Hypervisor detect #21

Closed
DebugBuggin opened this Issue Dec 7, 2018 · 7 comments

DebugBuggin commented Dec 7, 2018

This article shows a few methods to detect a hypervisor: https://rayanfam.com/topics/defeating-malware-anti-vm-techniques-cpuid-based-instructions/

Inside HvppHandleExecuteCpuid I do the following to set the 31st bit to 0

```c
else if (Context->Eax == 1)
{
    Context->Ecx |= 0UL << 30;
}
```

but this breaks Chrome, Firefox and many others; they won't connect to the internet. Do you know why, and a way to fix it?

Update: it appears it breaks apps regardless of whether I set anything. I have to call HvppVmExitPassthrough(Passthrough); but then the context registers aren't set.

wbenny (Owner) commented Dec 7, 2018

  1. 0ULL << 30 results in 0. You literally leave Ecx unchanged.
  2. Your intention is probably to call __cpuid and THEN modify the bit in Ecx. Not just modify Ecx.

DebugBuggin commented Dec 7, 2018

My intention is to set the 31st bit of ecx to 0 if eax == 1 when someone else calls cpuid. I've done this successfully with your HvppHandleExecuteCpuid callback and tested with a user-mode app, but my issue is that even if I modify no registers it breaks all browsers; say, for example

```c
else if (Context->Eax == 1)
{

}
```

without calling HvppVmExitPassthrough(Passthrough); breaks internet access. If I call that function then it doesn't matter if I set the context registers or not, because it doesn't set anything.

wbenny (Owner) commented Dec 7, 2018

This is probably because Chrome expects some valid CPUID output in the registers, meanwhile you leave there garbage (unchanged).

DebugBuggin commented Dec 7, 2018

You fixed it! Thank you. For everyone: you can spoof this hypervisor check with the following

```c
else if (Context->Eax == 1)
{
    int cpui[4];
    __cpuid(cpui, 1);           /* query the leaf the guest asked for (leaf 1), not leaf 0 */
    Context->Eax = cpui[0];     /* __cpuid fills cpui in the order EAX, EBX, ECX, EDX */
    Context->Ebx = cpui[1];
    Context->Ecx = cpui[2];
    Context->Edx = cpui[3];     /* the original read cpui[4], one past the end of the array */
    Context->Ecx |= 0UL << 30;  /* leaves Ecx unchanged; see the reply below */
}
```

DebugBuggin closed this Dec 7, 2018

wbenny (Owner) commented Dec 7, 2018

I just want to point out again, that 0ULL << 30 results in 0. Your intention is probably to do Context->Ecx &= ~(1ULL << 31) to actually unset the 31st bit.

DebugBuggin commented Dec 7, 2018

The 0UL << 30 worked in testing just now, testing on and off, but I will try your way. Thanks.

wbenny (Owner) commented Dec 7, 2018

It worked probably because the bit wasn't even set in the first place. :)
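The two points raised in this thread (run the real CPUID first so every register holds valid output, and clear bit 31 with `&= ~(1 << 31)` rather than OR-ing in zero) put together in one handler. This is an added example, not code from hvpp or from either participant; `GuestContext`, `cpuid_fn`, `fake_cpuid` and `handle_cpuid_exit` are names chosen for the example, and `fake_cpuid` returns constructed values so the block runs offline instead of executing the instruction. In a real exit handler the `__cpuid` intrinsic would take the place of `fake_cpuid`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the guest register context that the
 * HvppHandleExecuteCpuid callback receives (assumed field names). */
typedef struct {
    uint32_t Eax, Ebx, Ecx, Edx;
} GuestContext;

/* Source of raw CPUID output. Taking it as a function pointer lets the
 * example run offline with constructed values; a hypervisor would plug
 * in the __cpuid intrinsic here. */
typedef void (*cpuid_fn)(uint32_t leaf, uint32_t subleaf, uint32_t out[4]);

/* CPUID.1:ECX bit 31 is the "hypervisor present" bit. */
#define HYPERVISOR_PRESENT_BIT (UINT32_C(1) << 31)

/* Constructed CPUID results (not captured from any real machine). Index
 * order matches the MSVC __cpuid intrinsic: 0 = EAX, 1 = EBX, 2 = ECX, 3 = EDX. */
static void fake_cpuid(uint32_t leaf, uint32_t subleaf, uint32_t out[4])
{
    (void)subleaf;
    if (leaf == 0) {
        /* Leaf 0: highest basic leaf in EAX, vendor string "GenuineIntel"
         * packed as EBX "Genu", EDX "ineI", ECX "ntel". */
        out[0] = 0x16;
        out[1] = 0x756e6547;
        out[2] = 0x6c65746e;
        out[3] = 0x49656e69;
    } else if (leaf == 1) {
        /* Leaf 1 with the hypervisor-present bit set, as a guest would see it. */
        out[0] = 0x000906ea;
        out[1] = 0x00100800;
        out[2] = HYPERVISOR_PRESENT_BIT | 0x0000001f;
        out[3] = 0x178bfbff;
    } else {
        out[0] = out[1] = out[2] = out[3] = 0;
    }
}

/* The expression from the first comment: OR-ing with 0 changes nothing. */
uint32_t clear_bit31_broken(uint32_t ecx)
{
    ecx |= 0UL << 30;   /* 0 shifted left by any amount is still 0 */
    return ecx;
}

/* The maintainer's correction: AND with the inverted mask. */
uint32_t clear_bit31(uint32_t ecx)
{
    return ecx & ~HYPERVISOR_PRESENT_BIT;
}

/* CPUID exit handler. Always executes the real CPUID first so that all four
 * registers hold valid output (leaving them untouched is what broke the
 * browsers in the thread), then hides the hypervisor bit only for leaf 1.
 * Returns true when the output was modified. */
bool handle_cpuid_exit(GuestContext *ctx, cpuid_fn raw_cpuid)
{
    uint32_t regs[4];
    uint32_t leaf = ctx->Eax;          /* save before EAX is overwritten */

    raw_cpuid(leaf, ctx->Ecx, regs);
    ctx->Eax = regs[0];
    ctx->Ebx = regs[1];
    ctx->Ecx = regs[2];
    ctx->Edx = regs[3];

    if (leaf == 1) {
        ctx->Ecx = clear_bit31(ctx->Ecx);
        return true;
    }
    return false;                      /* every other leaf is passed through as-is */
}

int main(void)
{
    GuestContext ctx = { 1, 0, 0, 0 }; /* guest executed CPUID with EAX = 1 */
    handle_cpuid_exit(&ctx, fake_cpuid);
    printf("leaf 1: eax=%08x ebx=%08x ecx=%08x edx=%08x hypervisor bit=%u\n",
           ctx.Eax, ctx.Ebx, ctx.Ecx, ctx.Edx, ctx.Ecx >> 31);
    printf("broken clear: %08x, correct clear: %08x\n",
           clear_bit31_broken(HYPERVISOR_PRESENT_BIT),
           clear_bit31(HYPERVISOR_PRESENT_BIT));
    return 0;
}
```

The handler saves the requested leaf before overwriting EAX, because the raw result for leaf 1 lands in EAX and the leaf check has to run against the guest's original input. Note that on the host side, where the hypervisor itself runs `__cpuid`, bit 31 is normally already clear, which is why the no-op version appeared to work in the thread.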
