• 03 March 2025 (9 messages)
  • @6176993302 #8861 12:08 PM, 03 Mar 2025
    guys who hav calculated the number of CPU cycles needed to set up a monitor point ?
  • CPU cycles? Why? I mean, it’s a pointless metric
  • @6176993302 #8863 12:20 PM, 03 Mar 2025
    mmmm well probably in my case i should consider this metric because i want to monitor in a "synchrone way" the page table entries of a virtual address , for example lets suppose that to Monitor an entry this will take a long time so everything will be non consistent if the os mean while changed the config entries while setting the monitor
  • @6176993302 #8864 12:20 PM, 03 Mar 2025
    im not sure about this just im trying to be open mind to any problem of synchro that may happen
  • @honorary_bot #8865 12:25 PM, 03 Mar 2025
    I see your point. Those are the implementation details which I'm not aware of then. HyperDbg aside, whenever you have a switch to a VMX root mode (where the hypervisor lives), VMX guest mode (with the OS) is not running. Think of the same CPU just switching between different modes. But again, it should be implementation specific and I'm not an expert in HyperDbg
  • @honorary_bot #8866 12:27 PM, 03 Mar 2025
    What I do in my debugger is "break-in" first - i.e. freeze vmx guest execution on all cores, and then set up breakpoints etc. This way the OS is not running and I may expect what you call a synchronized execution.
  • @6176993302 #8867 12:29 PM, 03 Mar 2025
    this idea is great to freez execution on all cores while setting up the breakpoints i will have a look into the implementation of the break in first , to add it to my project
  • @6176993302 #8868 12:30 PM, 03 Mar 2025
    actually im turning hyperdbg from "debugger project" to " EDR/seucrity monitor solution " xd
  • @timetravel3 #8869 08:07 PM, 03 Mar 2025
    Joined.
  • 04 March 2025 (4 messages)
  • @brightersideee #8870 12:52 AM, 04 Mar 2025
    Joined.
  • Couldn't you fix it by using spinlock functions? 🤔

    https://docs.hyperdbg.org/commands/scripting-language/functions/spinlocks
    spinlocks | HyperDbg Documentation

    Functions related to spinlocks

  • For HyperDbg, it's the same for breakpoints. Once we want to halt the entire execution, one of the cores triggers NMIs in all of the cores, and NMIs will cause a VM-exit on all cores. Then we spin on a core-specific spinlock so all of the cores are halted and the user could apply the breakpoint.
  • 05 March 2025 (11 messages)
  • @6176993302 ↶ Reply to #8871 #8874 12:59 AM, 05 Mar 2025
    I will look for this solution too ... meanwhile I will assume that no synchro problem will occur and let's see what will happen ... page tables are a real headache xd
  • @6176993302 #8875 01:12 AM, 05 Mar 2025
    Btw sometimes when I try to remove a single hook by calling "ConfigureEptHookUnhookSingleAddress , it doesn't succeed in the first occurrence , i have to call it in a while loop what can be the root cause of this behavior, a synchrone problem between cores ?
  • Yeah, agree. There are also a couple of interlocked (exchange) atomic functions, you might also use them for fixing some synchronization scenarios:

    https://docs.hyperdbg.org/commands/scripting-language/functions/interlocked
    interlocked | HyperDbg Documentation

