How to hook function in user mode with DBVM?
Cheat Engine Forum Index -> Cheat Engine Source -> DBVM
kabachi
How do I cheat?
Reputation: 0

Joined: 08 May 2015
Posts: 7

Posted: Fri May 08, 2015 10:18 pm

Dark Byte wrote:

or it's just that one single game has recently added integrity checks

I can certify that the game I'm interested in has none worth mentioning; I was just contemplating adding hypervisor-based stealth breakpoints to something and here this thread comes up on google. It looks like you did some research on this, so TYVM for sharing! Now I know how to shop for a new CPU :)
EDIT:

dbk_readMSR(0x48C)=f0106114141

I guess I'm in luck and my CPU supports it?
Dark Byte
Site Admin
Reputation: 465

Joined: 09 May 2003
Posts: 25509
Location: The netherlands

Posted: Sat May 09, 2015 7:13 am

Yes, bit 0 indicates it's supported
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
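Decoding the capability value from this exchange, as an added example (not code from the thread, from Cheat Engine or from DBVM): the program takes the raw IA32_VMX_EPT_VPID_CAP value that `dbk_readMSR(0x48C)` or `sudo rdmsr 0x48C` prints and reports what the CPU advertises, using the bit layout documented in the Intel SDM (bit 0 is the execute-only support Dark Byte refers to). The names `decode_ept_vpid_cap`, `split_page_capable` and `parse_msr_hex` are mine, and the rule that the split-page scheme needs execute-only translations plus INVEPT is my assumption about its minimum requirements, not something the thread states.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* MSR index as used in the thread: dbk_readMSR(0x48C) / rdmsr 0x48C. */
#define MSR_IA32_VMX_EPT_VPID_CAP 0x48CU

/* Bit positions in IA32_VMX_EPT_VPID_CAP, per Intel SDM vol. 3, appendix A.10. */
enum {
    EPT_CAP_EXECUTE_ONLY  = 0,  /* execute-only EPT translations (the "bit 0" in the thread) */
    EPT_CAP_WALK_LENGTH_4 = 6,  /* page-walk length of 4 */
    EPT_CAP_MEMTYPE_UC    = 8,  /* EPT paging structures may be uncacheable */
    EPT_CAP_MEMTYPE_WB    = 14, /* EPT paging structures may be write-back */
    EPT_CAP_2MB_PAGES     = 16, /* 2 MiB EPT pages */
    EPT_CAP_1GB_PAGES     = 17, /* 1 GiB EPT pages */
    EPT_CAP_INVEPT        = 20, /* INVEPT instruction supported */
    EPT_CAP_AD_FLAGS      = 21, /* accessed and dirty flags in EPT entries */
    EPT_CAP_INVEPT_SINGLE = 25, /* single-context INVEPT */
    EPT_CAP_INVEPT_ALL    = 26, /* all-context INVEPT */
    VPID_CAP_INVVPID      = 32  /* INVVPID instruction supported */
};

struct ept_caps {
    bool execute_only, walk_length_4, memtype_uc, memtype_wb;
    bool pages_2mb, pages_1gb, invept, ad_flags, invept_single, invept_all, invvpid;
};

static bool msr_bit(uint64_t value, unsigned bit) { return (value >> bit) & 1u; }

struct ept_caps decode_ept_vpid_cap(uint64_t msr) {
    struct ept_caps c = {0};
    c.execute_only  = msr_bit(msr, EPT_CAP_EXECUTE_ONLY);
    c.walk_length_4 = msr_bit(msr, EPT_CAP_WALK_LENGTH_4);
    c.memtype_uc    = msr_bit(msr, EPT_CAP_MEMTYPE_UC);
    c.memtype_wb    = msr_bit(msr, EPT_CAP_MEMTYPE_WB);
    c.pages_2mb     = msr_bit(msr, EPT_CAP_2MB_PAGES);
    c.pages_1gb     = msr_bit(msr, EPT_CAP_1GB_PAGES);
    c.invept        = msr_bit(msr, EPT_CAP_INVEPT);
    c.ad_flags      = msr_bit(msr, EPT_CAP_AD_FLAGS);
    c.invept_single = msr_bit(msr, EPT_CAP_INVEPT_SINGLE);
    c.invept_all    = msr_bit(msr, EPT_CAP_INVEPT_ALL);
    c.invvpid       = msr_bit(msr, VPID_CAP_INVVPID);
    return c;
}

/* Assumed minimum for the split-page scheme discussed in the thread: a page must be mappable
   as executable-but-unreadable, and a flipped EPT entry must be flushable with INVEPT. */
bool split_page_capable(uint64_t msr) {
    struct ept_caps c = decode_ept_vpid_cap(msr);
    return c.execute_only && c.invept;
}

/* Parse the hex text printed by rdmsr / dbk_readMSR ("f0106114141" or "0xf0106114141"). */
bool parse_msr_hex(const char *text, uint64_t *out) {
    char *end = NULL;
    if (text == NULL || *text == '\0') return false;
    uint64_t v = strtoull(text, &end, 16);
    if (*end != '\0') return false;
    *out = v;
    return true;
}

static void report(uint64_t msr) {
    struct ept_caps c = decode_ept_vpid_cap(msr);
    printf("IA32_VMX_EPT_VPID_CAP (0x%X) = 0x%llx\n", MSR_IA32_VMX_EPT_VPID_CAP, (unsigned long long)msr);
    printf("  execute-only EPT translations : %s\n", c.execute_only ? "yes" : "no");
    printf("  2 MiB / 1 GiB EPT pages       : %s / %s\n", c.pages_2mb ? "yes" : "no", c.pages_1gb ? "yes" : "no");
    printf("  INVEPT (single / all context) : %s (%s / %s)\n", c.invept ? "yes" : "no",
           c.invept_single ? "yes" : "no", c.invept_all ? "yes" : "no");
    printf("  accessed/dirty flags, INVVPID : %s, %s\n", c.ad_flags ? "yes" : "no", c.invvpid ? "yes" : "no");
    printf("  split-page scheme feasible    : %s\n", split_page_capable(msr) ? "yes" : "no");
}

int main(int argc, char **argv) {
    uint64_t msr = 0xf0106114141ULL;   /* value posted in the thread; override it on the command line */
    if (argc > 1 && !parse_msr_hex(argv[1], &msr)) {
        fprintf(stderr, "usage: %s [hex value of MSR 0x48C]\n", argv[0]);
        return 1;
    }
    report(msr);
    return 0;
}
```

For the value in the thread the decoder reports execute-only translations, 2 MiB (but not 1 GiB) pages, INVEPT in both forms and INVVPID, and no accessed/dirty flag support.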
kabachi
How do I cheat?
Reputation: 0

Joined: 08 May 2015
Posts: 7

Posted: Sun May 10, 2015 2:57 pm

Ok, while my RS232 cable is in the mail here are some thoughts that you hopefully can validate:

1. That PET you mentioned in this thread, it is EPT right? Google returns some weird stuff when you google for intel pets :)
2. EPT is not in DBVM in the present, so it needs to be added. First, added as 1:1 mapping to the physical addresses to make things easier
3. A new command to DBVM that would allow taking a snapshot of a certain page given its address and store it in the reserved space
4. Add another command that would mark this page as "split", meaning two pages are used. Either the snapshot with "Read" access or the actual copy with "Execute only" access. Flip them in the VM exit that is supposed to happen in case of access violation from EPT permissions.
5. If a write happens when a snapshot is active, invalidate the snapshot and restore the original page contents from it.
6. Two more new commands to invalidate the snapshot and to check the page state. This should get us to the point where you can set INT 3 breakpoints on a code page or add some instrumentation to it and then trick any consistency checks in the malware we are trying to analyse :) More can be done to deal with self-modifying code, but this should be enough for the 1st cut.
7. If the page gets swapped out, the effect should disappear when its "guest" physical memory is overwritten. That means all our instrumentation would be gone - just disable the swap file for better effect.
8. Debugging it inside vmware or virtualbox is not feasible because they likely don't emulate EPT. That means I'll need RS232 to USB converter plus a null modem cable to debug it from my laptop (PC has a com port, laptop doesn't)
9. Virtual box implements EPT and can be used as an example with its source code
10. Same thing can be added to virtualbox built-in debugger and that would convert it into a badass malware analysis tool :)

Am I making sense here or just babbling? :)

I also noticed that when kernel debugging is enabled in CE only hardware breakpoints can be used. Would regular breakpoints be hard to implement and is anything happening to hide debug registers from the OS or the process?
Dark Byte
Site Admin
Reputation: 465

Joined: 09 May 2003
Posts: 25509
Location: The netherlands

Posted: Sun May 10, 2015 4:12 pm

1: yes, I meant EPT
2: correct. Some architectures (like yours) support huge page mapping, so that can make things easier.
It will probably still require a bit more memory than the default 4MB

3: that's one possibility yes. Alternatively, allocate the copy in the target process and adjust read/write registers to there on access violation (a bit easier to detect, but faster)
4: you could probably add that in the one of 3

5: restore the original page, and set the TF flag in eflags. This will cause the current cpu to execute the instruction referencing the memory and then raise a debug exception.
Resume and block external interrupts for at least one cpu cycle, else there could be task switching annoyances (alternatively, the timed vmexit could be used to exit after 1 instruction cycle, but not sure if it can be that accurate)

6:

7: Code that is executed will almost never get paged out by windows so shouldn't be an issue. Besides, when it's loaded back, it's a write operation, and thus an access violation which you can deny

8: should work, but expect a BSOD once in a while on the laptop if there's a LOT of data coming through at once. (two of my usb com devices tend to cause a bsod when flooded, different manufacturers, so could be a generic driver thing)

9-10: it might be easier to start with virtualbox

Quote:

Would regular breakpoints be hard to implement

Not really, just needs to implement an interrupt 3 handler then and pass on that data to ce's debuggerinterface. (most people that go for kernel debug usually don't want software breakpoints)

Quote:

and is anything happening to hide debug registers from the OS or the process?

Only when global debug is enabled.
It will then break on every single debug register access and emulate the read and write. This includes when windows does a context switch



Last edited by Dark Byte on Fri Feb 12, 2016 2:07 pm; edited 1 time in total
kabachi
How do I cheat?
Reputation: 0

Joined: 08 May 2015
Posts: 7

Posted: Sun May 10, 2015 6:04 pm

Dark Byte wrote:

2: correct. Some architectures (like your support huge page mapping, so that can make things easier)
It will probably still require a bit more memory than the default 4MB

If I didn't mess up the math, it is about 24 meg just to hold the structure with regular pages for 12gb of RAM. And if I go for bigger pages, chances are I'd get a mix of code and data and data writes will screw me up. 1:1 relationship between pages seems necessary. Even in virtualbox I'd have to disable large pages in EPT. No way to just add a proper virtualProtect that supports execute-only.

Dark Byte wrote:

3: that's one possibility yes. Alternatively, allocate the copy in the target process and adjust read/write registers to there on access violation (a bit easier to detect, but faster)

Faster to write or will work faster? I got an impression that those flags are for EPT and not for your regular paging tables, meaning I'll still have to go all the way to DBVM to make it work and EPT will have to be implemented there.

Dark Byte wrote:

4: you could probably add that in the one of 3

Maybe, but how would I change the data from user mode then? My idea was to use the first instruction, then set breakpoints/instrumentation and then use the second instruction.

Dark Byte wrote:

5: restore the original page, and set the TF flag in eflags. This will cause the current cpu to execute the instruction referencing the memory and then raise a debug exception. (alternatively, the timed vmexit could be used to exit after 1 instruction cycle, but not sure if it can be that accurate)

So, this way I could recover from writes. Good point.

Dark Byte wrote:

7: Code that is executed will almost never get paged out by windows so shouldn't be an issue. Besides, when it's loaded back, it's a write operation, and thus an access violation which you can deny

That's what I have been thinking as well. It would be loaded back to a different address though and I won't know it from just the hypervisor.

Dark Byte wrote:

8: should work, but expect a BSOD once in a while on the laptop if there's a LOT of data coming through at once. (two of my usb com devices tend to cause a bsod when flooded, different manufacturers, so could be a generic driver things)

I have a linux laptop and a windows PC where I run DBVM, so it is the other way around - DBVM will have a proper serial. I sure hope the laptop won't crash :)

Dark Byte wrote:

9-10: it might be easier to start with virtualbox

Good point, I was actually digging in that direction already, just found all those articles online saying that this can't be done on Intel and almost gave up before I found this thread.
EDIT: It looks like my laptop supports it as well:
sudo rdmsr 0x48C
f0106114141
John111
How do I cheat?
Reputation: 0

Joined: 05 May 2015
Posts: 2
Location: Netherlands

Posted: Tue May 12, 2015 12:47 pm

Looks like there was a talk on blackhat 2014 about using EPT with a small hypervisor.
Slides and hypervisor code is on github (dot) com (slash) ainfosec (slash) MoRE
kabachi
How do I cheat?
Reputation: 0

Joined: 08 May 2015
Posts: 7

Posted: Tue May 12, 2015 5:28 pm

John111 wrote:
Looks like there was a talk on blackhat 2014 about using EPT with a small hypervisor.
Slides and hypervisor code is on github (dot) com (slash) ainfosec (slash) MoRE

Looking into it already, it is for 32bit only, one CPU and based on DDK instead of gcc&stuff Dark Byte used. But they did exactly what I am trying to accomplish, so should be a good example.
tigerite
How do I cheat?
Reputation: 0

Joined: 16 May 2007
Posts: 9

Posted: Thu Oct 15, 2015 2:35 pm

Did anyone have any luck with merging the memory code from the MoRE source with DBVM? As MoRE's VM/hypervisor is nothing compared to DBVM's..
kabachi
How do I cheat?
Reputation: 0

Joined: 08 May 2015
Posts: 7

Posted: Mon Feb 01, 2016 1:05 am

Dark Byte wrote:

9-10: it might be easier to start with virtualbox

I managed to add TLB splitting to KVM (the damned forum doesn't let me post the link, search for split tlb on github). This solves the issue of hiding patches in general because you can virtualize almost anything with KVM, including most games, but adding this to DBVM would make it more accessible. Unfortunately, DBVM is way trickier to work with than KVM, where I didn't even get a single panic while working on it, at least not before I started stress testing on low memory. Also, the solution in MoRE appeared to be a bit over-complicated. For some reason, in MoRE Jacob always uses single step to go over the offending instruction, and in my case the naive approach of just flipping the flag+address in the EPT violation handler seems to work fine. The special case of combined read+execute seems to never happen, at least not in the read-only mode that I've implemented.
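The split-page mechanism from kabachi's numbered plan (steps 3 to 6), Dark Byte's reply to it, and the KVM post above, written out as a user-space model so the state transitions can be followed without a hypervisor. This is an added example and not code from the thread, from DBVM, from MoRE or from the KVM patch: it models one guest-physical page with two backing copies and simulates the EPT-violation handler that flips the entry between them, which is also how hypervisor-based introspection tools place breakpoints that a guest-side memory read cannot see. Every name in it (`split_page`, `split_on_violation`, `guest_read` and so on) is mine. The one thing it adds to the naive flip described above is a guard for the read-plus-execute case kabachi says never occurred: when a single instruction keeps bouncing the entry between the two views, the handler reports that the caller has to fall back to single-stepping, the approach Dark Byte's TF-flag suggestion and the MoRE code take.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096
enum { EPT_R = 1u, EPT_W = 2u, EPT_X = 4u, EPT_RWX = 7u };   /* EPT entry permission bits 0..2 */
enum access_kind { ACCESS_READ, ACCESS_WRITE, ACCESS_EXEC };
/* Outcome of one simulated access: no fault, entry flipped to the executed copy (execute-only) or to
   the snapshot (read-only), split torn down by a write, or the instruction must be single-stepped. */
enum split_result { SPLIT_NO_FAULT, SPLIT_SERVED_EXEC, SPLIT_SERVED_DATA, SPLIT_TORN_DOWN, SPLIT_NEEDS_STEP };

struct split_page {
    uint8_t  page[PAGE_SIZE];     /* copy the guest executes; instrumentation lands here */
    uint8_t  snapshot[PAGE_SIZE]; /* pristine copy taken when the split was created */
    bool     split;
    uint32_t perms;               /* permissions the EPT entry currently grants */
    uint64_t last_rip;            /* guest RIP of the previous violation */
    unsigned same_rip_flips;      /* consecutive flips caused by one instruction */
    unsigned flips;               /* total view flips, for instrumentation */
};

void split_init(struct split_page *p, const uint8_t *contents, size_t len) {
    memset(p, 0, sizeof *p);
    memcpy(p->page, contents, len < PAGE_SIZE ? len : PAGE_SIZE);
    p->perms = EPT_RWX; p->last_rip = UINT64_MAX;
}
/* Steps 3 and 4: snapshot the page, then hand the guest the execute-only view. */
void split_create(struct split_page *p) {
    memcpy(p->snapshot, p->page, PAGE_SIZE);
    p->split = true; p->perms = EPT_X; p->same_rip_flips = 0;
}
/* Patches go into the executed copy only; data reads keep seeing the snapshot. */
bool split_patch(struct split_page *p, size_t off, const uint8_t *bytes, size_t len) {
    if (!p->split || len > PAGE_SIZE || off > PAGE_SIZE - len) return false;
    memcpy(p->page + off, bytes, len); return true;
}
/* The copy the EPT entry currently resolves to. */
const uint8_t *split_mapped(const struct split_page *p) { return (p->split && p->perms == EPT_R) ? p->snapshot : p->page; }
/* Re-arm execute-only after the caller has single-stepped the stuck instruction. */
void split_rearm(struct split_page *p) { if (p->split) { p->perms = EPT_X; p->same_rip_flips = 0; } }

/* Simulated EPT-violation handler, reached when `kind` is not allowed by p->perms. */
enum split_result split_on_violation(struct split_page *p, enum access_kind kind, uint64_t rip) {
    if (!p->split) return SPLIT_NO_FAULT;          /* unsplit pages are RWX and never get here */
    if (kind == ACCESS_WRITE) {
        /* Step 5: restore the pristine bytes, drop the split, let the write proceed. */
        memcpy(p->page, p->snapshot, PAGE_SIZE);
        p->split = false; p->perms = EPT_RWX;
        return SPLIT_TORN_DOWN;
    }
    p->same_rip_flips = (rip == p->last_rip) ? p->same_rip_flips + 1 : 0; p->last_rip = rip;
    if (p->same_rip_flips >= 2) {
        /* Same instruction bouncing between views: another flip cannot make progress, so map
           everything for one instruction and let the caller single-step it (TF flag). */
        p->perms = EPT_RWX;
        return SPLIT_NEEDS_STEP;
    }
    p->perms = (kind == ACCESS_EXEC) ? EPT_X : EPT_R;
    p->flips++;
    return (kind == ACCESS_EXEC) ? SPLIT_SERVED_EXEC : SPLIT_SERVED_DATA;
}

/* Guest-side simulation: fault into the handler only when the current entry forbids the access. */
uint8_t guest_access(struct split_page *p, enum access_kind kind, size_t off, uint64_t rip, enum split_result *res) {
    uint32_t need = (kind == ACCESS_EXEC) ? EPT_X : (kind == ACCESS_WRITE) ? EPT_W : EPT_R;
    enum split_result r = (p->perms & need) ? SPLIT_NO_FAULT : split_on_violation(p, kind, rip);
    if (res) *res = r;
    return split_mapped(p)[off % PAGE_SIZE];
}
uint8_t guest_read(struct split_page *p, size_t off, uint64_t rip) { return guest_access(p, ACCESS_READ, off, rip, NULL); }
uint8_t guest_exec(struct split_page *p, size_t off, uint64_t rip) { return guest_access(p, ACCESS_EXEC, off, rip, NULL); }
void guest_write(struct split_page *p, size_t off, uint8_t v, uint64_t rip) {
    guest_access(p, ACCESS_WRITE, off, rip, NULL);   /* tears the split down if one is active */
    p->page[off % PAGE_SIZE] = v;
}

/* Walks the thread's scenario; returns 0, or the number of the first check that failed. */
int demo_split_page(void) {
    static struct split_page p;                  /* two 4 KiB buffers: keep them off the stack */
    uint8_t code[64], int3 = 0xCC;
    enum split_result r;
    memset(code, 0x90, sizeof code);             /* constructed "code page": a run of NOPs */
    split_init(&p, code, sizeof code);
    split_create(&p);
    if (!split_patch(&p, 0x10, &int3, 1)) return 1;        /* step 6: INT 3 in the executed copy only */
    if (guest_read(&p, 0x10, 0x1000) != 0x90) return 2;    /* a read of the page sees the pristine byte */
    if (guest_exec(&p, 0x10, 0x2010) != 0xCC) return 3;    /* execution reaches the breakpoint */
    if (guest_read(&p, 0x10, 0x1000) != 0x90 || p.flips != 3) return 4;
    /* Edge case: the instruction at 0x2030 executes from and reads the same page. */
    guest_access(&p, ACCESS_EXEC, 0x30, 0x2030, &r);
    guest_access(&p, ACCESS_READ, 0x31, 0x2030, &r);
    guest_access(&p, ACCESS_EXEC, 0x30, 0x2030, &r);
    if (r != SPLIT_NEEDS_STEP) return 5;
    split_rearm(&p); if (p.perms != EPT_X) return 6;       /* caller single-stepped; execute-only again */
    guest_write(&p, 0x20, 0x42, 0x1200);                   /* step 5: a write tears the split down */
    if (p.split || guest_read(&p, 0x10, 0x1000) != 0x90) return 7;  /* breakpoint gone, page pristine */
    if (guest_read(&p, 0x20, 0x1000) != 0x42) return 8;    /* and the write landed */
    return 0;
}

int main(void) {
    int rc = demo_split_page();
    printf("split-page walkthrough: %s (code %d)\n", rc == 0 ? "all checks passed" : "check failed", rc);
    return rc;
}
```

The model keeps the thread's division of labour: reads resolve to the snapshot, execution to the patched copy, and the first write collapses the split and restores the pristine bytes, which is why the post above says writes are recoverable. What it does not model is the real cost, namely a VM exit on every flip, so a page that alternates between data reads and execution will exit constantly even when no single instruction is stuck.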
tigerite
How do I cheat?
Reputation: 0

Joined: 16 May 2007
Posts: 9

Posted: Thu Feb 11, 2016 4:04 am

Thanks for posting this, it's really useful, so do I take that to mean you're using Linux and running Windows as a (K)VM within it? If so, it's funny because I've started doing something similar, you may want to look into DRAKVUF as well, it's mostly for malware analysis but could come in useful to monitor what system calls games are making.
kabachi
How do I cheat?
Reputation: 0

Joined: 08 May 2015
Posts: 7

Posted: Sun Feb 14, 2016 6:38 pm

tigerite wrote:
Thanks for posting this, it's really useful, so do I take that to mean you're using Linux and running Windows as a (K)VM within it? If so, it's funny because I've started doing something similar, you may want to look into DRAKVUF as well, it's mostly for malware analysis but could come in useful to monitor what system calls games are making.

DRAKVUF is actually very interesting. What I have now requires a common injector and you can just write your DLL so that it conceals its own code section and any patches it makes. I am thinking of writing a hypervisor-based DLL/process injector and DRAKVUF claims to have something along these lines. This would require some windows kernel hooking from the hypervisor, which is really some wild stuff. It is encouraging if somebody got it working and has it available open source. I am also sure there is a reason they only support Windows 7 :)