SimpleVisor state after vmlaunch question

Sergey_Pisarev Member Posts: 236
Hello!

Here https://github.com/ionescu007/SimpleVisor/blob/master/shvvmxhv.c at
line 70 the comment says:

// If we got here, either VMCS setup failed in some way, or the launch
// did not proceed as planned.

So if the CPU successfully switched into non-root mode, vmlaunch never returns in
root mode.
I don't really understand why. After launching a normal VM, vmlaunch should
return in root mode.

Why doesn't such a return happen in the case of hyperjacking?

Comments

  • Mike_Larkin Member Posts: 28
    On Tue, Jan 31, 2017 at 12:24:25PM +0300, Sergey Pisarev wrote:
    > Hello !
    >
    > Here https://github.com/ionescu007/SimpleVisor/blob/master/shvvmxhv.c at
    > line 70 comment:
    >
    > // If we got here, either VMCS setup failed in some way, or the launch
    > // did not proceed as planned.
    >
    >
    >
    > So if CPU successfull switched in non-root mode vmlaunch never returns in
    > root mode.
    > I don't really understand why. After launching normal VM vmlaunch should
    > return in root-mode.
    >
    > Why such return doesn't happen in case of hyperjacking ?

    Hi Sergey,

    If I understand your question correctly, vmlaunch (or for that matter,
    vmresume as well) can fail if you have invalid VMCS state in some way
    (impossible settings/controls, or bad host state values). In this case,
    the VMCS will not be launched, either OF or CF will be set in RFLAGS to
    convey the reason for failure to launch, and control will fall through
    to the instruction following the vmlaunch/vmresume function.

    The Intel SDM describes reasons why launch/resume can fail (there are a bunch
    of things checked - search the SDM for VMfailValid and VMfailInvalid, it's
    explained in vol3, ch30).

    Remember that the "return" from vmlaunch isn't the next instruction, that
    only happens if something went wrong. The "return" is actually to the location
    specified by the VMCS field for host %rip, which in most hypervisors is set
    to the exit handler code (or something that ends up calling the exit handler
    code at some point later).

    Hope this helps.

    -ml

  • Sergey_Pisarev Member Posts: 236
    Hi Mike

    Thank you for the very elaborate answer. So do I understand correctly that
    a successful vmlaunch never returns, even in the case of a "normal" VM?

  • Mike_Larkin Member Posts: 28
    On Tue, Jan 31, 2017 at 01:05:21PM +0300, Sergey Pisarev wrote:
    > Hi Mike
    >
    > Thank you for very elaborate answer. So do i understand correctly that
    > successful vmlaunch never returns, even in the case of "normal" VM ?

    Execution will not continue to the next instruction unless an error occurred.

    Technically, one could set the host %rip setting to also be the next
    instruction after vmlaunch, but then you'd need to take care to also ensure
    that the host %rflags setting has CF and OF cleared, to be able to tell
    if you continued to the next instruction because of failure, or because you
    exited there. Generally you set host %rip to point to some other function; then
    you can be sure that if you ended up in that function, you certainly at least
    passed the host state area and VMCS controls check part of the vmlaunch.

    The SDM explains this in far more detail, along with all the checks that are
    performed.

    It may be worth noting that AMD SVM behaves slightly differently here -
    the equivalent instruction (vmrun) always returns to the subsequent instruction
    and you don't put a "host %rip" value into the VMCB. You just check for an
    error condition after each vmrun to determine if you entered the VM or failed
    for some reason.

    -ml


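As an added example (not SimpleVisor's code and not Mike's), here is how the fall-through path after vmlaunch can be decoded using the Intel SDM conventions the replies point to: VMfailInvalid sets CF, VMfailValid sets ZF and stores an error number in the VM-instruction error field, and a VM exit clears RFLAGS except bit 1, which is why reaching the next instruction with clean flags can only be told apart from a "real" successful launch by knowing where HOST_RIP points. The error numbers, the field encoding and the inline vmlaunch wrapper (x86-64 only, meaningful only in VMX root operation with a current VMCS) are assumptions taken from the SDM, not from the thread.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define RFLAGS_CF (1ULL << 0)
#define RFLAGS_ZF (1ULL << 6)

typedef enum {
    VMX_SUCCEED,       /* CF, PF, AF, ZF, SF, OF all clear */
    VMX_FAIL_INVALID,  /* CF=1: no current VMCS */
    VMX_FAIL_VALID,    /* ZF=1: error number in VM-instruction error field (0x4400) */
    VMX_FAIL_UNKNOWN   /* not an SDM-defined pattern */
} vmx_status_t;

/* Classify the RFLAGS seen on the instruction after vmlaunch/vmresume. */
vmx_status_t vmx_classify(uint64_t rflags)
{
    bool cf = rflags & RFLAGS_CF, zf = rflags & RFLAGS_ZF;
    if (cf && !zf) return VMX_FAIL_INVALID;
    if (zf && !cf) return VMX_FAIL_VALID;
    if ((rflags & 0x8D5ULL) == 0) return VMX_SUCCEED;  /* status bits 0,2,4,6,7,11 */
    return VMX_FAIL_UNKNOWN;
}

/* VM-instruction error numbers relevant to entry (SDM Vol. 3, Appendix B). */
const char *vmx_error_string(uint64_t err)
{
    switch (err) {
    case 4:  return "VMLAUNCH with non-clear VMCS";
    case 7:  return "VM entry with invalid control field(s)";
    case 8:  return "VM entry with invalid host-state field(s)";
    default: return "other VM-instruction error";
    }
}

/* A successful launch jumps to HOST_RIP, and a VM exit clears RFLAGS (except
 * bit 1), so clean flags on the next instruction mean "an exit landed here"
 * only when HOST_RIP was deliberately set to that address. */
bool vmx_fallthrough_is_vmexit(uint64_t rflags, bool host_rip_is_next_insn)
{
    return host_rip_is_next_insn && vmx_classify(rflags) == VMX_SUCCEED;
}
#if defined(__x86_64__)
/* Run vmlaunch and capture CF/ZF on fall-through; VMX root operation only. */
static inline uint64_t vmx_launch_raw(void)
{
    uint8_t cf, zf;
    __asm__ __volatile__("vmlaunch\n\tsetc %0\n\tsetz %1" : "=q"(cf), "=q"(zf) : : "cc", "memory");
    return (cf ? RFLAGS_CF : 0) | (zf ? RFLAGS_ZF : 0);
}
#endif
```

In a SimpleVisor-style layout HOST_RIP is the exit handler, so the only way to arrive at the instruction after vmlaunch is one of the two failure classes above, which is exactly what the comment at line 70 is saying.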
  • Sergey_Pisarev Member Posts: 236
    Thank you very much, Mike!

    Great, elaborate explanation. I think now I understand how things work.

    Some things, at least :)
