Implement simple example of syscall interception #8
Comments
I would be interested in how you approach this as there is no trapping support for Intel WRT the syscall instruction. There are ways to do it, but they are not pretty.
I'm thinking about an approach which sets a custom MSR_LSTAR and returns the original MSR_LSTAR on RDMSR. That will require writing a custom syscall handler. I didn't peek yet into how much work it will take or how ugly that solution will be.
I don't think you can do MSR_LSTAR hooks unless you somehow disable the meltdown patch (or expose your handler to all UM processes, and on every new process creation). I've tried setting MSR_LSTAR many times, but it results in an instant BSOD in some random process due to a page fault (which I'm assuming is because of the meltdown patch). The code I tested was just a simple jump to the original address that had been stored in MSR_LSTAR. Probably best to just stick with EPT shadowing.
You can use this project for reference for hooking syscalls. I couldn't get HyperBone to load for me, but the author is a genius and his code is very clean and minimal: https://github.com/DarthTon/HyperBone
Resurrecting this thread after I read this post: https://revers.engineering/syscall-hooking-via-extended-feature-enable-register-efer/ Basically, by disabling the EFER.SCE flag, you'll get #UD on syscall/sysret instructions, which you can trap and emulate in the hypervisor. It is not a new technique; it has already been used and described e.g. by Nitro, SecVisor, and I'm pretty sure I've seen it in a few other papers too in the past. That post just made me realize I have this issue here hanging. Although I'm not in urgent need to have this feature implemented, I'll leave it here for when that time comes.
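As an added illustration of the EFER.SCE technique described in the comment above (this is example code written for this page, not HyperPlatform, HyperBone or the linked post's code): with SCE cleared the guest's SYSCALL and SYSRET raise #UD, so the hypervisor's #UD exit handler has to decode the faulting bytes and carry out the instruction semantics from the Intel SDM itself, while RDMSR on EFER is shadowed so the guest still believes SCE is set. The guest register model, the hit counter and all helper names are assumptions made for this example; the STAR/LSTAR/FMASK values are constructed, and the counting of syscall numbers stands in for whatever monitoring the trap is meant to feed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the guest registers the trap needs to touch. */
typedef struct {
    uint64_t rip, rflags, rax, rcx, r11;
    uint16_t cs, ss;
    uint64_t efer, star, lstar, fmask;   /* guest's real EFER plus the SYSCALL MSRs */
} guest_state;

#define EFER_SCE         (1ULL << 0)
#define RFLAGS_RF        (1ULL << 16)
#define SYSRET_FLAG_MASK 0x3C7FD7ULL      /* bits SYSRET restores from R11 (SDM) */

/* Per-syscall-number hit counter: the monitoring side of the interception. */
static uint64_t syscall_hits[512];

uint64_t syscall_hit_count(unsigned n) { return n < 512 ? syscall_hits[n] : 0; }

/* Value returned to the guest on RDMSR of EFER: SCE is reported as set, so the
 * guest kernel never notices that SYSCALL is actually faulting. */
uint64_t shadow_efer_read(const guest_state *g) { return g->efer | EFER_SCE; }

static bool canonical(uint64_t va) {
    uint64_t hi = va >> 47;
    return hi == 0 || hi == 0x1FFFF;
}

/* SYSCALL semantics in 64-bit mode (Intel SDM Vol. 2, "SYSCALL"). */
static void emulate_syscall(guest_state *g, size_t insn_len) {
    if (g->rax < 512) syscall_hits[g->rax]++;      /* record the syscall number */
    g->rcx = g->rip + insn_len;                    /* return address */
    g->r11 = g->rflags;                            /* saved flags */
    g->rip = g->lstar;                             /* kernel entry point */
    g->rflags &= ~(g->fmask | RFLAGS_RF);          /* mask flags, clear RF */
    g->cs = (uint16_t)((g->star >> 32) & 0xFFFC);
    g->ss = (uint16_t)((g->star >> 32) + 8);
}

/* SYSRET with REX.W (return to 64-bit user mode). Returns false where the
 * real CPU would raise #GP(0), so the caller can inject that instead. */
static bool emulate_sysret64(guest_state *g) {
    if (!canonical(g->rcx)) return false;
    g->rip = g->rcx;
    g->rflags = (g->r11 & SYSRET_FLAG_MASK) | 2;   /* bit 1 is always set */
    g->cs = (uint16_t)(((g->star >> 48) + 16) | 3); /* RPL forced to 3 */
    g->ss = (uint16_t)(((g->star >> 48) + 8) | 3);
    return true;
}

typedef enum { UD_REFLECT, UD_INJECT_GP, UD_SYSCALL, UD_SYSRET } ud_action;

/* What the VM-exit handler would call for a #UD in the guest, with the
 * instruction bytes already fetched from guest RIP. */
ud_action handle_ud(guest_state *g, const uint8_t *insn, size_t len) {
    if (g->efer & EFER_SCE)                        /* SCE really on: genuine #UD */
        return UD_REFLECT;
    if (len >= 2 && insn[0] == 0x0F && insn[1] == 0x05) {   /* SYSCALL */
        emulate_syscall(g, 2);
        return UD_SYSCALL;
    }
    if (len >= 3 && insn[0] == 0x48 && insn[1] == 0x0F && insn[2] == 0x07) /* REX.W SYSRET */
        return emulate_sysret64(g) ? UD_SYSRET : UD_INJECT_GP;
    return UD_REFLECT;                             /* some other undefined opcode */
}

/* Constructed guest state: a user-mode SYSCALL with SCE cleared by the hypervisor. */
guest_state make_guest(void) {
    guest_state g = {0};
    g.rip = 0x7FF600001234ULL; g.rflags = 0x246; g.rax = 0x3B;
    g.cs = 0x33; g.ss = 0x2B;
    g.efer = 0;                                    /* SCE cleared by the hypervisor */
    g.star = 0x0023001000000000ULL;                /* kernel CS base 0x10, SYSRET base 0x23 */
    g.lstar = 0xFFFFF80000001000ULL;               /* constructed kernel entry address */
    g.fmask = 0x4700;                              /* constructed: clear TF, IF, DF, NT */
    return g;
}

int main(void) {
    guest_state g = make_guest();
    static const uint8_t syscall_bytes[] = {0x0F, 0x05};
    static const uint8_t sysret_bytes[]  = {0x48, 0x0F, 0x07};
    handle_ud(&g, syscall_bytes, sizeof syscall_bytes);
    printf("syscall %#llx -> rip %#llx cs %#x ss %#x rflags %#llx\n",
           (unsigned long long)g.rax, (unsigned long long)g.rip, g.cs, g.ss,
           (unsigned long long)g.rflags);
    handle_ud(&g, sysret_bytes, sizeof sysret_bytes);
    printf("sysret -> rip %#llx cs %#x ss %#x hits[0x3b]=%llu\n",
           (unsigned long long)g.rip, g.cs, g.ss,
           (unsigned long long)syscall_hit_count(0x3B));
    return 0;
}
```

The decode step is deliberately strict: only the exact SYSCALL and REX.W SYSRET encodings are emulated, and anything else (or a #UD that arrives while SCE is genuinely set) is reflected back to the guest unchanged, which is what keeps the trap from turning an unrelated guest fault into silent misbehaviour.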
Redirecting RIP to a custom handler at the CR3 switching moment is fine when KvaShadow is enabled.
But that means you gotta set the CR3 load exiting bit in the proc based controls VMCS field. You're gonna suffer some pretty big performance hits since you'll have to exit on every MOV to CR3 instruction. :( Best solution is to find some way to do this without exiting. I have a solution by manually adding pages to the shadow page tables, but the implementation is pretty heavy and relies on a bunch of undocumented stuff, which is why I favor using the EFER MSR hook.