Trying vmcall from a wow64 process #13

Closed
soltrac opened this issue Oct 3, 2018 · 3 comments
Comments

@soltrac

soltrac commented Oct 3, 2018

Hello,
Maybe it is my inexperience in hypervisors, but I'm not sure if I'm doing this ok.

I'm trying to make your TestHook() hide in an x86 process. I have ported the asm portion of ia32_asm_vmx_call to this to adjust the asm to x86:

```asm
.MODEL flat                 ; 32-bit flat memory model (required by 32-bit MASM)
.CODE
_ia32_asm_vmx_vmcall PROC   ; leading underscore matches the 32-bit __cdecl name decoration
    vmcall                  ; trap into the hypervisor
    ret
_ia32_asm_vmx_vmcall ENDP
END
```

(As you can see, I added _ before the function; otherwise the linker won't find it. I also added .MODEL flat at the top, which I'm not sure what it is for, but I need it because the compiler tells me to add it.)

When the application calls the hide operation, it gives me 0xC000001D: Illegal Instruction after the call to vmcall. On x64 it works perfectly, so I suppose what I'm trying is not possible or I'm doing it wrong.

Also, __cpuid is detecting the HV on x86.

Any advice?

@wbenny
Owner

wbenny commented Oct 3, 2018

Hi, try to define the calling convention of ia32_asm_vmx_vmcall as __fastcall in the C/C++ code. __cdecl, which is the default, uses the stack for passing parameters, whereas __fastcall passes the first two in the ecx and edx registers (which is where hvpp looks).

Edit: I checked and it isn't entirely right; hvpp also looks at the r8 register, which is impossible to set in x86 mode.

My advice would be to write an assembly function that moves the first 3 parameters into some registers and then performs vmcall. Also, do not forget to edit vmexit_custom_handler and make it react to these registers instead of rcx, rdx & r8.
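An added example (not hvpp's own code) of both halves of that advice: a 32-bit MASM stub that loads the three __cdecl stack arguments into ecx, edx and ebx before VMCALL, and hypervisor-side C that reads those registers only when the guest is in compatibility mode. The context struct, the use of ebx for the third argument and the helper names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Guest side, 32-bit build (MASM, .MODEL flat): the three __cdecl stack
 * arguments are moved into ecx, edx and ebx before VMCALL; eax returns the
 * result. Using ebx for the third argument is this example's choice.
 *
 *   _ia32_asm_vmx_vmcall PROC
 *       push ebx                ; ebx is callee-saved in the 32-bit ABI
 *       mov  ecx, [esp + 8]     ; arg0 (command)
 *       mov  edx, [esp + 12]    ; arg1
 *       mov  ebx, [esp + 16]    ; arg2
 *       vmcall
 *       pop  ebx
 *       ret
 *   _ia32_asm_vmx_vmcall ENDP
 */

/* Hypervisor side. Hypothetical snapshot of the guest state a VM-exit
 * handler reads; hvpp has its own vcpu/context types, this struct is an
 * assumption made for the example. */
typedef struct {
    uint64_t rbx, rcx, rdx, r8;        /* guest GPRs at the VMCALL exit */
    uint64_t efer;                     /* VMCS guest IA32_EFER */
    uint32_t cs_access_rights;         /* VMCS guest CS access rights */
} guest_ctx_t;
#define EFER_LMA (1ULL << 10)          /* IA-32e mode active */
#define CS_AR_L  (1u << 13)            /* CS.L: 64-bit code segment */
typedef struct { uint64_t cmd, arg1, arg2; } vmcall_args_t;

/* 64-bit mode needs long mode active AND a 64-bit code segment; a WoW64
 * process runs in compatibility mode (LMA = 1, CS.L = 0). */
bool guest_in_64bit_mode(const guest_ctx_t *c)
{
    return (c->efer & EFER_LMA) && (c->cs_access_rights & CS_AR_L);
}

/* Read the registers the caller's ABI used: rcx/rdx/r8 for 64-bit callers,
 * ecx/edx/ebx for 32-bit ones. Upper halves are masked for 32-bit callers,
 * since compatibility-mode code cannot control them and they may be stale. */
vmcall_args_t vmcall_args_from_context(const guest_ctx_t *c)
{
    vmcall_args_t a;
    if (guest_in_64bit_mode(c)) {
        a.cmd = c->rcx;           a.arg1 = c->rdx;           a.arg2 = c->r8;
    } else {
        a.cmd = (uint32_t)c->rcx; a.arg1 = (uint32_t)c->rdx; a.arg2 = (uint32_t)c->rbx;
    }
    return a;
}
```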

@wbenny
Owner

wbenny commented Oct 3, 2018

Also, it might be possible that VMXON failed and the hypervisor is not present at all. Does CPUID return the desired faked string value?

@soltrac
Author

soltrac commented Oct 4, 2018

Wow!!! Now it is working. As you said, I just used the x86 regs and made a custom 0xc1 to get those regs. Amazing : )

@soltrac soltrac closed this as completed Oct 4, 2018