    Interlocked and atomic functions

  • Well, it should generally remove the hook on the first try unless there is a bug. One possible scenario occurs when the target generates a high rate of events, and at some point, an event is triggered on a neighboring core while you simultaneously remove the event on another core. As a result, the event may still occur even after it has been deleted.
  • This scenario won't happen in HyperDbg's debugger mode because all cores are halted using an NMI (when not in VMX-root mode). If a core is caught with an NMI in VMX-root mode, HyperDbg allows it to complete the VM-exit before triggering a second VM-exit to halt the core. So, you're basically sure that the neighboring cores aren't triggering an event while you're removing the hook.
  • @6176993302 #8879 10:10 PM, 05 Mar 2025
    mmmmmmmmm i have to investigate this issue , what startegy i should follow to keep track of where the unhooked process was stopped
  • @6176993302 #8880 10:11 PM, 05 Mar 2025
    basically i will not work with "event" concept in my malware edr solution xd i will try to use the memory monitoring features of hyperdbg as an API
  • You can check for this flag on all vCPUs. It's not 100% accurate as you might catch the flag (before or after) this flag is set to TRUE/FALSE but should be enough for a test.
  • @6176993302 #8882 10:55 PM, 05 Mar 2025
    okaaaaaay
  • @6176993302 #8883 10:55 PM, 05 Mar 2025
    got it it got it
  • @6176993302 #8884 10:55 PM, 05 Mar 2025
    yes it may help as in indication of the current mode
  • 06 March 2025 (58 messages)
  • @instw0 #8885 09:09 AM, 06 Mar 2025
    When will remote debugging via ethernet be available?
  • Probably not soon. It's so hard to implement communication for HyperDbg over Ethernet since it needs to support different PCIe devices like Intel e1000 NIC and other NIC vendor like Realtek. And the only reference that I know for it, is the Linux kernel.
  • In Windows SDK we can find the implementation of RealTek driver for KDnet which is fine but they also have the implementation of Intel NIC but for some unknown reasons, their solution doesn't have some of the header files and it's not compilable.
  • If you guys know a clean (preferably OS-independent) implementation of Intel e1000 or other NIC vendors that can be compiled and used as a module that is also not dependent to certain OS functions, pls send it to me.
  • @HughEverett #8889 08:44 PM, 06 Mar 2025
    Other than that, another option is having the transportation layer over USB. From what I know, USB is not exported as a PCIe interface (even though xHCI seems to be a part of PCIe) but I'm not sure how to communicate with USB and how USB relates to xHCI over PCIe. And I don't know if the implementation of USB is vendor-specific (like different NICs) or not?
  • Maybe @honorary_bot knows the answer to these questions. 🤔
  • Its not, because there is a host controller interface standard for that. You probably don't want USB2 (ehci debug port extension), because there are no EHCI controllers around and no devices supporting that anymore. But USB3+ which has XHCI controller have USB DbC feature for debugging, though HCI revision should be >0.99 or Skylake+ PCH.
  • I mean, both XHCI and EHCI are PCI devices of some sort
  • So the communication is over normal PCIe BARs?
  • @honorary_bot #8894 08:48 PM, 06 Mar 2025
    Simply put - yes
  • @honorary_bot #8895 08:50 PM, 06 Mar 2025
    e1000 is relatively easy to implement btw, but I'm not sure about environment independent version. Usually you have at least some kind of execution environment with runtime.
  • The problem is that in VMX-root mode, we couldn't rely on any Windows-specific functions since paging is disabled (RFLAGs'IF). So, that's why a platform-independent implementation is needed.
  • @honorary_bot #8897 08:51 PM, 06 Mar 2025
    Realtek is weird, in my case it randomly works for seemungly the same devices
  • So, do you think the easiest option for us (which we don't need to go through different vendors) is xHCI?
  • What I mean is if I were to share my driver, it would still utilize a lot of runtime functions and different subsystems. You would need to adapt your project for that way too much.
  • No, rather e1000
  • XHCI has some bugs, working them around will take time
  • @honorary_bot #8902 08:53 PM, 06 Mar 2025
    There is no defined role detection mechanism when DbC enabled, that's why it's startup is not reliable
  • and other than that, I've heard USB is a pooling mode device. Is it true? In that case if it's over PCIe then we don't have MSI/MSI-X?
  • @honorary_bot #8904 08:54 PM, 06 Mar 2025
    I had to use Beagle device to try and fix that and still it's not 100% success rate.
  • I don't use interrupts in my hypervisor at all, my drivers use polling mode.
  • @honorary_bot #8907 08:55 PM, 06 Mar 2025
    XHCI DbC feature is cool, because you can share your XHCI device with the OS
  • @honorary_bot #8908 08:55 PM, 06 Mar 2025
    XHCI marks your port busy
  • @honorary_bot #8909 08:56 PM, 06 Mar 2025
    In the case with NIC, I just take it over and hide from the OS, because you can't share it
  • @honorary_bot #8910 08:57 PM, 06 Mar 2025
    BTW, even if the device supports SR-IOV, you can't just steal it and virtualize. PF and VF functions look different and have different drivers, so the OS will not be happy with that
  • The problem with e1000 is that we could only use over virtual devices (e.g., VMware's nested virtualization or KVM's nVMX). I'm not sure if regular Intel NICs also have a legacy e1000 mode or not.
  • Let's put it this way, all my NUCs from Sandy Bridge to RPL platforms work :)
  • @honorary_bot #8913 08:58 PM, 06 Mar 2025
    *with the internal intel NIC
  • @honorary_bot #8914 08:58 PM, 06 Mar 2025
    Work without driver modification
  • By SR-IOV you mean if the NIC have different functions (as functions in BDF?)?
  • @honorary_bot #8916 08:59 PM, 06 Mar 2025
    I only developed it once and never adjusted
  • Yeah, not just nics, but in general. SR-IOV is not a silver bullet for our use case.
  • I don't understand. Is it like a legacy feature in all Intel NICs?
  • @HughEverett #8919 09:00 PM, 06 Mar 2025
    Because as far as I know, e1000 is not a real NIC, it's just Intel's standard way of communication for NICs.
  • @honorary_bot #8920 09:00 PM, 06 Mar 2025
    It's not a feature or something. You have a family of NICs that have the same programming interface.
  • Exactly
  • @honorary_bot #8922 09:00 PM, 06 Mar 2025
    Well, it is a set of real NICs that are programmed with this interface
  • Ah, okay got it. So, basically most of Intel's NICs also support the same interface similar to e1000.
  • This is really good 👌
  • @honorary_bot #8925 09:01 PM, 06 Mar 2025
    If a NIC has a super new cool feature, it is programmed in its PHY, so that you need a special driver. But if you don't care and just want to send and receive packets - e1000 is the answer.
  • Most client desktop NICs
  • @honorary_bot #8927 09:02 PM, 06 Mar 2025
    Because there are NICs like 800 series, 700 series, I350 etc - those are more server ones (and expensive). They have a different programming interface, though it is also documented.
  • @honorary_bot #8928 09:03 PM, 06 Mar 2025
    Whenever I didn't have a working NIC, I would use a discrete one - Intel Gigabit CT Desktop Adapter
  • @honorary_bot #8929 09:03 PM, 06 Mar 2025
    It works and it used to be relatively cheap
  • That's great.
  • @HughEverett #8931 09:05 PM, 06 Mar 2025
    Anyway, thank you @honorary_bot very much for all the valuable information. 🙏
  • @honorary_bot #8932 09:05 PM, 06 Mar 2025
    My pleasure!
  • @honorary_bot #8933 09:06 PM, 06 Mar 2025
    I now dream of implementing a USB4 \ Thunderbolt support, but its... It's not gonna be easy.
  • @honorary_bot #8934 09:06 PM, 06 Mar 2025
    The worst one for me was the FireWire
  • @honorary_bot #8935 09:07 PM, 06 Mar 2025
    Not recommended for driver development :)
  • Thunderbolt? Isn't it like a normal PCIe BAR driver development? Does it need anything special other than using the same PCIe drivers?
  • @honorary_bot #8937 09:14 PM, 06 Mar 2025
    Well BARs are just a placeholders for the MMIO interface of the device, right? Every device or host controller has it's own interface and programming stack. And if e1000 is just a bunch of MMIO regs with descriptors that would point to your ethernet frame data, then for FireWire for example you need to also implement a 1394 stack to be useful.
  • @honorary_bot #8938 09:15 PM, 06 Mar 2025
    For USB4 you would need to implement a whole bunch of protocols and entities, it's kinda complicated
  • oh got it.
  • @HughEverett #8940 09:15 PM, 06 Mar 2025
    👍
  • @HyperDbgBot #8941 b o t 09:18 PM, 06 Mar 2025
    [discord] <btylor0> Is there any support for debugging a VM with nested virtualization. The use case being having a HyperDbg cloud instance or proxmox server KVM instance running host windows, running vmware target
  • HyperDbg is developed and well tested on VMware's nested virtualization (Workstation and ESXi), and physical machines. Other nested virtualization environments either not work or will crash at some points. But, it's on the todo list to support them in the future.
  • 07 March 2025 (29 messages)
  • @HyperDbgBot #8943 b o t 02:00 AM, 07 Mar 2025
    [discord] <btylor0> Using vmware workstation pro 17.5.x+ there is an option for BIOS or UEFI, for EfiGuard to work I need to use UEFI but it seems it keeps hitting a driver verifier dma violation (just running the VM for the first time before EfiGuard is downloaded). It also only happens when the IOMMU processor setting is enabled, which works fine on the BIOS mode. Has anybody had this issue?
  • @HyperDbgBot #8944 b o t 03:09 AM, 07 Mar 2025
    [discord] <btylor0> Windows 11 worked, but 10 doesn't seem to with UEFI mode. Now I'm having an issue with connecting. EfiGuard is loaded on the VM and says its loaded correctly and that DSE is disabled, when I connect it gives:

    err, OpenSCManager failed (5)
    unable to install VMM driver
    err, OpenSCManager failed (5)
    failed to install or load the driver
    Fix for OpenSCManager was to change hyperdbg-cli properties to run as admin
  • @lorenov0 #8945 05:00 AM, 07 Mar 2025
    Joined.
  • Not sure if I understand what you mean. But I don't know if emulating IOMMU in VMware Workstation does anything special or what its functionality is since they don't support PCIe passthrough in VMware Workstation. I could imagine what it could do on an ESXi machine but not in VMware Workstation. They also don't reveal VT-d support (emulation) to the guest. 🤔
  • So, the problem is that you use EfiGuard on VMware workstation and it works on HyperDbg running in Windows 11 but not in Windows 10? Am I get it correctly?
  • @HyperDbgBot #8948 b o t 11:55 AM, 07 Mar 2025
    [discord] <btylor0> That was the issue, I would just get BSODS with the virtualization and UEFI mode in the VM settings, it wouldn't boot. I'm not sure what the issue was, but win 11 fixed it, everything is new releases, including the ISOs from windows insider preview so that might have been it.
  • @6176993302 #8949 12:38 PM, 07 Mar 2025
    Guys one synchronization problem I'm trying to find the best solution for :

    1- let's say are monitoring a PML4 entry , the goal is track any possible changes in the address translation /presence of an equivalent physical address etc.

