Re[4]: HyperVisor : Inspecting instructions

No. I mean that you have complete control over what code is to be
executed when you perform the vmlaunch/vmresume. You set the full
context for the thread about to run, including the RIP of course. So the
page of code which this RIP points to is under your control and you can
patch that code about to be executed. I was playing around with this for
certain Win32 API calls and would patch the code to perform a vmcall,
instead of the Win32 call, which would cause a vmexit.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: “Amitrajit B”
To: “Windows System Software Devs Interest List”
Sent: 6/16/2016 10:43:58 PM
Subject: Re: Re[2]: [ntdev] HyperVisor : Inspecting instructions

>@Pscott : when you say patch the opcode stream, does this mean one needs
>an agent inside the VM?
>
>On Thu, Jun 16, 2016 at 7:05 PM, PScott wrote:
>>Like I said, I have successfully implemented a scheme where I patch
>>the opcode stream being executed and have the code perform a vmcall,
>>which will result in a vmexit, when certain events occur. It is
>>definitely tedious and lengthy. As for patching the general purpose
>>instructions you are requesting, I would think, in theory, it could be
>>done but again, very tedious except in the simplest of cases.
>>
>>Pete
>>
>>–
>>Kernel Drivers
>>Windows File System and Device Driver Consulting
>>http://www.kerneldrivers.com/
>>866.263.9295
>>
>>
>>
>>------ Original Message ------
>>From: “A P”
>>To: “Windows System Software Devs Interest List”
>>Sent: 6/16/2016 6:21:47 PM
>>Subject: Re: [ntdev] HyperVisor : Inspecting instructions
>>
>>>Thanks all.
>>>
>>>@Mike : At this time it is mostly research, I want to be potentially
>>>able to add interceptors for certain instructions and inspect the
>>>data they act on. A few of these are call, ret, jmp, add, sub, mov.
>>>
>>>That’s all there is to it now.
>>>
>>>Are these instructions mentioned above trappable in VMX/SVM?
>>>
>>>How do I set a hardware breakpoint for an instruction? Since this is
>>>for research, I don’t mind the perf hit as long as it is not as bad as
>>>single stepping.
>>>
>>>
>>>On Thu, Jun 16, 2016 at 4:09 PM, Mike Larkin wrote:
>>>>On Thu, Jun 16, 2016 at 03:59:57PM -0700, A P wrote:
>>>> > Hello all,
>>>> >
>>>> > Is it possible for a hypervisor (any type) to inspect specific
>>>> > instructions? Example, say the add or sub or whatever.
>>>> >
>>>> > I am doing some reading, and it looks like one of the differences
>>>> > between a hypervisor and emulator is since emulators (potentially)
>>>> > need to implement each instruction, they can inspect each
>>>> > instruction easily and (potentially) change its behavior.
>>>> >
>>>> > However, in hypervisors, that is not the case, the goal is to
>>>> > execute instructions on the native processor hence such inspection
>>>> > is not required.
>>>> >
>>>> > But if one wants to do this in a hypervisor is that possible? I am
>>>> > aware of trap flags but I don’t want to set the cpu in single step
>>>> > mode to achieve this.
>>>> > Any other better suggestions?
>>>>
>>>>It depends on what you are trying to do. Some instructions are
>>>>trappable in VMX/SVM operation, but many are not. I can’t think of an
>>>>arbitrary way to inspect individual general purpose instructions (like
>>>>add, sub, etc) unless they are operating against memory operands and
>>>>the pages containing those operands are marked as not present in
>>>>EPT/NPT (and you are using EPT/NPT to begin with), and the hypervisor
>>>>is configured to take #PFs before the guest sees them. Then you’d at
>>>>least stand a chance. But that sort of construction certainly isn’t
>>>>general-purpose in nature and would obviously require you to set that
>>>>up ahead of time.
>>>>
>>>>If it were just a single instruction or two you wanted to trap on,
>>>>you could set a hardware breakpoint there and configure the hypervisor
>>>>to take the exception before delivery to the guest (eg, exception
>>>>bitmap exiting).
>>>>
>>>>Other instructions that are generally not trappable but cause
>>>>information leakage (like SGDT and friends) can be registered for
>>>>exits, and in those cases you’ll see those in your exit handler if you
>>>>enable those exit types.
>>>>
>>>>As in many threads on this list, why don’t you say what you are
>>>>trying to do at a higher level instead of making everyone guess,
>>>>though?
>>>>
>>>>-ml
>>>>
>>>> >
>>>> > Al
>>>> >
>>>> > —
>>>> > NTDEV is sponsored by OSR
>>>> >
>>>> > Visit the list online at:
>>>>http:
>>>> >
>>>> > MONTHLY seminars on crash dump analysis, WDF, Windows internals
>>>>and software drivers!
>>>> > Details at http:
>>>> >
>>>> > To unsubscribe, visit the List Server section of OSR Online at
>>>>http:
>>>>
>>>
>>
>
>
>
>–
>
>- ab
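Mike’s three suggestions quoted above (exception-bitmap exiting, a hardware breakpoint at one fixed address, and EPT/NPT pages marked not present so accesses to memory operands fault into the hypervisor) modelled as an added user-mode C example. This is constructed code, not from the thread or any hypervisor; the VMCS exception bitmap, DR7 and the EPT leaf entries are plain variables laid out per the Intel SDM, and the guest instruction stream is a constructed table of memory accesses.

```c
/* Added model of the three exit paths in Mike's reply. Constructed example, not code from
 * the thread or any real hypervisor: the VMCS exception bitmap, DR7 and the EPT leaf entries
 * are plain variables laid out as in the Intel SDM, so this runs in user mode without VMX. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>
/* 1. Exception bitmap: bit n set => vector n exits to the hypervisor before the guest IDT sees it. */
#define VEC_DB 1    /* #DB: hardware breakpoint or single-step */
#define VEC_BP 3    /* #BP: int3 */
static uint32_t exception_bitmap;
static void arm_exception_exits(void) { exception_bitmap = (1u << VEC_DB) | (1u << VEC_BP); }
static bool exception_exits(int vector) { return (exception_bitmap >> vector) & 1u; }
/* 2. DR7 for an execute breakpoint in slot 0..3 (DRn holds the address; assumed written separately).
 * Ln is bit 2n; R/Wn (bits 16+4n..17+4n) = 00 means execute and LENn (bits 18+4n..19+4n) must then
 * be 00. With VEC_DB in the bitmap, the hit exits before the guest's #DB handler runs. */
static uint64_t dr7_exec_breakpoint(uint64_t dr7, int slot) {
    dr7 |= 1ull << (2 * slot);               /* Ln: enable the slot */
    dr7 &= ~(0xfull << (16 + 4 * slot));     /* R/Wn = 00, LENn = 00 */
    return dr7;
}
/* 3. EPT leaf permissions and the EPT-violation exit qualification (SDM Vol. 3, 27.2.1). */
#define EPT_R (1u << 0)
#define EPT_W (1u << 1)
#define EPT_X (1u << 2)
#define EQ_READ  (1u << 0)   /* the access was a data read */
#define EQ_WRITE (1u << 1)   /* the access was a data write */
#define EQ_FETCH (1u << 2)   /* the access was an instruction fetch */
#define EQ_ENT_R (1u << 3)   /* the entry allowed reads */
#define EQ_ENT_W (1u << 4)   /* the entry allowed writes */
#define EQ_ENT_X (1u << 5)   /* the entry allowed execution */
#define N_PAGES 16           /* toy guest-physical space of 16 pages */
enum acc { ACC_READ = EQ_READ, ACC_WRITE = EQ_WRITE, ACC_FETCH = EQ_FETCH };
struct exit_log { uint64_t gpa; uint32_t qual; };
struct monitor {
    uint8_t perm[N_PAGES];   /* R/W/X bits of one EPT leaf entry per page */
    int rearm_page;          /* page to revoke again after the single step, or -1 */
    struct exit_log log[8]; int nlog;
};
/* MMU model: true if the access completes natively, false if it raises an EPT violation;
 * then *e holds what the exit handler would read from the exit qualification. */
static bool ept_access(const struct monitor *m, uint64_t gpa, enum acc a, struct exit_log *e) {
    uint8_t p = m->perm[gpa >> 12];
    uint8_t need = a == ACC_READ ? EPT_R : a == ACC_WRITE ? EPT_W : EPT_X;
    if (p & need) return true;
    e->gpa = gpa;
    e->qual = (uint32_t)a | ((p & EPT_R) ? EQ_ENT_R : 0) | ((p & EPT_W) ? EQ_ENT_W : 0)
            | ((p & EPT_X) ? EQ_ENT_X : 0);
    return false;
}
/* Exit handler: log the access, restore the page so the faulting instruction completes on
 * resume, and remember to revoke it again after one step (a real handler sets the monitor
 * trap flag to get that one-instruction exit). */
static void on_ept_violation(struct monitor *m, const struct exit_log *e) {
    if (m->nlog < 8) m->log[m->nlog++] = *e;
    m->perm[e->gpa >> 12] = EPT_R | EPT_W | EPT_X;
    m->rearm_page = (int)(e->gpa >> 12);
}
static void on_monitor_trap(struct monitor *m) {
    if (m->rearm_page >= 0) { m->perm[m->rearm_page] = 0; m->rearm_page = -1; }
}
static struct monitor g_mon;
/* Constructed guest: each entry is one instruction's memory access. Register-only
 * instructions (add eax, ebx) have no entry because nothing about them can exit, which is
 * Mike's "not general-purpose" caveat. Returns the number of EPT-violation exits. */
static int run_demo(void) {
    static const struct { uint64_t gpa; enum acc a; } stream[] = {
        {0x1000, ACC_FETCH},   /* code page, untouched: runs natively */
        {0x5010, ACC_READ},    /* mov eax, [0x5010]: operand on the watched page */
        {0x2000, ACC_WRITE},   /* unrelated data page */
        {0x5020, ACC_WRITE},   /* add [0x5020], eax */
        {0x5020, ACC_FETCH},   /* a fetch from a not-present page exits too */
    };
    memset(&g_mon, 0, sizeof g_mon);
    memset(g_mon.perm, EPT_R | EPT_W | EPT_X, sizeof g_mon.perm);   /* identity map, all allowed */
    g_mon.rearm_page = -1;
    g_mon.perm[0x5000 >> 12] = 0;   /* Mike's setup: the operand page is marked not present */
    int exits = 0;
    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++) {
        struct exit_log e;
        if (ept_access(&g_mon, stream[i].gpa, stream[i].a, &e)) continue;
        exits++;
        on_ept_violation(&g_mon, &e);
        ept_access(&g_mon, stream[i].gpa, stream[i].a, &e);   /* resume: now succeeds */
        on_monitor_trap(&g_mon);                              /* MTF exit: re-arm the page */
    }
    return exits;
}
int main(void) {   /* stand-alone run: prints what the exit handler logged */
    int exits = run_demo();
    for (int i = 0; i < g_mon.nlog; i++)
        printf("EPT violation: gpa %#llx qual %#x\n", (unsigned long long)g_mon.log[i].gpa, g_mon.log[i].qual);
    printf("%d exits; DR7 for slot 0 = %#llx\n", exits, (unsigned long long)dr7_exec_breakpoint(0, 0));
    return 0;
}
```

The log shows the trap fires per page access, not per instruction, and an instruction with no memory operand never appears at all; execute-only entries (X without R/W) need the CPU's execute-only EPT capability, which is why the model uses the not-present form Mike describes.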

@maxim : this is interesting, emulation would be slow as hell, but the UI
of the guest seems to work fine on MS Hv, so they surely have done some
magic there :)

@Pscott : when the process loads, the Hv gets a trigger as part of the
thread switch and cr3/GDT loading. Sure, at that point the vmexit gets the
control to the Hv. One can potentially read the pages of the process and
say replace call (E8) with VMCALL which would force a VMExit when a call
gets executed for that page. Also, to make it transparent to the guest, we
can have two views, one for read/write and the other for execute, so that
if someone reads the pages in they won’t see the inline patching.

Is this what you are explaining?


On Fri, Jun 17, 2016 at 11:07:11AM -0700, A P wrote:

> @maxim : this is interesting, emulation would be slow as hell, but the UI
> of the guest seems to work fine on MS Hv, so they surely have done some
> magic there :)
>
> @Pscott : when the process loads, the Hv gets a trigger as part of the
> thread switch and cr3/GDT loading. Sure, at that point the vmexit gets the
> control to the Hv. One can potentially read the pages of the process and
> say replace call (E8) with VMCALL which would force a VMExit when a call
> gets executed for that page. Also, to make it transparent to the guest, we
> can have two views, one for read/write and the other for execute, so that
> if someone reads the pages in they won’t see the inline patching.
>
> Is this what you are explaining?

So now it’s clear. You want to use this to evade patchguard, right?

-ml


>@maxim : this is interesting, emulation would be slow as hell

Depends on what level.

If they hook the whole EngBitBlt path in the guest, converting it to 1 vmcall, and then the server side executes the same EngBitBlt on the in-memory screen - it will not.

At least there will be no VGA register accesses, with a vmexit per each.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

A P wrote:

> @Mike : At this time it is mostly research, I want to be potentially
> able to add interceptors for certain instructions and inspect the data
> they act on. A few of these are call, ret, jmp, add, sub, mov.

Then you need to use an emulator. QEMU, maybe?

> Are these instructions mentioned above trappable in VMX/SVM?

No. The VM runs at full CPU speed, and only stops when there is an
exception.

> How do I set a hardware breakpoint for an instruction? Since this is
> for research, I don’t mind the perf hit as long as it is not as bad as
> single stepping.

You can set a hardware breakpoint at a specific address. You can’t set
a breakpoint for certain instructions.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

@Mike : No, I have no such intention. Let’s not jump to conclusions here.
The learned say that one man’s hero is another man’s terrorist, so
typecasting and stereotyping based on just a paragraph of discussion is
perhaps not advisable. If memory serves, you were the CTO of Ringcube; if
so, then when you were developing your product, I am sure someone else must
have made a similar comment :)

As I said this is about research, not for any products, and this is
certainly not about evading any existing security technology.


On Fri, Jun 17, 2016 at 11:43:16AM -0700, A P wrote:

> @Mike : No, I have no such intention. Let’s not jump to conclusions here.
> The learned say that one man’s hero is another man’s terrorist, so
> typecasting and stereotyping based on just a paragraph of discussion is
> perhaps not advisable. If memory serves, you were the CTO of Ringcube; if
> so, then when you were developing your product, I am sure someone else must
> have made a similar comment :)

Yep, that was me. We tried an approach like this and shelved it when we
determined it was unsupportable and unmaintainable.

If you really want to go down this path, you’ll also need to consider:

* self modifying code
* code that gets paged out after you patched it and gets paged back in
with a fresh copy of the page from disk later
* other code that detects your patching and unpatches it
* making sure you support VMX and SVM (unless you don’t care about AMD)

… etc.

If you’re just trying to understand how to force exits on a *particular*
instruction (e.g. an instruction at address X), then you’ve been presented with
advice on how to do that (several ways). If you are still looking for a way
to generically patch all instructions of a given type, then you’re going to
be looking at a full-fledged binary translator of some kind, as has been
pointed out here.

If you are instead trying to present different views of memory when read
vs. when executed, there are far easier ways to do that than by using VMX/SVM
(I only mention this because you talked about “not seeing patches when read”
earlier).

Good luck with your project.

-ml


On Fri, Jun 17, 2016 at 12:08:27PM -0700, Mike Larkin wrote:

PS - I know you asked about GP instructions like or/and/sub, but if you
wanted to instrument and monitor branching, you could use IPT instead. It
doesn’t catch the instructions listed above but it can be used to monitor
program flow.


> I am doing some reading, and it looks like one of the differences between
> a hypervisor and emulator is since emulators (potentially) need to implement
> each instruction, they can inspect each instruction easily and (potentially) change its behavior.

Well, I would not try making a clear distinction between these two, in the first place. In my book, you can think of an emulator as a specific form of Type 2 hypervisor in the sense that it emulates the target instruction set entirely in software. However, as long as the instruction sets of the host and guest targets are compatible with one another, you can implement any combination of emulation and native execution in your hypervisor.

For example, you can pre-scan the userland code that you are about to execute for INT N and SYSENTER instructions, replace these opcodes with traps (like, for example, INT 3) to make sure that a guest’s userland does not attempt making a system call to the host’s kernel, and then natively execute the guest’s userland code on the CPU (BTW, I heard that VMware Workstation does something more or less similar to that). Another example is libvirt, which relies upon QEMU software emulation when it comes to executing real-mode code, and on KVM (which makes use of hardware-assisted virtualisation extensions) when executing protected-mode code…

Anton Bassov