├── .gitattributes
├── .gitignore
├── VTFrame.sln
└── VTFrame
├── VTFrame.vcxproj
├── VTFrame.vcxproj.filters
└── src
├── APC
├── APC.c
└── APC.h
├── CallBack
├── RemoveCallBack.c
└── RemoveCallBack.h
├── Hook
├── InlineHook.c
├── InlineHook.h
├── PageHook.c
├── PageHook.h
├── SysCall.asm
├── SysCallHook.c
└── SysCallHook.h
├── IDT
├── idt.c
└── idt.h
├── Include
├── CPU.h
├── DriverDef.h
├── Native.h
├── VMCS.h
└── common.h
├── KernelStruct
├── Win10KernelStruct.h
└── Win7KernelStruct.h
├── Monitor
├── Monitor.c
└── Monitor.h
├── MyDriver.c
├── Test
├── Test.c
└── Test.h
├── Util
├── GetUnExportFunAddress.c
├── GetUnExportFunAddress.h
├── LDasm.c
└── LDasm.h
└── VMX
├── ExitHandle.c
├── ExitHandle.h
├── VMX.c
├── VMX.h
├── VmxEvent.h
├── ept.c
├── ept.h
├── vtasm.asm
└── vtasm.h
/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
9 | # This is needed for earlier builds of msysgit that do not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 |
4 | # User-specific files
5 | *.suo
6 | *.user
7 | *.userosscache
8 | *.sln.docstates
9 |
10 | # User-specific files (MonoDevelop/Xamarin Studio)
11 | *.userprefs
12 |
13 | # Build results
14 | [Dd]ebug/
15 | [Dd]ebugPublic/
16 | [Rr]elease/
17 | [Rr]eleases/
18 | [Xx]64/
19 | [Xx]86/
20 | [Bb]uild/
21 | bld/
22 | [Bb]in/
23 | [Oo]bj/
24 |
25 | # Visual Studio 2015 cache/options directory
26 | .vs/
27 | # Uncomment if you have tasks that create the project's static files in wwwroot
28 | #wwwroot/
29 |
30 | # MSTest test Results
31 | [Tt]est[Rr]esult*/
32 | [Bb]uild[Ll]og.*
33 |
34 | # NUNIT
35 | *.VisualState.xml
36 | TestResult.xml
37 |
38 | # Build Results of an ATL Project
39 | [Dd]ebugPS/
40 | [Rr]eleasePS/
41 | dlldata.c
42 |
43 | # DNX
44 | project.lock.json
45 | artifacts/
46 |
47 | *_i.c
48 | *_p.c
49 | *_i.h
50 | *.ilk
51 | *.meta
52 | *.obj
53 | *.pch
54 | *.pdb
55 | *.pgc
56 | *.pgd
57 | *.rsp
58 | *.sbr
59 | *.tlb
60 | *.tli
61 | *.tlh
62 | *.tmp
63 | *.tmp_proj
64 | *.log
65 | *.vspscc
66 | *.vssscc
67 | .builds
68 | *.pidb
69 | *.svclog
70 | *.scc
71 |
72 | # Chutzpah Test files
73 | _Chutzpah*
74 |
75 | # Visual C++ cache files
76 | ipch/
77 | *.aps
78 | *.ncb
79 | *.opendb
80 | *.opensdf
81 | *.sdf
82 | *.cachefile
83 | *.VC.db
84 |
85 | # Visual Studio profiler
86 | *.psess
87 | *.vsp
88 | *.vspx
89 | *.sap
90 |
91 | # TFS 2012 Local Workspace
92 | $tf/
93 |
94 | # Guidance Automation Toolkit
95 | *.gpState
96 |
97 | # ReSharper is a .NET coding add-in
98 | _ReSharper*/
99 | *.[Rr]e[Ss]harper
100 | *.DotSettings.user
101 |
102 | # JustCode is a .NET coding add-in
103 | .JustCode
104 |
105 | # TeamCity is a build add-in
106 | _TeamCity*
107 |
108 | # DotCover is a Code Coverage Tool
109 | *.dotCover
110 |
111 | # NCrunch
112 | _NCrunch_*
113 | .*crunch*.local.xml
114 | nCrunchTemp_*
115 |
116 | # MightyMoose
117 | *.mm.*
118 | AutoTest.Net/
119 |
120 | # Web workbench (sass)
121 | .sass-cache/
122 |
123 | # Installshield output folder
124 | [Ee]xpress/
125 |
126 | # DocProject is a documentation generator add-in
127 | DocProject/buildhelp/
128 | DocProject/Help/*.HxT
129 | DocProject/Help/*.HxC
130 | DocProject/Help/*.hhc
131 | DocProject/Help/*.hhk
132 | DocProject/Help/*.hhp
133 | DocProject/Help/Html2
134 | DocProject/Help/html
135 |
136 | # Click-Once directory
137 | publish/
138 |
139 | # Publish Web Output
140 | *.[Pp]ublish.xml
141 | *.azurePubxml
142 |
143 | # TODO: Un-comment the next line if you do not want to checkin
144 | # your web deploy settings because they may include unencrypted
145 | # passwords
146 | #*.pubxml
147 | *.publishproj
148 |
149 | # NuGet Packages
150 | *.nupkg
151 | # The packages folder can be ignored because of Package Restore
152 | **/packages/*
153 | # except build/, which is used as an MSBuild target.
154 | !**/packages/build/
155 | # Uncomment if necessary however generally it will be regenerated when needed
156 | #!**/packages/repositories.config
157 | # NuGet v3's project.json files produce more ignorable files
158 | *.nuget.props
159 | *.nuget.targets
160 |
161 | # Microsoft Azure Build Output
162 | csx/
163 | *.build.csdef
164 |
165 | # Microsoft Azure Emulator
166 | ecf/
167 | rcf/
168 |
169 | # Windows Store app package directory
170 | AppPackages/
171 | BundleArtifacts/
172 |
173 | # Visual Studio cache files
174 | # files ending in .cache can be ignored
175 | *.[Cc]ache
176 | # but keep track of directories ending in .cache
177 | !*.[Cc]ache/
178 |
179 | # Others
180 | ClientBin/
181 | [Ss]tyle[Cc]op.*
182 | ~$*
183 | *~
184 | *.dbmdl
185 | *.dbproj.schemaview
186 | *.pfx
187 | *.publishsettings
188 | node_modules/
189 | orleans.codegen.cs
190 |
191 | # RIA/Silverlight projects
192 | Generated_Code/
193 |
194 | # Backup & report files from converting an old project file
195 | # to a newer Visual Studio version. Backup files are not needed,
196 | # because we have git ;-)
197 | _UpgradeReport_Files/
198 | Backup*/
199 | UpgradeLog*.XML
200 | UpgradeLog*.htm
201 |
202 | # SQL Server files
203 | *.mdf
204 | *.ldf
205 |
206 | # Business Intelligence projects
207 | *.rdl.data
208 | *.bim.layout
209 | *.bim_*.settings
210 |
211 | # Microsoft Fakes
212 | FakesAssemblies/
213 |
214 | # GhostDoc plugin setting file
215 | *.GhostDoc.xml
216 |
217 | # Node.js Tools for Visual Studio
218 | .ntvs_analysis.dat
219 |
220 | # Visual Studio 6 build log
221 | *.plg
222 |
223 | # Visual Studio 6 workspace options file
224 | *.opt
225 |
226 | # Visual Studio LightSwitch build output
227 | **/*.HTMLClient/GeneratedArtifacts
228 | **/*.DesktopClient/GeneratedArtifacts
229 | **/*.DesktopClient/ModelManifest.xml
230 | **/*.Server/GeneratedArtifacts
231 | **/*.Server/ModelManifest.xml
232 | _Pvt_Extensions
233 |
234 | # LightSwitch generated files
235 | GeneratedArtifacts/
236 | ModelManifest.xml
237 |
238 | # Paket dependency manager
239 | .paket/paket.exe
240 |
241 | # FAKE - F# Make
242 | .fake/
243 |
--------------------------------------------------------------------------------
/VTFrame.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 14
4 | VisualStudioVersion = 14.0.25420.1
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "VTFrame", "VTFrame\VTFrame.vcxproj", "{E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | Win10 Debug|x64 = Win10 Debug|x64
15 | Win10 Debug|x86 = Win10 Debug|x86
16 | Win7 Debug|x64 = Win7 Debug|x64
17 | Win7 Debug|x86 = Win7 Debug|x86
18 | Win7 Release|x64 = Win7 Release|x64
19 | Win7 Release|x86 = Win7 Release|x86
20 | EndGlobalSection
21 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
22 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Debug|x64.ActiveCfg = Win7 Debug|x64
23 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Debug|x64.Build.0 = Win7 Debug|x64
24 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Debug|x64.Deploy.0 = Win7 Debug|x64
25 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Debug|x86.ActiveCfg = Win7 Release|x64
26 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Debug|x86.Build.0 = Win7 Release|x64
27 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Debug|x86.Deploy.0 = Win7 Release|x64
28 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Release|x64.ActiveCfg = Win7 Release|x64
29 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Release|x64.Build.0 = Win7 Release|x64
30 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Release|x64.Deploy.0 = Win7 Release|x64
31 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Release|x86.ActiveCfg = Win7 Release|x64
32 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Release|x86.Build.0 = Win7 Release|x64
33 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Release|x86.Deploy.0 = Win7 Release|x64
34 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Win10 Debug|x64.ActiveCfg = Win10 Debug|x64
35 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Win10 Debug|x64.Build.0 = Win10 Debug|x64
36 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Win10 Debug|x64.Deploy.0 = Win10 Debug|x64
37 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Win10 Debug|x86.ActiveCfg = Win10 Debug|x64
38 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Win7 Debug|x64.ActiveCfg = Win7 Debug|x64
39 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Win7 Debug|x64.Build.0 = Win7 Debug|x64
40 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Win7 Debug|x64.Deploy.0 = Win7 Debug|x64
41 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Win7 Debug|x86.ActiveCfg = Win7 Debug|x64
42 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Win7 Release|x64.ActiveCfg = Win7 Release|x64
43 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Win7 Release|x64.Build.0 = Win7 Release|x64
44 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Win7 Release|x64.Deploy.0 = Win7 Release|x64
45 | {E4B3EF42-64B8-4EC0-96F2-7781C48F00A2}.Win7 Release|x86.ActiveCfg = Win7 Release|x64
46 | EndGlobalSection
47 | GlobalSection(SolutionProperties) = preSolution
48 | HideSolutionNode = FALSE
49 | EndGlobalSection
50 | EndGlobal
51 |
--------------------------------------------------------------------------------
/VTFrame/VTFrame.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Win10 Debug
6 | x64
7 |
8 |
9 | Win7 Debug
10 | x64
11 |
12 |
13 | Win7 Release
14 | x64
15 |
16 |
17 |
18 | {e4b3ef42-64b8-4ec0-96f2-7781c48f00a2}
19 | {dd38f7fc-d7bd-488b-9242-7d8754cde80d}
20 | v4.5
21 | 12.0
22 | Debug
23 | Win32
24 | VTFrame
25 | $(LatestTargetPlatformVersion)
26 |
27 |
28 |
29 | Windows10
30 | true
31 | WindowsKernelModeDriver10.0
32 | Driver
33 | WDM
34 |
35 |
36 | Windows10
37 | true
38 | WindowsKernelModeDriver10.0
39 | Driver
40 | WDM
41 |
42 |
43 | Windows7
44 | true
45 | WindowsKernelModeDriver10.0
46 | Driver
47 | WDM
48 |
49 |
50 | WindowsV6.3
51 | true
52 | WindowsKernelModeDriver10.0
53 | Driver
54 | WDM
55 |
56 |
57 | Windows7
58 | false
59 | WindowsKernelModeDriver10.0
60 | Driver
61 | WDM
62 |
63 |
64 | Windows10
65 | true
66 | WindowsKernelModeDriver10.0
67 | Driver
68 | WDM
69 |
70 |
71 | Windows10
72 | true
73 | WindowsKernelModeDriver10.0
74 | Driver
75 | WDM
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 | DbgengKernelDebugger
87 |
88 |
89 | DbgengKernelDebugger
90 |
91 |
92 | DbgengKernelDebugger
93 | $(SolutionDir)\bin\$(Platform)\$(ConfigurationName)\
94 | $(SolutionDir)\obj\$(Platform)\$(ConfigurationName)\
95 | $(TargetName)
96 | $(IncludePath)
97 |
98 |
99 | DbgengKernelDebugger
100 | $(SolutionDir)\bin\$(Platform)\$(ConfigurationName)\
101 | $(SolutionDir)\obj\$(Platform)\$(ConfigurationName)\
102 | $(TargetName)
103 | $(IncludePath)
104 |
105 |
106 | DbgengKernelDebugger
107 | $(SolutionDir)\bin\$(Platform)\$(ConfigurationName)\
108 | $(SolutionDir)\obj\$(Platform)\$(ConfigurationName)\
109 | $(TargetName)
110 | $(IncludePath)
111 |
112 |
113 | DbgengKernelDebugger
114 |
115 |
116 | DbgengKernelDebugger
117 |
118 |
119 |
120 | Level3
121 |
122 |
123 |
124 |
125 | Level3
126 |
127 |
128 |
129 |
130 | false
131 |
132 |
133 |
134 |
135 | false
136 |
137 |
138 |
139 |
140 | true
141 |
142 |
143 |
144 |
145 | _WIN7;_WIN64;_AMD64_;AMD64;%(PreprocessorDefinitions)
146 |
147 |
148 | FltMgr.lib;%(AdditionalDependencies)
149 |
150 |
151 |
152 |
153 | false
154 | _WIN10;_WIN64;_AMD64_;AMD64;%(PreprocessorDefinitions);
155 |
156 |
157 | sha256
158 |
159 |
160 |
161 |
162 | Level3
163 |
164 |
165 |
166 |
167 | false
168 |
169 |
170 |
171 |
172 | true
173 | _WIN7;_WIN64;_AMD64_;AMD64;%(PreprocessorDefinitions);
174 |
175 |
176 | /INTEGRITYCHECK %(AdditionalOptions)
177 |
178 |
179 |
180 |
181 |
182 |
183 |
184 |
185 |
186 |
187 |
188 |
189 |
190 |
191 |
192 |
193 |
194 |
195 |
196 |
197 |
198 |
199 |
200 |
201 |
202 |
203 |
204 |
205 |
206 |
207 |
208 |
209 |
210 |
211 |
212 |
213 |
214 |
215 |
216 |
217 |
218 |
219 |
220 |
221 |
222 |
223 |
224 |
225 |
226 |
227 |
228 | Document
229 |
230 |
231 |
232 |
233 |
234 |
235 |
236 |
237 |
--------------------------------------------------------------------------------
/VTFrame/VTFrame.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {3ae28e51-ef9d-4b3b-a231-78c27813e88b}
6 |
7 |
8 | {0e2ecdd5-f4fe-4be8-97f2-560f1a06b5ae}
9 |
10 |
11 | {f97c520f-61da-4845-99b8-8cbed9172f33}
12 |
13 |
14 |
15 |
16 |
17 | VMX
18 |
19 |
20 | VMX
21 |
22 |
23 | VMX
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 | VMX
41 |
42 |
43 | Include
44 |
45 |
46 | Include
47 |
48 |
49 | Include
50 |
51 |
52 | VMX
53 |
54 |
55 | VMX
56 |
57 |
58 | VMX
59 |
60 |
61 |
62 | Include
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
--------------------------------------------------------------------------------
/VTFrame/src/APC/APC.c:
--------------------------------------------------------------------------------
1 | #include "APC.h"
2 | #include "../Hook/PageHook.h"
3 | #include "../Include/common.h"
4 |
5 | NTKERNELAPI NTSTATUS PsLookupThreadByThreadId(HANDLE Id, PETHREAD *Process);
/*
 * Translate a thread id into its ETHREAD object.
 *
 * @param Tid  Thread id (HANDLE-typed, as the kernel lookup routine expects).
 * @return     The ETHREAD on success, NULL when the lookup fails.
 *
 * A successful lookup hands back a referenced object: ExecFun releases it
 * with ObDereferenceObject, and any new caller must do the same.
 */
PETHREAD LookupThread(HANDLE Tid)
{
    PETHREAD thread = NULL;
    NTSTATUS status = PsLookupThreadByThreadId(Tid, &thread);

    if (!NT_SUCCESS(status))
        return NULL;
    return thread;
}
14 |
/*
 * Translate a process id into its EPROCESS object.
 *
 * @param pid  Process id (HANDLE-typed, as PsLookupProcessByProcessId expects).
 * @return     The EPROCESS on success, NULL when the lookup fails.
 *
 * PsLookupProcessByProcessId takes a reference on the object it returns; the
 * caller owns that reference and must release it with ObDereferenceObject.
 */
PEPROCESS LookupProcess(HANDLE pid)
{
    PEPROCESS process = NULL;
    NTSTATUS status = PsLookupProcessByProcessId(pid, &process);

    if (!NT_SUCCESS(status))
        return NULL;
    return process;
}
24 |
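/*
 * Find a process by its short image file name.
 *
 * Walks the process id space from 4 up to 2^18 in steps of 4 (process ids
 * are multiples of 4) and compares PsGetProcessImageFileName() of every live
 * process with ProcessName. PsGetProcessImageFileName returns the short
 * (15-character) name stored in EPROCESS, so longer image names must be
 * supplied in that truncated form.
 *
 * @param ProcessName  NUL-terminated image file name. NULL yields NULL.
 * @return             A referenced EPROCESS that the caller must release with
 *                     ObDereferenceObject, or NULL when nothing matched.
 *
 * Every EPROCESS returned by LookupProcess carries a reference; the original
 * loop never released the non-matching ones and so leaked one reference per
 * scanned process. They are released here. The unused szName buffer is gone.
 */
PEPROCESS GetProcessByName(UCHAR* ProcessName)
{
    ULONG pid;

    if (ProcessName == NULL)
        return NULL;

    for (pid = 4; pid <= 262144; pid += 4)
    {
        PEPROCESS process = LookupProcess((HANDLE)(ULONG_PTR)pid);
        if (process == NULL)
            continue;

        if (strcmp((const char *)ProcessName,
                   (const char *)PsGetProcessImageFileName(process)) == 0)
        {
            return process; /* the lookup reference is handed to the caller */
        }

        ObDereferenceObject(process); /* not the one we want: drop the lookup reference */
    }
    return NULL;
}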
44 |
// APC body: the kernel routine of the APC queued by InsertKernelApc. It runs
// in the context of the target thread, at APC_LEVEL, with pInfo taken from the
// NormalContext that InsertKernelApc stored on the KAPC.
//
// pApc           The KAPC allocated in InsertKernelApc; freed here.
// NormalRoutine  Unused (the APC is queued without a normal routine).
// NormalContext, SystemArgument1, SystemArgument2  Unused.
//
// Completion is reported by setting pInfo->Event; the waiter in
// InsertKernelApc/ExecFun then releases pInfo, so pInfo must not be touched
// after KeSetEvent.
VOID APCFuntion(PKAPC pApc, ULONG64 *NormalRoutine, PVOID *NormalContext, PVOID *SystemArgument1, PVOID *SystemArgument2)
{
    PRWPM_INFO pInfo = (PRWPM_INFO)(pApc->NormalContext);
    __try
    {
        DbgPrint("APC函数运行中\n");
        // NOTE(review): the value read here is never used. It looks like a
        // probe that the target's user address space is mapped: if the read
        // faults, control goes to the handler below and the callback is
        // skipped. Confirm that this is intended; if not, drop the read.
        ULONG temp = *(ULONG*)0x00400000;
        // Invoke the caller-supplied function with the request block.
        ((PFUNCTION)pInfo->fun)(pInfo);
    }
    __except (1) // 1 == EXCEPTION_EXECUTE_HANDLER
    {
        DbgPrint("错误的内存访问异常\n");;
    }
    // Wake the thread blocked in InsertKernelApc; pInfo may be freed by the
    // waiter immediately afterwards.
    KeSetEvent(&(pInfo->Event), IO_NO_INCREMENT, FALSE);
    ExFreePool(pApc);
}
62 |
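/*
 * Queue a kernel-mode APC on Thread that runs APCFuntion with pInfo as its
 * context, then wait up to one second for APCFuntion to signal completion.
 *
 * @param Thread  Target ETHREAD (the caller holds a reference on it).
 * @param pInfo   Request block. pInfo->Event is initialised here and set by
 *                APCFuntion; the block must stay allocated until the APC has
 *                run.
 * @return STATUS_SUCCESS       the APC ran and signalled completion;
 *         STATUS_IO_TIMEOUT    the one-second wait expired. The APC may still
 *                              be pending with pInfo as its context, so the
 *                              caller must NOT free pInfo in this case;
 *         STATUS_UNSUCCESSFUL  NULL/invalid arguments, allocation failure, or
 *                              KeInsertQueueApc refused the APC (nothing is
 *                              queued, pInfo is untouched by the APC).
 *
 * The original returned KeWaitForSingleObject's status unchanged. Because
 * NT_SUCCESS(STATUS_TIMEOUT) is TRUE, a timed-out wait was reported as
 * success and ExecFun freed pInfo while the APC could still be pending.
 */
NTSTATUS InsertKernelApc(PETHREAD Thread, PRWPM_INFO pInfo)
{
    NTSTATUS st = STATUS_UNSUCCESSFUL;
    PKAPC pApc = NULL;
    LARGE_INTEGER interval;

    /* NOTE(review): MmIsAddressValid only tells us the page is mapped, not
     * that it holds a live ETHREAD; it is kept as the original's sanity check. */
    if (Thread == NULL || pInfo == NULL || !MmIsAddressValid(Thread))
        return STATUS_UNSUCCESSFUL;

    pApc = MALLOC_NPP(sizeof(KAPC));
    if (pApc == NULL)
        return STATUS_UNSUCCESSFUL;

    /* Kernel-mode APC with no normal routine: APCFuntion is the kernel
     * routine and runs in Thread's context. No rundown routine is supplied,
     * so if Thread exits while the APC is pending the event is never set and
     * the wait below simply times out — presumably acceptable here; confirm. */
    KeInitializeApc(pApc,
                    Thread,                 /* thread to queue on */
                    OriginalApcEnvironment,
                    APCFuntion,             /* kernel routine */
                    NULL, NULL, KernelMode, NULL);
    pApc->NormalContext = pInfo;

    /* Completion event starts non-signalled (the original initialised it
     * signalled and cleared it right away); APCFuntion sets it when done. */
    KeInitializeEvent(&(pInfo->Event), NotificationEvent, FALSE);

    if (!KeInsertQueueApc(pApc, NULL, NULL, 0))
    {
        ExFreePool(pApc);
        return STATUS_UNSUCCESSFUL;
    }

    /* Relative timeout: -10,000 * 1,000 units of 100 ns = one second. */
    interval.QuadPart = -10000LL * 1000;
    st = KeWaitForSingleObject(&(pInfo->Event), Executive, KernelMode, FALSE, &interval);
    if (st == STATUS_TIMEOUT)
        st = STATUS_IO_TIMEOUT; /* make the timeout visible to NT_SUCCESS() */
    return st;
}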
99 |
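/*
 * Run pfun inside the "xxx.exe" process by queuing a kernel APC on the first
 * thread found to belong to it, and return the value the callback left in
 * RWPM_INFO.ret.
 *
 * @param pfun  Callback that APCFuntion invokes with the RWPM_INFO block.
 * @return      pInfo->ret as written by the callback; 0 when the process is
 *              not found, no thread completed the APC, or memory ran out.
 *
 * Fixes relative to the original loop:
 *  - pInfo->ret was read after FREE(pInfo) (use-after-free); it is copied
 *    out before the block is released;
 *  - the thread reference was dropped with ObDereferenceObject before the
 *    thread was handed to InsertKernelApc; it is now released afterwards;
 *  - the EPROCESS reference returned by GetProcessByName is released on exit;
 *  - MALLOC_NPP is checked for NULL and pInfo->ret is zeroed so an
 *    uncooperative callback cannot return uninitialised pool memory.
 * When InsertKernelApc returns anything but STATUS_SUCCESS the APC may still
 * be pending with pInfo as its context, so pInfo is deliberately kept
 * allocated rather than freed under a possibly running APC.
 */
ULONG64 ExecFun(PFUNCTION pfun)
{
    ULONG tid;
    ULONG64 ret = 0;
    PEPROCESS Process = GetProcessByName("xxx.exe");

    if (Process == NULL)
    {
        DbgPrint("未找到xxx进程\n");
        return 0;
    }

    /* Thread ids are multiples of 4; scan the id space for a thread of Process. */
    for (tid = 4; tid < 1048576; tid += 4)
    {
        NTSTATUS st;
        PRWPM_INFO pInfo;
        PETHREAD ethrd = LookupThread((HANDLE)(ULONG_PTR)tid);
        if (ethrd == NULL)
            continue;

        if (IoThreadToProcess(ethrd) != Process)
        {
            ObDereferenceObject(ethrd);
            continue;
        }

        pInfo = MALLOC_NPP(sizeof(RWPM_INFO));
        if (pInfo == NULL)
        {
            ObDereferenceObject(ethrd);
            break;
        }
        pInfo->fun = pfun;
        pInfo->ret = 0;

        st = InsertKernelApc(ethrd, pInfo);
        ObDereferenceObject(ethrd); /* released only after the APC was queued */

        if (NT_SUCCESS(st))
        {
            if (st == STATUS_SUCCESS)
            {
                ret = pInfo->ret; /* read before the block is released */
                FREE(pInfo);
            }
            /* else (e.g. STATUS_TIMEOUT): the APC may still own pInfo —
             * leaking it is safer than freeing memory about to be written. */
            break;
        }
        /* Failure: kept allocated as in the original, since depending on
         * InsertKernelApc's failure path the APC may already be queued. */
    }

    ObDereferenceObject(Process);
    return ret;
}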
132 |
133 |
// Empty placeholder: nothing is executed. Presumably scratch/test scaffolding;
// confirm it is unreferenced before removing.
VOID Function()
{
}
139 |
// Empty placeholder: nothing is executed. Presumably scratch/test scaffolding;
// confirm it is unreferenced before removing.
VOID Function1()
{
}
144 |
// Bit-field view of a 32-bit word split 1 + 8 + 23 bits.
// NOTE(review): MSVC allocates bit-fields starting at the least significant
// bit, so `sig` is bit 0, `integer` bits 1-8 and `xiaoshu` (Chinese for
// "fraction") bits 9-31. An IEEE-754 single keeps the sign in bit 31 and the
// exponent in bits 23-30, so as declared this does not overlay a float; nothing
// on this page uses it — confirm the intent before relying on it. The names
// FLOAT/PFLOAT may also collide with the SDK's own FLOAT typedef.
typedef union _FLOAT
{
    ULONG32 All;
    struct
    {
        ULONG32 sig : 1;      // [0]
        ULONG32 integer : 8;  // [1-8]
        ULONG32 xiaoshu : 23; // [9-31]
    } Fields;
} FLOAT, *PFLOAT;
156 |
// Empty placeholder: nothing is executed. Presumably scratch/test scaffolding;
// confirm it is unreferenced before removing.
VOID Function2()
{
}
162 |
// Empty placeholder: nothing is executed. Presumably scratch/test scaffolding;
// confirm it is unreferenced before removing.
VOID Function3()
{
}
166 |
// Empty placeholder: nothing is executed. Presumably scratch/test scaffolding;
// confirm it is unreferenced before removing.
VOID Function4()
{
}
--------------------------------------------------------------------------------
/VTFrame/src/APC/APC.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/APC/APC.h
--------------------------------------------------------------------------------
/VTFrame/src/CallBack/RemoveCallBack.c:
--------------------------------------------------------------------------------
1 | #include "RemoveCallBack.h"
2 |
/*
 * Set or clear the SupportsObjectCallbacks bit in the TypeInfo of an
 * OBJECT_TYPE, reached through the private _MY_OBJECT_TYPE layout declared
 * in RemoveCallBack.h.
 *
 * @param ObjectType  Object type whose flag is changed.
 * @param enable      TRUE sets the bit, FALSE clears it.
 *
 * The layout is hard-coded for one kernel build (see the offsets in the
 * header) and the write is done without taking TypeLock. On a kernel whose
 * OBJECT_TYPE differs, this writes into the wrong field and corrupts the type
 * object, so callers should gate on the exact OS build the offsets were taken
 * from; the structure is also integrity-checked by the kernel, so any change
 * here is visible to that checking.
 */
VOID EnableObType(POBJECT_TYPE ObjectType, BOOLEAN enable)
{
    PMY_OBJECT_TYPE type = (PMY_OBJECT_TYPE)ObjectType;

    type->TypeInfo.SupportsObjectCallbacks = enable ? 1 : 0;
}
11 |
--------------------------------------------------------------------------------
/VTFrame/src/CallBack/RemoveCallBack.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
// Private mirror of the kernel's EX_PUSH_LOCK (8 bytes): one 64-bit word
// viewable as lock state bits, as a raw value, or as a pointer. Presumably
// declared under a `_2` tag so it does not clash with the WDK's own
// definition — confirm. Only used as the TypeLock field of _MY_OBJECT_TYPE.
typedef struct _EX_PUSH_LOCK_2 // 7 elements, 0x8 bytes (sizeof)
{
    union // 3 elements, 0x8 bytes (sizeof)
    {
        struct // 5 elements, 0x8 bytes (sizeof)
        {
            /*0x000*/ UINT64 Locked : 1; // 0 BitPosition
            /*0x000*/ UINT64 Waiting : 1; // 1 BitPosition
            /*0x000*/ UINT64 Waking : 1; // 2 BitPosition
            /*0x000*/ UINT64 MultipleShared : 1; // 3 BitPosition
            /*0x000*/ UINT64 Shared : 60; // 4 BitPosition
        };
        /*0x000*/ UINT64 Value;
        /*0x000*/ VOID* Ptr;
    };
}EX_PUSH_LOCK_2, *PEX_PUSH_LOCK_2;
// Private mirror of the kernel's OBJECT_TYPE_INITIALIZER (0x70 bytes): the
// per-type flags, pool charges and procedure pointers embedded in OBJECT_TYPE.
// EnableObType (RemoveCallBack.c) writes the SupportsObjectCallbacks bit.
// Note the typedef names carry an extra "X" (OBJECT_TYPE_INITIALIZERX_2) while
// the struct tag does not; _MY_OBJECT_TYPE below refers to the tag.
// Offsets are for one specific kernel build (not stated here); confirm
// against the matching symbols before use.
typedef struct _OBJECT_TYPE_INITIALIZER_2 // 25 elements, 0x70 bytes (sizeof)
{
    /*0x000*/ UINT16 Length;
    union // 2 elements, 0x1 bytes (sizeof)
    {
        /*0x002*/ UINT8 ObjectTypeFlags;
        struct // 7 elements, 0x1 bytes (sizeof)
        {
            /*0x002*/ UINT8 CaseInsensitive : 1; // 0 BitPosition
            /*0x002*/ UINT8 UnnamedObjectsOnly : 1; // 1 BitPosition
            /*0x002*/ UINT8 UseDefaultObject : 1; // 2 BitPosition
            /*0x002*/ UINT8 SecurityRequired : 1; // 3 BitPosition
            /*0x002*/ UINT8 MaintainHandleCount : 1; // 4 BitPosition
            /*0x002*/ UINT8 MaintainTypeList : 1; // 5 BitPosition
            /*0x002*/ UINT8 SupportsObjectCallbacks : 1; // 6 BitPosition -- toggled by EnableObType
        };
    };
    /*0x004*/ ULONG32 ObjectTypeCode;
    /*0x008*/ ULONG32 InvalidAttributes;
    /*0x00C*/ struct _GENERIC_MAPPING GenericMapping; // 4 elements, 0x10 bytes (sizeof)
    /*0x01C*/ ULONG32 ValidAccessMask;
    /*0x020*/ ULONG32 RetainAccess;
    /*0x024*/ enum _POOL_TYPE PoolType;
    /*0x028*/ ULONG32 DefaultPagedPoolCharge;
    /*0x02C*/ ULONG32 DefaultNonPagedPoolCharge;
    /*0x030*/ PVOID DumpProcedure;
    /*0x038*/ PVOID OpenProcedure;
    /*0x040*/ PVOID CloseProcedure;
    /*0x048*/ PVOID DeleteProcedure;
    /*0x050*/ PVOID ParseProcedure;
    /*0x058*/ PVOID SecurityProcedure;
    /*0x060*/ PVOID QueryNameProcedure;
    /*0x068*/ PVOID OkayToCloseProcedure;
}OBJECT_TYPE_INITIALIZERX_2, *POBJECT_TYPE_INITIALIZERX_2;
// Layout of the kernel's otherwise opaque OBJECT_TYPE (0xD0 bytes), used by
// EnableObType to reach TypeInfo.SupportsObjectCallbacks. The offsets are
// hard-coded for a single kernel build; the project configurations mention
// Win7 and Win10 x64, but which build these were taken from is not stated.
// A mismatch with the running kernel means the write lands in the wrong
// field, so verify against the kernel's symbols before relying on this.
typedef struct _MY_OBJECT_TYPE // 12 elements, 0xD0 bytes (sizeof)
{
    /*0x000*/ struct _LIST_ENTRY TypeList; // 2 elements, 0x10 bytes (sizeof)
    /*0x010*/ struct _UNICODE_STRING Name; // 3 elements, 0x10 bytes (sizeof)
    /*0x020*/ VOID* DefaultObject;
    /*0x028*/ UINT8 Index;
    /*0x029*/ UINT8 _PADDING0_[0x3];
    /*0x02C*/ ULONG32 TotalNumberOfObjects;
    /*0x030*/ ULONG32 TotalNumberOfHandles;
    /*0x034*/ ULONG32 HighWaterNumberOfObjects;
    /*0x038*/ ULONG32 HighWaterNumberOfHandles;
    /*0x03C*/ UINT8 _PADDING1_[0x4];
    /*0x040*/ struct _OBJECT_TYPE_INITIALIZER_2 TypeInfo; // 25 elements, 0x70 bytes (sizeof) -- see EnableObType
    /*0x0B0*/ struct _EX_PUSH_LOCK_2 TypeLock; // 7 elements, 0x8 bytes (sizeof)
    /*0x0B8*/ ULONG32 Key;
    /*0x0BC*/ UINT8 _PADDING2_[0x4];
    /*0x0C0*/ struct _LIST_ENTRY CallbackList; // 2 elements, 0x10 bytes (sizeof)
}MY_OBJECT_TYPE, *PMY_OBJECT_TYPE;
71 |
72 |
73 | VOID EnableObType(POBJECT_TYPE ObjectType, BOOLEAN enable);
--------------------------------------------------------------------------------
/VTFrame/src/Hook/InlineHook.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/Hook/InlineHook.c
--------------------------------------------------------------------------------
/VTFrame/src/Hook/InlineHook.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/Hook/InlineHook.h
--------------------------------------------------------------------------------
/VTFrame/src/Hook/PageHook.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/Hook/PageHook.c
--------------------------------------------------------------------------------
/VTFrame/src/Hook/PageHook.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 |
4 |
// Request block for installing or removing one page hook: the physical page
// frame numbers of the data page and the code page involved. Presumably
// consumed by the EPT code under VMX/ — the consumer is not on this page.
typedef struct _HOOK_CONTEXT
{
    BOOLEAN Hook; // TRUE to hook page, FALSE to unhook
    ULONG64 DataPagePFN; // Physical data page PFN
    ULONG64 CodePagePFN; // Physical code page PFN
} HOOK_CONTEXT, *PHOOK_CONTEXT;
11 |
// Which of the two page copies a hook entry refers to.
typedef enum _PAGE_TYPE
{
    DATA_PAGE = 0, // the page that is read/written
    CODE_PAGE = 1, // the page that is executed
} PAGE_TYPE;
17 |
// One installed page hook, kept in a linked list (Link). Records the hooked
// function and the data/code page pair (virtual and physical) plus the bytes
// saved from the original function so the hook can be reverted.
// OriginalData is a fixed 80-byte buffer: whatever fills it must bound
// OriginalSize by sizeof(OriginalData) (the writer is in PageHook.c, not on
// this page — confirm it does).
typedef struct _PAGE_HOOK_ENTRY
{
    LIST_ENTRY Link;
    PVOID OriginalPtr; // Original function VA
    PVOID DataPageVA; // Data page VA
    ULONG64 DataPagePFN; // Data page PFN
    ULONG64 DataPhys; // Physical address of the data page (presumably DataPagePFN << 12 — confirm)
    PVOID CodePageVA; // Executable page VA
    ULONG64 CodePagePFN; // Executable page PFN
    ULONG OriginalSize; // Size of original data
    UCHAR OriginalData[80]; // Original bytes + jump
} PAGE_HOOK_ENTRY, *PPAGE_HOOK_ENTRY;
30 |
31 |
/* Implemented in PageHook.c (not on this page); descriptions below are
 * inferred from the names and should be confirmed there. */
NTSTATUS UnPageHook();                                        // Presumably removes every installed page hook. `()` is an unprototyped declaration; `(void)` would let the compiler check calls.
NTSTATUS PHHook(IN PVOID pFunc, IN PVOID pHook);              // Presumably installs a page hook diverting pFunc to pHook.
PPAGE_HOOK_ENTRY PHGetHookEntry(IN PVOID ptr);                // Presumably finds the PAGE_HOOK_ENTRY recorded for ptr (NULL when none — confirm).
NTSTATUS ModifyAddressValue(PVOID address, PVOID pByte, ULONG length);   // Presumably writes length bytes from pByte at address through the hook machinery.
NTSTATUS ModifyAddressValue2(PVOID address, PVOID pByte, ULONG length, PVOID address1, PVOID pByte1, ULONG length1); // Same for two (address, bytes, length) triples.
--------------------------------------------------------------------------------
/VTFrame/src/Hook/SysCall.asm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/Hook/SysCall.asm
--------------------------------------------------------------------------------
/VTFrame/src/Hook/SysCallHook.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/Hook/SysCallHook.c
--------------------------------------------------------------------------------
/VTFrame/src/Hook/SysCallHook.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/Hook/SysCallHook.h
--------------------------------------------------------------------------------
/VTFrame/src/IDT/idt.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/IDT/idt.c
--------------------------------------------------------------------------------
/VTFrame/src/IDT/idt.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/IDT/idt.h
--------------------------------------------------------------------------------
/VTFrame/src/Include/CPU.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 |
// Model-specific register indices (architectural numbers as listed in the
// Intel SDM, so they can be checked against the manual directly).
#define MSR_APIC_BASE 0x01B
#define MSR_IA32_FEATURE_CONTROL 0x03A   // holds the VMX enable/lock bits

// VMX capability MSRs (0x480-0x491).
#define MSR_IA32_VMX_BASIC 0x480
#define MSR_IA32_VMX_PINBASED_CTLS 0x481
#define MSR_IA32_VMX_PROCBASED_CTLS 0x482
#define MSR_IA32_VMX_EXIT_CTLS 0x483
#define MSR_IA32_VMX_ENTRY_CTLS 0x484
#define MSR_IA32_VMX_MISC 0x485
#define MSR_IA32_VMX_CR0_FIXED0 0x486
#define MSR_IA32_VMX_CR0_FIXED1 0x487
#define MSR_IA32_VMX_CR4_FIXED0 0x488
#define MSR_IA32_VMX_CR4_FIXED1 0x489
#define MSR_IA32_VMX_VMCS_ENUM 0x48A
#define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B
#define MSR_IA32_VMX_EPT_VPID_CAP 0x48C
#define MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48D
#define MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48E
#define MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48F
#define MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490
#define MSR_IA32_VMX_VMFUNC 0x491

// SYSENTER target and debug-control MSRs.
#define MSR_IA32_SYSENTER_CS 0x174
#define MSR_IA32_SYSENTER_ESP 0x175
#define MSR_IA32_SYSENTER_EIP 0x176
#define MSR_IA32_DEBUGCTL 0x1D9

#define MSR_LSTAR 0xC0000082   // SYSCALL target RIP in 64-bit mode

// Segment base MSRs.
#define MSR_FS_BASE 0xC0000100
#define MSR_GS_BASE 0xC0000101
#define MSR_SHADOW_GS_BASE 0xC0000102 // SwapGS GS shadow (IA32_KERNEL_GS_BASE)
36 |
37 |
38 | #pragma warning(disable: 4214 4201)
// The four output registers of a CPUID leaf, in the order __cpuid()/cpuidex
// fill them (eax, ebx, ecx, edx).
typedef struct _CPUID
{
    int eax;
    int ebx;
    int ecx;
    int edx;
} CPUID, *PCPUID;
46 |
// ECX feature flags returned by CPUID leaf 1; `fields.vmx` is the bit that
// tells whether the processor supports VMX at all. Bit-fields are allocated
// from the least significant bit, so field order equals bit order.
typedef union _CpuFeaturesEcx {
    ULONG32 all;
    struct {
        ULONG32 sse3 : 1; //!< [0] Streaming SIMD Extensions 3 (SSE3)
        ULONG32 pclmulqdq : 1; //!< [1] PCLMULQDQ
        ULONG32 dtes64 : 1; //!< [2] 64-bit DS Area
        ULONG32 monitor : 1; //!< [3] MONITOR/MWAIT
        ULONG32 ds_cpl : 1; //!< [4] CPL qualified Debug Store
        ULONG32 vmx : 1; //!< [5] Virtual Machine Technology
        ULONG32 smx : 1; //!< [6] Safer Mode Extensions
        ULONG32 est : 1; //!< [7] Enhanced Intel Speedstep Technology
        ULONG32 tm2 : 1; //!< [8] Thermal monitor 2
        ULONG32 ssse3 : 1; //!< [9] Supplemental Streaming SIMD Extensions 3
        ULONG32 cid : 1; //!< [10] L1 context ID
        ULONG32 sdbg : 1; //!< [11] IA32_DEBUG_INTERFACE MSR
        ULONG32 fma : 1; //!< [12] FMA extensions using YMM state
        ULONG32 cx16 : 1; //!< [13] CMPXCHG16B
        ULONG32 xtpr : 1; //!< [14] xTPR Update Control
        ULONG32 pdcm : 1; //!< [15] Performance/Debug capability MSR
        ULONG32 reserved : 1; //!< [16] Reserved
        ULONG32 pcid : 1; //!< [17] Process-context identifiers
        ULONG32 dca : 1; //!< [18] prefetch from a memory mapped device
        ULONG32 sse4_1 : 1; //!< [19] SSE4.1
        ULONG32 sse4_2 : 1; //!< [20] SSE4.2
        ULONG32 x2_apic : 1; //!< [21] x2APIC feature
        ULONG32 movbe : 1; //!< [22] MOVBE instruction
        ULONG32 popcnt : 1; //!< [23] POPCNT instruction
        ULONG32 reserved3 : 1; //!< [24] one-shot operation using a TSC deadline (TSC-Deadline)
        ULONG32 aes : 1; //!< [25] AESNI instruction
        ULONG32 xsave : 1; //!< [26] XSAVE/XRSTOR feature
        ULONG32 osxsave : 1; //!< [27] enable XSETBV/XGETBV instructions
        ULONG32 avx : 1; //!< [28] AVX instruction extensions
        ULONG32 f16c : 1; //!< [29] 16-bit floating-point conversion
        ULONG32 rdrand : 1; //!< [30] RDRAND instruction
        ULONG32 not_used : 1; //!< [31] Always 0 (a.k.a. HypervisorPresent)
    } fields;
}CpuFeaturesEcx;
84 |
// RFLAGS. `All` is pointer sized (8 bytes on x64) while the bit-fields cover
// only the low 32 bits; bits 32-63 of RFLAGS are reserved and not modelled.
// Bit-fields are allocated from the least significant bit, so field order
// equals bit order.
typedef union _EFLAGS
{
    ULONG_PTR All;
    struct
    {
        ULONG CF : 1; // [0] Carry flag
        ULONG Reserved1 : 1; // [1] Always 1
        ULONG PF : 1; // [2] Parity flag
        ULONG Reserved2 : 1; // [3] Always 0
        ULONG AF : 1; // [4] Auxiliary carry (adjust) flag
        ULONG Reserved3 : 1; // [5] Always 0
        ULONG ZF : 1; // [6] Zero flag
        ULONG SF : 1; // [7] Sign flag
        ULONG TF : 1; // [8] Trap flag
        ULONG IF : 1; // [9] Interrupt flag
        ULONG DF : 1; // [10] Direction flag
        ULONG OF : 1; // [11] Overflow flag
        ULONG IOPL : 2; // [12-13] I/O privilege level
        ULONG NT : 1; // [14] Nested task flag
        ULONG Reserved4 : 1; // [15] Always 0
        ULONG RF : 1; // [16] Resume flag
        ULONG VM : 1; // [17] Virtual 8086 mode
        ULONG AC : 1; // [18] Alignment check
        ULONG VIF : 1; // [19] Virtual interrupt flag
        ULONG VIP : 1; // [20] Virtual interrupt pending
        ULONG ID : 1; // [21] Identification flag
        ULONG Reserved5 : 10; // [22-31] Always 0
    } Fields;
} EFLAGS, *PEFLAGS;
115 |
// CR0 control register. `All` is ULONG_PTR; the named fields cover bits
// [0-31] only (bits 32-63 of CR0 are reserved on x64).
// VMX operation constrains several of these bits (PE, NE and PG normally
// have to be 1 while VMX is on); the IA32_VMX_CR0_FIXED0/1 MSRs that define
// the exact set are not declared in this file.
typedef union _CR0_REG
{
    ULONG_PTR All;
    struct
    {
        ULONG PE : 1;          // [0]  Protection Enable
        ULONG MP : 1;          // [1]  Monitor Coprocessor
        ULONG EM : 1;          // [2]  Emulation (no x87 FPU)
        ULONG TS : 1;          // [3]  Task Switched
        ULONG ET : 1;          // [4]  Extension Type
        ULONG NE : 1;          // [5]  Numeric Error
        ULONG Reserved1 : 10;  // [6-15]
        ULONG WP : 1;          // [16] Write Protect (supervisor writes honour read-only pages)
        ULONG Reserved2 : 1;   // [17]
        ULONG AM : 1;          // [18] Alignment Mask
        ULONG Reserved3 : 10;  // [19-28]
        ULONG NW : 1;          // [29] Not Write-Through
        ULONG CD : 1;          // [30] Cache Disable
        ULONG PG : 1;          // [31] Paging
    } Fields;
} CR0_REG, *PCR0_REG;
138 |
// CR4 control register. `All` is ULONG_PTR; the named fields cover bits
// [0-21] only.
// CR4.VMXE [13] must be 1 before VMXON can succeed, and while the hypervisor
// is running the guest must not be allowed to clear it (the CR4 guest/host
// mask and read shadow in the VMCS are the usual way to hide it).
typedef union _CR4_REG
{
    ULONG_PTR All;
    struct
    {
        ULONG VME : 1;         // [0]  Virtual-8086 Mode Extensions
        ULONG PVI : 1;         // [1]  Protected-Mode Virtual Interrupts
        ULONG TSD : 1;         // [2]  Time Stamp Disable (RDTSC is privileged when set)
        ULONG DE : 1;          // [3]  Debugging Extensions
        ULONG PSE : 1;         // [4]  Page Size Extensions
        ULONG PAE : 1;         // [5]  Physical Address Extension
        ULONG MCE : 1;         // [6]  Machine-Check Enable
        ULONG PGE : 1;         // [7]  Page Global Enable
        ULONG PCE : 1;         // [8]  Performance-Monitoring Counter Enable
        ULONG OSFXSR : 1;      // [9]  OS support for FXSAVE/FXRSTOR
        ULONG OSXMMEXCPT : 1;  // [10] OS support for unmasked SIMD exceptions
        ULONG Reserved1 : 2;   // [11-12]
        ULONG VMXE : 1;        // [13] VMX Enable
        ULONG SMXE : 1;        // [14] SMX Enable
        ULONG Reserved2 : 2;   // [15-16]
        ULONG PCIDE : 1;       // [17] PCID Enable
        ULONG OSXSAVE : 1;     // [18] XSAVE and processor extended states enable
        ULONG Reserved3 : 1;   // [19]
        ULONG SMEP : 1;        // [20] Supervisor Mode Execution Prevention
        ULONG SMAP : 1;        // [21] Supervisor Mode Access Prevention
    } Fields;
} CR4_REG, *PCR4_REG;
167 |
// IA32_APIC_BASE MSR: local APIC enable bits and the physical base of the
// APIC register page.
typedef union _IA32_APIC_BASE
{
    ULONG64 All;
    struct
    {
        ULONG64 Reserved1 : 8;             // [0-7]
        ULONG64 Bootstrap_processor : 1;   // [8]  BSP flag
        ULONG64 Reserved2 : 1;             // [9]
        ULONG64 Enable_x2apic_mode : 1;    // [10] x2APIC mode enable
        ULONG64 Enable_xapic_global : 1;   // [11] xAPIC global enable
        ULONG64 Apic_base : 24;            // [12-35] APIC page physical address >> 12.
                                           // Only 24 address bits are named; on CPUs with
                                           // MAXPHYADDR > 36 the higher bits are reachable
                                           // through All only.
    } Fields;
} IA32_APIC_BASE, *PIA32_APIC_BASE;
181 |
// IA32_VMX_BASIC MSR: VMCS revision identifier plus a summary of VMX
// capabilities.
// The struct is built from ULONG32 bit-fields: the first two fields fill
// exactly one 32-bit unit, so RegionSize starts at bit 32 as the ranges
// state. Keep that boundary intact if fields are ever added.
typedef union _IA32_VMX_BASIC_MSR
{
    ULONG64 All;
    struct
    {
        ULONG32 RevisionIdentifier : 31;   // [0-30] revision id that must be written to the VMXON/VMCS region header
        ULONG32 Reserved1 : 1;             // [31]
        ULONG32 RegionSize : 12;           // [32-43] bytes to allocate for VMXON and VMCS regions
        ULONG32 RegionClear : 1;           // [44] the SDM counts bits 32-44 as the size field; named separately here - confirm it is always 0
        ULONG32 Reserved2 : 3;             // [45-47]
        ULONG32 SupportedIA64 : 1;         // [48] set: VMXON/VMCS physical addresses are limited to 32 bits (name is historical)
        ULONG32 SupportedDualMoniter : 1;  // [49] dual-monitor treatment of SMI/SMM supported
        ULONG32 MemoryType : 4;            // [50-53] memory type the CPU uses to access the VMCS (6 = write-back)
        ULONG32 VmExitReport : 1;          // [54] INS/OUTS exits report instruction information
        ULONG32 VmxCapabilityHint : 1;     // [55] the IA32_VMX_TRUE_*_CTLS MSRs are available
        ULONG32 Reserved3 : 8;             // [56-63]
    } Fields;
} IA32_VMX_BASIC_MSR, *PIA32_VMX_BASIC_MSR;
200 |
// IA32_VMX_PROCBASED_CTLS MSR. Per the Intel SDM the low 32 bits are the
// allowed-0 settings and the high 32 bits the allowed-1 settings of the
// primary processor-based VM-execution controls. Only the high half is
// named here (Reserved0 covers the low half), so `Fields.X` answers
// "may control X be set to 1 on this CPU?". Ranges are written [32 + n],
// where n is the bit position of the control in CPU_BASED_VM_EXEC_CONTROL.
typedef union _IA32_VMX_PROCBASED_CTLS_MSR
{
    ULONG64 All;
    struct
    {
        ULONG64 Reserved0 : 32;                  // [0-31] allowed-0 settings, not decoded here
        ULONG64 Reserved1 : 2;                   // [32 + 0-1]
        ULONG64 InterruptWindowExiting : 1;      // [32 + 2]
        ULONG64 UseTSCOffseting : 1;             // [32 + 3]
        ULONG64 Reserved2 : 3;                   // [32 + 4-6]
        ULONG64 HLTExiting : 1;                  // [32 + 7]
        ULONG64 Reserved3 : 1;                   // [32 + 8]
        ULONG64 INVLPGExiting : 1;               // [32 + 9]
        ULONG64 MWAITExiting : 1;                // [32 + 10]
        ULONG64 RDPMCExiting : 1;                // [32 + 11]
        ULONG64 RDTSCExiting : 1;                // [32 + 12]
        ULONG64 Reserved4 : 2;                   // [32 + 13-14]
        ULONG64 CR3LoadExiting : 1;              // [32 + 15]
        ULONG64 CR3StoreExiting : 1;             // [32 + 16]
        ULONG64 Reserved5 : 2;                   // [32 + 17-18]
        ULONG64 CR8LoadExiting : 1;              // [32 + 19]
        ULONG64 CR8StoreExiting : 1;             // [32 + 20]
        ULONG64 UseTPRShadowExiting : 1;         // [32 + 21]
        ULONG64 NMIWindowExiting : 1;            // [32 + 22]
        ULONG64 MovDRExiting : 1;                // [32 + 23]
        ULONG64 UnconditionalIOExiting : 1;      // [32 + 24]
        ULONG64 UseIOBitmaps : 1;                // [32 + 25]
        ULONG64 Reserved6 : 1;                   // [32 + 26]
        ULONG64 MonitorTrapFlag : 1;             // [32 + 27]
        ULONG64 UseMSRBitmaps : 1;               // [32 + 28] without this every RDMSR/WRMSR exits
        ULONG64 MONITORExiting : 1;              // [32 + 29]
        ULONG64 PAUSEExiting : 1;                // [32 + 30]
        ULONG64 ActivateSecondaryControl : 1;    // [32 + 31] secondary controls (VMX_PROCBASED_CTLS2_MSR) exist
    } Fields;
} IA32_VMX_PROCBASED_CTLS_MSR, *PIA32_VMX_PROCBASED_CTLS_MSR;
236 |
// IA32_VMX_PROCBASED_CTLS2 MSR, same layout convention as the primary MSR:
// low 32 bits allowed-0, high 32 bits allowed-1 (only the latter named).
// Only bits [32 + 0-20] are decoded; the remaining high bits have no field
// and must be read through All.
typedef union _IA32_VMX_PROCBASED_CTLS2_MSR
{
    ULONG64 All;
    struct
    {
        ULONG64 Reserved0 : 32;                   // [0-31] allowed-0 settings, not decoded here
        ULONG64 VirtualizeAPICAccesses : 1;       // [32 + 0]
        ULONG64 EnableEPT : 1;                    // [32 + 1] required for the EPT page hooks in this project
        ULONG64 DescriptorTableExiting : 1;       // [32 + 2]
        ULONG64 EnableRDTSCP : 1;                 // [32 + 3]
        ULONG64 VirtualizeX2APICMode : 1;         // [32 + 4]
        ULONG64 EnableVPID : 1;                   // [32 + 5]
        ULONG64 WBINVDExiting : 1;                // [32 + 6]
        ULONG64 UnrestrictedGuest : 1;            // [32 + 7]
        ULONG64 APICRegisterVirtualization : 1;   // [32 + 8]
        ULONG64 VirtualInterruptDelivery : 1;     // [32 + 9]
        ULONG64 PAUSELoopExiting : 1;             // [32 + 10]
        ULONG64 RDRANDExiting : 1;                // [32 + 11]
        ULONG64 EnableINVPCID : 1;                // [32 + 12]
        ULONG64 EnableVMFunctions : 1;            // [32 + 13]
        ULONG64 VMCSShadowing : 1;                // [32 + 14]
        ULONG64 Reserved1 : 1;                    // [32 + 15]
        ULONG64 RDSEEDExiting : 1;                // [32 + 16]
        ULONG64 Reserved2 : 1;                    // [32 + 17]
        ULONG64 EPTViolation : 1;                 // [32 + 18] EPT-violation #VE
        ULONG64 Reserved3 : 1;                    // [32 + 19]
        ULONG64 EnableXSAVESXSTORS : 1;           // [32 + 20]
    } Fields;
} IA32_VMX_PROCBASED_CTLS2_MSR, *PIA32_VMX_PROCBASED_CTLS2_MSR;
266 |
// IA32_FEATURE_CONTROL MSR. Lock [0] is sticky until reset: if firmware set
// it with EnableVmxon [2] clear, VMXON raises #GP and the hypervisor cannot
// be started on this machine; if Lock is clear, VMXON also raises #GP, so the
// driver has to set the enable bits and Lock itself before attempting VMXON.
typedef union _IA32_FEATURE_CONTROL_MSR
{
    ULONG64 All;
    struct
    {
        ULONG64 Lock : 1;                 // [0]  Lock bit (WRMSR to this MSR #GPs once set)
        ULONG64 EnableSMX : 1;            // [1]  VMXON allowed inside SMX operation
        ULONG64 EnableVmxon : 1;          // [2]  VMXON allowed outside SMX operation
        ULONG64 Reserved2 : 5;            // [3-7]
        ULONG64 EnableLocalSENTER : 7;    // [8-14] SENTER local function enables
        ULONG64 EnableGlobalSENTER : 1;   // [15] SENTER global enable
        ULONG64 Reserved3a : 16;          // [16-31]
        ULONG64 Reserved3b : 32;          // [32-63]
    } Fields;
} IA32_FEATURE_CONTROL_MSR, *PIA32_FEATURE_CONTROL_MSR;
282 |
// IA32_VMX_EPT_VPID_CAP MSR. Only two capability bits are decoded; every
// other EPT/VPID capability (page-walk length, memory types, large pages,
// INVEPT/INVVPID types other than single-address) has to be read from All.
typedef union _IA32_VMX_EPT_VPID_CAP_MSR
{
    ULONG64 All;
    struct
    {
        ULONG64 ExecuteOnly : 1;               // [0]  EPT supports execute-only translations (needed for hooks that hide a page's code from reads)
        ULONG64 Reserved1 : 31;                // [1-31] not decoded
        ULONG64 Reserved2 : 8;                 // [32-39] not decoded
        ULONG64 IndividualAddressInvVpid : 1;  // [40] INVVPID type 0 (individual-address invalidation) supported
        ULONG64 Reserved3 : 23;                // [41-63] not decoded
    } Fields;
} IA32_VMX_EPT_VPID_CAP_MSR, *PIA32_VMX_EPT_VPID_CAP_MSR;
// MSVC: C4214 = bit-field type other than int, C4201 = nameless struct/union.
// NOTE(review): #pragma warning(disable) only affects what follows it in the
// translation unit, so placed here it does not cover the unions above and
// instead silences both warnings in every header included after this one.
// It presumably belongs at the top of the file, ideally as
// #pragma warning(push) / ... / #pragma warning(pop) - confirm in the build.
#pragma warning(disable: 4214 4201)
296 |
--------------------------------------------------------------------------------
/VTFrame/src/Include/DriverDef.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/Include/DriverDef.h
--------------------------------------------------------------------------------
/VTFrame/src/Include/Native.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/Include/Native.h
--------------------------------------------------------------------------------
/VTFrame/src/Include/VMCS.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 |
// VMCS field encodings (Intel SDM Vol. 3, Appendix B), the values passed to
// VMREAD/VMWRITE. The encoding is structured: bit 0 selects the high 32 bits
// of a 64-bit field (the *_HIGH entries), bits 1-9 are the index, bits 10-11
// the type (0 control, 1 read-only exit data, 2 guest state, 3 host state)
// and bits 13-14 the width (0 16-bit, 1 64-bit, 2 32-bit, 3 natural). The
// group comments follow that structure. Reading an encoding the CPU does not
// implement makes VMREAD fail (VMfailValid), which VmcsRead() below hides.
typedef enum _VMCS_ENCODING
{
    VIRTUAL_PROCESSOR_ID = 0x00000000, // 16-Bit Control Field
    POSTED_INTERRUPT_NOTIFICATION = 0x00000002,
    EPTP_INDEX = 0x00000004,
    GUEST_ES_SELECTOR = 0x00000800, // 16-Bit Guest-State Fields
    GUEST_CS_SELECTOR = 0x00000802,
    GUEST_SS_SELECTOR = 0x00000804,
    GUEST_DS_SELECTOR = 0x00000806,
    GUEST_FS_SELECTOR = 0x00000808,
    GUEST_GS_SELECTOR = 0x0000080a,
    GUEST_LDTR_SELECTOR = 0x0000080c,
    GUEST_TR_SELECTOR = 0x0000080e,
    GUEST_INTERRUPT_STATUS = 0x00000810,
    HOST_ES_SELECTOR = 0x00000c00, // 16-Bit Host-State Fields
    HOST_CS_SELECTOR = 0x00000c02,
    HOST_SS_SELECTOR = 0x00000c04,
    HOST_DS_SELECTOR = 0x00000c06,
    HOST_FS_SELECTOR = 0x00000c08,
    HOST_GS_SELECTOR = 0x00000c0a,
    HOST_TR_SELECTOR = 0x00000c0c,
    IO_BITMAP_A = 0x00002000, // 64-Bit Control Fields
    IO_BITMAP_A_HIGH = 0x00002001,
    IO_BITMAP_B = 0x00002002,
    IO_BITMAP_B_HIGH = 0x00002003,
    MSR_BITMAP = 0x00002004,
    MSR_BITMAP_HIGH = 0x00002005,
    VM_EXIT_MSR_STORE_ADDR = 0x00002006,
    VM_EXIT_MSR_STORE_ADDR_HIGH = 0x00002007,
    VM_EXIT_MSR_LOAD_ADDR = 0x00002008,
    VM_EXIT_MSR_LOAD_ADDR_HIGH = 0x00002009,
    VM_ENTRY_MSR_LOAD_ADDR = 0x0000200a,
    VM_ENTRY_MSR_LOAD_ADDR_HIGH = 0x0000200b,
    EXECUTIVE_VMCS_POINTER = 0x0000200c,
    EXECUTIVE_VMCS_POINTER_HIGH = 0x0000200d,
    TSC_OFFSET = 0x00002010,
    TSC_OFFSET_HIGH = 0x00002011,
    VIRTUAL_APIC_PAGE_ADDR = 0x00002012,
    VIRTUAL_APIC_PAGE_ADDR_HIGH = 0x00002013,
    APIC_ACCESS_ADDR = 0x00002014,
    APIC_ACCESS_ADDR_HIGH = 0x00002015,
    EPT_POINTER = 0x0000201a,
    EPT_POINTER_HIGH = 0x0000201b,
    EOI_EXIT_BITMAP_0 = 0x0000201c,
    EOI_EXIT_BITMAP_0_HIGH = 0x0000201d,
    EOI_EXIT_BITMAP_1 = 0x0000201e,
    EOI_EXIT_BITMAP_1_HIGH = 0x0000201f,
    EOI_EXIT_BITMAP_2 = 0x00002020,
    EOI_EXIT_BITMAP_2_HIGH = 0x00002021,
    EOI_EXIT_BITMAP_3 = 0x00002022,
    EOI_EXIT_BITMAP_3_HIGH = 0x00002023,
    EPTP_LIST_ADDRESS = 0x00002024,
    EPTP_LIST_ADDRESS_HIGH = 0x00002025,
    VMREAD_BITMAP_ADDRESS = 0x00002026,
    VMREAD_BITMAP_ADDRESS_HIGH = 0x00002027,
    VMWRITE_BITMAP_ADDRESS = 0x00002028,
    VMWRITE_BITMAP_ADDRESS_HIGH = 0x00002029,
    VIRTUALIZATION_EXCEPTION_INFO_ADDDRESS = 0x0000202a,
    VIRTUALIZATION_EXCEPTION_INFO_ADDDRESS_HIGH = 0x0000202b,
    XSS_EXITING_BITMAP = 0x0000202c,
    XSS_EXITING_BITMAP_HIGH = 0x0000202d,
    GUEST_PHYSICAL_ADDRESS = 0x00002400, // 64-Bit Read-Only Data Field
    GUEST_PHYSICAL_ADDRESS_HIGH = 0x00002401,
    VMCS_LINK_POINTER = 0x00002800, // 64-Bit Guest-State Fields
    VMCS_LINK_POINTER_HIGH = 0x00002801,
    GUEST_IA32_DEBUGCTL = 0x00002802,
    GUEST_IA32_DEBUGCTL_HIGH = 0x00002803,
    GUEST_IA32_PAT = 0x00002804,
    GUEST_IA32_PAT_HIGH = 0x00002805,
    GUEST_IA32_EFER = 0x00002806,
    GUEST_IA32_EFER_HIGH = 0x00002807,
    GUEST_IA32_PERF_GLOBAL_CTRL = 0x00002808,
    GUEST_IA32_PERF_GLOBAL_CTRL_HIGH = 0x00002809,
    GUEST_PDPTR0 = 0x0000280a,
    GUEST_PDPTR0_HIGH = 0x0000280b,
    GUEST_PDPTR1 = 0x0000280c,
    GUEST_PDPTR1_HIGH = 0x0000280d,
    GUEST_PDPTR2 = 0x0000280e,
    GUEST_PDPTR2_HIGH = 0x0000280f,
    GUEST_PDPTR3 = 0x00002810,
    GUEST_PDPTR3_HIGH = 0x00002811,
    HOST_IA32_PAT = 0x00002c00, // 64-Bit Host-State Fields
    HOST_IA32_PAT_HIGH = 0x00002c01,
    HOST_IA32_EFER = 0x00002c02,
    HOST_IA32_EFER_HIGH = 0x00002c03,
    HOST_IA32_PERF_GLOBAL_CTRL = 0x00002c04,
    HOST_IA32_PERF_GLOBAL_CTRL_HIGH = 0x00002c05,
    PIN_BASED_VM_EXEC_CONTROL = 0x00004000, // 32-Bit Control Fields
    CPU_BASED_VM_EXEC_CONTROL = 0x00004002,
    EXCEPTION_BITMAP = 0x00004004,
    PAGE_FAULT_ERROR_CODE_MASK = 0x00004006,
    PAGE_FAULT_ERROR_CODE_MATCH = 0x00004008,
    CR3_TARGET_COUNT = 0x0000400a,
    VM_EXIT_CONTROLS = 0x0000400c,
    VM_EXIT_MSR_STORE_COUNT = 0x0000400e,
    VM_EXIT_MSR_LOAD_COUNT = 0x00004010,
    VM_ENTRY_CONTROLS = 0x00004012,
    VM_ENTRY_MSR_LOAD_COUNT = 0x00004014,
    VM_ENTRY_INTR_INFO_FIELD = 0x00004016,
    VM_ENTRY_EXCEPTION_ERROR_CODE = 0x00004018,
    VM_ENTRY_INSTRUCTION_LEN = 0x0000401a,
    TPR_THRESHOLD = 0x0000401c,
    SECONDARY_VM_EXEC_CONTROL = 0x0000401e,
    PLE_GAP = 0x00004020,
    PLE_WINDOW = 0x00004022,
    VM_INSTRUCTION_ERROR = 0x00004400, // 32-Bit Read-Only Data Fields
    VM_EXIT_REASON = 0x00004402,
    VM_EXIT_INTR_INFO = 0x00004404,
    VM_EXIT_INTR_ERROR_CODE = 0x00004406,
    IDT_VECTORING_INFO_FIELD = 0x00004408,
    IDT_VECTORING_ERROR_CODE = 0x0000440a,
    VM_EXIT_INSTRUCTION_LEN = 0x0000440c,
    VMX_INSTRUCTION_INFO = 0x0000440e,
    GUEST_ES_LIMIT = 0x00004800, // 32-Bit Guest-State Fields
    GUEST_CS_LIMIT = 0x00004802,
    GUEST_SS_LIMIT = 0x00004804,
    GUEST_DS_LIMIT = 0x00004806,
    GUEST_FS_LIMIT = 0x00004808,
    GUEST_GS_LIMIT = 0x0000480a,
    GUEST_LDTR_LIMIT = 0x0000480c,
    GUEST_TR_LIMIT = 0x0000480e,
    GUEST_GDTR_LIMIT = 0x00004810,
    GUEST_IDTR_LIMIT = 0x00004812,
    GUEST_ES_AR_BYTES = 0x00004814,
    GUEST_CS_AR_BYTES = 0x00004816,
    GUEST_SS_AR_BYTES = 0x00004818,
    GUEST_DS_AR_BYTES = 0x0000481a,
    GUEST_FS_AR_BYTES = 0x0000481c,
    GUEST_GS_AR_BYTES = 0x0000481e,
    GUEST_LDTR_AR_BYTES = 0x00004820,
    GUEST_TR_AR_BYTES = 0x00004822,
    GUEST_INTERRUPTIBILITY_INFO = 0x00004824,
    GUEST_ACTIVITY_STATE = 0x00004826,
    GUEST_SMBASE = 0x00004828,
    GUEST_SYSENTER_CS = 0x0000482a,
    VMX_PREEMPTION_TIMER_VALUE = 0x0000482e,
    HOST_IA32_SYSENTER_CS = 0x00004c00, // 32-Bit Host-State Field
    CR0_GUEST_HOST_MASK = 0x00006000, // Natural-Width Control Fields
    CR4_GUEST_HOST_MASK = 0x00006002,
    CR0_READ_SHADOW = 0x00006004,
    CR4_READ_SHADOW = 0x00006006,
    CR3_TARGET_VALUE0 = 0x00006008,
    CR3_TARGET_VALUE1 = 0x0000600a,
    CR3_TARGET_VALUE2 = 0x0000600c,
    CR3_TARGET_VALUE3 = 0x0000600e,
    EXIT_QUALIFICATION = 0x00006400, // Natural-Width Read-Only Data Fields
    IO_RCX = 0x00006402,
    IO_RSI = 0x00006404,
    IO_RDI = 0x00006406,
    IO_RIP = 0x00006408,
    GUEST_LINEAR_ADDRESS = 0x0000640a,
    GUEST_CR0 = 0x00006800, // Natural-Width Guest-State Fields
    GUEST_CR3 = 0x00006802,
    GUEST_CR4 = 0x00006804,
    GUEST_ES_BASE = 0x00006806,
    GUEST_CS_BASE = 0x00006808,
    GUEST_SS_BASE = 0x0000680a,
    GUEST_DS_BASE = 0x0000680c,
    GUEST_FS_BASE = 0x0000680e,
    GUEST_GS_BASE = 0x00006810,
    GUEST_LDTR_BASE = 0x00006812,
    GUEST_TR_BASE = 0x00006814,
    GUEST_GDTR_BASE = 0x00006816,
    GUEST_IDTR_BASE = 0x00006818,
    GUEST_DR7 = 0x0000681a,
    GUEST_RSP = 0x0000681c,
    GUEST_RIP = 0x0000681e,
    GUEST_RFLAGS = 0x00006820,
    GUEST_PENDING_DBG_EXCEPTIONS = 0x00006822,
    GUEST_SYSENTER_ESP = 0x00006824,
    GUEST_SYSENTER_EIP = 0x00006826,
    HOST_CR0 = 0x00006c00, // Natural-Width Host-State Fields
    HOST_CR3 = 0x00006c02,
    HOST_CR4 = 0x00006c04,
    HOST_FS_BASE = 0x00006c06,
    HOST_GS_BASE = 0x00006c08,
    HOST_TR_BASE = 0x00006c0a,
    HOST_GDTR_BASE = 0x00006c0c,
    HOST_IDTR_BASE = 0x00006c0e,
    HOST_IA32_SYSENTER_ESP = 0x00006c10,
    HOST_IA32_SYSENTER_EIP = 0x00006c12,
    HOST_RSP = 0x00006c14,
    HOST_RIP = 0x00006c16
} VMCS_ENCODING;
190 |
///
/// Read a field of the current VMCS with VMREAD.
///
/// VmcsFieldId: VMCS_ENCODING value of the field to read.
/// Returns: the field's value, or 0 if the VMREAD failed.
///
/// NOTE(review): the status returned by __vmx_vmread (0 = success, non-zero =
/// VMfailInvalid / VMfailValid, e.g. no current VMCS or an encoding this CPU
/// does not implement) is discarded, so a caller cannot tell a genuine 0 from
/// a failed read. Exit-handling code that decides on the result (exit reason,
/// exit qualification, guest RIP) should use a variant that surfaces the
/// status, or at least assert on it in checked builds.
///
inline ULONG_PTR VmcsRead(IN ULONG VmcsFieldId)
{
    ULONG_PTR FieldData = 0;
    // VMREAD status is dropped; FieldData keeps its 0 initialiser on failure.
    __vmx_vmread(VmcsFieldId, &FieldData);
    return FieldData;
}
202 |
--------------------------------------------------------------------------------
/VTFrame/src/Include/common.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/Include/common.h
--------------------------------------------------------------------------------
/VTFrame/src/KernelStruct/Win10KernelStruct.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/KernelStruct/Win10KernelStruct.h
--------------------------------------------------------------------------------
/VTFrame/src/KernelStruct/Win7KernelStruct.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/KernelStruct/Win7KernelStruct.h
--------------------------------------------------------------------------------
/VTFrame/src/Monitor/Monitor.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/Monitor/Monitor.c
--------------------------------------------------------------------------------
/VTFrame/src/Monitor/Monitor.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 |
4 |
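/*
 * Driver-load monitoring entry points (presumably implemented in Monitor.c).
 * Declared with (void): an empty parameter list in C means "unspecified
 * arguments", which lets a call with stray arguments compile silently;
 * (void) makes the compiler reject it.
 *
 * Return: NTSTATUS of the registration / deregistration.
 */
NTSTATUS addDriverMonitor(void);
NTSTATUS removeDriverMonitor(void);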
7 |
--------------------------------------------------------------------------------
/VTFrame/src/MyDriver.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/MyDriver.c
--------------------------------------------------------------------------------
/VTFrame/src/Test/Test.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/Test/Test.c
--------------------------------------------------------------------------------
/VTFrame/src/Test/Test.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include "../Debug/DebugAPI.h"
4 |
// Function-pointer type matching the signature of the kernel's internal
// DbgkpQueueMessage (ntoskrnl, not exported). The `Ori*` naming suggests it
// holds the original routine so a hook can chain to it - confirm in Test.c.
typedef
NTSTATUS
(*OriDbgkpQueueMessagex)(
    IN PEPROCESS Process,
    IN PETHREAD Thread,
    IN OUT PDBGKM_MSG ApiMsg,
    IN ULONG Flags,
    IN PDEBUG_OBJECT TargetDebugObject
    );
// NOTE(review): this is a definition, not a declaration. Every translation
// unit that includes Test.h gets its own OriDbgkpQueueMessage object, which
// either fails to link (LNK2005) or leaves the saved pointer NULL in every
// TU but the one that assigned it. Declare it `extern` here and define it
// once in Test.c.
OriDbgkpQueueMessagex OriDbgkpQueueMessage;
15 |
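/*
 * Self-test entry points for the hook/callback modules (presumably driven
 * from Test.c). All parameterless prototypes use (void) so that a call with
 * arguments is a compile error rather than an unspecified-argument call.
 */
VOID TestSSDTHook(void);
VOID UnloadTest(void);
VOID TestCallBack(void);
VOID TestInlineHook(void);
VOID TestPageHook(void);

/* Saved original address of DbgkForwardException; defined elsewhere. */
extern ULONG64 oriDbgkForwardException;
/* Address of the #BP (vector 3) handler; defined elsewhere (see vtasm.asm). */
extern ULONG64 GetTrap03Address(void);
/* Simple two-argument test target; semantics defined in Test.c. */
ULONG64 TestFn(ULONG64 in1, ULONG64 in2);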
--------------------------------------------------------------------------------
/VTFrame/src/Util/GetUnExportFunAddress.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/Util/GetUnExportFunAddress.c
--------------------------------------------------------------------------------
/VTFrame/src/Util/GetUnExportFunAddress.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/Util/GetUnExportFunAddress.h
--------------------------------------------------------------------------------
/VTFrame/src/Util/LDasm.c:
--------------------------------------------------------------------------------
1 | /*
2 | *
3 | * Copyright (c) 2009-2011
4 | * vol4ok PGP KEY ID: 26EC143CCDC61C9D
5 | *
6 |
7 | This program is free software: you can redistribute it and/or modify
8 | it under the terms of the GNU General Public License as published by
9 | the Free Software Foundation, either version 3 of the License, or
10 | (at your option) any later version.
11 |
12 | This program is distributed in the hope that it will be useful,
13 | but WITHOUT ANY WARRANTY; without even the implied warranty of
14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 | GNU General Public License for more details.
16 |
17 | You should have received a copy of the GNU General Public License
18 | along with this program. If not, see <http://www.gnu.org/licenses/>.
19 |
20 | */
21 |
22 | #include "LDasm.h"
23 |
24 | /*
25 | Instruction format:
26 |
27 | | prefix | REX | opcode | modR/M | SIB | disp8/16/32 | imm8/16/32/64 |
28 |
29 | */
30 |
/* Per-opcode flags for the tables below. Each flags_table*[] entry is a
 * bitwise OR of these and tells the length decoder (ldasm(), not in this
 * excerpt) what follows the opcode byte.
 *
 * OP_INVALID and OP_PREFIX share the value 0x80: in the visible tables
 * OP_PREFIX appears only in the one-byte map and OP_INVALID only in the
 * 0F map, so which meaning bit 0x80 carries depends on the table the entry
 * came from. Presumably the decoder tests each only against its own table -
 * confirm before reusing these flags elsewhere. */
#define OP_NONE             0x00
#define OP_INVALID          0x80    /* opcode undefined (0F map) */

#define OP_DATA_I8          0x01    /* 1-byte immediate follows */
#define OP_DATA_I16         0x02    /* 2-byte immediate follows */
#define OP_DATA_I16_I32     0x04    /* 2- or 4-byte immediate, by operand size */
#define OP_DATA_I16_I32_I64 0x08    /* 2-, 4- or 8-byte immediate (B8-BF take 8 with REX.W) */
#define OP_EXTENDED         0x10    /* another opcode byte follows (0F 38 / 0F 3A / 0F 24) */
#define OP_RELATIVE         0x20    /* immediate is an IP-relative branch displacement */
#define OP_MODRM            0x40    /* ModR/M byte (and possibly SIB / displacement) follows */
#define OP_PREFIX           0x80    /* byte is a legacy prefix (one-byte map) */
42 |
43 |
/*
 * One-byte opcode map, indexed by the opcode byte. Each entry is an OR of
 * the OP_* flags above and drives the instruction-length computation.
 * 0x0F is OP_NONE here because the decoder continues in flags_table_ex;
 * 0x40-0x4F are OP_NONE because in 64-bit mode they are REX prefixes,
 * presumably consumed by the decoder before this table is consulted.
 *
 * A wrong entry silently mis-sizes an instruction. For an inline hook that
 * relocates a function prologue (see Hook/InlineHook.c) that means cutting
 * an instruction in half and executing corrupted code, so any change here
 * needs to be checked against a reference disassembler.
 */
static unsigned char flags_table[256] =
{
    /* 00 */ OP_MODRM,
    /* 01 */ OP_MODRM,
    /* 02 */ OP_MODRM,
    /* 03 */ OP_MODRM,
    /* 04 */ OP_DATA_I8,
    /* 05 */ OP_DATA_I16_I32,
    /* 06 */ OP_NONE,
    /* 07 */ OP_NONE,
    /* 08 */ OP_MODRM,
    /* 09 */ OP_MODRM,
    /* 0A */ OP_MODRM,
    /* 0B */ OP_MODRM,
    /* 0C */ OP_DATA_I8,
    /* 0D */ OP_DATA_I16_I32,
    /* 0E */ OP_NONE,
    /* 0F */ OP_NONE,            /* two-byte escape: see flags_table_ex */

    /* 10 */ OP_MODRM,
    /* 11 */ OP_MODRM,
    /* 12 */ OP_MODRM,
    /* 13 */ OP_MODRM,
    /* 14 */ OP_DATA_I8,
    /* 15 */ OP_DATA_I16_I32,
    /* 16 */ OP_NONE,
    /* 17 */ OP_NONE,
    /* 18 */ OP_MODRM,
    /* 19 */ OP_MODRM,
    /* 1A */ OP_MODRM,
    /* 1B */ OP_MODRM,
    /* 1C */ OP_DATA_I8,
    /* 1D */ OP_DATA_I16_I32,
    /* 1E */ OP_NONE,
    /* 1F */ OP_NONE,

    /* 20 */ OP_MODRM,
    /* 21 */ OP_MODRM,
    /* 22 */ OP_MODRM,
    /* 23 */ OP_MODRM,
    /* 24 */ OP_DATA_I8,
    /* 25 */ OP_DATA_I16_I32,
    /* 26 */ OP_PREFIX,          /* ES segment override */
    /* 27 */ OP_NONE,
    /* 28 */ OP_MODRM,
    /* 29 */ OP_MODRM,
    /* 2A */ OP_MODRM,
    /* 2B */ OP_MODRM,
    /* 2C */ OP_DATA_I8,
    /* 2D */ OP_DATA_I16_I32,
    /* 2E */ OP_PREFIX,          /* CS segment override */
    /* 2F */ OP_NONE,

    /* 30 */ OP_MODRM,
    /* 31 */ OP_MODRM,
    /* 32 */ OP_MODRM,
    /* 33 */ OP_MODRM,
    /* 34 */ OP_DATA_I8,
    /* 35 */ OP_DATA_I16_I32,
    /* 36 */ OP_PREFIX,          /* SS segment override */
    /* 37 */ OP_NONE,
    /* 38 */ OP_MODRM,
    /* 39 */ OP_MODRM,
    /* 3A */ OP_MODRM,
    /* 3B */ OP_MODRM,
    /* 3C */ OP_DATA_I8,
    /* 3D */ OP_DATA_I16_I32,
    /* 3E */ OP_PREFIX,          /* DS segment override */
    /* 3F */ OP_NONE,

    /* 40-4F: INC/DEC r32 in 32-bit mode, REX prefixes in 64-bit mode */
    /* 40 */ OP_NONE,
    /* 41 */ OP_NONE,
    /* 42 */ OP_NONE,
    /* 43 */ OP_NONE,
    /* 44 */ OP_NONE,
    /* 45 */ OP_NONE,
    /* 46 */ OP_NONE,
    /* 47 */ OP_NONE,
    /* 48 */ OP_NONE,
    /* 49 */ OP_NONE,
    /* 4A */ OP_NONE,
    /* 4B */ OP_NONE,
    /* 4C */ OP_NONE,
    /* 4D */ OP_NONE,
    /* 4E */ OP_NONE,
    /* 4F */ OP_NONE,

    /* 50-5F: PUSH/POP r */
    /* 50 */ OP_NONE,
    /* 51 */ OP_NONE,
    /* 52 */ OP_NONE,
    /* 53 */ OP_NONE,
    /* 54 */ OP_NONE,
    /* 55 */ OP_NONE,
    /* 56 */ OP_NONE,
    /* 57 */ OP_NONE,
    /* 58 */ OP_NONE,
    /* 59 */ OP_NONE,
    /* 5A */ OP_NONE,
    /* 5B */ OP_NONE,
    /* 5C */ OP_NONE,
    /* 5D */ OP_NONE,
    /* 5E */ OP_NONE,
    /* 5F */ OP_NONE,
    /* 60 */ OP_NONE,

    /* 61 */ OP_NONE,
    /* 62 */ OP_MODRM,
    /* 63 */ OP_MODRM,
    /* 64 */ OP_PREFIX,          /* FS segment override */
    /* 65 */ OP_PREFIX,          /* GS segment override */
    /* 66 */ OP_PREFIX,          /* operand-size override */
    /* 67 */ OP_PREFIX,          /* address-size override */
    /* 68 */ OP_DATA_I16_I32,
    /* 69 */ OP_MODRM | OP_DATA_I16_I32,
    /* 6A */ OP_DATA_I8,
    /* 6B */ OP_MODRM | OP_DATA_I8,
    /* 6C */ OP_NONE,
    /* 6D */ OP_NONE,
    /* 6E */ OP_NONE,
    /* 6F */ OP_NONE,

    /* 70-7F: Jcc rel8 */
    /* 70 */ OP_RELATIVE | OP_DATA_I8,
    /* 71 */ OP_RELATIVE | OP_DATA_I8,
    /* 72 */ OP_RELATIVE | OP_DATA_I8,
    /* 73 */ OP_RELATIVE | OP_DATA_I8,
    /* 74 */ OP_RELATIVE | OP_DATA_I8,
    /* 75 */ OP_RELATIVE | OP_DATA_I8,
    /* 76 */ OP_RELATIVE | OP_DATA_I8,
    /* 77 */ OP_RELATIVE | OP_DATA_I8,
    /* 78 */ OP_RELATIVE | OP_DATA_I8,
    /* 79 */ OP_RELATIVE | OP_DATA_I8,
    /* 7A */ OP_RELATIVE | OP_DATA_I8,
    /* 7B */ OP_RELATIVE | OP_DATA_I8,
    /* 7C */ OP_RELATIVE | OP_DATA_I8,
    /* 7D */ OP_RELATIVE | OP_DATA_I8,
    /* 7E */ OP_RELATIVE | OP_DATA_I8,
    /* 7F */ OP_RELATIVE | OP_DATA_I8,

    /* 80 */ OP_MODRM | OP_DATA_I8,
    /* 81 */ OP_MODRM | OP_DATA_I16_I32,
    /* 82 */ OP_MODRM | OP_DATA_I8,
    /* 83 */ OP_MODRM | OP_DATA_I8,
    /* 84 */ OP_MODRM,
    /* 85 */ OP_MODRM,
    /* 86 */ OP_MODRM,
    /* 87 */ OP_MODRM,
    /* 88 */ OP_MODRM,
    /* 89 */ OP_MODRM,
    /* 8A */ OP_MODRM,
    /* 8B */ OP_MODRM,
    /* 8C */ OP_MODRM,
    /* 8D */ OP_MODRM,
    /* 8E */ OP_MODRM,
    /* 8F */ OP_MODRM,

    /* 90 */ OP_NONE,
    /* 91 */ OP_NONE,
    /* 92 */ OP_NONE,
    /* 93 */ OP_NONE,
    /* 94 */ OP_NONE,
    /* 95 */ OP_NONE,
    /* 96 */ OP_NONE,
    /* 97 */ OP_NONE,
    /* 98 */ OP_NONE,
    /* 99 */ OP_NONE,
    /* 9A */ OP_DATA_I16 | OP_DATA_I16_I32,   /* far CALL ptr16:16/32 */
    /* 9B */ OP_NONE,
    /* 9C */ OP_NONE,
    /* 9D */ OP_NONE,
    /* 9E */ OP_NONE,
    /* 9F */ OP_NONE,

    /* NOTE(review): A0-A3 (MOV AL/eAX <-> moffs) carry a memory offset of
     * address-size width (8 bytes in 64-bit mode, independent of REX.W), so
     * OP_DATA_I8 for A0/A2 and the REX.W rule for A1/A3 under-count unless
     * ldasm() special-cases these opcodes - confirm against the decoder. */
    /* A0 */ OP_DATA_I8,
    /* A1 */ OP_DATA_I16_I32_I64,
    /* A2 */ OP_DATA_I8,
    /* A3 */ OP_DATA_I16_I32_I64,
    /* A4 */ OP_NONE,
    /* A5 */ OP_NONE,
    /* A6 */ OP_NONE,
    /* A7 */ OP_NONE,
    /* A8 */ OP_DATA_I8,
    /* A9 */ OP_DATA_I16_I32,
    /* AA */ OP_NONE,
    /* AB */ OP_NONE,
    /* AC */ OP_NONE,
    /* AD */ OP_NONE,
    /* AE */ OP_NONE,
    /* AF */ OP_NONE,

    /* B0-B7: MOV r8, imm8; B8-BF: MOV r, imm (imm64 with REX.W) */
    /* B0 */ OP_DATA_I8,
    /* B1 */ OP_DATA_I8,
    /* B2 */ OP_DATA_I8,
    /* B3 */ OP_DATA_I8,
    /* B4 */ OP_DATA_I8,
    /* B5 */ OP_DATA_I8,
    /* B6 */ OP_DATA_I8,
    /* B7 */ OP_DATA_I8,
    /* B8 */ OP_DATA_I16_I32_I64,
    /* B9 */ OP_DATA_I16_I32_I64,
    /* BA */ OP_DATA_I16_I32_I64,
    /* BB */ OP_DATA_I16_I32_I64,
    /* BC */ OP_DATA_I16_I32_I64,
    /* BD */ OP_DATA_I16_I32_I64,
    /* BE */ OP_DATA_I16_I32_I64,
    /* BF */ OP_DATA_I16_I32_I64,

    /* C0 */ OP_MODRM | OP_DATA_I8,
    /* C1 */ OP_MODRM | OP_DATA_I8,
    /* C2 */ OP_DATA_I16,        /* RET imm16 */
    /* C3 */ OP_NONE,            /* RET */
    /* C4 */ OP_MODRM,
    /* C5 */ OP_MODRM,
    /* C6 */ OP_MODRM | OP_DATA_I8,
    /* C7 */ OP_MODRM | OP_DATA_I16_I32,
    /* C8 */ OP_DATA_I8 | OP_DATA_I16,        /* ENTER imm16, imm8 */
    /* C9 */ OP_NONE,
    /* CA */ OP_DATA_I16,
    /* CB */ OP_NONE,
    /* CC */ OP_NONE,            /* INT3 */
    /* CD */ OP_DATA_I8,         /* INT imm8 */
    /* CE */ OP_NONE,
    /* CF */ OP_NONE,

    /* D0 */ OP_MODRM,
    /* D1 */ OP_MODRM,
    /* D2 */ OP_MODRM,
    /* D3 */ OP_MODRM,
    /* D4 */ OP_DATA_I8,
    /* D5 */ OP_DATA_I8,
    /* D6 */ OP_NONE,
    /* D7 */ OP_NONE,
    /* D8 */ OP_MODRM,           /* D8-DF: x87 escape */
    /* D9 */ OP_MODRM,
    /* DA */ OP_MODRM,
    /* DB */ OP_MODRM,
    /* DC */ OP_MODRM,
    /* DD */ OP_MODRM,
    /* DE */ OP_MODRM,
    /* DF */ OP_MODRM,

    /* E0 */ OP_RELATIVE | OP_DATA_I8,        /* LOOPcc / JrCXZ rel8 */
    /* E1 */ OP_RELATIVE | OP_DATA_I8,
    /* E2 */ OP_RELATIVE | OP_DATA_I8,
    /* E3 */ OP_RELATIVE | OP_DATA_I8,
    /* E4 */ OP_DATA_I8,
    /* E5 */ OP_DATA_I8,
    /* E6 */ OP_DATA_I8,
    /* E7 */ OP_DATA_I8,
    /* E8 */ OP_RELATIVE | OP_DATA_I16_I32,   /* CALL rel32 */
    /* E9 */ OP_RELATIVE | OP_DATA_I16_I32,   /* JMP rel32 */
    /* EA */ OP_DATA_I16 | OP_DATA_I16_I32,   /* far JMP ptr16:16/32 */
    /* EB */ OP_RELATIVE | OP_DATA_I8,        /* JMP rel8 */
    /* EC */ OP_NONE,
    /* ED */ OP_NONE,
    /* EE */ OP_NONE,
    /* EF */ OP_NONE,

    /* F0 */ OP_PREFIX,          /* LOCK */
    /* F1 */ OP_NONE,
    /* F2 */ OP_PREFIX,          /* REPNE */
    /* F3 */ OP_PREFIX,          /* REP/REPE */
    /* F4 */ OP_NONE,
    /* F5 */ OP_NONE,
    /* F6 */ OP_MODRM,
    /* F7 */ OP_MODRM,
    /* F8 */ OP_NONE,
    /* F9 */ OP_NONE,
    /* FA */ OP_NONE,
    /* FB */ OP_NONE,
    /* FC */ OP_NONE,
    /* FD */ OP_NONE,
    /* FE */ OP_MODRM,
    /* FF */ OP_MODRM
};
318 |
319 | static unsigned char flags_table_ex[256] =
320 | {
321 | /* 0F00 */ OP_MODRM,
322 | /* 0F01 */ OP_MODRM,
323 | /* 0F02 */ OP_MODRM,
324 | /* 0F03 */ OP_MODRM,
325 | /* 0F04 */ OP_INVALID,
326 | /* 0F05 */ OP_NONE,
327 | /* 0F06 */ OP_NONE,
328 | /* 0F07 */ OP_NONE,
329 | /* 0F08 */ OP_NONE,
330 | /* 0F09 */ OP_NONE,
331 | /* 0F0A */ OP_INVALID,
332 | /* 0F0B */ OP_NONE,
333 | /* 0F0C */ OP_INVALID,
334 | /* 0F0D */ OP_MODRM,
335 | /* 0F0E */ OP_INVALID,
336 | /* 0F0F */ OP_MODRM | OP_DATA_I8, //3Dnow
337 |
338 | /* 0F10 */ OP_MODRM,
339 | /* 0F11 */ OP_MODRM,
340 | /* 0F12 */ OP_MODRM,
341 | /* 0F13 */ OP_MODRM,
342 | /* 0F14 */ OP_MODRM,
343 | /* 0F15 */ OP_MODRM,
344 | /* 0F16 */ OP_MODRM,
345 | /* 0F17 */ OP_MODRM,
346 | /* 0F18 */ OP_MODRM,
347 | /* 0F19 */ OP_INVALID,
348 | /* 0F1A */ OP_INVALID,
349 | /* 0F1B */ OP_INVALID,
350 | /* 0F1C */ OP_INVALID,
351 | /* 0F1D */ OP_INVALID,
352 | /* 0F1E */ OP_INVALID,
353 | /* 0F1F */ OP_NONE,
354 |
355 | /* 0F20 */ OP_MODRM,
356 | /* 0F21 */ OP_MODRM,
357 | /* 0F22 */ OP_MODRM,
358 | /* 0F23 */ OP_MODRM,
359 | /* 0F24 */ OP_MODRM | OP_EXTENDED, //SSE5
360 | /* 0F25 */ OP_INVALID,
361 | /* 0F26 */ OP_MODRM,
362 | /* 0F27 */ OP_INVALID,
363 | /* 0F28 */ OP_MODRM,
364 | /* 0F29 */ OP_MODRM,
365 | /* 0F2A */ OP_MODRM,
366 | /* 0F2B */ OP_MODRM,
367 | /* 0F2C */ OP_MODRM,
368 | /* 0F2D */ OP_MODRM,
369 | /* 0F2E */ OP_MODRM,
370 | /* 0F2F */ OP_MODRM,
371 |
372 | /* 0F30 */ OP_NONE,
373 | /* 0F31 */ OP_NONE,
374 | /* 0F32 */ OP_NONE,
375 | /* 0F33 */ OP_NONE,
376 | /* 0F34 */ OP_NONE,
377 | /* 0F35 */ OP_NONE,
378 | /* 0F36 */ OP_INVALID,
379 | /* 0F37 */ OP_NONE,
380 | /* 0F38 */ OP_MODRM | OP_EXTENDED,
381 | /* 0F39 */ OP_INVALID,
382 | /* 0F3A */ OP_MODRM | OP_EXTENDED | OP_DATA_I8,
383 | /* 0F3B */ OP_INVALID,
384 | /* 0F3C */ OP_INVALID,
385 | /* 0F3D */ OP_INVALID,
386 | /* 0F3E */ OP_INVALID,
387 | /* 0F3F */ OP_INVALID,
388 |
389 | /* 0F40 */ OP_MODRM,
390 | /* 0F41 */ OP_MODRM,
391 | /* 0F42 */ OP_MODRM,
392 | /* 0F43 */ OP_MODRM,
393 | /* 0F44 */ OP_MODRM,
394 | /* 0F45 */ OP_MODRM,
395 | /* 0F46 */ OP_MODRM,
396 | /* 0F47 */ OP_MODRM,
397 | /* 0F48 */ OP_MODRM,
398 | /* 0F49 */ OP_MODRM,
399 | /* 0F4A */ OP_MODRM,
400 | /* 0F4B */ OP_MODRM,
401 | /* 0F4C */ OP_MODRM,
402 | /* 0F4D */ OP_MODRM,
403 | /* 0F4E */ OP_MODRM,
404 | /* 0F4F */ OP_MODRM,
405 |
406 | /* 0F50 */ OP_MODRM,
407 | /* 0F51 */ OP_MODRM,
408 | /* 0F52 */ OP_MODRM,
409 | /* 0F53 */ OP_MODRM,
410 | /* 0F54 */ OP_MODRM,
411 | /* 0F55 */ OP_MODRM,
412 | /* 0F56 */ OP_MODRM,
413 | /* 0F57 */ OP_MODRM,
414 | /* 0F58 */ OP_MODRM,
415 | /* 0F59 */ OP_MODRM,
416 | /* 0F5A */ OP_MODRM,
417 | /* 0F5B */ OP_MODRM,
418 | /* 0F5C */ OP_MODRM,
419 | /* 0F5D */ OP_MODRM,
420 | /* 0F5E */ OP_MODRM,
421 | /* 0F5F */ OP_MODRM,
422 |
423 | /* 0F60 */ OP_MODRM,
424 | /* 0F61 */ OP_MODRM,
425 | /* 0F62 */ OP_MODRM,
426 | /* 0F63 */ OP_MODRM,
427 | /* 0F64 */ OP_MODRM,
428 | /* 0F65 */ OP_MODRM,
429 | /* 0F66 */ OP_MODRM,
430 | /* 0F67 */ OP_MODRM,
431 | /* 0F68 */ OP_MODRM,
432 | /* 0F69 */ OP_MODRM,
433 | /* 0F6A */ OP_MODRM,
434 | /* 0F6B */ OP_MODRM,
435 | /* 0F6C */ OP_MODRM,
436 | /* 0F6D */ OP_MODRM,
437 | /* 0F6E */ OP_MODRM,
438 | /* 0F6F */ OP_MODRM,
439 |
440 | /* 0F70 */ OP_MODRM | OP_DATA_I8,
441 | /* 0F71 */ OP_MODRM | OP_DATA_I8,
442 | /* 0F72 */ OP_MODRM | OP_DATA_I8,
443 | /* 0F73 */ OP_MODRM | OP_DATA_I8,
444 | /* 0F74 */ OP_MODRM,
445 | /* 0F75 */ OP_MODRM,
446 | /* 0F76 */ OP_MODRM,
447 | /* 0F77 */ OP_NONE,
448 | /* 0F78 */ OP_MODRM,
449 | /* 0F79 */ OP_MODRM,
450 | /* 0F7A */ OP_INVALID,
451 | /* 0F7B */ OP_INVALID,
452 | /* 0F7C */ OP_MODRM,
453 | /* 0F7D */ OP_MODRM,
454 | /* 0F7E */ OP_MODRM,
455 | /* 0F7F */ OP_MODRM,
456 |
457 | /* 0F80 */ OP_RELATIVE | OP_DATA_I16_I32,
458 | /* 0F81 */ OP_RELATIVE | OP_DATA_I16_I32,
459 | /* 0F82 */ OP_RELATIVE | OP_DATA_I16_I32,
460 | /* 0F83 */ OP_RELATIVE | OP_DATA_I16_I32,
461 | /* 0F84 */ OP_RELATIVE | OP_DATA_I16_I32,
462 | /* 0F85 */ OP_RELATIVE | OP_DATA_I16_I32,
463 | /* 0F86 */ OP_RELATIVE | OP_DATA_I16_I32,
464 | /* 0F87 */ OP_RELATIVE | OP_DATA_I16_I32,
465 | /* 0F88 */ OP_RELATIVE | OP_DATA_I16_I32,
466 | /* 0F89 */ OP_RELATIVE | OP_DATA_I16_I32,
467 | /* 0F8A */ OP_RELATIVE | OP_DATA_I16_I32,
468 | /* 0F8B */ OP_RELATIVE | OP_DATA_I16_I32,
469 | /* 0F8C */ OP_RELATIVE | OP_DATA_I16_I32,
470 | /* 0F8D */ OP_RELATIVE | OP_DATA_I16_I32,
471 | /* 0F8E */ OP_RELATIVE | OP_DATA_I16_I32,
472 | /* 0F8F */ OP_RELATIVE | OP_DATA_I16_I32,
473 |
474 | /* 0F90 */ OP_MODRM,
475 | /* 0F91 */ OP_MODRM,
476 | /* 0F92 */ OP_MODRM,
477 | /* 0F93 */ OP_MODRM,
478 | /* 0F94 */ OP_MODRM,
479 | /* 0F95 */ OP_MODRM,
480 | /* 0F96 */ OP_MODRM,
481 | /* 0F97 */ OP_MODRM,
482 | /* 0F98 */ OP_MODRM,
483 | /* 0F99 */ OP_MODRM,
484 | /* 0F9A */ OP_MODRM,
485 | /* 0F9B */ OP_MODRM,
486 | /* 0F9C */ OP_MODRM,
487 | /* 0F9D */ OP_MODRM,
488 | /* 0F9E */ OP_MODRM,
489 | /* 0F9F */ OP_MODRM,
490 |
491 | /* 0FA0 */ OP_NONE,
492 | /* 0FA1 */ OP_NONE,
493 | /* 0FA2 */ OP_NONE,
494 | /* 0FA3 */ OP_MODRM,
495 | /* 0FA4 */ OP_MODRM | OP_DATA_I8,
496 | /* 0FA5 */ OP_MODRM,
497 | /* 0FA6 */ OP_INVALID,
498 | /* 0FA7 */ OP_INVALID,
499 | /* 0FA8 */ OP_NONE,
500 | /* 0FA9 */ OP_NONE,
501 | /* 0FAA */ OP_NONE,
502 | /* 0FAB */ OP_MODRM,
503 | /* 0FAC */ OP_MODRM | OP_DATA_I8,
504 | /* 0FAD */ OP_MODRM,
505 | /* 0FAE */ OP_MODRM,
506 | /* 0FAF */ OP_MODRM,
507 |
508 | /* 0FB0 */ OP_MODRM,
509 | /* 0FB1 */ OP_MODRM,
510 | /* 0FB2 */ OP_MODRM,
511 | /* 0FB3 */ OP_MODRM,
512 | /* 0FB4 */ OP_MODRM,
513 | /* 0FB5 */ OP_MODRM,
514 | /* 0FB6 */ OP_MODRM,
515 | /* 0FB7 */ OP_MODRM,
516 | /* 0FB8 */ OP_MODRM,
517 | /* 0FB9 */ OP_MODRM,
518 | /* 0FBA */ OP_MODRM | OP_DATA_I8,
519 | /* 0FBB */ OP_MODRM,
520 | /* 0FBC */ OP_MODRM,
521 | /* 0FBD */ OP_MODRM,
522 | /* 0FBE */ OP_MODRM,
523 | /* 0FBF */ OP_MODRM,
524 |
525 | /* 0FC0 */ OP_MODRM,
526 | /* 0FC1 */ OP_MODRM,
527 | /* 0FC2 */ OP_MODRM | OP_DATA_I8,
528 | /* 0FC3 */ OP_MODRM,
529 | /* 0FC4 */ OP_MODRM | OP_DATA_I8,
530 | /* 0FC5 */ OP_MODRM | OP_DATA_I8,
531 | /* 0FC6 */ OP_MODRM | OP_DATA_I8,
532 | /* 0FC7 */ OP_MODRM,
533 | /* 0FC8 */ OP_NONE,
534 | /* 0FC9 */ OP_NONE,
535 | /* 0FCA */ OP_NONE,
536 | /* 0FCB */ OP_NONE,
537 | /* 0FCC */ OP_NONE,
538 | /* 0FCD */ OP_NONE,
539 | /* 0FCE */ OP_NONE,
540 | /* 0FCF */ OP_NONE,
541 |
542 | /* 0FD0 */ OP_MODRM,
543 | /* 0FD1 */ OP_MODRM,
544 | /* 0FD2 */ OP_MODRM,
545 | /* 0FD3 */ OP_MODRM,
546 | /* 0FD4 */ OP_MODRM,
547 | /* 0FD5 */ OP_MODRM,
548 | /* 0FD6 */ OP_MODRM,
549 | /* 0FD7 */ OP_MODRM,
550 | /* 0FD8 */ OP_MODRM,
551 | /* 0FD9 */ OP_MODRM,
552 | /* 0FDA */ OP_MODRM,
553 | /* 0FDB */ OP_MODRM,
554 | /* 0FDC */ OP_MODRM,
555 | /* 0FDD */ OP_MODRM,
556 | /* 0FDE */ OP_MODRM,
557 | /* 0FDF */ OP_MODRM,
558 |
559 | /* 0FE0 */ OP_MODRM,
560 | /* 0FE1 */ OP_MODRM,
561 | /* 0FE2 */ OP_MODRM,
562 | /* 0FE3 */ OP_MODRM,
563 | /* 0FE4 */ OP_MODRM,
564 | /* 0FE5 */ OP_MODRM,
565 | /* 0FE6 */ OP_MODRM,
566 | /* 0FE7 */ OP_MODRM,
567 | /* 0FE8 */ OP_MODRM,
568 | /* 0FE9 */ OP_MODRM,
569 | /* 0FEA */ OP_MODRM,
570 | /* 0FEB */ OP_MODRM,
571 | /* 0FEC */ OP_MODRM,
572 | /* 0FED */ OP_MODRM,
573 | /* 0FEE */ OP_MODRM,
574 | /* 0FEF */ OP_MODRM,
575 |
576 | /* 0FF0 */ OP_MODRM,
577 | /* 0FF1 */ OP_MODRM,
578 | /* 0FF2 */ OP_MODRM,
579 | /* 0FF3 */ OP_MODRM,
580 | /* 0FF4 */ OP_MODRM,
581 | /* 0FF5 */ OP_MODRM,
582 | /* 0FF6 */ OP_MODRM,
583 | /* 0FF7 */ OP_MODRM,
584 | /* 0FF8 */ OP_MODRM,
585 | /* 0FF9 */ OP_MODRM,
586 | /* 0FFA */ OP_MODRM,
587 | /* 0FFB */ OP_MODRM,
588 | /* 0FFC */ OP_MODRM,
589 | /* 0FFD */ OP_MODRM,
590 | /* 0FFE */ OP_MODRM,
591 | /* 0FFF */ OP_INVALID,
592 | };
593 |
/* Look up the OP_* decoding flags of a one-byte opcode.  flags_table is
 * indexed directly by the opcode byte (its definition is above, out of view). */
unsigned char cflags( UCHAR op )
{
    const unsigned char *entry = &flags_table[op];
    return *entry;
}
598 |
599 |
/* Look up the OP_* decoding flags of the second byte of a 0F xx opcode.
 * flags_table_ex is indexed directly by that second byte. */
unsigned char cflags_ex( UCHAR op )
{
    const unsigned char *entry = &flags_table_ex[op];
    return *entry;
}
604 |
unsigned int __fastcall ldasm( void *code, ldasm_data *ld, ULONG is64 )
/*
Description:
    Disassemble one instruction: recover its length and the position/size of
    its prefixes, opcode, ModR/M, SIB, displacement and immediate.  Only the
    byte layout is computed; nothing is decoded semantically.

Arguments:
    code - pointer to the code for disassemble.  No length is passed, so the
           caller must guarantee the bytes are readable: the decoder reads
           prefix, REX, opcode, ModR/M and SIB bytes directly (displacement
           and immediate bytes are only counted), and on malformed input it
           may examine a few bytes beyond the 15-byte maximum before it
           reports F_INVALID.  Never point this at unmapped memory.
    ld   - pointer to structure ldasm_data; zeroed and filled in on return
    is64 - set this flag for 64-bit code, and clear for 32-bit

Return:
    length of instruction in bytes (0 only when code or ld is NULL).
    When ld->flags has F_INVALID the value is the number of bytes consumed
    before the error and must not be used to step to the next instruction.
*/
{
    UCHAR *p = (UCHAR*)code;
    UCHAR s, op, f;              /* s: running length, op: opcode byte, f: OP_* flags */
    UCHAR rexw, pr_66, pr_67;    /* REX.W seen; 0x66 operand-size / 0x67 address-size prefix seen */

    s = rexw = pr_66 = pr_67 = 0;

    /* dummy check */
    if (!code || !ld)
        return 0;

    /* init output data */
    memset( ld, 0, sizeof( ldasm_data ) );

    /* phase 1: parse prefixies (legacy prefixes; only 66/67 change the layout) */
    while (cflags( *p ) & OP_PREFIX) {
        if (*p == 0x66)
            pr_66 = 1;
        if (*p == 0x67)
            pr_67 = 1;
        p++; s++;
        ld->flags |= F_PREFIX;
        /* 15 prefix bytes already fill the maximum instruction length: give up */
        if (s == 15) {
            ld->flags |= F_INVALID;
            return s;
        }
    }

    /* parse REX prefix: 0x40-0x4F, 64-bit mode only; REX.W is bit 3 */
    if (is64 && *p >> 4 == 4) {
        ld->rex = *p;
        rexw = (ld->rex >> 3) & 1;
        ld->flags |= F_REX;
        p++; s++;
    }

    /* can be only one REX prefix */
    if (is64 && *p >> 4 == 4) {
        ld->flags |= F_INVALID;
        s++;
        return s;
    }

    /* phase 2: parse opcode */
    ld->opcd_offset = (UCHAR)(p - (UCHAR*)code);
    ld->opcd_size = 1;
    op = *p++; s++;

    /* is 2 byte opcode? (0F xx is looked up in the second table) */
    if (op == 0x0F) {
        op = *p++; s++;
        ld->opcd_size++;
        f = cflags_ex( op );
        if (f & OP_INVALID) {
            ld->flags |= F_INVALID;
            return s;
        }
        /* for SSE instructions: a third opcode byte follows; the flags of the
           0F xx table entry still describe the operands */
        if (f & OP_EXTENDED) {
            op = *p++; s++;
            ld->opcd_size++;
        }
    }
    else {
        f = cflags( op );
        /* pr_66 = pr_67 for opcodes A0-A3: their moffs operand is sized by
           the address-size prefix, not the operand-size prefix */
        if (op >= 0xA0 && op <= 0xA3)
            pr_66 = pr_67;
    }

    /* phase 3: parse ModR/M, SIB and DISP */
    if (f & OP_MODRM) {
        UCHAR mod = (*p >> 6);          /* addressing mode */
        UCHAR ro = (*p & 0x38) >> 3;    /* reg / opcode-extension field */
        UCHAR rm = (*p & 7);            /* r/m field */

        ld->modrm = *p++; s++;
        ld->flags |= F_MODRM;

        /* in F6,F7 opcodes immediate data present if R/O == 0 (TEST r/m, imm)
           or its alias R/O == 1 */
        if (op == 0xF6 && (ro == 0 || ro == 1))
            f |= OP_DATA_I8;
        if (op == 0xF7 && (ro == 0 || ro == 1))
            f |= OP_DATA_I16_I32_I64;

        /* is SIB byte exist? rm == 4 with a memory operand; there is no SIB
           under 16-bit addressing (32-bit code with a 0x67 prefix) */
        if (mod != 3 && rm == 4 && !(!is64 && pr_67)) {
            ld->sib = *p++; s++;
            ld->flags |= F_SIB;

            /* if base == 5 and mod == 0: no base register, a disp32 follows */
            if ((ld->sib & 7) == 5 && mod == 0) {
                ld->disp_size = 4;
            }
        }

        switch (mod) {
        case 0:
            if (is64) {
                /* 64-bit mod=0 rm=5 is RIP-relative disp32 */
                if (rm == 5) {
                    ld->disp_size = 4;
                    if (is64)   /* always true in this branch; kept as written */
                        ld->flags |= F_RELATIVE;
                }
            }
            else if (pr_67) {
                /* 16-bit addressing: rm == 6 means disp16 with no base */
                if (rm == 6)
                    ld->disp_size = 2;
            }
            else {
                /* 32-bit addressing: rm == 5 means disp32 with no base */
                if (rm == 5)
                    ld->disp_size = 4;
            }
            break;
        case 1:
            ld->disp_size = 1;          /* disp8 */
            break;
        case 2:
            if (is64)
                ld->disp_size = 4;
            else if (pr_67)
                ld->disp_size = 2;      /* disp16 under 16-bit addressing */
            else
                ld->disp_size = 4;
            break;
        }
        /* mod == 3 is register-direct: no displacement */

        if (ld->disp_size) {
            ld->disp_offset = (UCHAR)(p - (UCHAR *)code);
            p += ld->disp_size;         /* displacement bytes are skipped, not read */
            s += ld->disp_size;
            ld->flags |= F_DISP;
        }
    }

    /* phase 4: parse immediate data */
    /* REX.W widens the I16_I32_I64 class to an 8-byte immediate */
    if (rexw && f & OP_DATA_I16_I32_I64)
        ld->imm_size = 8;
    /* otherwise 4 bytes, or 2 when a 0x66 operand-size prefix is present */
    else if (f & OP_DATA_I16_I32 || f & OP_DATA_I16_I32_I64)
        ld->imm_size = 4 - (pr_66 << 1);

    /* if exist, add OP_DATA_I16 and OP_DATA_I8 size: the two low flag bits are
       the immediate size in bytes (1 and/or 2), so they are added directly */
    ld->imm_size += f & 3;

    if (ld->imm_size) {
        s += ld->imm_size;              /* immediate bytes are counted, not read */
        ld->imm_offset = (UCHAR)(p - (UCHAR *)code);
        ld->flags |= F_IMM;
        if (f & OP_RELATIVE)
            ld->flags |= F_RELATIVE;    /* the immediate is a branch displacement */
    }

    /* instruction is too long: more than 15 bytes cannot be a valid instruction */
    if (s > 15)
        ld->flags |= F_INVALID;

    return s;
}
776 |
// Get function size
/*
Description:
    Walk 64-bit code from Proc one instruction at a time and sum the lengths
    until a one-byte INT3 (0xCC) is reached.  The returned size includes that
    INT3 byte.

    The walk stops only on that INT3 or on a zero length (NULL Proc); an
    F_INVALID decode does not stop it, so code that is not terminated by
    0xCC padding is walked past its real end.  Proc must point at readable
    memory for the whole span that is walked.

Arguments:
    Proc - start address of the function

Return:
    number of bytes from Proc up to and including the terminating INT3
*/
unsigned long __fastcall SizeOfProc( void *Proc )
{
    UCHAR *cursor = (UCHAR*)Proc;
    ldasm_data insn = { 0 };
    ULONG total = 0;

    for (;;) {
        ULONG len = ldasm( cursor, &insn, TRUE );

        total += len;

        /* single-byte INT3: treated as the end-of-function padding */
        if (len == 1 && cursor[insn.opcd_offset] == 0xCC)
            break;

        /* ldasm only returns 0 for a NULL input; nothing more to walk */
        if (len == 0)
            break;

        cursor += len;
    }

    return total;
}
807 |
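// If function address is jmp - get jmp destination
/* Upper bound on the number of chained "jmp rel32" thunks that ResolveJmp
 * follows; bounds the walk so a jmp cycle cannot run forever. */
enum { RESOLVE_JMP_MAX_HOPS = 64 };

/*
Description:
    Follow a chain of bare 5-byte "jmp rel32" (E9) instructions starting at
    Proc and return the first address that is not such a jump.  Prefixed or
    REX-prefixed jumps are not followed (the 5-byte/opcd_size==1 test).

    rel32 is a signed displacement.  It is read as LONG so that a backward
    jump sign-extends correctly when added to a 64-bit address; reading it as
    ULONG (zero-extended) resolved every backward jump to a wrong target on
    x64.  The walk is iterative, not recursive, and capped at
    RESOLVE_JMP_MAX_HOPS.

Arguments:
    Proc - address to inspect; must point at readable code

Return:
    final jump target, or Proc itself when it does not start with E9
*/
void* __fastcall ResolveJmp( void *Proc )
{
    ldasm_data data = { 0 };
    unsigned int hops;

    for (hops = 0; hops < RESOLVE_JMP_MAX_HOPS; hops++) {
        UCHAR *insn = (UCHAR*)Proc;
        ULONG Length = ldasm( insn, &data, TRUE );
        LONG delta;

        if (!(Length == 5 && data.opcd_size == 1 && insn[data.opcd_offset] == 0xE9))
            break;

        /* memcpy avoids an unaligned / type-punned access to the displacement */
        memcpy( &delta, insn + data.imm_offset, sizeof(delta) );

        /* target = address of the next instruction + signed rel32 */
        Proc = insn + Length + delta;
    }

    return Proc;
}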
827 |
--------------------------------------------------------------------------------
/VTFrame/src/Util/LDasm.h:
--------------------------------------------------------------------------------
1 | #ifndef _LDASM_
2 | #define _LDASM_
3 |
4 | #include
5 |
6 | #ifdef __cplusplus
7 | extern "C"
8 | {
9 | #endif
10 |
/* Bits of ldasm_data.flags */
#define F_INVALID 0x01   /* decode failed: too many prefixes, two REX bytes, invalid opcode or length > 15 */
#define F_PREFIX 0x02    /* one or more legacy prefixes precede the opcode */
#define F_REX 0x04       /* a REX prefix was seen (64-bit only); see ldasm_data.rex */
#define F_MODRM 0x08     /* a ModR/M byte is present; see ldasm_data.modrm */
#define F_SIB 0x10       /* a SIB byte is present; see ldasm_data.sib */
#define F_DISP 0x20      /* a displacement is present; see disp_offset/disp_size */
#define F_IMM 0x40       /* an immediate is present; see imm_offset/imm_size */
#define F_RELATIVE 0x80  /* RIP-relative ModR/M (64-bit mod=0 rm=5) or a relative branch immediate */
19 |
/* Result of ldasm(): byte layout of one decoded instruction.  Offsets are
 * byte offsets from the start of the instruction, sizes are in bytes, and a
 * field is 0 when the corresponding element is absent (check the F_* bits in
 * flags).  The struct is zeroed by ldasm() before it is filled. */
typedef struct _ldasm_data
{
    UCHAR flags;        /* F_* bitmask; with F_INVALID the other fields are unreliable */
    UCHAR rex;          /* REX prefix byte (0x40-0x4F) when F_REX is set */
    UCHAR modrm;        /* ModR/M byte when F_MODRM is set */
    UCHAR sib;          /* SIB byte when F_SIB is set */
    UCHAR opcd_offset;  /* offset of the first opcode byte (after prefixes and REX) */
    UCHAR opcd_size;    /* 1, 2 (0F xx) or 3 (0F xx entry flagged OP_EXTENDED) */
    UCHAR disp_offset;  /* offset of the displacement when F_DISP is set */
    UCHAR disp_size;    /* displacement size: 1, 2 or 4; 0 if none */
    UCHAR imm_offset;   /* offset of the immediate when F_IMM is set */
    UCHAR imm_size;     /* total immediate bytes (1..8, may combine I8/I16 parts); 0 if none */
} ldasm_data;
33 |
/* Decode one instruction at code into *ld and return its length in bytes
 * (0 for NULL arguments).  code is read without a length bound: the caller
 * must guarantee the memory is readable. */
unsigned int __fastcall ldasm( void *code, ldasm_data *ld, ULONG is64 );
/* Walk 64-bit code from Proc, summing instruction lengths until a one-byte
 * INT3 (0xCC) is met; the returned size includes that byte.  An invalid
 * decode does not stop the walk. */
unsigned long __fastcall SizeOfProc( void *Proc );
/* Follow "jmp rel32" (E9) thunks starting at Proc; returns the first address
 * that is not such a jump, or Proc itself. */
void* __fastcall ResolveJmp( void *Proc );
37 |
38 | #ifdef __cplusplus
39 | }
40 | #endif
41 |
42 | #endif//_LDASM_
--------------------------------------------------------------------------------
/VTFrame/src/VMX/ExitHandle.c:
--------------------------------------------------------------------------------
1 | #include "ExitHandle.h"
2 |
3 | #include "../Include/VMCS.h"
4 | #include "VmxEvent.h"
5 | #include "../VMX/vtasm.h"
6 | #include "ept.h"
7 |
extern ULONG64 KiSystemCall64Ptr;    // original system-call entry address
extern ULONG64 KiServiceCopyEndPtr;  // address of KiSystemServiceCopyEnd
extern VOID SyscallEntryPoint();     // routine installed in MSR_LSTAR by VTFrame_HOOK_LSTAR

// Test state written by the VTFrame_Test hypercall (VmExitVmCall).
// real_Cr3/fake_Cr3 and cr3bool are only written in this file; int1bool is
// read by VmExitEvent to redirect #DB to vector 0x0f; phyOri is not
// referenced in this file.
ULONG64 real_Cr3 = 0;
ULONG64 fake_Cr3 = 0;
BOOLEAN cr3bool = FALSE;
BOOLEAN int1bool = FALSE;
ULONG64 phyOri = 0;
17 |
// Used by exits the VMM emulates itself: move the guest past the exiting
// instruction by setting RIP = exit RIP + VM-exit instruction length, both
// in the GUEST_STATE copy and in the VMCS.
inline VOID VmxpAdvanceEIP(IN PGUEST_STATE GuestState)
{
    ULONG64 insnLen = VmcsRead(VM_EXIT_INSTRUCTION_LEN);
    ULONG64 nextRip = GuestState->GuestRip + insnLen;

    GuestState->GuestRip = nextRip;
    __vmx_vmwrite(GUEST_RIP, nextRip);
}
25 |
// Enable (State != 0) or disable the monitor trap flag in the primary
// processor-based VM-execution controls of the current VMCS.
inline VOID ToggleMTF(IN BOOLEAN State)
{
    VMX_CPU_BASED_CONTROLS cpuCtl = { 0 };

    __vmx_vmread(CPU_BASED_VM_EXEC_CONTROL, (size_t*)&cpuCtl.All);
    cpuCtl.Fields.MonitorTrapFlag = State;
    __vmx_vmwrite(CPU_BASED_VM_EXEC_CONTROL, cpuCtl.All);
}
34 |
35 |
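// Exception / NMI exit (EXIT_REASON_EXCEPTION_NMI).
//
// Reads the VM-exit interruption information and, for a #DB hardware
// exception, re-injects it into the guest: as vector 0x0f when the
// VTFrame_Test switch int1bool is set, otherwise as the original #DB.
// GUEST_RIP is deliberately not advanced, so the guest resumes at the
// exiting instruction with the injected event pending.
//
// Any other event type or vector that exits here is dropped: nothing is
// re-injected and RIP is unchanged, so a trapped fault would simply
// re-execute.  That is only acceptable if the exception bitmap traps #DB
// alone — NOTE(review): confirm the bitmap set up in VMX.c.
//
// The exit's error code is copied into VM_ENTRY_EXCEPTION_ERROR_CODE
// whenever the exit carried one; it is only consumed if an injection sets
// DeliverErrorCode, which the #DB injection does not.
VOID VmExitEvent(IN PGUEST_STATE GuestState)
{
    UNREFERENCED_PARAMETER(GuestState);
    INTERRUPT_INFO_FIELD Event = { 0 };
    ULONG64 ErrorCode = 0;

    // Exit interruption information
    Event.All = (ULONG32)VmcsRead(VM_EXIT_INTR_INFO);

    // Error code of the exiting event
    ErrorCode = VmcsRead(VM_EXIT_INTR_ERROR_CODE);

    // Carry the original error code over to the entry side if there was one
    if (Event.Fields.ErrorCodeValid)
        __vmx_vmwrite(VM_ENTRY_EXCEPTION_ERROR_CODE, ErrorCode);

    switch (Event.Fields.Type)
    {
    case INTERRUPT_HARDWARE_EXCEPTION:
        // INT 1 / #DB
        if (Event.Fields.Vector == VECTOR_DEBUG_EXCEPTION)
        {
            INTERRUPT_INJECT_INFO_FIELD InjectEvent = { 0 };
            // Redirect #DB to vector 0x0f while the test switch is armed
            ULONG32 target = int1bool ? 0x0f : VECTOR_DEBUG_EXCEPTION;

            InjectEvent.Fields.Type = INTERRUPT_HARDWARE_EXCEPTION;
            InjectEvent.Fields.DeliverErrorCode = 0;
            InjectEvent.Fields.Valid = 1;
            InjectEvent.Fields.Vector = target;

            // Format specifiers match the argument types (the original passed
            // an int literal for %p and always printed 0x0f regardless of
            // the vector actually injected).
            DbgPrint("VTFrame: Cr3 %llx produce int 1 transfer to %x Current Eip:%llx\n",
                     VmcsRead(GUEST_CR3), target, VmcsRead(GUEST_RIP));
            __vmx_vmwrite(VM_ENTRY_INTR_INFO_FIELD, InjectEvent.All);
        }
        break;

    default:
        // Other event types are not handled here
        break;
    }
}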
84 |
85 |
// VMCALL handler.  The low 16 bits of RCX select the hypercall; RDX and R8
// carry its arguments.  After dispatch the guest is advanced past VMCALL.
//
// NOTE(review): nothing here checks the guest's privilege level.  VMCALL
// executed in VMX non-root operation causes a VM exit regardless of CPL, so
// as written every guest code path that can execute VMCALL reaches these
// cases.  Confirm that the guest CS/SS state is checked somewhere before
// UNLOAD, HOOK_LSTAR or HOOK_PAGE are honoured.
// NOTE(review): VTFrame_UNHOOK_PAGE issues no __invept after UnPteModify,
// unlike VTFrame_HOOK_PAGE — confirm UnPteModify invalidates on its own.
VOID VmExitVmCall(IN PGUEST_STATE GuestState)
{
    ULONG32 callNo = (ULONG32)(GuestState->GpRegs->Rcx & 0xFFFF);

    switch (callNo)
    {
    case VTFrame_UNLOAD:
        // Ask VmxpExitHandler to leave VMX operation on this CPU
        GuestState->ExitPending = TRUE;
        break;

    case VTFrame_HOOK_PAGE:
    {
        EPT_CTX ctx = { 0 };
        ULONG64 dataPage = GuestState->GpRegs->Rdx;
        ULONG64 codePage = GuestState->GpRegs->R8;

        PteModify(dataPage, codePage);
        __invept(INV_ALL_CONTEXTS, &ctx);
        break;
    }

    case VTFrame_UNHOOK_PAGE:
        UnPteModify(GuestState->GpRegs->Rdx);
        break;

    case VTFrame_HOOK_LSTAR:
        // Remember the caller-supplied original LSTAR, then point the MSR at our stub
        GuestState->Vcpu->OriginalLSTAR = GuestState->GpRegs->Rdx;
        __writemsr(MSR_LSTAR, (ULONG64)SyscallEntryPoint);
        break;

    case VTFrame_UNHOOK_LSTAR:
        __writemsr(MSR_LSTAR, GuestState->Vcpu->OriginalLSTAR);
        GuestState->Vcpu->OriginalLSTAR = 0;
        break;

    case VTFrame_Test:
        // CR3 switch experiment: record the pair and arm the test switches
        fake_Cr3 = (ULONG64)GuestState->GpRegs->R8;
        real_Cr3 = (ULONG64)GuestState->GpRegs->Rdx;
        cr3bool = TRUE;
        int1bool = TRUE;
        break;

    default:
        DbgPrint("VTFrame:不支持的VMCALL类型\n");
        break;
    }

    VmxpAdvanceEIP(GuestState);
}
150 |
// RDTSC exit: the value is not altered, the instruction is simply executed
// on the host and EDX:EAX handed back to the guest before skipping it.
VOID VmExitRdtsc(IN PGUEST_STATE GuestState)
{
    ULONG64 tsc = __rdtsc();

    GuestState->GpRegs->Rax = (ULONG32)(tsc & 0xFFFFFFFFull);
    GuestState->GpRegs->Rdx = (ULONG32)(tsc >> 32);

    VmxpAdvanceEIP(GuestState);
}
161 |
// RDTSCP exit: execute it on the host and return EDX:EAX plus the TSC_AUX
// value in ECX, then skip the instruction.  Nothing is altered.
VOID VmExitRdtscp(IN PGUEST_STATE GuestState)
{
    unsigned int aux = 0;
    ULONG64 tsc = __rdtscp(&aux);

    GuestState->GpRegs->Rax = (ULONG32)(tsc & 0xFFFFFFFFull);
    GuestState->GpRegs->Rdx = (ULONG32)(tsc >> 32);
    GuestState->GpRegs->Rcx = aux;

    VmxpAdvanceEIP(GuestState);
}
175 |
// CPUID exit: run CPUID on the host with the guest's EAX (leaf) and ECX
// (sub-leaf) and return the four registers.  For leaf 1 the "not_used" bit
// of ECX is set before handing the result back; no other leaf is modified
// (in particular the VMX feature bit is left as the host reports it).
VOID VmExitCPUID(IN PGUEST_STATE GuestState)
{
    int leaf = (int)GuestState->GpRegs->Rax;
    int subleaf = (int)GuestState->GpRegs->Rcx;
    unsigned int regs[4] = { 0 };

    __cpuidex((int*)regs, leaf, subleaf);

    if (leaf == 1)
    {
        CpuFeaturesEcx features = { 0 };
        features.all = regs[2];
        features.fields.not_used = TRUE;
        regs[2] = features.all;
    }

    GuestState->GpRegs->Rax = regs[0];
    GuestState->GpRegs->Rbx = regs[1];
    GuestState->GpRegs->Rcx = regs[2];
    GuestState->GpRegs->Rdx = regs[3];

    VmxpAdvanceEIP(GuestState);
}
198 |
// INVD exit: emulated with WBINVD (write back, then invalidate) on the host,
// after which the guest is moved past the instruction.
VOID VmExitINVD(IN PGUEST_STATE GuestState)
{
    __wbinvd();

    VmxpAdvanceEIP(GuestState);
}
205 |
// Map the register index from a MOV-CR / MOV-DR exit qualification (0-15)
// to the matching slot in the saved guest GP registers.  Indices 8-15 only
// exist on x64.  Any other index is logged and yields NULL.
PULONG_PTR VmmpSelectRegister(ULONG index, PGUEST_STATE guest_context)
{
    PMYCONTEXT gp = guest_context->GpRegs;

    switch (index)
    {
    case 0:  return &gp->Rax;
    case 1:  return &gp->Rcx;
    case 2:  return &gp->Rdx;
    case 3:  return &gp->Rbx;
    case 4:  return &gp->Rsp;
    case 5:  return &gp->Rbp;
    case 6:  return &gp->Rsi;
    case 7:  return &gp->Rdi;
    // x64 only
    case 8:  return &gp->R8;
    case 9:  return &gp->R9;
    case 10: return &gp->R10;
    case 11: return &gp->R11;
    case 12: return &gp->R12;
    case 13: return &gp->R13;
    case 14: return &gp->R14;
    case 15: return &gp->R15;
    default:
        DbgPrint("VmmpSelectRegister错误的寄存器索引\n");
        return NULL;
    }
}
233 |
234 |
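// Control-register access exit (MOV to/from CR0, CR3, CR4).
//
// The exit qualification gives the direction, the control register and the
// GP register involved; the GP register is read from / written to the saved
// guest context.  Other control registers are logged and asserted on.
//
// On a MOV to CR0/CR4 the value installed in GUEST_CR0/GUEST_CR4 is forced
// to satisfy IA32_VMX_CR0/CR4_FIXED0/FIXED1 (for CR4 that keeps VMXE set
// even when the guest clears it); otherwise the next VM entry fails with an
// invalid-guest-state error.  The guest keeps seeing its own raw value
// through the read shadow, as before.
//
// On a MOV to CR3, bit 63 of the source operand is the PCID "no-flush" hint
// and is not part of CR3; the VMCS guest CR3 field requires bits 63:52 to be
// zero, so it is masked off.  All VPID contexts are invalidated regardless.
VOID VmExitCR(IN PGUEST_STATE GuestState)
{
    PMOV_CR_QUALIFICATION data = (PMOV_CR_QUALIFICATION)&GuestState->ExitQualification;
    PULONG64 regPtr = VmmpSelectRegister((ULONG)data->Fields.Register, GuestState);

    EPT_CTX ctx = { 0 };

    switch (data->Fields.AccessType)
    {
    // MOV to CR
    case TYPE_MOV_TO_CR:
        switch (data->Fields.ControlRegister)
        {
        case 0:
        {
            ULONG64 raw = *regPtr;
            ULONG64 guestCr0 = (raw | __readmsr(MSR_IA32_VMX_CR0_FIXED0)) & __readmsr(MSR_IA32_VMX_CR0_FIXED1);
            __vmx_vmwrite(GUEST_CR0, guestCr0);
            __vmx_vmwrite(CR0_READ_SHADOW, raw);
            break;
        }
        case 3:
            __invvpid(INV_ALL_CONTEXTS, &ctx);
            __vmx_vmwrite(GUEST_CR3, *regPtr & ~(1ULL << 63));
            break;
        case 4:
        {
            ULONG64 raw = *regPtr;
            ULONG64 guestCr4 = (raw | __readmsr(MSR_IA32_VMX_CR4_FIXED0)) & __readmsr(MSR_IA32_VMX_CR4_FIXED1);
            __vmx_vmwrite(GUEST_CR4, guestCr4);
            __vmx_vmwrite(CR4_READ_SHADOW, raw);
            break;
        }
        default:
            DPRINT("HyperBone: CPU %d: %s: Unsupported register %d\n", CPU_IDX, __FUNCTION__, data->Fields.ControlRegister);
            ASSERT(FALSE);
            break;
        }
        break;

    // MOV from CR
    case TYPE_MOV_FROM_CR:
        switch (data->Fields.ControlRegister)
        {
        case 0:
            __vmx_vmread(GUEST_CR0, regPtr);
            break;
        case 3:
            __vmx_vmread(GUEST_CR3, regPtr);
            break;
        case 4:
            __vmx_vmread(GUEST_CR4, regPtr);
            break;
        default:
            DPRINT("HyperBone: CPU %d: %s: Unsupported register %d\n", CPU_IDX, __FUNCTION__, data->Fields.ControlRegister);
            ASSERT(FALSE);
            break;
        }
        break;

    default:
        // CLTS / LMSW are not handled
        DPRINT("HyperBone: CPU %d: %s: Unsupported operation %d\n", CPU_IDX, __FUNCTION__, data->Fields.AccessType);
        ASSERT(FALSE);
        break;
    }

    VmxpAdvanceEIP(GuestState);
}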
295 |
296 |
297 |
// Debug-register access exit (MOV to/from DR0-DR7).  DR0-DR6 are passed
// straight through to the host debug registers; DR7 lives in the VMCS
// guest-state area and is read/written there.  Unknown access types are
// only logged.  The guest is then moved past the instruction.
//
// NOTE(review): DR4/DR5 are only accessible while CR4.DE is clear; if the
// host runs with CR4.DE set, __writedr(4/5)/__readdr(4/5) raise #UD in root
// mode — confirm the host CR4 configuration.
VOID VmExitDR(IN PGUEST_STATE GuestState)
{
    PMOV_DR_QUALIFICATION qual = (PMOV_DR_QUALIFICATION)&GuestState->ExitQualification;
    PULONG64 gpReg = VmmpSelectRegister((ULONG)qual->Fields.Register, GuestState);
    ULONG dr = (ULONG)qual->Fields.Debugl_Register;

    if (qual->Fields.AccessType == TYPE_MOV_TO_DR)
    {
        switch (dr)
        {
        case 0: __writedr(0, *gpReg); break;
        case 1: __writedr(1, *gpReg); break;
        case 2: __writedr(2, *gpReg); break;
        case 3: __writedr(3, *gpReg); break;
        case 4: __writedr(4, *gpReg); break;
        case 5: __writedr(5, *gpReg); break;
        case 6: __writedr(6, *gpReg); break;
        case 7: __vmx_vmwrite(GUEST_DR7, *gpReg); break;
        default: break;
        }
    }
    else if (qual->Fields.AccessType == TYPE_MOV_FROM_DR)
    {
        switch (dr)
        {
        case 0: *gpReg = __readdr(0); break;
        case 1: *gpReg = __readdr(1); break;
        case 2: *gpReg = __readdr(2); break;
        case 3: *gpReg = __readdr(3); break;
        case 4: *gpReg = __readdr(4); break;
        case 5: *gpReg = __readdr(5); break;
        case 6: *gpReg = __readdr(6); break;
        case 7: *gpReg = VmcsRead(GUEST_DR7); break;
        default: break;
        }
    }
    else
    {
        DbgPrint("错误的操作\n");
    }

    VmxpAdvanceEIP(GuestState);
}
344 |
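// RDMSR exit.  ECX selects the MSR; the 64-bit result is returned in
// EDX:EAX and the guest is moved past the instruction.
//
//  - MSR_LSTAR: the live MSR is read, so while VTFrame_HOOK_LSTAR is active
//    the guest sees the hook target, not OriginalLSTAR (the commented-out
//    block below was the alternative).
//  - FS/GS base and DEBUGCTL come from the VMCS guest-state area.
//  - IA32_FEATURE_CONTROL is reported as "locked, VMXON disabled".  Note
//    that VmExitCPUID does not clear the VMX feature bit, so the guest still
//    sees VMX advertised.
//  - The VMX capability MSRs return 0 (MsrValue is left zeroed).
//  - Everything else is read straight through with __readmsr.
//
// NOTE(review): the default branch executes __readmsr on a guest-chosen
// index in root mode; a non-existent MSR raises #GP in the hypervisor
// itself.  Whether such indices can reach this path depends on the MSR
// bitmap configured in VMX.c — confirm, or inject #GP into the guest for
// unknown MSRs instead.
VOID VmExitMSRRead(IN PGUEST_STATE GuestState)
{
    LARGE_INTEGER MsrValue = { 0 };
    // MSR index requested by the guest
    ULONG32 ecx = (ULONG32)GuestState->GpRegs->Rcx;

    switch (ecx)
    {
    // system-call MSR
    case MSR_LSTAR:
        MsrValue.QuadPart = __readmsr(MSR_LSTAR);

        // always return the value currently in the MSR
        /*if (GuestState->Vcpu->OriginalLSTAR == 0)
        {
            MsrValue.QuadPart = __readmsr(MSR_LSTAR);
        }else
        {
            MsrValue.QuadPart = GuestState->Vcpu->OriginalLSTAR;
        }*/
        break;

    case MSR_GS_BASE:
        MsrValue.QuadPart = VmcsRead(GUEST_GS_BASE);
        break;
    case MSR_FS_BASE:
        MsrValue.QuadPart = VmcsRead(GUEST_FS_BASE);
        break;
    case MSR_IA32_DEBUGCTL:
        MsrValue.QuadPart = VmcsRead(GUEST_IA32_DEBUGCTL);
        break;

    // Report VMX as locked
    case MSR_IA32_FEATURE_CONTROL:
    {
        // Braces: a declaration directly after a case label is not valid C11
        PIA32_FEATURE_CONTROL_MSR pMSR;

        DbgPrint("MSR_IA32_FEATURE_CONTROL读取\n");
        MsrValue.QuadPart = __readmsr(ecx);
        pMSR = (PIA32_FEATURE_CONTROL_MSR)&MsrValue.QuadPart;
        pMSR->Fields.EnableVmxon = FALSE;
        pMSR->Fields.Lock = TRUE;
        break;
    }

    // Virtualize VMX register access
    case MSR_IA32_VMX_BASIC:
    case MSR_IA32_VMX_PINBASED_CTLS:
    case MSR_IA32_VMX_PROCBASED_CTLS:
    case MSR_IA32_VMX_EXIT_CTLS:
    case MSR_IA32_VMX_ENTRY_CTLS:
    case MSR_IA32_VMX_MISC:
    case MSR_IA32_VMX_CR0_FIXED0:
    case MSR_IA32_VMX_CR0_FIXED1:
    case MSR_IA32_VMX_CR4_FIXED0:
    case MSR_IA32_VMX_CR4_FIXED1:
    case MSR_IA32_VMX_VMCS_ENUM:
    case MSR_IA32_VMX_PROCBASED_CTLS2:
    case MSR_IA32_VMX_EPT_VPID_CAP:
    case MSR_IA32_VMX_TRUE_PINBASED_CTLS:
    case MSR_IA32_VMX_TRUE_PROCBASED_CTLS:
    case MSR_IA32_VMX_TRUE_EXIT_CTLS:
    case MSR_IA32_VMX_TRUE_ENTRY_CTLS:
    case MSR_IA32_VMX_VMFUNC:
        DbgPrint("其它VMX相关MSR寄存器的读取:%x\n", ecx);
        break;

    default:
        DbgPrint("其它MSR寄存器的读取:%x\n", ecx);

        MsrValue.QuadPart = __readmsr(ecx);
        break;
    }

    GuestState->GpRegs->Rax = MsrValue.LowPart;
    GuestState->GpRegs->Rdx = MsrValue.HighPart;

    VmxpAdvanceEIP(GuestState);
}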
421 |
// WRMSR exit.  ECX selects the MSR; EDX:EAX from the saved guest context
// form the 64-bit value.  FS/GS base go to the VMCS guest-state area,
// DEBUGCTL to both the VMCS field and the MSR, the VMX capability MSRs are
// logged and ignored, and everything else is written straight through.
//
// MSR_LSTAR is written through unconditionally: a guest write while
// VTFrame_HOOK_LSTAR is active replaces the hook and leaves
// Vcpu->OriginalLSTAR stale (the commented-out block records the
// alternative that was considered).
//
// NOTE(review): the default branch executes __writemsr with a guest-chosen
// index and value in root mode; an invalid index or value raises #GP in the
// hypervisor itself.  Confirm the MSR bitmap in VMX.c bounds what reaches
// this path.
VOID VmExitMSRWrite(IN PGUEST_STATE GuestState)
{
    ULONG32 msrIndex = (ULONG32)GuestState->GpRegs->Rcx;
    ULONG64 value = ((ULONG64)(ULONG32)GuestState->GpRegs->Rdx << 32)
                  | (ULONG64)(ULONG32)GuestState->GpRegs->Rax;

    switch (msrIndex)
    {
    // system-call MSR
    case MSR_LSTAR:
        __writemsr(MSR_LSTAR, value);

        // If the syscall hook is off, OriginalLSTAR is 0 and the write goes through;
        // if it is on, the write was meant to be dropped without an error.
        /*if (GuestState->Vcpu->OriginalLSTAR == 0)
            __writemsr(MSR_LSTAR, MsrValue.QuadPart);
        else
        {
            __writemsr(MSR_LSTAR, MsrValue.QuadPart);
            DbgPrint("对MSR_LSTAR的写入已被拦截");
        }*/
        break;

    case MSR_GS_BASE:
        __vmx_vmwrite(GUEST_GS_BASE, value);
        break;

    case MSR_FS_BASE:
        __vmx_vmwrite(GUEST_FS_BASE, value);
        break;

    case MSR_IA32_DEBUGCTL:
        __vmx_vmwrite(GUEST_IA32_DEBUGCTL, value);
        __writemsr(MSR_IA32_DEBUGCTL, value);
        break;

    // Virtualize VMX register access
    case MSR_IA32_VMX_BASIC:
    case MSR_IA32_VMX_PINBASED_CTLS:
    case MSR_IA32_VMX_PROCBASED_CTLS:
    case MSR_IA32_VMX_EXIT_CTLS:
    case MSR_IA32_VMX_ENTRY_CTLS:
    case MSR_IA32_VMX_MISC:
    case MSR_IA32_VMX_CR0_FIXED0:
    case MSR_IA32_VMX_CR0_FIXED1:
    case MSR_IA32_VMX_CR4_FIXED0:
    case MSR_IA32_VMX_CR4_FIXED1:
    case MSR_IA32_VMX_VMCS_ENUM:
    case MSR_IA32_VMX_PROCBASED_CTLS2:
    case MSR_IA32_VMX_EPT_VPID_CAP:
    case MSR_IA32_VMX_TRUE_PINBASED_CTLS:
    case MSR_IA32_VMX_TRUE_PROCBASED_CTLS:
    case MSR_IA32_VMX_TRUE_EXIT_CTLS:
    case MSR_IA32_VMX_TRUE_ENTRY_CTLS:
    case MSR_IA32_VMX_VMFUNC:
        DbgPrint("其它VMX相关MSR寄存器的写入,%x\n",msrIndex);
        break;

    default:
        DbgPrint("其它MSR寄存器的写入,%x\n",msrIndex);
        __writemsr(msrIndex, value);
        break;
    }

    VmxpAdvanceEIP(GuestState);
}
489 |
490 |
491 |
// VMM main handler.
// Entry point for every VM exit on this CPU: collects the common exit fields
// into a GUEST_STATE, dispatches on the basic exit reason, and then either
// resumes the guest or — when a handler set ExitPending — leaves VMX
// operation.
//
// Context - guest GP registers as saved by the exit stub.  The stub is not in
//           view; the RCX/RSP fix-ups below are documented from this side only.
//
// NOTE(review): the default branch logs but does not advance GUEST_RIP, so
// an unhandled exit caused by an unconditionally-exiting instruction would
// re-execute and exit again indefinitely.
// NOTE(review): EXIT_REASON_GETSEC is routed to VmExitRdtsc.  If VMCS.h uses
// the SDM numbering (GETSEC = 11, RDTSC = 16) an RDTSC exit lands in the
// default branch instead — confirm the intended mapping.
EXTERN_C VOID VmxpExitHandler(IN PMYCONTEXT Context)
{
    GUEST_STATE guestContext = { 0 };

    // Raise IRQL to the highest level: the VMM needs exclusive control of the CPU
    KeRaiseIrql(HIGH_LEVEL, &guestContext.GuestIrql);

    // A native call was made on the way here, so the original RCX sits on the
    // stack; recover it from the slot above the saved context.
    // (layout assumed to match the exit stub — TODO confirm against vtasm.asm)
    Context->Rcx = *(PULONG64)((ULONG_PTR)Context + sizeof(MYCONTEXT) - sizeof(ULONG64)*2);

    PVCPU Vcpu = &g_data->cpu_data[CPU_IDX];

    // Gather the fields the exit handlers need
    guestContext.Vcpu = Vcpu;
    guestContext.GuestEFlags.All = VmcsRead(GUEST_RFLAGS);
    // guest RIP at the exit
    guestContext.GuestRip = VmcsRead(GUEST_RIP);
    guestContext.GuestRsp = VmcsRead(GUEST_RSP);
    // basic exit reason only (low 16 bits); the flag bits are discarded
    guestContext.ExitReason = VmcsRead(VM_EXIT_REASON) & 0xFFFF;
    guestContext.ExitQualification = VmcsRead(EXIT_QUALIFICATION);
    // linear address whose access caused the vm-exit
    guestContext.LinearAddress = VmcsRead(GUEST_LINEAR_ADDRESS);
    // physical address whose access caused the vm-exit
    guestContext.PhysicalAddress.QuadPart = VmcsRead(GUEST_PHYSICAL_ADDRESS);
    guestContext.GpRegs = Context;
    // set to TRUE by VmExitVmCall (VTFrame_UNLOAD) to request VT teardown
    guestContext.ExitPending = FALSE;

    switch (guestContext.ExitReason)
    {
    // must be handled (unconditional exits)
    case EXIT_REASON_CPUID:
    {
        VmExitCPUID(&guestContext);
        break;
    }
    case EXIT_REASON_INVD:
    {
        VmExitINVD(&guestContext);
        break;
    }
    // handled once MSR exiting is enabled
    case EXIT_REASON_MSR_READ:
    {
        VmExitMSRRead(&guestContext);
        break;
    }
    case EXIT_REASON_MSR_WRITE:
    {
        VmExitMSRWrite(&guestContext);
        break;
    }
    // our own hypercall interface
    case EXIT_REASON_VMCALL:
    {
        VmExitVmCall(&guestContext);
        break;
    }
    // handled once CR exiting is enabled
    case EXIT_REASON_CR_ACCESS:
    {
        VmExitCR(&guestContext);
        break;
    }
    // handled once DR exiting is enabled
    case EXIT_REASON_DR_ACCESS:
    {
        VmExitDR(&guestContext);
        break;
    }
    // see NOTE(review) above about this mapping
    case EXIT_REASON_GETSEC:
    {
        VmExitRdtsc(&guestContext);
        break;
    }
    case EXIT_REASON_RDTSCP:
    {
        VmExitRdtscp(&guestContext);
        break;
    }
    // handled once the EPT hook is enabled (defined outside this file)
    case EXIT_REASON_EPT_VIOLATION:
    {
        VmExitEptViolation(&guestContext);
        break;
    }
    // handled once the EPT hook is enabled (defined outside this file)
    case EXIT_REASON_EPT_MISCONFIG:
    {
        VmExitEptMisconfig(&guestContext);
        break;
    }
    // monitor trap flag, armed via ToggleMTF (handler defined outside this file)
    case EXIT_REASOM_MTF:
    {
        VmExitMTF(&guestContext);
        break;
    }
    // handled once exception trapping is enabled
    case EXIT_REASON_EXCEPTION_NMI:
    {
        VmExitEvent(&guestContext);
        break;
    }
    default: {
        // Unhandled exit: logged only; GUEST_RIP is not advanced here
        DbgPrint("其它的VMExit事件类型:%llx,GuestRip:%llx\n", guestContext.ExitReason, guestContext.GuestRip);
        break;
    }
    }

    // ExitPending == TRUE means VT is being unloaded: restore the host GDT/IDT
    // saved at launch, switch to the guest's page tables, hand the guest RSP
    // to the stub, execute VMXOFF and mark this vCPU as off.
    if (guestContext.ExitPending)
    {
        _lgdt(&Vcpu->HostState.SpecialRegisters.Gdtr.Limit);
        __lidt(&Vcpu->HostState.SpecialRegisters.Idtr.Limit);
        __writecr3(VmcsRead(GUEST_CR3));
        Context->Rsp = guestContext.GuestRsp;
        //Context->Rip = (ULONG64)guestContext.GuestRip;
        __vmx_off();
        Vcpu->VmxState = VMX_STATE_OFF;
    }
    else
    {
        // Normal resume: drop the pushed RCX slot so the stub's RSP lines up
        // (presumably paired with the RCX recovery above — confirm in vtasm.asm)
        Context->Rsp += sizeof(Context->Rcx);
    }

    KeLowerIrql(guestContext.GuestIrql);
}
621 |
622 |
623 |
--------------------------------------------------------------------------------
/VTFrame/src/VMX/ExitHandle.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include "VMX.h"
4 |
// Kernel export declared by hand (it is not in the public WDK headers);
// returns the image file name stored in the process object.
NTKERNELAPI UCHAR* PsGetProcessImageFileName(PEPROCESS process);

// Top-level VM-exit dispatcher; Context holds the guest GP registers saved
// by the exit stub (presumably in vtasm.asm).
EXTERN_C VOID VmxpExitHandler(IN PMYCONTEXT Context);
// Set/clear the monitor trap flag in the primary VM-execution controls.
inline VOID ToggleMTF(IN BOOLEAN State);
// Per-exit-reason handlers; each receives the GUEST_STATE built by
// VmxpExitHandler.  VmExitMTF, VmExitEptMisconfig and VmExitEptViolation
// are not defined in ExitHandle.c.
VOID VmExitMTF(IN PGUEST_STATE GuestState);
VOID VmExitMSRWrite(IN PGUEST_STATE GuestState);
VOID VmExitMSRRead(IN PGUEST_STATE GuestState);
VOID VmExitCR(IN PGUEST_STATE GuestState);
VOID VmExitDR(IN PGUEST_STATE GuestState);
VOID VmExitINVD(IN PGUEST_STATE GuestState);
VOID VmExitCPUID(IN PGUEST_STATE GuestState);
VOID VmExitRdtscp(IN PGUEST_STATE GuestState);
VOID VmExitRdtsc(IN PGUEST_STATE GuestState);
VOID VmExitVmCall(IN PGUEST_STATE GuestState);
VOID VmExitEptMisconfig(IN PGUEST_STATE GuestState);
VOID VmExitEptViolation(IN PGUEST_STATE GuestState);
// NOTE(review): this commented-out 4-argument prototype disagrees with the
// 3-argument VmxInjectEvent declared in VmxEvent.h; one of them is stale.
//VOID VmxInjectEvent(INTERRUPT_TYPE InterruptType, VECTOR_EXCEPTION Vector, ULONG WriteLength,ULONG valid);
// Advance guest RIP past the instruction that caused the current exit.
inline VOID VmxpAdvanceEIP(IN PGUEST_STATE GuestState);
--------------------------------------------------------------------------------
/VTFrame/src/VMX/VMX.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/VMX/VMX.c
--------------------------------------------------------------------------------
/VTFrame/src/VMX/VMX.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/VMX/VMX.h
--------------------------------------------------------------------------------
/VTFrame/src/VMX/VmxEvent.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 |
// VM-exit interruption information (read from VM_EXIT_INTR_INFO in
// VmExitEvent).  Describes the exception/NMI that caused the exit.
typedef union _INTERRUPT_INFO_FIELD
{
    ULONG32 All;
    struct
    {
        ULONG32 Vector : 8;          // IDT vector of the event
        ULONG32 Type : 3;            // INTERRUPT_TYPE
        ULONG32 ErrorCodeValid : 1;  // VM_EXIT_INTR_ERROR_CODE holds an error code
        ULONG32 NMIUnblocking : 1;   // NMI unblocking due to IRET
        ULONG32 Reserved : 18;
        ULONG32 Valid : 1;           // field is valid
    } Fields;
} INTERRUPT_INFO_FIELD, *PINTERRUPT_INFO_FIELD;
17 |
// VM-entry interruption information (written to VM_ENTRY_INTR_INFO_FIELD in
// VmExitEvent) to inject an event into the guest on the next VM entry.
typedef union _INTERRUPT_INJECT_INFO_FIELD
{
    ULONG32 All;
    struct
    {
        ULONG32 Vector : 8;            // IDT vector to deliver
        ULONG32 Type : 3;              // INTERRUPT_TYPE
        ULONG32 DeliverErrorCode : 1;  // push VM_ENTRY_EXCEPTION_ERROR_CODE with the event
        ULONG32 Reserved : 19;
        ULONG32 Valid : 1;             // inject on entry
    } Fields;
} INTERRUPT_INJECT_INFO_FIELD, *PINTERRUPT_INJECT_INFO_FIELD;
30 |
// Interruption type (the 3-bit Type field, bits 10:8, of the exit/entry
// interruption information).  Value 1 is reserved and intentionally absent.
typedef enum _INTERRUPT_TYPE
{
    INTERRUPT_EXTERNAL = 0,              // external interrupt
    INTERRUPT_NMI = 2,                   // non-maskable interrupt
    INTERRUPT_HARDWARE_EXCEPTION = 3,    // fault/trap/abort, e.g. #DB, #PF
    INTERRUPT_SOFTWARE = 4,              // INT n
    INTERRUPT_PRIVILIGED_EXCEPTION = 5,  // privileged software exception (INT1)
    INTERRUPT_SOFTWARE_EXCEPTION = 6,    // INT3 / INTO
    INTERRUPT_OTHER_EVENT = 7
} INTERRUPT_TYPE;
41 |
// IDT vectors of the architectural exceptions.  Vector 15 is reserved and
// has no name here; VmExitEvent injects it as the literal 0x0f.
typedef enum _VECTOR_EXCEPTION
{
    VECTOR_DIVIDE_ERROR_EXCEPTION = 0,          // #DE
    VECTOR_DEBUG_EXCEPTION = 1,                 // #DB
    VECTOR_NMI_INTERRUPT = 2,                   // NMI
    VECTOR_BREAKPOINT_EXCEPTION = 3,            // #BP
    VECTOR_OVERFLOW_EXCEPTION = 4,              // #OF
    VECTOR_BOUND_EXCEPTION = 5,                 // #BR
    VECTOR_INVALID_OPCODE_EXCEPTION = 6,        // #UD
    VECTOR_DEVICE_NOT_AVAILABLE_EXCEPTION = 7,  // #NM
    VECTOR_DOUBLE_FAULT_EXCEPTION = 8,          // #DF
    VECTOR_COPROCESSOR_SEGMENT_OVERRUN = 9,
    VECTOR_INVALID_TSS_EXCEPTION = 10,          // #TS
    VECTOR_SEGMENT_NOT_PRESENT = 11,            // #NP
    VECTOR_STACK_FAULT_EXCEPTION = 12,          // #SS
    VECTOR_GENERAL_PROTECTION_EXCEPTION = 13,   // #GP
    VECTOR_PAGE_FAULT_EXCEPTION = 14,           // #PF
    VECTOR_X87_FLOATING_POINT_ERROR = 16,       // #MF
    VECTOR_ALIGNMENT_CHECK_EXCEPTION = 17,      // #AC
    VECTOR_MACHINE_CHECK_EXCEPTION = 18,        // #MC
    VECTOR_SIMD_FLOATING_POINT_EXCEPTION = 19,  // #XM
    VECTOR_VIRTUALIZATION_EXCEPTION = 20        // #VE
} VECTOR_EXCEPTION;
65 |
///
/// Inject an interrupt or exception into the guest on the next VM entry.
///
///   InterruptType - INTERRUPT_TYPE of the event
///   Vector        - IDT index
///   WriteLength   - instruction length to skip
///
/// NOTE(review): no definition is visible in ExitHandle.c, which writes
/// VM_ENTRY_INTR_INFO_FIELD directly; ExitHandle.h carries a commented-out
/// 4-argument version of this prototype.
VOID VmxInjectEvent( INTERRUPT_TYPE InterruptType, VECTOR_EXCEPTION Vector, ULONG WriteLength );
--------------------------------------------------------------------------------
/VTFrame/src/VMX/ept.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/VMX/ept.c
--------------------------------------------------------------------------------
/VTFrame/src/VMX/ept.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/VMX/ept.h
--------------------------------------------------------------------------------
/VTFrame/src/VMX/vtasm.asm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zanpocc/VTFrame/2b366ef19e77aa8b5967f677040452c83186a22f/VTFrame/src/VMX/vtasm.asm
--------------------------------------------------------------------------------
/VTFrame/src/VMX/vtasm.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "VMX.h"
3 |
// Assembly routines (presumably implemented in vtasm.asm, not in view).
// Only the names and signatures are known from this header.
VOID AsmVmmEntryPoint();    // VM-exit entry stub
VOID VmxVMEntry();
VOID VmxpResume();
VOID VmxVMCleanup();
void __stdcall AsmWriteCR2(_In_ ULONG_PTR cr2_value);  // load CR2 with cr2_value
VOID VmRestoreContext(CONTEXT* _Context);              // resume execution from a saved CONTEXT
--------------------------------------------------------------------------------