    2- let's say that os decided to paged out the page so it will try to set present bit to zero (PML4E.presentbit ==0) , okay we will have an EPT violation with write access, everything looks fine until now all we have to do is to read the new content of the PML4E in the MFT exit handler (after the execution of the assembly instruction that attempts to make the change) to analyze the change

    3- now in the mft handler I will try to unmonitor all related entries since they are not relevant anymore after the paged was paged out (pdpe , pde, pte), the problem is that all I can do is to unhook these entries for a single core since we are in vmx root mode and we cannot synchronize via dpc and for other cores the ept config is the same so any further write access will not reflect reality and it will be a mess , what is the best solution we can think of
  • @HyperDbgBot #8950 b o t 12:47 PM, 07 Mar 2025
    [discord] <btylor0> spinlock
  • You're probably talking about flushing the EPT translation cache. You'd have to broadcast invvpid or invept (depending on the implementation) for all cores using either IPI or some software defined mailbox (synchronizing and checking messages manually).
  • @6176993302 #8952 01:26 PM, 07 Mar 2025
    yes exactly i want o broadcast this event for all cores to flash their EPT translation cache and restore the original configuration however from my understanding we cannot use IPI so im afraid that some miss synchro in that time window
  • @honorary_bot #8953 01:31 PM, 07 Mar 2025
    I see, this is hyperdbg implementation specific, summon @HughEverett
  • Yes, but the problem here is that HyperDbg uses NMIs to halt all cores in VMX-root mode (and VMX non-root) mode. This is find but the problem is other cores might be in the middle of handling a VM-exit which is related to current EPT violation (that we want to remove the hook as a result of MTF). This is not possible in HyperDbg as we will end up removing hooks (internal HyperDbg structures that store the details of each hook). It might not be an issue in most of the HyperDbg events but in events with a high rate of execution, it's problematic.
  • @HughEverett #8955 01:40 PM, 07 Mar 2025
    If you see HyperDbg documentation for removing events using the 'events' command this problem is described.
  • @honorary_bot #8956 01:40 PM, 07 Mar 2025
    How about using IPI with INIT? By design it forces cores to vmexit
  • Unless they were in VMX root of course, but in this case you can synchronize them with a barrier
  • This problem does not make sense in VMI mode, because basically everything is running so it never happens but in case of Debugger mode, we just disable the event (by event I mean HyperDbg defined events not Intel events) and then clear them later using DPCs.
  • Do you mean if the core is in VMX root non-root mode?
  • If a core was in VMX guest, it will vmexit with INIT exit reason, it will not restart the core
  • Well, our solution is almost similar. We will broadcast NMIs to all cores. (NMIs will cause VM-exit in cores that are not in VMX root-mode) and will cause a HOST_IDT catch of the NMI if the core is in VMX root-mode. The problem here is not related to Intel, it's possible to invalidate all of the cores by broadcasting, the problem is that HyperDbg also needs to keep the track of EPT hooks in its internal structures, that's why we won't broadcast all of the INVEPTs (or INVVPIDs) immediately but in theory it's possible but the way that we solved this problem is we disabled the event and invalidate entries at the next DPC.
  • @honorary_bot #8963 01:49 PM, 07 Mar 2025
    I see
  • I think the solution to this problem is that you disable the event (the Event structure of HyperDbg). It could be done by simply using the same functions that we use for removing events (using the 'events' command). It disables the event for you and later removes it when the state of the system is safe. Meanwhile, EPT violations might happen but HyperDbg won't notify you because you already flagged the event for disabling it.
  • @6176993302 #8965 01:53 PM, 07 Mar 2025
    i got your idea bro (wait until the system in a safe stat then remove the event)
  • @6176993302 #8966 01:56 PM, 07 Mar 2025
    but in my design of my edr im almost working without events concept (defined by hyperdbg for sure) so i think the best thing i can do is to define some sort of pending list of hooks that the handler will check and clear before it start handling a new MFT exit , i know it may cost some performance
  • @6176993302 #8967 01:56 PM, 07 Mar 2025
    but tha my shitty edr design was like that xd
  • Yes, that's also possible. Usually these logical concepts are handled in hyperkd.sys (which you're not using it) and hyperhv.dll remains as a bare bone for the hypervisor functionalities.
  • @6176993302 #8969 02:02 PM, 07 Mar 2025
    yes you are right i have read some part of the code source of hyperkd and i saw the logic handling of similiar type of scenarios
  • @6176993302 ↶ Reply to #8968 #8970 02:02 PM, 07 Mar 2025
    hyperhv.dll is the best API for hypervisor functionalities for me its like a complete framework to build your own hypervisor specifications
  • @senyaa_1 #8971 08:17 PM, 07 Mar 2025
    Joined.
  • 08 March 2025 (32 messages)
  • @imdebugger #8972 01:11 AM, 08 Mar 2025
    Joined.
  • @6176993302 #8973 02:05 AM, 08 Mar 2025
    guys , any idea why this function should not be called from VMX root mode , what are the risks exactly? (maybe it will cause some event handling related to cr3??!) UINT64
    PhysicalAddressToVirtualAddressByCr3(PVOID PhysicalAddress, CR3_TYPE TargetCr3)
    {
    CR3_TYPE CurrentProcessCr3;
    UINT64 VirtualAddress;
    PHYSICAL_ADDRESS PhysicalAddr;

    //
    // Switch to new process's memory layout
    //
    CurrentProcessCr3 = SwitchToProcessMemoryLayoutByCr3(TargetCr3);

    //
    // Validate if process id is valid
    //
    if (CurrentProcessCr3.Flags == NULL64_ZERO)
    {
    //
    // Pid is invalid
    //
    return NULL64_ZERO;
    }

    //
    // Read the virtual address based on new cr3
    //
    PhysicalAddr.QuadPart = (LONGLONG)PhysicalAddress;
    VirtualAddress = (UINT64)MmGetVirtualForPhysical(PhysicalAddr);

    //
    // Restore the original process
    //
    SwitchToPreviousProcess(CurrentProcessCr3);

