New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doesn't seem to support multiple ept hidden pages #20

Closed
DebugBuggin opened this Issue Dec 5, 2018 · 7 comments

Comments

Projects
None yet
2 participants
@DebugBuggin
Copy link

DebugBuggin commented Dec 5, 2018

Done lot of testing and hiding 1 ept page works fine but if I add any others it doesn't work properly, am I do things improperly or was this a short sight for the example? i'm testing the hppdrv_c

@wbenny

This comment has been minimized.

Copy link
Owner

wbenny commented Dec 5, 2018

The example is really designed to hide just 1 page. For more pages you have to implement some sort of list, and manage all shadow pages in that list.

@wbenny wbenny closed this Dec 5, 2018

@DebugBuggin

This comment has been minimized.

Copy link

DebugBuggin commented Dec 5, 2018

replacing the callback HvppHandleEptViolation with NULL makes it "work" as in not freeze, but the pages when read are 0's so this is great, i'll backup the info it checks for so it shows the proper bytes, thanks.

@DebugBuggin

This comment has been minimized.

Copy link

DebugBuggin commented Dec 7, 2018

your code is complicated, given you use the latest c++, can give you any hints to where I should focus my efforts to get this to work? And is it going to be as difficult as it appears? (as in lot of changes). I appreciate the project a lot by the way, due wish you had done multiple pages out the gate so that it's usable beyond an example.

@wbenny

This comment has been minimized.

Copy link
Owner

wbenny commented Dec 7, 2018

wish you had done multiple pages out the gate so that it's usable beyond an example

My intention is to provide an example, explain and make you familiar with VT-x, and provide "proof-of-concept" project. My intention isn't doing anyone elses work for them.

any hints to where I should focus my efforts to get this to work?

Driver development and more understanding of VT-x.

And is it going to be as difficult as it appears?

No, it's literally just wrapping PageRead & PageExec into a list.

Thank you for the appreciation and I'm sorry if I may sound condescending, but your kind of questions make me wonder whether you shouldn't invest more time into understanding VT-x and probably even C++17 before shooting that high. It takes time, be patient and experiment :)

@DebugBuggin

This comment has been minimized.

Copy link

DebugBuggin commented Dec 7, 2018

wish you had done multiple pages out the gate so that it's usable beyond an example

My intention is to provide an example, explain and make you familiar with VT-x, and provide "proof-of-concept" project. My intention isn't doing anyone elses work for them.

any hints to where I should focus my efforts to get this to work?

Driver development and more understanding of VT-x.

And is it going to be as difficult as it appears?

No, it's literally just wrapping PageRead & PageExec into a list.

Thank you for the appreciation and I'm sorry if I may sound condescending, but your kind of questions make me wonder whether you shouldn't invest more time into understanding VT-x and probably even C++17 before shooting that high. It takes time, be patient and experiment :)

you're absolutely right, i do need to understand it better, I been reading those online tut where the author gives you a great deal of credit. https://rayanfam.com/topics/hypervisor-from-scratch-part-1/

@wbenny

This comment has been minimized.

Copy link
Owner

wbenny commented Dec 7, 2018

Here is the physical memory address of the EPT violation: GuestPhysicalAddress.QuadPart = (LONGLONG)HvppVmRead(VMCS_VMEXIT_GUEST_PHYSICAL_ADDRESS);

I assume your PageRead.QuadPart is page-aligned, therefore, it doesn't match (assuming that it didnt violate on offset 0). Try using PAGE_ALIGN(GuestPhysicalAddress.QuadPart).

@DebugBuggin

This comment has been minimized.

Copy link

DebugBuggin commented Dec 7, 2018

Here is the physical memory address of the EPT violation: GuestPhysicalAddress.QuadPart = (LONGLONG)HvppVmRead(VMCS_VMEXIT_GUEST_PHYSICAL_ADDRESS);

I assume your PageRead.QuadPart is page-aligned, therefore, it doesn't match (assuming that it didnt violate on offset 0). Try using PAGE_ALIGN(GuestPhysicalAddress.QuadPart).

Brilliant!!! That got it fixed, oh man, this is fantastic, Christmas came here =D thank you sir!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment