Thank you very much, Mike!
Great, elaborate explanation. I think now I understand how things work.
Some things, at least.
On Tue, Jan 31, 2017 at 1:21 PM, Mike Larkin wrote:
> On Tue, Jan 31, 2017 at 01:05:21PM +0300, Sergey Pisarev wrote:
> > Hi Mike
> >
> > Thank you for very elaborate answer. So do i understand correctly that
> > successful vmlaunch never returns, even in the case of “normal” VM ?
>
> Execution will not continue to the next instruction unless an error
> occurred.
>
> Technically, one could set the host %rip setting to also be the next
> instruction after vmlaunch, but then you’d need to take care to also ensure
> that the host %rflags setting has CF and OF cleared, to be able to tell
> if you continued to the next instruction because of failure, or because you
> exited there. Generally you set host %rip to point to some other function,
> then you can be sure that if you ended up in that function, you certainly at
> least passed the host state area and VMCS controls check part of the vmlaunch.
>
> The SDM explains this in far more detail, along with all the checks that
> are performed.
>
> It may be worth noting that AMD SVM behaves slightly differently here -
> the equivalent instruction (vmrun) always returns to the subsequent
> instruction and you don’t put a “host %rip” value into the VMCB. You just
> check for an error condition after each vmrun to determine if you entered
> the VM or failed for some reason.
>
> -ml
>
>
> >
> > On Tue, Jan 31, 2017 at 12:40 PM, Mike Larkin wrote:
> >
> > > On Tue, Jan 31, 2017 at 12:24:25PM +0300, Sergey Pisarev wrote:
> > > > Hello!
> > > >
> > > > Here https://github.com/ionescu007/SimpleVisor/blob/master/shvvmxhv.c at
> > > > line 70 comment:
> > > >
> > > > // If we got here, either VMCS setup failed in some way, or the launch
> > > > // did not proceed as planned.
> > > >
> > > > So if the CPU successfully switched into non-root mode, vmlaunch never
> > > > returns in root mode.
> > > > I don’t really understand why. After launching a normal VM, vmlaunch
> > > > should return in root mode.
> > > >
> > > > Why doesn’t such a return happen in the case of hyperjacking?
> > >
> > > Hi Sergey,
> > >
> > > If I understand your question correctly, vmlaunch (or for that matter,
> > > vmresume as well) can fail if you have invalid VMCS state in some way
> > > (impossible settings/controls, or bad host state values). In this case,
> > > the VMCS will not be launched, either OF or CF will be set in RFLAGS to
> > > convey the reason for failure to launch, and control will fall through
> > > to the instruction following the vmlaunch/vmresume function.
> > >
> > > The Intel SDM describes reasons why launch/resume can fail (there are a
> > > bunch of things checked - search the SDM for VMfailValid and VMfailInvalid,
> > > it’s explained in vol3, ch30).
> > >
> > > Remember that the “return” from vmlaunch isn’t the next instruction, that
> > > only happens if something went wrong. The “return” is actually to the
> > > location specified by the VMCS field for host %rip, which in most
> > > hypervisors is set to the exit handler code (or something that ends up
> > > calling the exit handler code at some point later).
> > >
> > > Hope this helps.
> > >
> > > -ml
> > >
> > > >
> > > > —
> > > > NTDEV is sponsored by OSR
> > > >
> > > > Visit the list online at: http:> > > showlists.cfm?list=ntdev>
> > > >
> > > > MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> > > software drivers!
> > > > Details at http:
> > > >
> > > > To unsubscribe, visit the List Server section of OSR Online at <
> > > http://www.osronline.com/page.cfm?name=ListServer>
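Mike's point about telling a failed vmlaunch apart from a VM exit that landed at the same address, as an added example of my own (not SimpleVisor's code and not from the thread): the flag decoding follows the SDM's VMfailInvalid/VMfailValid convention, the error-number strings, the 0x4400 field encoding and AMD's VMEXIT_INVALID come from the Intel SDM and AMD APM, and the function and enum names are my own.

```c
/* Added example, not code from SimpleVisor or from the thread: interpreting
 * the state a hypervisor sees at the instruction after VMLAUNCH/VMRESUME.
 * Per the Intel SDM: CF=1 means VMfailInvalid (no current VMCS), OF=1 means
 * VMfailValid (the VM-instruction error field, VMCS encoding 0x4400, says
 * why). Only if host %rip was pointed at this same spot AND host RFLAGS was
 * written with CF and OF clear does CF=OF=0 mean a VM exit landed here. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RFLAGS_CF (1ULL << 0)
#define RFLAGS_OF (1ULL << 11)

enum vmx_entry_outcome {
    VMX_VMFAIL_INVALID,  /* CF=1: no current VMCS, error field unavailable */
    VMX_VMFAIL_VALID,    /* OF=1: current VMCS is valid, read the error field */
    VMX_VMEXIT_ARRIVED   /* CF=OF=0: entry succeeded, guest exited back here */
};

/* Entry-related rows of the SDM table "VM-Instruction Error Numbers". */
static const char *vmx_error_str(uint32_t err)
{
    switch (err) {
    case 4:  return "VMLAUNCH with non-clear VMCS";
    case 5:  return "VMRESUME with non-launched VMCS";
    case 7:  return "VM entry with invalid control field(s)";
    case 8:  return "VM entry with invalid host-state field(s)";
    default: return "other VM-instruction error";
    }
}

/* rflags: RFLAGS sampled right after the vmlaunch; err: VM-instruction error
 * field, only meaningful when the result is VMX_VMFAIL_VALID; reason may be NULL. */
enum vmx_entry_outcome vmx_classify(uint64_t rflags, uint32_t err,
                                    const char **reason)
{
    const char *why;
    enum vmx_entry_outcome out;
    if (rflags & RFLAGS_CF) { out = VMX_VMFAIL_INVALID; why = "VMfailInvalid: no current VMCS"; }
    else if (rflags & RFLAGS_OF) { out = VMX_VMFAIL_VALID; why = vmx_error_str(err); }
    else { out = VMX_VMEXIT_ARRIVED; why = "VM exit delivered to host %rip"; }
    if (reason) *reason = why;
    return out;
}

/* AMD SVM contrast from the thread: VMRUN always falls through, so failure is
 * signalled instead by the VMCB exit code VMEXIT_INVALID (-1). */
int svm_vmrun_failed(uint64_t exitcode) { return exitcode == (uint64_t)-1; }
```

The CF=OF=0 branch is only trustworthy under the precondition in the header comment; with host %rip pointing at a separate exit handler, as most hypervisors do, only the two failure branches are ever reached at the fall-through point.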