    return VirtualAddress;
    }
  • It's because the hypervisor (in this case hyperhv.dll) might not be mapped in the target process memory layout. Most of the cases, it won't be problematic but I see random cases where the HyperDbg codes are not mapped into certain CR3s.
  • @6176993302 #8975 02:15 PM, 08 Mar 2025
    Well in my case this will cause me a problem because if i cannot use PhysicalAddresdToVirtualAddressByCr3() (from the view of the kernel) i will not have a mapped virtual address that i will use to read the new content of page table entries to analyze the new change in the MFT handler so i know what i should do (re translate the addresd, unmonitor something etc)
  • @6176993302 #8976 02:16 PM, 08 Mar 2025
    Because in the end the cpu need a virtual address to access the content of a memory, he cannot work with the physical
  • @6176993302 #8977 02:25 PM, 08 Mar 2025
    Or i have to supposed that function will always return me a valid virtual address from the kernel view equivalent to a page table entry physicsl address ?
  • Well, I'm not sure if I understand what you mean but CPU in the end needs a physical address to access memory (EPT is all about converting Guest PA to host PA).
  • Are you talking about regular OS page tables or EPT page tables?
  • @HughEverett #8980 11:06 PM, 08 Mar 2025
    🤔
  • @6176993302 #8981 11:07 PM, 08 Mar 2025
    No I'm talking about regular page tables
  • @6176993302 #8982 11:08 PM, 08 Mar 2025
    I'm trying to monitor the os page tables entries using ept
  • @6176993302 #8983 11:08 PM, 08 Mar 2025
    I will give you an example...
  • @6176993302 #8984 11:10 PM, 08 Mar 2025
    Let's say we have a user mode virtual address 0x7ff5729 , in the initial phase this virtual address has 0x1000 as en equivalent physical address
  • @6176993302 #8985 11:12 PM, 08 Mar 2025
    However at some point the OS decided to paged out the page so i should not monitor anymore the physical address 0x1000 and in parallel I should monitor in real time all "os" page tables entries involved in the address translation (pml4e , pdpe, pde, pte)
  • @6176993302 #8986 11:13 PM, 08 Mar 2025
    The problem is that I need to read the content of these entries in VMX-root mode and I have only physical addresses
  • @6176993302 #8987 11:14 PM, 08 Mar 2025
    And the is a problem since the cpu need a virtual address to access the content of a page table entry (aka to deference the pointer)
  • @6176993302 #8988 11:14 PM, 08 Mar 2025
    I don't know if the problem is cleat
  • @6176993302 #8989 11:14 PM, 08 Mar 2025
    Clear* now?
  • There are plenty of functions in MemoryMapper.c for reading physical memory, in this case you should use this one.
  • This function gets a physical address as the input and saves the content of memory to the target virtual address.
  • As a general rule, those functions that have 'Safe' in their function name are safe to be used in VMX-root mode.
  • @6176993302 #8993 11:37 PM, 08 Mar 2025
    I hope they are safe to use in vmx root mode ..
  • @6176993302 #8994 11:37 PM, 08 Mar 2025
    I will test it
  • @6176993302 #8995 11:37 PM, 08 Mar 2025
    For sure
  • Yes, these 'Safe' functions are all okay to be used in VMX-root. You can also use them simultaneously in different cores (there is no overlap).
  • @6176993302 #8997 11:39 PM, 08 Mar 2025
    Got it i will try to understand how they work internally because I have implemented similar function but it only works on vmx no root mode since it use Mmcopymemory (<= APC_LEVEL)
  • No, MmCopyMemory does not work on MMIO ranges where its not mapped in the page table. It's always better to use internal HyperDbg functions for reading physical memory.
  • @HughEverett #8999 11:42 PM, 08 Mar 2025
    Other than that, there are a couple of VMCALLs for reading physical memory (from VMX non-root mode), you could use them as well.
  • @6176993302 #9000 11:45 PM, 08 Mar 2025
    Mmmmm okay bro got it I will try to read the source code of these functions and use them in my edr and let's see how things will go ^^
  • @6176993302 #9001 11:45 PM, 08 Mar 2025
    Btw I was reading your blog about pfn stuffs
  • @6176993302 #9002 11:46 PM, 08 Mar 2025
    __int64 __fastcall MmGetVirtualForPhysical(unsigned __int64 a1) { return (a1 & 0xFFF) + (*(_QWORD *)(48 * (a1 >> 12) - 6047313952760i64) << 25 >> 16); }
  • @6176993302 #9003 11:46 PM, 08 Mar 2025
    MmGetVirtualForPhysical how this fucking weird function works 😂😂 I mean it needs now context or what (like cr3 value)?
  • 09 March 2025 (3 messages)
  • This is my question too. I know that there is a random number here which refers to the page table's randomized self-ref entry, but I don't know exactly how it works.
  • @6176993302 #9005 12:53 AM, 09 Mar 2025
    mmmm well yes this function drive me crazy i mean i cannot understand how the result of MmGetVirtualForPhysical will be diffirent if we change the cr3 based on this implementation
  • @t1db1t #9006 03:16 PM, 09 Mar 2025
    Joined.
  • 10 March 2025 (20 messages)
  • @lewiscookk #9007 11:10 AM, 10 Mar 2025
    Joined.
  • @6847000763 #9008 01:10 PM, 10 Mar 2025
    Joined.
  • @395437265 #9009 01:51 PM, 10 Mar 2025
    @HughEverett hey, pls tell once again, how can i fight int1 and popfq calls? i need debugger to ignore them
  • Do you mean #DB for trap flags?
  • @6176993302 #9011 05:35 PM, 10 Mar 2025
    @HughEverett bro what is the advantage of having a specific eptpagetable for each core
  • @6176993302 #9012 05:35 PM, 10 Mar 2025
    From a design perspective
  • @6176993302 #9013 05:36 PM, 10 Mar 2025
    I mean for a better control,it will be easy that all cores share the same EptPageTable ?
  • @395437265 ↶ Reply to #9010 #9014 05:38 PM, 10 Mar 2025
    mm not sure, i didnt enable those traps, or they are enabled by default ?
  • They're enabled by default but you could disable them using:

    test trap off

    Or if you want HyperDbg not to intercept breakpoints (#BP), you could run:

    test breakpoint off
  • If you use these commands, you could use other debuggers like WinDbg or x64dbg normally as HyperDbg won't handle breakpoints and traps.
  • HyperDbg was one a single EPTP until 0.7 (I think 🤔), but then we make it a per core multiple EPTP which was a huge milestone for us. Lots of potential bugs are solved with that release.
  • Well, the advantage is if you just use a single EPTP, you might loose some EPT hooks or Monitor hook specially if there is a high rate of execution. For example, you might manipulate one EPTP entry and another core might simultaneously wants to modify the same row and you could imagine that one of the cores will have a wrong EPT page table entry.
  • This is not a problem that could be solved by a spinlock, because this way you'll introduce a lot of delays which is a design disaster.
  • @HughEverett #9021 08:14 PM, 10 Mar 2025
    Besides that, you may need to modify the memory layout of a single thread while maintaining different memory layouts for other threads running on separate cores. In all these scenarios, multiple EPTPs are required.
  • As I mentioned earlier, supporting this was a significant milestone for HyperDbg. Before we transitioned to the current design, I was in contact with some KVM developers, all of them criticized HyperDbg’s approach for using a single EPTP.
  • @6176993302 #9023 08:21 PM, 10 Mar 2025
    Oh got it ... it will be a real mess if two cores tried to access simultaneously the same eptp entry , 100% they will be some sort of inconsistencies information
  • @6176993302 #9024 08:21 PM, 10 Mar 2025
    Now I'm aware that hyperdbg use a eptp table for each core
  • @6176993302 #9025 08:22 PM, 10 Mar 2025
    I have to update my code in mft where I'm catching most important events after write modification handler to force each core to flush its cache and restore the original entry
  • @6176993302 #9026 08:23 PM, 10 Mar 2025
    In my current code I thought that if one core changed the eptp entry it will be sufficient since all cores share the same table
  • @6176993302 #9027 08:23 PM, 10 Mar 2025
    But no no no that's not the case haha
  • 11 March 2025 (19 messages)
  • @6176993302 #9028 12:18 AM, 11 Mar 2025
    @HughEverett bro from my new understanding , i should now call
  • @6176993302 #9029 12:20 AM, 11 Mar 2025
    BOOLEAN ConfigureEptHookMonitor(UINT32 CoreId, EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR * HookingDetails,UINT32 ProcessId)
  • @6176993302 #9030 12:22 AM, 11 Mar 2025
    for all existing cores to make sure that for the address we want to monitor all cores will have the same access policy configuration
  • @6176993302 #9031 12:22 AM, 11 Mar 2025
    right
  • I'm not sure what you mean by "same access policy configuration" but generally once you request a Monitor hook, it synchronizes itself with all of the cores. So, it means you don't need to apply hooks for each core separately, HyperDbg will synchronize it for you.
  • And it does this by knowing whether you're applying the hook in the debugger mode or the VMI mode, because synchronization of each of them is different.
  • @6176993302 #9034 09:17 PM, 11 Mar 2025
    Well you get my point exactly
  • @6176993302 #9035 09:18 PM, 11 Mar 2025
    I'm worried about synchronizing the hook requests for all cores
  • @6176993302 #9036 09:19 PM, 11 Mar 2025
    But actually I'm not working with debugger mode 😕 or the vmi mode either, I told last time that I'm building a simple edr based on hyperdbg API(s)
  • @6176993302 #9037 09:22 PM, 11 Mar 2025
    So it looks like I should handle this task of synchronizing the memory layout for all cores ... I know that when you install a hook from vmx no root mode hyperdbg will make a generic broadcast to apply the same hook for all cores
  • @6176993302 #9038 09:23 PM, 11 Mar 2025
    But in my case most I have to make some ept config change in the MFT handler so i should handle it by myself since there is no DPC mechanism
  • @6176993302 #9039 09:23 PM, 11 Mar 2025
    If I'm not wrong
  • Well, I'm not sure if I implement the broadcasting mechanism in hyperkd or hyperhv but I will look into it for you later once I have access to my laptop. But generally if it's broadcasted from hyperkd, you can copy the codes from broadcaster to your project and use it the same way as hyperkd.sys uses it.
  • So, it shouldn't be a big problem, just take a look at I think in 'Debugger.c' in hyperkd projects there should be some reference to functions that apply event, you could call the same function and it will be fine.
  • There should be a flag that you pass to the top level function and you'll specify whether you want to apply it from VMX root-mode (which is for the debugger mode) or apply it from VMX non-root mode (which is for your case in the vmi mode) and that's all.
  • @6176993302 #9043 10:33 PM, 11 Mar 2025
    I got your point bro thanks for help
  • @6176993302 #9044 10:34 PM, 11 Mar 2025
    Its not easy to build a new project based on a big project like hyeperdbg😂 it's literally means u have to read and understand the design from scratch of the whole project
  • 👍
  • @6176993302 #9046 11:53 PM, 11 Mar 2025
    Bro one last question .. i want now to test my edr based on hyperdbg , how to take of the advantage of LogInfo() etc. It's bit weird here for me singe I'm not using hyperdbg as debugger xd
  • 12 March 2025 (13 messages)
  • @6176993302 #9047 12:06 AM, 12 Mar 2025
    I mean specially my code that will take of hyperdbg Api(s) resides in example\kernel.. you know the project for sure
  • You need to use (import) the HyperLog.dll project in your project and then you can use the LogInfo functions and macros as well as exporting (giving) a pointer to the hyperhv.dll at the initialization time. (The way that hyperkd.sys passes the pointer to these functions to hyperhv.dll).
  • Or another option is importing HyperLog.dll to hyperhv.dll project and changing the code for initialization callbacks. This is also and option but in this option, you will not have access to LogInfo in your top-level project.
  • @6176993302 #9050 12:50 PM, 12 Mar 2025
    okay to understand better
  • @6176993302 #9051 12:50 PM, 12 Mar 2025
    /
    * @file Loader.c
    * @author Sina Karvandi (sina@hyperdbg.org)
    * @brief The functions used in loading the VMM and RM
    * @version 0.2
    * @date 2023-01-29
    *
    * @copyright This project is released under the GNU Public License v3.
    *
    */
    #include "pch.h"

