1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
|
/*++
Copyright (c) Alex Ionescu. All rights reserved.
Module Name:
shvos.c
Abstract:
This module implements the OS-facing Windows stubs for SimpleVisor.
Author:
Alex Ionescu (@aionescu) 29-Aug-2016 - Initial version
Environment:
Kernel mode only.
--*/
#include <ntifs.h>
#include <stdarg.h>
#include "..\shv_x.h"
#pragma warning(disable:4221)
#pragma warning(disable:4204)
NTKERNELAPI
_IRQL_requires_max_(APC_LEVEL)
_IRQL_requires_min_(PASSIVE_LEVEL)
_IRQL_requires_same_
VOID
KeGenericCallDpc (
_In_ PKDEFERRED_ROUTINE Routine,
_In_opt_ PVOID Context
);
NTKERNELAPI
_IRQL_requires_(DISPATCH_LEVEL)
_IRQL_requires_same_
VOID
KeSignalCallDpcDone (
_In_ PVOID SystemArgument1
);
NTKERNELAPI
_IRQL_requires_(DISPATCH_LEVEL)
_IRQL_requires_same_
LOGICAL
KeSignalCallDpcSynchronize (
_In_ PVOID SystemArgument2
);
DRIVER_INITIALIZE DriverEntry;
DECLSPEC_NORETURN
VOID
__cdecl
ShvOsRestoreContext2 (
_In_ PCONTEXT ContextRecord,
_In_opt_ struct _EXCEPTION_RECORD * ExceptionRecord
);
VOID
ShvVmxCleanup (
_In_ UINT16 Data,
_In_ UINT16 Teb
);
typedef struct _SHV_DPC_CONTEXT
{
PSHV_CPU_CALLBACK Routine;
struct _SHV_CALLBACK_CONTEXT* Context;
} SHV_DPC_CONTEXT, *PSHV_DPC_CONTEXT;
#define KGDT64_R3_DATA 0x28
#define KGDT64_R3_CMTEB 0x50
PVOID g_PowerCallbackRegistration;
NTSTATUS
FORCEINLINE
ShvOsErrorToError (
INT32 Error
)
{
//
// Convert the possible SimpleVisor errors into NT Hyper-V Errors
//
if (Error == SHV_STATUS_NOT_AVAILABLE)
{
return STATUS_HV_FEATURE_UNAVAILABLE;
}
if (Error == SHV_STATUS_NO_RESOURCES)
{
return STATUS_HV_NO_RESOURCES;
}
if (Error == SHV_STATUS_NOT_PRESENT)
{
return STATUS_HV_NOT_PRESENT;
}
if (Error == SHV_STATUS_SUCCESS)
{
return STATUS_SUCCESS;
}
//
// Unknown/unexpected error
//
return STATUS_UNSUCCESSFUL;
}
VOID
ShvOsDpcRoutine (
_In_ struct _KDPC *Dpc,
_In_opt_ PVOID DeferredContext,
_In_opt_ PVOID SystemArgument1,
_In_opt_ PVOID SystemArgument2
)
{
PSHV_DPC_CONTEXT dpcContext = DeferredContext;
UNREFERENCED_PARAMETER(Dpc);
__analysis_assume(DeferredContext != NULL);
__analysis_assume(SystemArgument1 != NULL);
__analysis_assume(SystemArgument2 != NULL);
//
// Execute the internal callback function
//
dpcContext->Routine(dpcContext->Context);
//
// During unload SimpleVisor uses the RtlRestoreContext function which will
// unfortunately use the "iretq" opcode in order to restore execution back.
// This causes the processor to remove the RPL bits off the segments. As
// the x64 kernel does not expect kernel-mode code to change the value of
// any segments, this results in the DS and ES segments being stuck 0x20,
// and the FS segment being stuck at 0x50, until the next context switch.
//
// If the DPC happened to have interrupted either the idle thread or system
// thread, that's perfectly fine (albeit unusual). If the DPC interrupted a
// 64-bit long-mode thread, that's also fine. However if the DPC interrupts
// a thread in compatibility-mode, running as part of WoW64, it will hit a
// GPF instantaneously and crash.
//
// Thus, set the segments to their correct value, one more time, as a fix.
//
ShvVmxCleanup(KGDT64_R3_DATA | RPL_MASK, KGDT64_R3_CMTEB | RPL_MASK);
//
// Wait for all DPCs to synchronize at this point
//
KeSignalCallDpcSynchronize(SystemArgument2);
//
// Mark the DPC as being complete
//
KeSignalCallDpcDone(SystemArgument1);
}
INT32
ShvOsPrepareProcessor (
_In_ PSHV_VP_DATA VpData
)
{
//
// Nothing to do on NT, only return SHV_STATUS_SUCCESS
//
UNREFERENCED_PARAMETER(VpData);
return SHV_STATUS_SUCCESS;
}
VOID
ShvOsUnprepareProcessor (
_In_ PSHV_VP_DATA VpData
)
{
//
// When running in VMX root mode, the processor will set limits of the
// GDT and IDT to 0xFFFF (notice that there are no Host VMCS fields to
// set these values). This causes problems with PatchGuard, which will
// believe that the GDTR and IDTR have been modified by malware, and
// eventually crash the system. Since we know what the original state
// of the GDTR and IDTR was, simply restore it now.
