How to complete ForEachLogicalCore () in the driver #43

Open
LLLZed opened this issue Jan 14, 2020 · 4 comments

Comments

LLLZed commented Jan 14, 2020

```cpp
vcpu_t* vcpu_list = hvpp::hypervisor::get_vcpu_list();

for (uint32_t i = 0; i < mp::cpu_count(); i++)
{
  // Split the 2MB page where the code we want to hook resides.
  vcpu_list[i].ept().split_2mb_to_4kb(page_exec & ept_pd_t::mask, page_exec & ept_pd_t::mask);
  // Set execute-only access on the page we want to hook.
  vcpu_list[i].ept().map_4kb(page_exec, page_exec, epte_t::access_type::execute);
  // We've changed EPT structure - mappings derived from EPT need to be invalidated.
  vmx::invept_single_context(vcpu_list[i].ept().ept_pointer());
}
```

Hello, I had some problems while modifying your code as a toy. I plan to port the function ForEachLogicalCore() to the kernel so that when the program exits, the driver can automatically recover the hidden memory. But the code I wrote raises a DRIVER_IRQL_NOT_LESS_OR_EQUAL exception.

wbenny (Owner) commented Jan 14, 2020

It doesn't work that way, unfortunately. You must issue the invept instruction on the CPU that the EPT belongs to. Use mp::ipi_call() for this - it's basically your "ForEachLogicalCore", except that it runs at IRQL 14.
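As an added example (my code, not hvpp's and not wbenny's): the user-mode half of this pattern, a portable ForEachLogicalCore that pins the calling thread to each core it is allowed to run on, invokes a callback there, and restores the affinity afterwards. The names are mine; the (core_index, context) callback shape follows KeIpiGenericCall, and hvpp's exact mp::ipi_call signature is not verified here, so treat that mapping as an assumption. The reason a plain loop over the vcpu list is not enough is architectural: INVEPT only invalidates mappings cached by the logical processor that executes it, so the invept for a given vCPU's EPT has to run on that processor. In the driver that per-processor execution comes from mp::ipi_call / KeIpiGenericCall, which runs the callback on every processor at IPI_LEVEL (IRQL 14 on x64).

```cpp
// Added example: user-mode "for each logical core" by thread affinity.
// In a driver the same role is played by mp::ipi_call / KeIpiGenericCall,
// whose callback runs on every processor at IPI_LEVEL (IRQL 14 on x64).
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            // sched_setaffinity / CPU_SET on glibc
#endif
#include <cstdint>
#include <cstdio>
#include <vector>
#ifdef _WIN32
#  include <windows.h>
#else
#  include <sched.h>
#endif

// (core_index, context) style, modelled on KeIpiGenericCall's (void*) context.
// Assumption: hvpp's mp::ipi_call signature is not checked here.
using core_callback_t = void (*)(uint32_t core_index, void* context);

// Cores this thread may run on. Containers and restricted process affinity
// make this a subset of the machine, and pinning outside it fails, so the
// loop never assumes 0..cpu_count-1.
std::vector<uint32_t> allowed_cores()
{
  std::vector<uint32_t> cores;
#ifdef _WIN32
  DWORD_PTR process_mask = 0, system_mask = 0;
  if (!GetProcessAffinityMask(GetCurrentProcess(), &process_mask, &system_mask))
    return cores;
  for (uint32_t i = 0; i < sizeof(DWORD_PTR) * 8; ++i)
    if (process_mask & (static_cast<DWORD_PTR>(1) << i))
      cores.push_back(i);
#else
  cpu_set_t set;
  CPU_ZERO(&set);
  if (sched_getaffinity(0, sizeof(set), &set) != 0)
    return cores;
  for (int i = 0; i < CPU_SETSIZE; ++i)
    if (CPU_ISSET(i, &set))
      cores.push_back(static_cast<uint32_t>(i));
#endif
  return cores;
}

// Restrict the calling thread to exactly these cores.
static bool set_affinity(const std::vector<uint32_t>& cores)
{
#ifdef _WIN32
  DWORD_PTR mask = 0;
  for (uint32_t c : cores) mask |= static_cast<DWORD_PTR>(1) << c;
  return SetThreadAffinityMask(GetCurrentThread(), mask) != 0;
#else
  cpu_set_t set;
  CPU_ZERO(&set);
  for (uint32_t c : cores) CPU_SET(c, &set);
  return sched_setaffinity(0, sizeof(set), &set) == 0;
#endif
}

// Core the calling thread is executing on right now.
uint32_t current_core()
{
#ifdef _WIN32
  return GetCurrentProcessorNumber();
#else
  int c = sched_getcpu();
  return c < 0 ? UINT32_MAX : static_cast<uint32_t>(c);
#endif
}

// Run callback once on every allowed core; returns cores visited, -1 on error.
// Driver-side the callback is the IRQL-14 one, so only IPI-safe work (the
// invept itself) belongs in it; allocations and anything pageable go before.
int for_each_logical_core(core_callback_t callback, void* context)
{
  const std::vector<uint32_t> original = allowed_cores();
  if (original.empty())
    return -1;
  int visited = 0;
  for (uint32_t core : original)
  {
    if (!set_affinity({core}))  // pin to one core; the scheduler moves us there
      break;
    callback(core, context);
    ++visited;
  }
  set_affinity(original);       // undo the pinning
  return visited;
}

// Demo callback: records where it ran. In the driver this is where the
// per-vCPU invept would be issued.
struct visit_log_t
{
  std::vector<uint32_t> visited;
  uint32_t mismatches = 0;      // ran on a core other than the requested one
};

static void record_visit(uint32_t expected_core, void* context)
{
  auto* log = static_cast<visit_log_t*>(context);
  const uint32_t actual = current_core();
  log->visited.push_back(actual);
  if (actual != expected_core)
    ++log->mismatches;
}

visit_log_t run_demo()
{
  visit_log_t log;
  for_each_logical_core(record_visit, &log);
  return log;
}

int main()
{
  const visit_log_t log = run_demo();
  for (uint32_t c : log.visited) std::printf("callback ran on core %u\n", c);
  std::printf("%zu cores visited, %u mismatches\n", log.visited.size(), log.mismatches);
  return log.mismatches == 0 ? 0 : 1;
}
```

Pinning uses sched_setaffinity on Linux and SetThreadAffinityMask on Windows; both move the calling thread before returning, which is what lets the callback assume it is on the requested core. The kernel-mode version has the extra constraint the thread is about: whatever the callback does must be legal at IRQL 14, so any step that allocates from an IRQL-limited allocator, touches pageable memory or waits has to be moved out of the IPI callback and done beforehand, leaving the per-processor invept inside it.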

LLLZed (Author) commented Jan 14, 2020

It's amazing; you are really an energetic and excellent technician. I didn't think I could get your reply in such a short time. I will try the method you proposed.

> Unfortunately, this approach won't work. You must issue the invept instruction on the CPU that the EPT belongs to. Use mp::ipi_call() for this - it is basically your "ForEachLogicalCore", except that it runs at IRQL 14.

LLLZed (Author) commented Jan 14, 2020

> It doesn't work that way, unfortunately. You must issue the invept instruction on the CPU that the EPT belongs to. Use mp::ipi_call() for this - it's basically your "ForEachLogicalCore", except that it runs at IRQL 14.

Thank you very much for your previous guidance, but after four hours of hard work I still cannot use this function to call split_2mb_to_4kb; it causes the system to crash, and I hope to get your help. Could you please write an example?

Hiramsgit commented
> > It doesn't work that way, unfortunately. You must issue the invept instruction on the CPU that the EPT belongs to. Use mp::ipi_call() for this - it's basically your "ForEachLogicalCore", except that it runs at IRQL 14.
>
> Thank you very much for your previous guidance, but after four hours of hard work I still cannot use this function to call split_2mb_to_4kb; it causes the system to crash, and I hope to get your help. Could you please write an example?

You cannot use ipi_call with a vmexit handler.