    /
    * @brief Initialize the VMM and Reversing Machine
    *
    * @return BOOLEAN
    */
    BOOLEAN
    LoaderInitVmmAndReversingMachine()
    {
    MESSAGE_TRACING_CALLBACKS MsgTracingCallbacks = {0};
    VMM_CALLBACKS VmmCallbacks = {0};

    //
    // Allow to server IOCTL
    //
    g_AllowIOCTLFromUsermode = TRUE;

    //
    // Fill the callbacks for the message tracer
    //
    MsgTracingCallbacks.VmxOperationCheck = VmFuncVmxGetCurrentExecutionMode;
    // MsgTracingCallbacks.CheckImmediateMessageSending = KdCheckImmediateMessagingMechanism;
    // MsgTracingCallbacks.SendImmediateMessage = KdLoggingResponsePacketToDebugger;

    //
    // Fill the callbacks for using hyperlog in VMM
    //
    VmmCallbacks.LogCallbackPrepareAndSendMessageToQueueWrapper = LogCallbackPrepareAndSendMessageToQueueWrapper;
    VmmCallbacks.LogCallbackSendMessageToQueue = LogCallbackSendMessageToQueue;
    VmmCallbacks.LogCallbackSendBuffer = LogCallbackSendBuffer;
    VmmCallbacks.LogCallbackCheckIfBufferIsFull = LogCallbackCheckIfBufferIsFull;

    //
    // Fill the VMM callbacks
    //
    // VmmCallbacks.VmmCallbackTriggerEvents = DebuggerTriggerEvents;

    //
    // Initialize message tracer
    //
    if (LogInitialize(&MsgTracingCallbacks))
    {
    //
    // Initialize Vmx
    //
    if (VmFuncInitVmm(&VmmCallbacks))
    {
    LogDebugInfo("HyperDbg's hypervisor loaded successfully");

    //
    // Initialize the debugger
    //
    if (CoreInitReversingMachine())
    {
    LogDebugInfo("HyperDbg's reversing machine loaded successfully");

    //
    // Set the variable so no one else can get a handle anymore
    //
    g_HandleInUse = TRUE;

    return TRUE;
    }
    else
    {
    LogError("Err, HyperDbg's debugger was not loaded");
    }
    }
    else
    {
    LogError("Err, HyperDbg's hypervisor was not loaded");
    }
    }
    else
    {
    LogError("Err, HyperDbg's message tracing module was not loaded");
    }

    //
    // Not loaded
    //
    g_AllowIOCTLFromUsermode = FALSE;

    return FALSE;
    }

    /**
    * @brief Uninitialize the log tracer
    *
    * @return VOID
    */
    VOID
    LoaderUninitializeLogTracer()
    {
    LogDebugInfo("Unloading HyperDbg's debugger...\n");

    #if !UseDbgPrintInsteadOfUsermodeMessageTracking

    //
    // Uinitialize log buffer
    //
    LogDebugInfo("Uninitializing logs\n");
    LogUnInitialize();
    #endif
    }
  • @6176993302 #9052 12:51 PM, 12 Mar 2025
    the is the portion of code in the hyperdbg_driver project
  • @6176993302 #9053 12:51 PM, 12 Mar 2025
    i think it implement what you are telling me right now if im not wrong?
  • @6176993302 #9054 12:53 PM, 12 Mar 2025
    all i have to do is to enable the the WPP tracing in the project like in hypervisor from scrath tutuoriel right?
  • @wylzzzzz #9055 10:36 PM, 12 Mar 2025
    Joined.
  • yes, it's an example implementation.
  • Nope, WPP tracing is not used in HyperDbg. Instead we wrote a custom project (which is called HyperLog.dll) for that.
  • @HughEverett #9058 10:44 PM, 12 Mar 2025
    You don't need to use WPP tracing.
  • @6176993302 #9059 11:17 PM, 12 Mar 2025
    Ok got it bro i will use this example as a start a
    To read the output of the loginfo stuffs what i should do in this case ?and sorry for sure for flooding you with tons of questions its just the project is so big to read and I'm trying to focus currently on the memory introspection features not the logs stuffs ...
  • 13 March 2025 (51 messages)
  • @2061102718 #9060 06:35 AM, 13 Mar 2025
    Joined.
  • No worries, ask all of your questions.

