Is it possible to use a hypervisor to track exception handling in Windows?
For example:
try{
exception page fault
}
catch (err) {
not debugger
}
There is a tricky defense mechanism that causes a page error and is handled in the driver itself (WinDbg does not see an exception).
- 01 September 2024 (55 messages)
-
-
Yes. You can use the !exception command combined with the event short-circuiting mechanism.
By default, if an exception/fault/interrupt happens in the system, HyperDbg re-injects it into the guest.
You can decide whether you want it to be injected into the guest and handled by Windows, or dropped and ignored by short-circuiting it.
Please check:
https://docs.hyperdbg.org/tips-and-tricks/misc/event-short-circuiting
-
We don't need to ignore the exception, but we need to track where the handler of this exception is located (the code in catch).
-
So, you need to find the handler using a simple script using the same !exception command.
-
Yes, that's right... What should the script look like for !exception?
-
I'm not sure how SEH works these days. A few years ago, it was like putting the address of SEH Handler in the stack but I'm not sure if it still works the same way.
-
You need to check how Microsoft implemented the SEH in newer Windows versions.
-
I tried to put a breakpoint in WinDbg on the handler function in the IDT table, but the system was hanging.
-
-
This is also a unique aspect of HyperDbg. You cannot trace instructions in ISRs (IDT functions) in WinDbg but you can do it in HyperDbg. 🙂
Make sure to use the instrumentation step-in instead of regular step-in.
https://docs.hyperdbg.org/commands/debugging-commands/i
-
Nope. It's possible in HyperDbg. But it's not possible in WinDbg.
-
But there should be articles online where people have already analyzed SEH. I think this way of analyzing SEH from IDT entries is too fundamental and time-consuming. There should be better and easier ways of analyzing SEH. 🤔
-
If we are talking about the driver, is there a VEH?
-
VEH?
-
Vectored exception handling in 64-bit Windows.
-
Unfortunately, I'm not familiar with it.
-
So you can use HyperDbg to analyze the entire chain?
-
Yes. But you need to use the 'i' command instead of 't'.
-
Please tell me how to correctly create a script for !exception to stop at KiDispatchException.
-
-
Can you send your script here? What's the reason for the BSOD?
-
I haven't used the script yet. I just put an !epthook on KiDispatchException.
-
Use a simple script, like a simple logging printf, and if it crashes the system, send us WinDbg's !analyze -v results.
-
Something like this: !epthook script {printf(@rip)}?
-
Yes.
-
@HughEverett Can I access the code safe buffer from the script somehow?
I'm trying
!monitor x 00d6d049 l 2 buffer 10 asm code {mov byte ptr ds:[rcx], 20} script {
printf("%x \n",dq(rcx));
}
but I'm getting
(20:50:24.230 - core : 1 - vmx-root? yes) [+] Information (DebuggerPerformRunScript:1730) | err, ScriptEngineExecute, function = FUNC_DQ -
Safe buffer pointer is available at the '$buffer' pseudo-register.
-
-
You're trying to dereference an invalid address (in this case @rcx). That's why you see that error.
-
Damn... again I didn't RTFM :D
-
Thanks
-
-
-
-
@HughEverett
Hmm,
!monitor x 00d6d049 l 2 buffer 10 asm code {mov byte ptr ds:[rcx], 20} script {
printf("TRIGGER %x\n",db($buffer));
}
It prints 0 for some reason.
-
You can use the buffer which is available in rcx. <— from docs
-
That's weird. Will it happen if you don't use "test trap off"? I mean, will just using !epthook crash it?
-
That's an error for sure. Could you please open an issue for it on GitHub?
-
test trap off or enabled... BSOD
-
Right now, I'm on a trip. I'll fix them all hopefully next week.
-
-
Is it hooked in a normal system? I mean is there any anti-debugging/cheating software working on the target system?
-
I ask because it seems that people had the same problem with this function:
https://www.unknowncheats.me/forum/anti-cheat-bypass/620722-hooking-kidispatchexception-help.html
-
The system works in normal mode.
-
Other than that, can you test the same script (don't use @rip; show @rcx instead) using the !epthook2 command?
-
One minute.
-
I use HyperDbg with the trap flag in CPUID.
-
-
-
Sure.
-
That's weird. Something irregular is happening with this function. Maybe it's an immediate PatchGuard check. I have to inspect it. Please create a GitHub issue for it, so we can investigate and fix it.
-
OS: Windows 10 - VMware 17
-
Joined.
-
@HughEverett https://github.com/HyperDbg/HyperDbg/issues/471
-
Thanks