Turning off hypervisor and resuming OS in 100 instructions FASM CON 2009, Myjava, Slovak republic by Feryno, Czechoslovakia.


1 Turning off hypervisor and resuming OS in 100 instructions FASM CON 2009, Myjava, Slovak republic by Feryno, Czechoslovakia

2
The hypervisor (ring -1) and the OS (ring 0 + ring 3) are running correctly (Intel IA-32e mode, i.e. 64-bit long mode).
The hypervisor uses its own private virtual memory translation tables (a private CR3, not shared with the OS).
How to turn off the hypervisor and resume the OS?

3
Ring 0 may initiate the shutdown using the VMCALL instruction (3-byte instruction, 0F 01 C1; privileged, ring 0 only).
Ring 3 may initiate the shutdown using the CPUID instruction (2-byte instruction, 0F A2).
Both instructions cause an unconditional VM exit = a transfer from ring 0 or ring 3 into ring -1.
Note that whatever the hypervisor accepts over the CPUID path is reachable from any unprivileged process, so the exit handler has to check the request itself, not just the instruction that caused the exit.

4
ring0_initialization:
    mov rax, shutdown_magic_number
    vmcall                          ; VM exit into the hypervisor; execution resumes at the next instruction once the hypervisor is gone
    jbe failure                     ; VMfail leaves CF=1 (VMfailInvalid) or ZF=1 (VMfailValid)
    call cleanup

5
; ring -1 part:
vm_exit_handler:
    push rax
    mov eax, 4402h                  ; VMCS encoding: exit reason
    vmread rax, rax                 ; read the VMCS field
    cmp ax, 18                      ; basic exit reason 18 = VM exit caused by VMCALL
    pop rax
    jz vm_exit_handler_18

6
vm_exit_handler_18:
    cmp rax, shutdown_magic_number
    jz hypervisor_shutdown
    ...
vm_exit_handler_18_bad_request:
    push rax rcx rdx
    mov ecx, 6820h                  ; VMCS encoding: guest RFLAGS
    vmread rax, rcx                 ; read guest RFLAGS into RAX
    ; signal VMfailValid to the guest: CF=0, PF=0, AF=0, ZF=1, SF=0, OF=0
    and eax, not ((1 shl 0) + (1 shl 2) + (1 shl 4) + (1 shl 7) + (1 shl 11))
    or al, 1 shl 6                  ; RFLAGS.ZF = 1 (bit 6 of RFLAGS)
    vmwrite rcx, rax                ; write guest RFLAGS back into the VMCS field
    mov eax, 440Ch                  ; VMCS encoding: VM-exit instruction length
    vmread rcx, rax                 ; instruction length, rcx = 3 for the VMCALL instruction
    mov eax, 681Eh                  ; VMCS encoding: guest RIP
    vmread rdx, rax                 ; read guest RIP
    add rcx, rdx                    ; point guest RIP past the VMCALL; otherwise the guest re-executes it and exits again
    vmwrite rax, rcx                ; write guest RIP into the VMCS field
    pop rdx rcx rax
    vmresume
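The dispatch on slide 5 and the bad-request path on slide 6 rest on two conventions: how a VMCS field encoding is composed (access type, index, field type, width) and which RFLAGS bits report VMsucceed, VMfailValid and VMfailInvalid to the guest. The C below is an added example written for this page, not Feryno's code: it decodes the encodings the slides use and models the handler's effect on a constructed guest state. The slides name shutdown_magic_number but never give its value, so the constant here is a placeholder.

```c
#include <stdint.h>
#include <stdio.h>

/* VMCS field encoding layout (Intel SDM, "Field Encoding in VMCS"):
 *   bit 0       access type: 0 = full field, 1 = high 32 bits of a 64-bit field
 *   bits 9:1    index within the (type, width) group
 *   bits 11:10  type: 0 control, 1 VM-exit information (read-only), 2 guest state, 3 host state
 *   bits 14:13  width: 0 = 16-bit, 1 = 64-bit, 2 = 32-bit, 3 = natural width */
enum vmcs_type  { VMCS_CONTROL = 0, VMCS_EXIT_INFO = 1, VMCS_GUEST = 2, VMCS_HOST = 3 };
enum vmcs_width { VMCS_W16 = 0, VMCS_W64 = 1, VMCS_W32 = 2, VMCS_WNATURAL = 3 };

struct vmcs_enc { unsigned high, index, type, width; };

static struct vmcs_enc vmcs_decode(uint32_t enc)
{
    struct vmcs_enc e;
    e.high  = enc & 1;
    e.index = (enc >> 1) & 0x1ff;
    e.type  = (enc >> 10) & 3;
    e.width = (enc >> 13) & 3;
    return e;
}

/* RFLAGS status bits that VMX instructions use to report their outcome. */
#define RF_CF (1ull << 0)
#define RF_PF (1ull << 2)
#define RF_AF (1ull << 4)
#define RF_ZF (1ull << 6)
#define RF_SF (1ull << 7)
#define RF_OF (1ull << 11)
#define RF_STATUS (RF_CF | RF_PF | RF_AF | RF_ZF | RF_SF | RF_OF)

static uint64_t rflags_vmsucceed(uint64_t rflags)      { return rflags & ~RF_STATUS; }           /* slide 26 */
static uint64_t rflags_vmfail_valid(uint64_t rflags)   { return (rflags & ~RF_STATUS) | RF_ZF; } /* slide 6 */
static uint64_t rflags_vmfail_invalid(uint64_t rflags) { return (rflags & ~RF_STATUS) | RF_CF; }

/* The guest's check after VMCALL is "jbe failure": taken when CF=1 or ZF=1. */
static int guest_jbe_taken(uint64_t rflags) { return (rflags & (RF_CF | RF_ZF)) != 0; }

#define EXIT_REASON_VMCALL 18u
/* Placeholder for the slides' shutdown_magic_number; the real value is not on the slides. */
#define SHUTDOWN_MAGIC_NUMBER 0x00000000C0FFEE00ull

/* Guest fields the slide-5/6 handler reads and writes through VMREAD/VMWRITE. */
struct guest_state { uint64_t rip, rflags, rax; uint32_t exit_instr_len; };

/* -1: not a VMCALL exit (other handlers take over)
 *  1: shutdown request accepted, control would go to hypervisor_shutdown
 *  0: bad request: guest gets VMfailValid flags and RIP advanced past the VMCALL */
static int handle_vmcall_exit(struct guest_state *g, uint32_t exit_reason)
{
    if ((exit_reason & 0xffff) != EXIT_REASON_VMCALL)   /* "cmp ax,18" looks at the basic reason only */
        return -1;
    if (g->rax == SHUTDOWN_MAGIC_NUMBER)
        return 1;
    g->rflags = rflags_vmfail_valid(g->rflags);
    g->rip   += g->exit_instr_len;                       /* 3 for VMCALL; skipping it prevents an exit loop */
    return 0;
}

/* Constructed guest: VMCALL at 0x1000 (3 bytes), RFLAGS 0x246 (IF, ZF, PF set). */
static struct guest_state demo_state(uint64_t rax)
{
    struct guest_state g = { 0x1000, 0x246, rax, 3 };
    return g;
}
static int demo_result(uint64_t rax, uint32_t exit_reason)
{
    struct guest_state g = demo_state(rax);
    return handle_vmcall_exit(&g, exit_reason);
}
static struct guest_state demo_after(uint64_t rax, uint32_t exit_reason)
{
    struct guest_state g = demo_state(rax);
    handle_vmcall_exit(&g, exit_reason);
    return g;
}

int main(void)
{
    uint32_t encs[] = { 0x0800, 0x4402, 0x440C, 0x681E, 0x6820, 0x6826 };
    for (unsigned i = 0; i < sizeof encs / sizeof encs[0]; i++) {
        struct vmcs_enc e = vmcs_decode(encs[i]);
        printf("%04X: type %u width %u index %u\n", encs[i], e.type, e.width, e.index);
    }
    struct guest_state g = demo_after(0, EXIT_REASON_VMCALL);
    printf("bad request: result %d, rip %#llx, rflags %#llx, guest jbe taken %d\n",
           demo_result(0, EXIT_REASON_VMCALL), (unsigned long long)g.rip,
           (unsigned long long)g.rflags, guest_jbe_taken(g.rflags));
    return 0;
}
```

Running it shows why the slides read 0800h as a 16-bit guest field, 4402h and 440Ch as 32-bit read-only exit information, and 681Eh/6820h/6826h as natural-width guest state, and that a rejected VMCALL leaves the guest at the next instruction with ZF=1, which is exactly what its `jbe failure` tests.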

7
hypervisor_shutdown:
    prologue
    read the necessary information using VMREAD instructions
    execute the VMXOFF instruction
    restore the necessary registers
    epilogue and let the OS run

8
; data and structure used by the shutdown
; data: the VMCS field encodings to read
VMCS_fields_encodings:
    dw 0800h                        ; guest ES selector
    dw 0802h                        ; guest CS selector
    dw 0804h                        ; guest SS selector
    dw 0806h                        ; guest DS selector
    dw 0808h                        ; guest FS selector
    dw 080Ah                        ; guest GS selector
    dw 080Ch                        ; guest LDTR selector
    dw 080Eh                        ; guest TR selector
    ...
    dw 6826h                        ; guest IA32_SYSENTER_EIP
NUMBER_OF_VMCS_FIELDS = ($ - VMCS_fields_encodings) / 2
; there are about 20-30 words of data
; structure: one qword per field read
struc VMCS_FIELDS {
    .guest_ES_selector          dq ?
    .guest_CS_selector          dq ?
    .guest_SS_selector          dq ?
    .guest_DS_selector          dq ?
    .guest_FS_selector          dq ?
    .guest_GS_selector          dq ?
    .guest_LDTR_selector        dq ?
    .guest_TR_selector          dq ?
    ...
    .guest_IA32_SYSENTER_EIP    dq ?
}
; there are about 20-30 qwords in the structure
; the count of words in the data and of qwords in the structure is the same:
; the n-th word in the data is the VMCS field encoding of the n-th qword in the structure

9
; prologue
    push rax rcx rdx rbx rbp        ; saved registers; their slots become the IRETQ frame in the epilogue
; we need some stack frame
c = NUMBER_OF_VMCS_FIELDS * 8       ; stack frame for the VMCS fields we need to read
b = 16                              ; stack frame for the IDT pseudo-descriptor
a = 16                              ; stack frame for the GDT pseudo-descriptor
    sub rsp, a+b+c

10
; read the VMCS fields into the stack frame
virtual at rsp + a + b
    sfsh VMCS_FIELDS
end virtual
    lea rdx, [VMCS_fields_encodings]
    mov ecx, NUMBER_OF_VMCS_FIELDS - 1
sd_read_all_fields:
    movzx eax, word [rdx + rcx*2]   ; n-th field encoding
    vmread qword [sfsh + rcx*8], rax ; into the n-th qword of the structure
    dec ecx
    jns sd_read_all_fields

11
; execute the VMXOFF instruction
    vmxoff
; From now on the VMxxx instructions can't be used (outside VMX operation they raise #UD).
; This is why everything necessary was already read with VMREAD.

12
Loading the OS virtual memory translation tables, two options:
Disable long mode and paging, restore the CR3 of the OS, then enable paging and long mode again. This requires an identity-mapped page (the same physical and virtual address) for the code that runs at the moment paging is disabled, when virtual memory disappears, and it is hard to do if the OS CR3 is 0000000100000000h or even higher (outside long mode CR3 can only be loaded from a 32-bit register).
Do it on the fly using the Global pages feature (the same principle used during task switching in a multitasking OS: processes have different CR3 values, but global pages stay in the TLB across the switch).

13
; loading the OS paging tables using Global pages
; We are going to change CR3 and rely on the TLB (translation lookaside buffer) to keep
; valid virtual-to-physical translations of our own pages across the switch.
; Make all pages (translation tables, code, data, stack) of the just-shutdown hypervisor
; global. We are going to execute MOV CR3,new_cr3 and the global entries stay in the TLB,
; so we will be able to continue.
; The hypervisor also had the physical pages holding its translation tables mapped into
; its own virtual memory, which makes them easy to edit from here.
    mov rax, cr4
    or al, 1 shl 7                  ; CR4.PGE (Page Global Enable, bit 7)
    mov cr4, rax

14
host_virtual_address = 0FFFF800000000000h
number_of_PT_entries = 512          ; all PT entries with the above settings fit into 1 aligned 4 kB physical page
    lea rdx, [host_PT_tables]
    mov ecx, number_of_PT_entries - 1
make_global_pages:
    mov eax, [rdx+rcx*8]            ; low dword of the PTE
    or ah, 1 shl (8-8)              ; PTE.G (global) is bit 8 of the entry = bit 0 of AH
    movnti [rdx+rcx*8], eax
    dec ecx
    jns make_global_pages

18
; Invalidate the TLB by copying CR3 into itself:
    mov rcx, cr3
    mov cr3, rcx
; All non-global TLB entries are now gone, including the stale ones that were cached before
; the PTEs were marked global. The first instruction fetched from the global code page puts
; its translation into the TLB as a global entry, and the first access to the (also global)
; stack page does the same for the stack. If the shutdown code fits into 1 global page and
; the stack into 1 global page, we may continue; if they span more pages, every one of them
; must be touched (read from the stack page, execute an instruction in the code page) to load
; them into the TLB before CR3 is switched to the OS tables.

19
; control registers
; note: the first instruction below forces the 1 global page holding the code and the 1 global
; page of the stack (sfsh is a structure on the stack) to be loaded into the TLB
    mov rax, [sfsh.guest_CR4]
    mov rcx, [sfsh.guest_CR3]
    mov rdx, [sfsh.guest_CR0]
    or al, (1 shl 7) + (1 shl 5)    ; CR4.PGE, CR4.PAE; PGE must not change across this MOV CR4
                                    ; (a change of PGE flushes the global entries too), so it is
                                    ; forced on even if the guest ran without it
    or edx, (1 shl 31) + (1 shl 0)  ; CR0.PG, CR0.PE
    mov cr4, rax
    mov cr3, rcx                    ; OS page tables; only our global TLB entries keep this code running
    mov cr0, rdx

20
; descriptor tables: 10-byte pseudo-descriptors (16-bit limit, then 64-bit base) built
; at the top of the a and b stack frames
    mov ax, word [sfsh.guest_GDTR_limit]
    mov cx, word [sfsh.guest_IDTR_limit]
    mov word [rsp + 8-2], ax
    mov word [rsp + a + 8-2], cx
    mov rdx, [sfsh.guest_GDTR_base]
    mov rax, [sfsh.guest_IDTR_base]
    mov [rsp + 8], rdx
    mov [rsp + a + 8], rax
    lgdt [rsp + 8-2]
    lidt [rsp + a + 8-2]

21
; selectors
    mov es, word [sfsh.guest_ES_selector]
    mov ds, word [sfsh.guest_DS_selector]
    mov fs, word [sfsh.guest_FS_selector]
    mov gs, word [sfsh.guest_GS_selector]
    lldt word [sfsh.guest_LDTR_selector]
; FS base and GS base will be updated later; updating them before loading the FS and GS
; selectors is useless (loading FS or GS always destroys the old FS/GS base)

22
; task register (first make the busy TSS available: LTR of a busy TSS raises #GP)
; rdx = guest GDT base (still loaded from slide 20)
    movzx eax, word [sfsh.guest_TR_selector]
    mov ecx, eax
    and al, not 111b                ; descriptor offset: drop RPL and TI
    ; test cl, 100b                 ; TI (Table Indicator)
    ; jz vm_exit_handler_18_L0
    ; mov rdx, [sfsh.guest_LDTR_base]   ; not needed: a TSS can't be in the LDT because of #GP
    ; vm_exit_handler_18_L0:
    and byte [rdx+rax*1+5], not 0010b   ; access byte: type 1011b (busy 64-bit TSS) -> 1001b (available)
    ltr cx
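Slides 14, 20 and 22 each patch a memory structure by hand: the G bit of every page-table entry, the 10-byte pseudo-descriptor that LGDT/LIDT read, and the busy bit in the access byte of the TSS descriptor. The C below is an added example (not from the presentation) that performs the same byte-level edits on constructed structures and adds the checks a careful implementation would make before LTR: TI must be 0, the descriptor must be present, a system descriptor, and of 64-bit TSS type, and it must fit within the GDT limit. The GDT layout, selector 0x40 and the base addresses are made up for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PTE_G (1ull << 8)                   /* Global: survives MOV CR3 while CR4.PGE=1 */

/* Slide 14: set the G bit in all 512 entries of one page table, in the same descending order.
 * Returns how many entries were not global before. Bit 8 lives in the low dword, which is
 * why the slide can store only EAX with MOVNTI. */
static unsigned pt_make_global(uint64_t pt[512])
{
    unsigned changed = 0;
    for (int i = 511; i >= 0; i--) {
        if (!(pt[i] & PTE_G)) changed++;
        pt[i] |= PTE_G;
    }
    return changed;
}

/* Slide 20: in 64-bit mode LGDT/LIDT read a 10-byte pseudo-descriptor, 16-bit limit followed
 * by 64-bit base. The slide places it at the top of a 16-byte frame, limit at +6 and base at +8,
 * so the LGDT operand is frame+6. */
static void pseudo_desc_store(uint8_t frame[16], uint16_t limit, uint64_t base)
{
    memset(frame, 0, 16);
    memcpy(frame + 6, &limit, sizeof limit);
    memcpy(frame + 8, &base, sizeof base);
}
static uint16_t pseudo_desc_limit(const uint8_t frame[16]) { uint16_t l; memcpy(&l, frame + 6, 2); return l; }
static uint64_t pseudo_desc_base(const uint8_t frame[16])  { uint64_t b; memcpy(&b, frame + 8, 8); return b; }

/* Slide 22: descriptor byte 5 is the access byte: P (bit 7), DPL (6:5), S (4), type (3:0).
 * A 64-bit TSS is type 1001b when available and 1011b when busy. LTR faults with #GP on a busy
 * TSS, so the slide clears type bit 1 first. A TSS descriptor cannot live in the LDT (TI must be 0). */
enum { TSS64_AVAIL = 0x9, TSS64_BUSY = 0xB };

/* Returns the selector to hand to LTR, or -1 if selector/descriptor is not a usable TSS. */
static int tss_make_available(uint8_t *gdt, uint16_t gdt_limit, uint16_t tr_sel)
{
    unsigned off = tr_sel & ~7u;                        /* and al, not 111b: drop RPL and TI */
    if (tr_sel & 4) return -1;                          /* TI=1 */
    if (off + 16 > (unsigned)gdt_limit + 1) return -1;  /* 64-bit TSS descriptors are 16 bytes */
    uint8_t access = gdt[off + 5];
    if (!(access & 0x80)) return -1;                    /* not present */
    if (access & 0x10) return -1;                       /* S=1: code/data, not a system descriptor */
    unsigned type = access & 0xF;
    if (type != TSS64_BUSY && type != TSS64_AVAIL) return -1;
    gdt[off + 5] = (uint8_t)(access & ~0x02);           /* and byte [gdt+off+5], not 0010b */
    return tr_sel;
}

int main(void)
{
    uint64_t pt[512];
    for (int i = 0; i < 512; i++) pt[i] = ((uint64_t)i << 12) | 0x3;  /* constructed: present, writable */
    printf("PTEs made global: %u\n", pt_make_global(pt));

    uint8_t frame[16];
    pseudo_desc_store(frame, 0x7F, 0xFFFFF80000001000ull);            /* constructed GDTR */
    printf("pseudo-descriptor: limit %#x base %#llx\n", (unsigned)pseudo_desc_limit(frame),
           (unsigned long long)pseudo_desc_base(frame));

    uint8_t gdt[0x50] = { 0 };
    gdt[0x40 + 5] = 0x8B;                                             /* constructed: present, DPL 0, busy 64-bit TSS */
    int sel = tss_make_available(gdt, sizeof gdt - 1, 0x40);
    printf("LTR selector %#x, access byte now %#x\n", sel, (unsigned)gdt[0x45]);
    return 0;
}
```

The slide skips the checks because it trusts the guest state the CPU just saved; the checks matter as soon as the same routine is reused on state that came from anywhere else.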

23
; FS base, GS base (never before updating the FS, GS selectors)
    mov ecx, MSR_IA32_FS_BASE       ; 0C0000100h
    mov eax, dword [sfsh.guest_FS_base]
    mov edx, dword [sfsh.guest_FS_base+4]
    wrmsr
    mov ecx, MSR_IA32_GS_BASE       ; 0C0000101h
    mov eax, dword [sfsh.guest_GS_base]
    mov edx, dword [sfsh.guest_GS_base+4]
    wrmsr

24
; SYSENTER MSRs
    mov ecx, MSR_IA32_SYSENTER_CS   ; 174h
    mov eax, dword [sfsh.guest_IA32_SYSENTER_CS]    ; 32-bit VMCS field, upper half is zero
    xor edx, edx
    wrmsr
    mov ecx, MSR_IA32_SYSENTER_ESP  ; 175h
    mov eax, dword [sfsh.guest_IA32_SYSENTER_ESP]
    mov edx, dword [sfsh.guest_IA32_SYSENTER_ESP+4]
    wrmsr
    mov ecx, MSR_IA32_SYSENTER_EIP  ; 176h
    mov eax, dword [sfsh.guest_IA32_SYSENTER_EIP]
    mov edx, dword [sfsh.guest_IA32_SYSENTER_EIP+4]
    wrmsr

25
; debug registers
    test dword [sfsh.VM_exit_controls], 1 shl 2     ; "save debug controls" VM-exit control (field 400Ch)
    jz after_restoring_guest_debug_state
    ; the CPU saved the guest debug state into the guest VMCS fields during the VM exit; restore it
    mov ecx, MSR_IA32_DEBUGCTL      ; 1D9h
    mov eax, dword [sfsh.guest_IA32_DEBUGCTL]
    mov edx, dword [sfsh.guest_IA32_DEBUGCTL + 4]
    wrmsr
    mov rax, [sfsh.guest_DR7]
    mov dr7, rax
after_restoring_guest_debug_state:

26
; preparing RIP, CS, RFLAGS, RSP, SS for IRETQ
    mov rbp, [sfsh.guest_RIP]
    add rbp, [sfsh.vm_exit_instruction_length]      ; return to the instruction after the VMCALL
    movzx ebx, word [sfsh.guest_CS_selector]
    mov edx, dword [sfsh.guest_RFLAGS]
    mov rcx, [sfsh.guest_RSP]
    movzx eax, word [sfsh.guest_SS_selector]
    ; signal VMsucceed to the guest: CF=0, PF=0, AF=0, ZF=0, SF=0, OF=0
    and edx, not ((1 shl 0) + (1 shl 2) + (1 shl 4) + (1 shl 6) + (1 shl 7) + (1 shl 11))

27
; procedure epilogue + resuming the OS
    add rsp, a+b+c                  ; discard the stack frame; the five registers pushed in the prologue are at [rsp]
    xchg [rsp+8*0], rbp             ; restore RBP and store RIP
    xchg [rsp+8*1], rbx             ; restore RBX and store CS
    xchg [rsp+8*2], rdx             ; restore RDX and store RFLAGS
    xchg [rsp+8*3], rcx             ; restore RCX and store RSP
    xchg [rsp+8*4], rax             ; restore RAX and store SS
    iretq                           ; db 48h,0CFh: pops RIP, CS, RFLAGS, RSP, SS (runs the OS)

28
; cleanup (ring 0 part, continuing slide 4)
    mov rax, shutdown_magic_number
    vmcall                          ; when this returns the hypervisor is gone and we run on the OS page tables
    jbe failure
    call cleanup
    ; ... ring 0 continues here

cleanup:
; The global TLB entries of the hypervisor's pages survived the MOV CR3 on slide 19 and still
; translate its virtual addresses. A MOV CR3 will never remove them; INVLPG does, global or not.
    mov rax, host_virtual_address
    mov ecx, (number_of_PT_entries-1)*1000h
remove_TLB_entries:
    invlpg [rax+rcx*1]
    sub ecx, 1000h
    jnc remove_TLB_entries
    ret

29
That was a way to turn off a hypervisor and resume the OS in about 100 instructions. Good? No. It is VERY POOR!!! Now a guy who is able to turn off a hypervisor in 1 instruction!!!

31
The guy is now thinking hard about how to resume the OS in 1 instruction!!!