    Once you have hyperlog.dll project up and running, you need to have a user-mode thread (separate from original thread) that listens for messages and possible commands from VMX-root mode. It shows all of the messages you sent using LogInfo or other variants (LogWarning, LogError, etc.). I think the user-mode example of the examples implements such a behavior.
  • @AntonioGauthier #9062 11:26 AM, 13 Mar 2025
    Joined.
  • @6176993302 #9063 05:15 PM, 13 Mar 2025
    guys, anyone faced issues while using MemoryMapperReadMemorySafeByPhysicalAddress
  • @6176993302 #9064 05:16 PM, 13 Mar 2025
    it works well until i try to use it to read the content of a Page Directory Entry (PDE)
  • @6176993302 #9065 05:16 PM, 13 Mar 2025
    UINT64
    GetPTAddress(UINT64 PDEAddress)
    {
    UINT64 PDE = 0;
    if (MemoryMapperReadMemorySafeByPhysicalAddress(PDEAddress, &PDE, 8) == STATUS_SUCCESS)
    {
    if (PDE & 0x1)
    { // check if the PDE is valid
    return (PDE & (0x00000000FFFFFF000));
    }
    else
    {
    LogInfo("PDE is invalid , the current content of PDE is 0x%llx ",PDE);
    return 0;
    }
    }
    LogInfo("MemoryMapperReadMemorySafeByPhysicalAddress returned 0 ...");
    return 0;
    }
  • @6176993302 #9066 05:17 PM, 13 Mar 2025
    MemoryMapperReadMemorySafeByPhysicalAddress in this case return FALSE
  • what is this mask here? 0x00000000FFFFFF000
  • @honorary_bot #9068 07:30 PM, 13 Mar 2025
    pfn is larger than that
  • @6176993302 #9069 07:36 PM, 13 Mar 2025
    0x00000000FFFFFF000 this mask is used to extract the address of the page table from the PDE
  • @honorary_bot #9070 07:40 PM, 13 Mar 2025
    Oh, you got 36 bit pfns, ok
  • @6176993302 #9071 08:20 PM, 13 Mar 2025
    Yes exactly bro
  • Are you sure the page-table is mapped in your target process? In VMX root-mode, we always stick to the system process (PID=4).
  • Oh, wait it's a physical address 🤔
  • @honorary_bot #9075 10:28 PM, 13 Mar 2025
    Did you actually check that it is not a large (2mb) page?
  • @honorary_bot #9076 10:28 PM, 13 Mar 2025
    Windows does use them a lot
  • @honorary_bot #9077 10:30 PM, 13 Mar 2025
    Check the PS bit in the PDE
  • @6176993302 #9078 11:29 PM, 13 Mar 2025
    no its not a large page (2mb) i checked the translation using !pte in windbg after exiting hyperdbg
  • @6176993302 ↶ Reply to #9074 #9079 11:30 PM, 13 Mar 2025
    yes its a physical address , i tried to read the content of the memory pointed by that address to extract the address of the next stage in the address translation (aka page table address)
  • @6176993302 #9080 11:31 PM, 13 Mar 2025
    its weird MemoryMapperReadMemorySafeByPhysicalAddress works fine with PML4E, PDPE
  • @6176993302 #9081 11:31 PM, 13 Mar 2025
    but with PDE no
  • @honorary_bot #9082 11:31 PM, 13 Mar 2025
    What's the output of !pte ?
  • @6176993302 #9083 11:32 PM, 13 Mar 2025
    wait
  • @6176993302 #9084 11:43 PM, 13 Mar 2025
    here is the output of my custom hyperdbg code
  • @6176993302 #9085 11:45 PM, 13 Mar 2025
    - The Physical Address of the Page Map Level entry (PML4E) associated to the Virtual address 0x2483cb5000 of the processs 0xffffe38500000284 is 0x26b61000
    - The Physical Address of Page Directory Pointer entry (PDPE) associated to the Virtual address 0x2483cb5000 of the processs 0xffffe38500000284 is 0x1a475490
    - The Physical Address of Page Directory entry (PDE) associated to the Virtual address 0x2483cb5000 of the processs 0xffffe38500000284 is 0x26c760f0
    - (GetPTAddress:116) | MemoryMapperReadMemorySafeByPhysicalAddress returned 0
  • Why windbg? 🤦‍♂
    HyperDbg itself has a nice !pte.

    https://docs.hyperdbg.org/commands/extension-commands/pte
    !pte (display page-level address and entries) | HyperDbg Documentation

    Description of the '!pte' command in HyperDbg.

  • It does not show PTE contents
  • @6176993302 ↶ Reply to #9086 #9088 11:47 PM, 13 Mar 2025
    😅its just my code is a miss now ( a mixte between hyperdbg code and my shitty code) so i tried to make a clean exit to works without doubt , but i already know that hyperdbg !pte command works perfect
  • @honorary_bot #9089 11:48 PM, 13 Mar 2025
    0x1a475490 - have you forgot to zero lowest 12 bits? How can va 0x2483cb5000 map to 0x1a475490 pa?
  • @6176993302 #9090 11:49 PM, 13 Mar 2025
    2: kd> !process 0 0 HelloWorld.exe
    PROCESS ffffcf0aba747080
    SessionId: 1 Cid: 0284 Peb: 2483cb5000 ParentCid: 10ac
    DirBase: 26b61002 ObjectTable: ffff960306a14900 HandleCount: 40.
    Image: HelloWorld.exe

