有的,参考blackhat2016某PPT里有提到扫描VMCS,不过老外特么没给代码,而且扯了SMM的手——用SMM上物理内存扫描的话,可以扫到被EPT保护的物理内存内部...
具体pdf名称是:
us-16-Wojtczuk-Analysis-Of-The-Attack-Surface-Of-Windows-10-Virtualization-Based-Security
和一个老的论文:
Hypervisor Memory Forensics
这个需要搜索论文库了,里面是讲了一些理论,但是有用。

最后还有一些参考的东西是google的内存离线分析工程rekall的一些wiki和issues...



讨论技术,吹水扯淡,加我的qq群:48715131


最新回复 (16)
cvcvxk 10 2017-1-25 15:46
VMCS搜索有时会搜出大量无效的VMCS,所以还需要多做一些判断,通常是搜一次,然后写一些条件再搜一次。
次元有名 1 2017-1-25 15:49
前排出售广告位
killpy 2 2017-1-25 15:58
狂顶啊 另外你的颠覆技术 被腾讯检测了 有方法破吗
cvcvxk 10 2017-1-25 16:10
你有测试过被检测么?
hzqst 3 2017-1-25 16:17
强啊老V,前几天某次更新之后 魔改版的hyperplatform也启动不了游戏了

不知道那帮人又检测了什么东西
yy虫子yy 2017-1-25 16:22
简单来说,就是VT被占坑后,从占坑者身上暴力挖出一个坑来寄生
VT的初始化工作都由占坑者完成了,寄生后直接坐享其成,就可以随便XXOO
空白即是正义 2017-1-25 16:30
厉害了wordv
空白即是正义 2017-1-25 16:44
简单来说就是游戏发现系统不支持VT结果扫出VMCS直接崩
cvcvxk 10 2017-1-25 16:48
你可以用某sys,比如360的VT框架,然后自己hook 360的hostRip
然后处理那些你感兴趣的XXOO,甚至你可以给360弄个EPT出来


在各个处理器上投递cpuid xxx然后vm-exit到你的hook,然后hook里直接vmread/vmwrite修改vt设置ept
很简单的说,是可以得

还可以hook vmware的...hook 微软hyper-v的...
哈哈
空白即是正义 2017-1-25 18:52
之前看雪崩了。。没看到 是啊 直接劫持别人的handler 无解。。。
yy虫子yy 2017-1-25 20:00
确实,与其自主做xxoo送给*P检测,不如让xxoo借尸还魂,还可以隐藏得更深
天涯何处 2017-1-26 21:11
都是套路玩得深啊!
z张冰 2017-1-29 18:50
用ept隐藏了的怎么挖?
cvcvxk 10 2017-1-29 21:14
我提到了,SMM内扫描物理内存
flukeshen 2017-2-7 10:55
暴力蛤膜,膜拜V大!
OnlyForU 2017-4-2 22:40
膜拜V大!