
guardmon's Introduction

Interested in developing hypervisors for research? Check out my training course!

guardmon's People

Contributors

tandasat


guardmon's Issues

BSOD (MANUALLY_INITIATED_CRASH) on 1803 / ver. 17134

Hey,
I wanted to try out your debugging framework, but sadly I always get a BSOD.
Here is a MEMORY.DMP from my system:

The logfile from GuardMon says:
00:20:26.253 INF #3 4 6244 System Log has been initialized.
00:20:26.271 INF #0 4 6244 System Initializing VMX for the processor 0.
00:20:26.346 INF #0 4 6244 System Initialized successfully.
00:20:26.347 INF #1 4 6244 System Initializing VMX for the processor 1.
After that, the BSOD with "MANUALLY_INITIATED_CRASH" gets hit.

DRIVER_IRQL_NOT_LESS_OR_EQUAL or PAGE_FAULT_IN_NONPAGED_AREA bug check on Windows 10 14316

UtilIsAccessibleAddress() fails to retrieve correct page table entries due to changes in addresses of PXE, PPE etc. It results in accessing an invalid address as a PxE entry and causing a bug check.

Addresses currently programmed

1: kd> !pte
                                           VA 0000000000000000
PXE at FFFFF6FB7DBED000    PPE at FFFFF6FB7DA00000    PDE at FFFFF6FB40000000    PTE at FFFFF68000000000
Unable to get PXE FFFFF6FB7DBED000

Addresses being used in Windows 10 14316

1: kd> u nt!MiGetPhysicalAddress l50
nt!MiGetPhysicalAddress:
...
fffff802`fdd71897 48b900409f3e7dfaffff mov rcx,0FFFFFA7D3E9F4000h
...
fffff802`fdd718b2 48b90000803e7dfaffff mov rcx,0FFFFFA7D3E800000h
...
fffff802`fdd718d0 48b9000000007dfaffff mov rcx,0FFFFFA7D00000000h

Error log

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {fffff6fb7dbed000, ff, 85, fffff8064d25420c}

*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
Probably caused by : GuardMon.sys ( GuardMon!UtilIsAccessibleAddress+4c )

Followup:     MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: fffff6fb7dbed000, memory referenced
Arg2: 00000000000000ff, IRQL
Arg3: 0000000000000085, value 0 = read operation, 1 = write operation
Arg4: fffff8064d25420c, address which referenced memory

Debugging Details:
------------------


DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING:  14316.1000.amd64fre.rs1_release.160402-2217

DUMP_TYPE:  1

BUGCHECK_P1: fffff6fb7dbed000

BUGCHECK_P2: ff

BUGCHECK_P3: 85

BUGCHECK_P4: fffff8064d25420c

WRITE_ADDRESS:  fffff6fb7dbed000 

CURRENT_IRQL:  2

FAULTING_IP: 
GuardMon!UtilIsAccessibleAddress+4c [c:\users\user\desktop\guardmon\hyperplatform\hyperplatform\util.cpp @ 448]
fffff806`4d25420c 488b00          mov     rax,qword ptr [rax]

CPU_COUNT: 4

CPU_MHZ: 8fc

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 45

CPU_STEPPING: 1

CPU_MICROCODE: 6,45,1,0 (F,M,S,R)  SIG: 1D'00000000 (cache) 1D'00000000 (init)

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  AV

PROCESS_NAME:  System

ANALYSIS_SESSION_HOST:  DESKTOP-LQSEFPE

ANALYSIS_SESSION_TIME:  04-16-2016 17:00:41.0382

ANALYSIS_VERSION: 10.0.10586.567 amd64fre

TRAP_FRAME:  ffffb800ab805b10 -- (.trap 0xffffb800ab805b10)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff6fb7dbed000 rbx=0000000000000000 rcx=fffff6fb7da00008
rdx=ffffb800ab805c80 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8064d25420c rsp=ffffb800ab805ca0 rbp=ffffa581753b3b00
 r8=ffffb800ab805c78  r9=ffffb800ab805bd0 r10=0000000000000000
r11=ffffb800ab8056d0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up di ng nz na po nc
GuardMon!UtilIsAccessibleAddress+0x4c:
fffff806`4d25420c 488b00          mov     rax,qword ptr [rax] ds:fffff6fb`7dbed000=????????????????
Resetting default scope

BAD_STACK_POINTER:  ffffb800ab8059c8

LAST_CONTROL_TRANSFER:  from fffff802fdde7629 to fffff802fdddc4b0

STACK_TEXT:  
ffffb800`ab8059c8 fffff802`fdde7629 : 00000000`0000000a fffff6fb`7dbed000 00000000`000000ff 00000000`00000085 : nt!KeBugCheckEx
ffffb800`ab8059d0 fffff802`fdde5c07 : 00000000`00000001 fffff806`4d254620 00000000`00000001 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffb800`ab805b10 fffff806`4d25420c : 00000000`5058768b fffff806`4d25174a 00000000`00000000 ffffb800`ab805fe0 : nt!KiPageFault+0x247
ffffb800`ab805ca0 fffff806`4d25ac64 : 00000000`5058768b 00000000`00000000 0c7f2cae`7e56dce0 fffff806`4d251725 : GuardMon!UtilIsAccessibleAddress+0x4c [c:\users\user\desktop\guardmon\hyperplatform\hyperplatform\util.cpp @ 448]
ffffb800`ab805d10 fffff806`4d25a887 : 00000000`505875c3 fffff806`4d253ccc ffffa581`753b3b00 00000000`002245ce : GuardMon!GMonpIsPgContext+0x54 [c:\users\user\desktop\guardmon\guardmon\guard_mon.cpp @ 279]
ffffb800`ab805d60 fffff806`4d25aa89 : ffffb800`ab805f70 00000000`00000002 00000000`00000002 fffff806`4d25a852 : GuardMon!GMonIsPgExcutionContext+0x17 [c:\users\user\desktop\guardmon\guardmon\guard_mon.cpp @ 249]
ffffb800`ab805d90 fffff806`4d256eb3 : ffffb800`ab805f70 fffff806`4d25b870 fffff806`4d25b850 ffffb800`ace12946 : GuardMon!GMonRemoveNoCr0ModificationFlag+0x29 [c:\users\user\desktop\guardmon\guardmon\guard_mon.cpp @ 160]
ffffb800`ab805df0 fffff806`4d2573bd : ffffb800`ab805f18 ffffb800`9cc95000 fffff806`4d253cc0 fffff806`4d25b740 : GuardMon!VmmpHandleRdtsc+0xc3 [c:\users\user\desktop\guardmon\hyperplatform\hyperplatform\vmm.cpp @ 437]
ffffb800`ab805e60 fffff806`4d254f7b : ffffb800`ab805f18 00000000`00000000 00000000`00000000 00000000`00000000 : GuardMon!VmmpHandleVmExit+0x1bd [c:\users\user\desktop\guardmon\hyperplatform\hyperplatform\vmm.cpp @ 240]
ffffb800`ab805ee0 fffff806`4d251345 : ffffb800`ab805f70 00000000`00000000 00000000`00000000 00000000`00000000 : GuardMon!VmmVmExitHandler+0xcb [c:\users\user\desktop\guardmon\hyperplatform\hyperplatform\vmm.cpp @ 186]
ffffb800`ab805f50 ffffb800`ab805f70 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`fffffff8 : GuardMon!AsmVmmEntryPoint+0x25 [C:\Users\user\Desktop\GuardMon\HyperPlatform\HyperPlatform\Arch\x64\x64.asm @ 148]
ffffb800`ab805f58 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`fffffff8 00000000`00000040 : 0xffffb800`ab805f70


STACK_COMMAND:  kb

THREAD_SHA1_HASH_MOD_FUNC:  bc6b408429ca6159ee390dd09f2c0be6a334e7a8

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  8febc4ec83ec099c8a2d2aedf2f7034544466616

THREAD_SHA1_HASH_MOD:  ab245e343572bc9a476077682ac489aa36af2a34

FOLLOWUP_IP: 
GuardMon!UtilIsAccessibleAddress+4c [c:\users\user\desktop\guardmon\hyperplatform\hyperplatform\util.cpp @ 448]
fffff806`4d25420c 488b00          mov     rax,qword ptr [rax]

FAULT_INSTR_CODE:  48008b48

FAULTING_SOURCE_LINE:  c:\users\user\desktop\guardmon\hyperplatform\hyperplatform\util.cpp

FAULTING_SOURCE_FILE:  c:\users\user\desktop\guardmon\hyperplatform\hyperplatform\util.cpp

FAULTING_SOURCE_LINE_NUMBER:  448

FAULTING_SOURCE_CODE:  
   444: 
   445: #if defined(_AMD64_)
   446:   const auto pxe = UtilpAddressToPxe(address);
   447:   const auto ppe = UtilpAddressToPpe(address);
>  448:   if (!pxe || !pxe->valid || !ppe || !ppe->valid) {
   449:     return false;
   450:   }
   451: #endif
   452: 
   453:   const auto is_x86_pae = UtilIsX86Pae();


SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  GuardMon!UtilIsAccessibleAddress+4c

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: GuardMon

IMAGE_NAME:  GuardMon.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  5712c871

BUCKET_ID_FUNC_OFFSET:  4c

FAILURE_BUCKET_ID:  AV_STACKPTR_ERROR_GuardMon!UtilIsAccessibleAddress

BUCKET_ID:  AV_STACKPTR_ERROR_GuardMon!UtilIsAccessibleAddress

PRIMARY_PROBLEM_CLASS:  AV_STACKPTR_ERROR_GuardMon!UtilIsAccessibleAddress

TARGET_TIME:  2016-04-16T23:23:16.000Z

OSBUILD:  14316

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  2016-04-03 00:42:04

BUILDDATESTAMP_STR:  160402-2217

BUILDLAB_STR:  rs1_release

BUILDOSVER_STR:  10.0.14316.1000.amd64fre.rs1_release.160402-2217

ANALYSIS_SESSION_ELAPSED_TIME: 1f4c

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:av_stackptr_error_guardmon!utilisaccessibleaddress

FAILURE_ID_HASH:  {c3adc55d-0eb2-f557-a195-a9273d61984d}

Followup:     MachineOwner
---------
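The crash above comes from dereferencing page-table self-map addresses that were fixed constants before build 14316 (PML4 self-reference index 0x1ED, giving PTE base FFFFF68000000000 and PXE base FFFFF6FB7DBED000). The immediates in the nt!MiGetPhysicalAddress listing correspond to a different index: FFFFFA7D00000000 = 0xFFFF000000000000 | (i << 39) | (i << 30) solves to i = 0x1F4. The following is an added, stand-alone C example (not GuardMon or HyperPlatform code) that derives all four table bases and per-VA entry addresses from a self-reference index supplied by the caller instead of hard-coding them. The derivation of 0x1F4 from the listing is my own reading of the disassembly; how a driver discovers the index on a live kernel (for example, finding the PML4 entry whose page-frame number equals the PML4's own PFN from CR3) is assumed and not shown here.

```c
/*
 * Added example, not GuardMon/HyperPlatform code.
 * x64 4-level paging: the PML4 entry at index i points back at the PML4
 * itself, so walking through that entry once, twice, three or four times
 * lands on the PTE, PDE, PDPTE ("PPE") and PML4E ("PXE") arrays. The index
 * is caller-supplied here; a kernel driver would read it from the running
 * system (assumed, not implemented in this user-mode example).
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PML4_INDEX_MASK 0x1FFULL   /* 9-bit table index */
#define PAGE_SIZE       0x1000ULL

typedef struct {
    uint16_t self_ref_index;   /* index of the self-referencing PML4 entry */
    uint64_t pte_base;         /* virtual base of the PTE array  (2^39 bytes) */
    uint64_t pde_base;         /* virtual base of the PDE array  (2^30 bytes) */
    uint64_t ppe_base;         /* virtual base of the PPE array  (2^21 bytes) */
    uint64_t pxe_base;         /* virtual base of the PXE array  (one page) */
} page_table_bases;

/* Sign-extend a 48-bit linear address to canonical 64-bit form. */
static uint64_t canonical(uint64_t va) {
    return (va & (1ULL << 47)) ? (va | 0xFFFF000000000000ULL)
                               : (va & 0x0000FFFFFFFFFFFFULL);
}

/* Derive the four table bases from the self-reference index. */
static page_table_bases bases_from_self_ref(uint16_t index) {
    uint64_t i = index & PML4_INDEX_MASK;
    page_table_bases b;
    b.self_ref_index = (uint16_t)i;
    /* Each additional use of the self-map entry peels off one paging level. */
    b.pte_base = canonical(i << 39);
    b.pde_base = canonical((i << 39) | (i << 30));
    b.ppe_base = canonical((i << 39) | (i << 30) | (i << 21));
    b.pxe_base = canonical((i << 39) | (i << 30) | (i << 21) | (i << 12));
    return b;
}

/* Recover the index from a PTE base read out of the kernel (e.g. the
 * immediate inside nt!MiGetPteAddress on builds that still have one). */
static uint16_t self_ref_index_from_pte_base(uint64_t pte_base) {
    return (uint16_t)((pte_base >> 39) & PML4_INDEX_MASK);
}

/* Address of the 8-byte entry describing `va` at each level. */
static uint64_t pte_address(const page_table_bases *b, uint64_t va) {
    return b->pte_base + ((va >> 12) & 0xFFFFFFFFFULL) * 8;  /* 36-bit index */
}
static uint64_t pde_address(const page_table_bases *b, uint64_t va) {
    return b->pde_base + ((va >> 21) & 0x7FFFFFFULL) * 8;    /* 27-bit index */
}
static uint64_t ppe_address(const page_table_bases *b, uint64_t va) {
    return b->ppe_base + ((va >> 30) & 0x3FFFFULL) * 8;      /* 18-bit index */
}
static uint64_t pxe_address(const page_table_bases *b, uint64_t va) {
    return b->pxe_base + ((va >> 39) & PML4_INDEX_MASK) * 8; /* 9-bit index */
}

/* Does `addr` fall inside the single page that holds the PXE array?
 * A hard-coded PXE pointer from an older build fails this check on a
 * kernel that uses a different self-reference index. */
static bool pxe_page_contains(const page_table_bases *b, uint64_t addr) {
    return addr >= b->pxe_base && addr < b->pxe_base + PAGE_SIZE;
}

/* Self-check: the PTE that maps the PTE array is the first PDE, and so on
 * up the chain. Returns true when the recursive layout is consistent. */
static bool layout_is_consistent(const page_table_bases *b) {
    return pte_address(b, b->pte_base) == b->pde_base &&
           pte_address(b, b->pde_base) == b->ppe_base &&
           pte_address(b, b->ppe_base) == b->pxe_base &&
           pxe_address(b, 0) == b->pxe_base;
}

int main(void) {
    /* 0x1ED: layout before build 14316; 0x1F4: derived from the listing above. */
    const uint16_t indices[] = { 0x1ED, 0x1F4 };
    const uint64_t legacy_pxe = 0xFFFFF6FB7DBED000ULL;   /* hard-coded value that crashed */
    for (size_t n = 0; n < sizeof indices / sizeof indices[0]; n++) {
        page_table_bases b = bases_from_self_ref(indices[n]);
        printf("self-ref 0x%03X: PXE %016llX PPE %016llX PDE %016llX PTE %016llX "
               "consistent=%d legacy PXE valid=%d\n",
               b.self_ref_index,
               (unsigned long long)b.pxe_base, (unsigned long long)b.ppe_base,
               (unsigned long long)b.pde_base, (unsigned long long)b.pte_base,
               layout_is_consistent(&b), pxe_page_contains(&b, legacy_pxe));
    }
    return 0;
}
```

On a 14316 kernel the legacy PXE pointer FFFFF6FB7DBED000 lies outside the PXE page of index 0x1F4, which is exactly the unmapped read at `mov rax, qword ptr [rax]` in the bugcheck: the fix is to compute the bases from the live index, not to patch in a second set of constants.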

Memory issues

I use KeReadVirtualMemory/KeWriteVirtualMemory in my own driver, but somehow, after loading up GuardMon, there is a huge delay when trying to read/write a process and communicate with it through a symbol name from a user-mode app.
Do you have an idea what could be the issue?

guardmon driver locking the virtual machine and not working correctly

I used GuardMon inside VMware and Hyper-V machines, both build 1809. When kernel-debugging the loading of the GuardMon driver on both machines, with drvloader as the loader and WinDbg as the debugger, after a few seconds and exactly two prints, every time I try it, the machine stops working: not as in shutting down/restarting, but as if I hit a breakpoint in the kernel debugger, and now the executing context of the machine is solely debugging the kernel. An example of the output given by the debugger is the following:

KDTARGET: Refreshing KD connection
17:36:01.443 INF #2 4 3028 System Log has been initialized.
17:36:01.505 INF #0 4 3028 System Initializing VMX for the processor 0.

The number in the first print after the "INF #" changes each time, but other than that the output is exactly the same.

It would help if someone could help me figure out the problem, or even detect where it's going wrong so I could try to fix it. Thank you!

Integration of DdiMon into GuardMon

Hello @tandasat!
Firstly, thank you for all your worth-knowing information about the HV topic.
I wanted to ask you whether it's possible to integrate DdiMon into GuardMon.
I tried it already, and I think I implemented it the right way, but sadly I always get a BSOD after:

21:19:57.449	INF	#5	    4	 6344	System         	Log has been initialized.
21:19:57.457	INF	#0	    4	 6344	System         	Initializing VMX for the processor 0.
21:19:57.872	INF	#0	    4	 6344	System         	Initialized successfully.
21:19:57.874	INF	#1	    4	 6344	System         	Initializing VMX for the processor 1.
21:19:58.290	INF	#1	    4	 6344	System         	Initialized successfully.
21:19:58.292	INF	#2	    4	 6344	System         	Initializing VMX for the processor 2.
21:19:58.713	INF	#2	    4	 6344	System         	Initialized successfully.
21:19:58.715	INF	#3	    4	 6344	System         	Initializing VMX for the processor 3.
21:19:59.130	INF	#3	    4	 6344	System         	Initialized successfully.
21:19:59.131	INF	#4	    4	 6344	System         	Initializing VMX for the processor 4.
21:19:59.545	INF	#4	    4	 6344	System         	Initialized successfully.
21:19:59.547	INF	#5	    4	 6344	System         	Initializing VMX for the processor 5.
21:19:59.961	INF	#5	    4	 6344	System         	Initialized successfully.
21:19:59.962	INF	#6	    4	 6344	System         	Initializing VMX for the processor 6.
21:20:00.376	INF	#6	    4	 6344	System         	Initialized successfully.
21:20:00.376	INF	#7	    4	 6344	System         	Initializing VMX for the processor 7.
21:20:00.792	INF	#7	    4	 6344	System         	Initialized successfully.
21:20:00.793	INF	#7	    4	 6344	System         	Hook has been installed at fffff8029e582010 ExAllocatePoolWithTag.
21:20:00.796	INF	#6	    4	 6344	System         	Hook has been installed at fffff8029e5839e0 ExFreePool.
21:20:00.797	INF	#5	    4	 6344	System         	Hook has been installed at fffff8029e582c60 ExFreePoolWithTag.
21:20:00.800	INF	#5	    4	 6344	System         	Hook has been installed at fffff8029e36f530 ExQueueWorkItem.
21:20:00.802	INF	#5	    4	 6344	System         	Hook has been installed at fffff8029e76f4b0 NtQuerySystemInformation.

BSOD Code: KMODE_EXCEPTION_NOT_HANDLED

If I want to do that, which HyperPlatform version I should take?
The one from DdiMon or from GuardMon?
I ported your code exactly as you created it into the right areas:

DdimonInitialization()
  DdimonpEnumExportedSymbolsCallback()  // Enumerates exports of ntoskrnl
    ShInstallHook()                     // Installs a stealth hook
  ShEnableHooks()                       // Activates installed hooks
    ShEnablePageShadowing()
      ShpEnablePageShadowingForExec()   // Configures an EPT entry as
                                        // explained in "Default state"

into the GuardMon code; it compiles, but sadly always a BSOD.
If I should post the MEMORY.DMP, please let me know, but I didn't really see anything bad in there.
Thanks for your assistance!

Disable certain features of GuardMon

Hey,
How could I disable these features of GuardMon?

    monitoring system register accesses. GuardMon is capable of logging read and write activities on CR0, CR4, debug registers, GDT, IDT and MSRs from kernel memory not backed by any images.

I don't really need it anymore; I'm just interested in the PatchGuard disarming option.