    2: kd> !vtop 26b61000 2483cb5000
    Amd64VtoP: Virt 0000002483cb5000, pagedir 0000000026b61000
    Amd64VtoP: PML4E 0000000026b61000
    Amd64VtoP: PDPE 000000001a475490
    Amd64VtoP: PDE 0000000026c760f0
    Amd64VtoP: PTE 0000000026b775a8
    Amd64VtoP: Mapped phys 0000000170078000
    Virtual address 2483cb5000 translates to physical address 170078000.
  • @honorary_bot #9091 11:49 PM, 13 Mar 2025
    I don't get this output tbh
  • @6176993302 #9092 11:49 PM, 13 Mar 2025
    and here is the output of windbg
  • Use !pte please
  • Oh, that means it's an entry address I guess
  • @6176993302 #9095 11:52 PM, 13 Mar 2025
    0x1a475490 is the physical address of PDPE, then i will use MemoryMapperReadMemorySafeByPhysicalAddress to read its content to extract the address of Page directory table
  • @6176993302 #9096 11:52 PM, 13 Mar 2025
    if you compare the results of my code and the output of !vtop i was doing fine 😂
  • Can you use !pte instead of !vtop ?
  • @honorary_bot #9098 11:53 PM, 13 Mar 2025
    And show the output
  • @6176993302 #9099 11:53 PM, 13 Mar 2025
    okay
  • @6176993302 #9100 11:53 PM, 13 Mar 2025
    !pte of windbg or hyperdbg im confused xd
  • @honorary_bot #9101 11:53 PM, 13 Mar 2025
    windbg
  • @honorary_bot #9102 11:53 PM, 13 Mar 2025
    No offense to @HughEverett , it's just a habit :)
  • @6176993302 #9103 11:54 PM, 13 Mar 2025
    1: kd> !pte 2483cb5000
    VA 0000002483cb5000
    PXE at FFFF8E472391C000 PPE at FFFF8E4723800490 PDE at FFFF8E47000920F0 PTE at FFFF8E001241E5A8
    contains 8A0000001A475867 contains 0A00000026C76867 contains 0A00000026B77867 contains 8100000170078847
    pfn 1a475 ---DA--UW-V pfn 26c76 ---DA--UWEV pfn 26b77 ---DA--UWEV pfn 170078 ---D---UW-V
  • @6176993302 #9105 11:55 PM, 13 Mar 2025
    next time we should use !pte hyperdbg 😅or sina will be angry xd
  • Agreed
  • @honorary_bot #9107 11:55 PM, 13 Mar 2025
    I feel threatened :)
  • @honorary_bot #9108 11:56 PM, 13 Mar 2025
    Well, looks like a totally normal mapping, can you just compare the pte content output?
  • @6176993302 #9109 11:58 PM, 13 Mar 2025
    well i told based on the analysis of the output of !pte command and output of my "custom " address translation code they are the same
  • @6176993302 #9110 11:58 PM, 13 Mar 2025
    except that i cannot go further in the PDE stage when i need to read the content of PDE to get the physical address of next table
  • @6176993302 #9111 11:59 PM, 13 Mar 2025
    so why "MemoryMapperReadMemorySafeByPhysicalAddress" doesnt work with PDE as input is the big question now xd
  • 14 March 2025 (22 messages)
  • @honorary_bot #9112 12:00 AM, 14 Mar 2025
    I can't even see where it can return FALSE
  • @honorary_bot #9113 12:00 AM, 14 Mar 2025
    So I blame you xD
  • @honorary_bot #9114 12:02 AM, 14 Mar 2025
    Wait dude, BOOLEAN MemoryMapperReadMemorySafeByPhysicalAddress
  • @honorary_bot #9115 12:02 AM, 14 Mar 2025
    It returns BOOLEAN
  • @honorary_bot #9116 12:02 AM, 14 Mar 2025
    And you compare it with status_success?
  • @6176993302 #9117 12:04 AM, 14 Mar 2025
    yes
  • @6176993302 #9118 12:04 AM, 14 Mar 2025
    exactly bro it returns BOOLEAN
  • @6176993302 #9119 12:04 AM, 14 Mar 2025
    UINT64
    GetPTAddress(UINT64 PDEAddress)
    {
    UINT64 PDE = 0;
    if (MemoryMapperReadMemorySafeByPhysicalAddress(PDEAddress, &PDE, 8) == STATUS_SUCCESS)
    {
    if (PDE & 0x1)
    { // check if the PDE is valid
    return (PDE & (0x00000000FFFFFF000));
    }
    else
    {
    LogInfo("PDE is invalid , the current content of PDE is 0x%llx ",PDE);
    return 0;
    }
    }
    LogInfo("MemoryMapperReadMemorySafeByPhysicalAddress returned 0 ...");
    return 0;
    }
  • So why do you compare it with ntstatus?
  • @6176993302 #9121 12:05 AM, 14 Mar 2025
    🥲
  • @6176993302 #9122 12:06 AM, 14 Mar 2025
    ouuuuuuuuuuuuuuuuups
  • @6176993302 #9123 12:06 AM, 14 Mar 2025
    nice remark bro
  • @honorary_bot #9124 12:07 AM, 14 Mar 2025
    Well I can only recommend to have more sleep in these cases
  • @6176993302 #9125 12:07 AM, 14 Mar 2025
    😮‍💨 🤣
  • @6176993302 #9126 12:07 AM, 14 Mar 2025
    you got my point xd
  • @6176993302 #9127 12:07 AM, 14 Mar 2025
    hypervisor stuffs need more sleep hour
  • @6176993302 #9128 12:07 AM, 14 Mar 2025
    hours*
  • @6176993302 #9129 12:07 AM, 14 Mar 2025
    🙃😂
  • @6176993302 #9130 12:08 AM, 14 Mar 2025
    sorry guys for this bug 🤣
  • @honorary_bot #9131 12:08 AM, 14 Mar 2025
    No problem
  • @6176993302 #9132 11:46 PM, 14 Mar 2025
    guys im following this strategy to test my code and correct me give me advices if im wrong ... so since i dont want to make things complicated from the start im trying to use one single core for testing to avoid any synchro issues in my code .. however when i do that the machine become "halt" not responding (with only 4 or 5 EPT_HOOK_MONITOR) should i assume that something is wrong in my code (i modified slightly mft handler and ept violation handler) or its just 1 core is not enough to handle hyperdbg code
  • @6176993302 #9133 11:46 PM, 14 Mar 2025
    windows 10
  • 15 March 2025 (5 messages)
  • @501857157 #9134 07:34 AM, 15 Mar 2025
    Joined.
  • Well, monitor works on both single core and multiple core. The problem is most likely on your MTF modifications. 🤔
  • @6176993302 #9136 12:11 PM, 15 Mar 2025
    Yes bro that's what i found xd it , i added a loginfo("hello word1") at the start of mft handler and loginfo("hello world2") at the start of ept violation handler then I start seeing an infinite loop lf "hello world1" in the output which is weird since in theory the number of "hello world1" should be approximately the same of "hello world 2"
  • @6176993302 #9137 12:11 PM, 15 Mar 2025
    Xd
  • @6176993302 #9138 12:11 PM, 15 Mar 2025
    Well I will make some code review and verify
  • 17 March 2025 (6 messages)
  • @6176993302 #9139 12:45 PM, 17 Mar 2025
    @HughEverett I fixed the bug😂😐 finally, let's say I confused the pid of the parent process with the child a very long story
  • @6176993302 #9140 12:48 PM, 17 Mar 2025
    Btw guys , any idea /scientific metrics about the minimum number of vm exits per second that we can consider an indicator of a slow VM?
  • It's all empirical, since different CPU gens and uarchs have different vmexit latencies.
  • @6176993302 #9142 01:03 PM, 17 Mar 2025
    I know but we cannot define let's say sole standard number for "average cpu " that widely used
  • @honorary_bot #9143 01:11 PM, 17 Mar 2025
    I don't think so
  • @anti666satan #9144 07:01 PM, 17 Mar 2025
    Joined.
  • 18 March 2025 (5 messages)
  • @6176993302 #9146 09:48 PM, 18 Mar 2025
    i discovered that the system freeze if we put rw monitor hooks on physical addresses of PML4E, PDPE, PDE, PTE of the peb address of some process
  • @6176993302 #9147 09:49 PM, 18 Mar 2025
    can someone replicate the same behavior ?
  • @6176993302 #9148 09:50 PM, 18 Mar 2025
    to be more specific the system freez "sometimes" and sometimes it continue working
  • @6176993302 #9149 09:51 PM, 18 Mar 2025
    hyperdbg 0.13
  • 19 March 2025 (60 messages)
  • I encountered this problem a few years ago. The problem is not because of the HyperDbg's implementation. My conclusion was that there are some bits (like dirty bit in the page table) that cause a VM-exit once they're applied by CPU. But, we couldn't re-apply them to the memory as they don't have an instruction for applying the dirty bit and it's the processor that applies it. I think the reason why HyperDbg hangs is because of this (but I'm not sure and I couldn't verify the assumption).
  • @HughEverett #9151 08:52 PM, 19 Mar 2025
    The 'dirty' bit is an example, there might be other bits as well.
  • @honorary_bot #9152 09:05 PM, 19 Mar 2025
    Can you elaborate more on this dirty bit problem? I didn't catch the exact problem
  • @honorary_bot #9153 09:06 PM, 19 Mar 2025
    Dirty bit don't cause VM-exits
  • @6176993302 #9154 09:31 PM, 19 Mar 2025
    mmmmmmm my assumption was that probably the PML4 table is heavily accessed since thats the start point of translating addresses and when you try to put any monitor point on some specific PML4E it will end up triggering any read/write in the table since its seize is exactly 0x1000 bytes
  • Got it, EPT violation due to dirty bits update?