//
__lgdt(&VpData->SpecialRegisters.Gdtr.Limit);
__lidt(&VpData->SpecialRegisters.Idtr.Limit);
}
VOID
PowerCallback (
_In_opt_ PVOID CallbackContext,
_In_opt_ PVOID Argument1,
_In_opt_ PVOID Argument2
)
{
UNREFERENCED_PARAMETER(CallbackContext);
//
// Ignore non-Sx changes
//
if (Argument1 != (PVOID)PO_CB_SYSTEM_STATE_LOCK)
{
return;
}
//
// Check if this is S0->Sx, or Sx->S0
//
if (ARGUMENT_PRESENT(Argument2))
{
//
// Reload the hypervisor
//
ShvLoad();
}
else
{
//
// Unload the hypervisor
//
ShvUnload();
}
}
VOID
ShvOsFreeContiguousAlignedMemory (
_In_ PVOID BaseAddress
)
{
//
// Free the memory
//
MmFreeContiguousMemory(BaseAddress);
}
PVOID
ShvOsAllocateContigousAlignedMemory (
_In_ SIZE_T Size
)
{
PHYSICAL_ADDRESS lowest, highest;
//
// The entire address range is OK for this allocation
//
lowest.QuadPart = 0;
highest.QuadPart = lowest.QuadPart - 1;
//
// Allocate a contiguous chunk of RAM to back this allocation and make sure
// that it is RW only, instead of RWX, by using the new Windows 8 API.
//
return MmAllocateContiguousNodeMemory(Size,
lowest,
highest,
lowest,
PAGE_READWRITE,
KeGetCurrentNodeNumber());
}
ULONGLONG
ShvOsGetPhysicalAddress (
_In_ PVOID BaseAddress
)
{
//
// Let the memory manager convert it
//
return MmGetPhysicalAddress(BaseAddress).QuadPart;
}
VOID
ShvOsRunCallbackOnProcessors (
_In_ PSHV_CPU_CALLBACK Routine,
_In_opt_ PVOID Context
)
{
SHV_DPC_CONTEXT dpcContext;
//
// Wrap the internal routine and context under a Windows DPC
//
dpcContext.Routine = Routine;
dpcContext.Context = Context;
KeGenericCallDpc(ShvOsDpcRoutine, &dpcContext);
}
VOID
ShvOsRestoreContext(
_In_ PCONTEXT ContextRecord
)
{
ShvOsRestoreContext2(ContextRecord, NULL);
}
VOID
ShvOsCaptureContext (
_In_ PCONTEXT ContextRecord
)
{
//
// Windows provides a nice OS function to do this
//
RtlCaptureContext(ContextRecord);
}
INT32
ShvOsGetCurrentProcessorNumber (
VOID
)
{
//
// Get the group-wide CPU index
//
return (INT32)KeGetCurrentProcessorNumberEx(NULL);
}
INT32
ShvOsGetActiveProcessorCount (
VOID
)
{
//
// Get the group-wide CPU count
//
return (INT32)KeQueryActiveProcessorCountEx(ALL_PROCESSOR_GROUPS);
}
VOID
ShvOsDebugPrint (
_In_ PCCH Format,
...
)
{
va_list arglist;
//
// Call the debugger API
//
va_start(arglist, Format);
vDbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, Format, arglist);
va_end(arglist);
}
VOID
DriverUnload (
_In_ PDRIVER_OBJECT DriverObject
)
{
UNREFERENCED_PARAMETER(DriverObject);
//
// Unregister the power callback. We would not have loaded without it
//
ExUnregisterCallback(g_PowerCallbackRegistration);
//
// Unload the hypervisor
//
ShvUnload();
}
NTSTATUS
DriverEntry (
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
)
{
NTSTATUS status;
PCALLBACK_OBJECT callbackObject;
UNICODE_STRING callbackName =
RTL_CONSTANT_STRING(L"\\Callback\\PowerState");
OBJECT_ATTRIBUTES objectAttributes =
RTL_CONSTANT_OBJECT_ATTRIBUTES(&callbackName,
OBJ_CASE_INSENSITIVE |
OBJ_KERNEL_HANDLE);
UNREFERENCED_PARAMETER(RegistryPath);
//
// Make the driver (and SHV itself) unloadable
//
DriverObject->DriverUnload = DriverUnload;
//
// Create the power state callback
//
status = ExCreateCallback(&callbackObject, &objectAttributes, FALSE, TRUE);
if (!NT_SUCCESS(status))
{
return status;
}
//
// Now register our routine with this callback
//
g_PowerCallbackRegistration = ExRegisterCallback(callbackObject,
PowerCallback,
NULL);
//
// Dereference it in both cases -- either it's registered, so that is now
// taking a reference, and we'll unregister later, or it failed to register
// so we failing now, and it's gone.
//
ObDereferenceObject(callbackObject);
//
// Fail if we couldn't register the power callback
//
if (g_PowerCallbackRegistration == NULL)
{
return STATUS_INSUFFICIENT_RESOURCES;
}
//
// Load the hypervisor
//
status = ShvOsErrorToError(ShvLoad());
//
// If load of the hypervisor happened to fail, unregister previously registered
// power callback, otherwise we would get BSOD on shutdown.
//
if (!NT_SUCCESS(status))
{
ExUnregisterCallback(g_PowerCallbackRegistration);
}
return status;
}
|