  • Do you actually get VM-exits logged on PML4 lookups? Because those are supposed to be cached in TLB all the time
  • @honorary_bot #9157 09:41 PM, 19 Mar 2025
    But that's interesting, never thought of this use case
  • @6176993302 ↶ Reply to #9157 #9158 10:27 PM, 19 Mar 2025
    well each time we discover some strange behavior in virtualization xd
  • @6176993302 #9159 10:27 PM, 19 Mar 2025
    thats a strange world
  • @honorary_bot #9161 10:28 PM, 19 Mar 2025
    Well, too bad :)
  • @6176993302 #9162 10:29 PM, 19 Mar 2025
    i have modified the code of the MFT handler by adding a debug message : LogInfo("Inside the MonitorTrapFlag handler again ");
  • @6176993302 #9163 10:29 PM, 19 Mar 2025
    at the start of EptHookHandleMonitorTrapFlag
  • @6176993302 #9164 10:29 PM, 19 Mar 2025
    and when i applied the monitor rw hook on the PML4E it generate an infinite loop of MFT exit events
  • @honorary_bot #9165 10:31 PM, 19 Mar 2025
    Oh, I got it, tlb cache entries actually hold ept rwxu bits, so even if they are cached in tlb, they are still consulted for a possible ept violation exit
  • @6176993302 ↶ Reply to #9165 #9166 10:35 PM, 19 Mar 2025
    in other words the ept violation will happen for sure right
  • @honorary_bot #9167 10:36 PM, 19 Mar 2025
    yeah, no matter if it's cached or fetched from the memory
  • @honorary_bot #9168 10:36 PM, 19 Mar 2025
    in fact if it's not in the cache, it is fetched into the cache first
  • @honorary_bot #9169 10:36 PM, 19 Mar 2025
    so consulted with the cache entry anyway
  • @6176993302 #9170 10:40 PM, 19 Mar 2025
    got your point bro it seems logic
  • @6176993302 #9171 10:40 PM, 19 Mar 2025
    but what i dont understand now
  • @6176993302 #9172 10:41 PM, 19 Mar 2025
    is that i modified the EPT hook handler function
  • @6176993302 #9173 10:41 PM, 19 Mar 2025
    EptHookHandleHookedPage
  • @6176993302 #9174 10:41 PM, 19 Mar 2025
    in such way that it will display the details of the access
  • @6176993302 #9175 10:42 PM, 19 Mar 2025
    like : LogInfo("Guest RIP : 0x%llx tries to read the page at : 0x%llx", HvGetRip(), PhysicalAddress);
  • @6176993302 #9176 10:42 PM, 19 Mar 2025
    however i dont see this output in the current logs displayed
  • @honorary_bot #9177 10:43 PM, 19 Mar 2025
    what's in the logs?
  • @6176993302 #9178 10:45 PM, 19 Mar 2025
    wait i will make some screen and show you
  • Obviously instruction fetch also causes ept violation btw, so every instruction would cause a EPT violation
  • @honorary_bot #9180 10:51 PM, 19 Mar 2025
    Also, if you need to monitor page table changes, why don't you trap just writes?
  • @honorary_bot #9181 10:52 PM, 19 Mar 2025
    Monitoring all page table accesses doesn't make sense
  • @6176993302 #9182 10:56 PM, 19 Mar 2025
    in order to minitor the write only what config i need to set up
  • @6176993302 #9183 10:56 PM, 19 Mar 2025
    because if im not wrong you cannot set up write alone?
  • @honorary_bot #9184 10:57 PM, 19 Mar 2025
    EPT protection definitely allows write-only, as well as execute-only on later (IVB+) cpus
  • @6176993302 #9185 10:58 PM, 19 Mar 2025
    really?
  • @6176993302 #9186 10:58 PM, 19 Mar 2025
    because if im not wrong the current hyperdbg implementation
  • @6176993302 #9187 10:58 PM, 19 Mar 2025
    add always the read
  • @6176993302 #9188 10:58 PM, 19 Mar 2025
    even if the user specified the write only
  • @honorary_bot #9190 10:59 PM, 19 Mar 2025
    Oh, that's hyperdbg specifics then )
  • @honorary_bot #9191 10:59 PM, 19 Mar 2025
    I'm just an Intel guy
  • @6176993302 #9192 10:59 PM, 19 Mar 2025
    im aware of the execute only
  • @6176993302 #9193 10:59 PM, 19 Mar 2025
    but for the write only
  • @6176993302 #9194 10:59 PM, 19 Mar 2025
    thats the first time i hear about
  • @6176993302 #9195 11:00 PM, 19 Mar 2025
    @HughEverett i think sina have more details about the implementation
  • Applicable for every pte type
  • @6176993302 #9198 11:01 PM, 19 Mar 2025
    well if that was the case
  • @6176993302 #9199 11:02 PM, 19 Mar 2025
    i think we should have a fork of hyperdbg that ignore read access when the user specify write access only
  • @6176993302 #9200 11:03 PM, 19 Mar 2025
    this will help really improve the performance since usually we are intersted in write access events from a malware detection perspective
  • yes
  • what is the exit reason? can you print that?
  • Do you mean that each translation of a page (VA to PA), will create EPT violation?
  • That's what I deduce from the the discussion, it makes sense. Though I haven't tried myself
  • @6176993302 #9208 11:58 PM, 19 Mar 2025
    many of the addresses that caused the EPT violation are related to the memory manager code
  • Ohh, but that's a manual page walk with an actual pte access
  • HyperDbg allows all of the possible combination. The only thing that is not allowed is a page that you want to intercept its reads but not writes. (It automatically sets the write to FALSE) because it's not supported in Intel processors (you'll get a VM error if you configure it like this).
  • 20 March 2025 (38 messages)
  • You can't do it, Intel won't allow it. That's why HyperDbg automatically configures the (read to FALSE) bit.
  • Got it. That's reasonable.
  • @6176993302 #9213 12:01 AM, 20 Mar 2025
    so
  • @6176993302 #9214 12:01 AM, 20 Mar 2025
    in order to monitor write access
  • @6176993302 #9215 12:01 AM, 20 Mar 2025
    only
  • @6176993302 #9216 12:01 AM, 20 Mar 2025
    we should
  • @6176993302 #9217 12:01 AM, 20 Mar 2025
    MonitorDetails.SetHookForRead = FALSE;
    MonitorDetails.SetHookForWrite = TRUE;
    MonitorDetails.SetHookForExec = FALSE;
  • Not possible, using this combination is not allowed in Intel.
  • @6176993302 #9219 12:02 AM, 20 Mar 2025
    so something like
  • @6176993302 #9220 12:02 AM, 20 Mar 2025
    MonitorDetails.SetHookForRead = FALSE;
    MonitorDetails.SetHookForWrite = TRUE;
    MonitorDetails.SetHookForExec = TRUE;
  • again, not possible.
  • He needs a EPT violation only on writes
  • @honorary_bot #9223 12:03 AM, 20 Mar 2025
    That means R is 1, but W is 0
  • @honorary_bot #9224 12:03 AM, 20 Mar 2025
    In EPT
  • You can't set hook for write without having it for reads.
  • @honorary_bot #9226 12:04 AM, 20 Mar 2025
    You can
  • @honorary_bot #9227 12:04 AM, 20 Mar 2025
    R = 0, W = 1 is invalid
  • @honorary_bot #9228 12:04 AM, 20 Mar 2025
    But it's the other way round
  • @honorary_bot #9229 12:05 AM, 20 Mar 2025
    R = 1, W = 0
  • well, let me double check the code. I think we're mixing set write to FALSE with set hook to FALSE.
  • Oh, yes
  • I mean this one, but in terms of setting hook, it's NOT(Page bits).
  • So, what's the problem Poikourditchy78 ? HyperDbg certainly support this one on its current design.
  • @6176993302 #9234 12:07 AM, 20 Mar 2025
    im just confused about the
  • @6176993302 #9235 12:07 AM, 20 Mar 2025
    defintion of access from code perspective
  • @6176993302 #9236 12:07 AM, 20 Mar 2025
    so im not wrong
  • @6176993302 #9237 12:07 AM, 20 Mar 2025
    MonitorDetails.SetHookForRead = TRUE;
    MonitorDetails.SetHookForWrite = FALSE;
    MonitorDetails.SetHookForExec = TRUE;
  • @6176993302 #9238 12:08 AM, 20 Mar 2025
    will trigger write access only
  • @HughEverett #9239 12:08 AM, 20 Mar 2025
    Setting hook = Not (Setting RWX bits)
  • @6176993302 #9240 12:08 AM, 20 Mar 2025
    okaaay
  • No, you need to configure it like:

    MonitorDetails.SetHookForRead = FALSE;
    MonitorDetails.SetHookForWrite = TRUE;
    MonitorDetails.SetHookForExec = FALSE;
  • @6176993302 #9242 12:09 AM, 20 Mar 2025
    so : not setting hook = Setting RWX bits)
  • @6176993302 #9243 12:09 AM, 20 Mar 2025
    got it got it got it
  • yes
  • @6176993302 #9245 12:11 AM, 20 Mar 2025
    mmmmm however we should solve the puzzle of this PML4E xd
  • @6176993302 #9246 12:12 AM, 20 Mar 2025
    i found this article
  • @6176993302 #9247 12:12 AM, 20 Mar 2025
    Monitor Trap Flag (MTF) Usage in EPT-based Guest Physical Memory Monitoring

    A blog focusing on the technologies and practices for system and low level, embedded, firmware, OS internals, computer security, hypervisor.

  • @6176993302 #9248 12:12 AM, 20 Mar 2025
    it somehow implements the same idea to monitor page tables (he will set page table entries to "read only" according to him"