VT-X的学习历程(一)

学习的目标

就是如何实现一个简单VT框架并拦截指令的调用以及EPTHOOK的实现。

大概的流程

  1. 检测是否允许开启VT。
    a. 我们可以从白皮书的24.6 DISCOVERING SUPPORT FOR VMX章节中得到这样的信息

    b. 其次就是设置smx

    c. 检测CPUID是否支持VT


    CPUID.1:ECX 的第5位(VMX 标志)是否为1

Define.h

#pragma once
/// Model-specific register (MSR) indices used by the VMX code.
/// See: MODEL-SPECIFIC REGISTERS (MSRS)
///
/// Each enumerator holds the index passed to RDMSR/WRMSR; cast it to an
/// integer type before handing it to an intrinsic such as __readmsr.
enum class Msr : unsigned int {
    // --- Local APIC ---
    kIa32ApicBase              = 0x0000001B,

    // --- Feature control: holds the lock bit and the VMX enable bits ---
    kIa32FeatureControl        = 0x0000003A,

    // --- SYSENTER entry-point state ---
    kIa32SysenterCs            = 0x00000174,
    kIa32SysenterEsp           = 0x00000175,
    kIa32SysenterEip           = 0x00000176,

    // --- Debug control ---
    kIa32Debugctl              = 0x000001D9,

    // --- Memory type range registers (MTRRs) ---
    kIa32MtrrCap               = 0x000000FE,
    kIa32MtrrDefType           = 0x000002FF,
    // First variable-range base/mask pair; pair n sits at +2n from these.
    kIa32MtrrPhysBaseN         = 0x00000200,
    kIa32MtrrPhysMaskN         = 0x00000201,
    // Fixed-range MTRRs.
    kIa32MtrrFix64k00000       = 0x00000250,
    kIa32MtrrFix16k80000       = 0x00000258,
    kIa32MtrrFix16kA0000       = 0x00000259,
    kIa32MtrrFix4kC0000        = 0x00000268,
    kIa32MtrrFix4kC8000        = 0x00000269,
    kIa32MtrrFix4kD0000        = 0x0000026A,
    kIa32MtrrFix4kD8000        = 0x0000026B,
    kIa32MtrrFix4kE0000        = 0x0000026C,
    kIa32MtrrFix4kE8000        = 0x0000026D,
    kIa32MtrrFix4kF0000        = 0x0000026E,
    kIa32MtrrFix4kF8000        = 0x0000026F,

    // --- VMX capability reporting ---
    kIa32VmxBasic              = 0x00000480,
    kIa32VmxPinbasedCtls       = 0x00000481,
    kIa32VmxProcBasedCtls      = 0x00000482,
    kIa32VmxExitCtls           = 0x00000483,
    kIa32VmxEntryCtls          = 0x00000484,
    kIa32VmxMisc               = 0x00000485,
    kIa32VmxCr0Fixed0          = 0x00000486,
    kIa32VmxCr0Fixed1          = 0x00000487,
    kIa32VmxCr4Fixed0          = 0x00000488,
    kIa32VmxCr4Fixed1          = 0x00000489,
    kIa32VmxVmcsEnum           = 0x0000048A,
    kIa32VmxProcBasedCtls2     = 0x0000048B,
    kIa32VmxEptVpidCap         = 0x0000048C,
    kIa32VmxTruePinbasedCtls   = 0x0000048D,
    kIa32VmxTrueProcBasedCtls  = 0x0000048E,
    kIa32VmxTrueExitCtls       = 0x0000048F,
    kIa32VmxTrueEntryCtls      = 0x00000490,
    kIa32VmxVmfunc             = 0x00000491,

    // --- Extended feature enable and SYSCALL entry-point state ---
    kIa32Efer                  = 0xC0000080,
    kIa32Star                  = 0xC0000081,
    kIa32Lstar                 = 0xC0000082,

    kIa32Fmask                 = 0xC0000084,

    // --- Segment bases and TSC auxiliary value ---
    kIa32FsBase                = 0xC0000100,
    kIa32GsBase                = 0xC0000101,
    kIa32KernelGsBase          = 0xC0000102,
    kIa32TscAux                = 0xC0000103,
};

对应的检测VMX支持的代码

#include "Utils.h"
#include"vmxDefine.h"
#include<intrin.h>
/// <summary>
/// Checks whether IA32_FEATURE_CONTROL, as read on the current processor,
/// permits VMX operation.
/// </summary>
/// <returns>
/// true when both the lock bit (bit 0) and the "enable VMX outside SMX"
/// bit (bit 2) are set; false otherwise.
/// </returns>
inline bool VmxCheckSupportedVTBios()
{
    // Bit 0 locks the register; bit 2 allows VMXON outside SMX operation.
    // VMXON faults unless the register is locked with the enable bit set,
    // so both bits are required (mask 0x5).
    constexpr ULONG64 kLockBit = 1ull << 0;
    constexpr ULONG64 kVmxOutsideSmxBit = 1ull << 2;
    constexpr ULONG64 kRequiredBits = kLockBit | kVmxOutsideSmxBit;

    const ULONG64 featureControl =
        __readmsr(static_cast<unsigned long>(Msr::kIa32FeatureControl));
    return (featureControl & kRequiredBits) == kRequiredBits;
}
/// <summary>
/// Checks the VMX feature flag that CPUID reports for the current processor.
/// </summary>
/// <returns>true when CPUID leaf 1 (sub-leaf 0) reports ECX bit 5 set.</returns>
inline bool VmxCheckSupportedVTCpuId()
{
    // __cpuidex fills the array in EAX, EBX, ECX, EDX order, so index 2 is ECX.
    constexpr int kEcxIndex = 2;
    constexpr unsigned int kVmxFeatureBit = 5;

    int regs[4] = { -1 };
    __cpuidex(regs, 1, 0);

    const unsigned int ecx = static_cast<unsigned int>(regs[kEcxIndex]);
    return ((ecx >> kVmxFeatureBit) & 1u) == 1u;
}
/// <summary>
/// Reports whether CR4 bit 13 (VMXE) is currently set on this processor.
/// </summary>
/// <returns>true when CR4.VMXE is 1; false when it is 0.</returns>
inline bool VmxCheckSupportedCr4()
{
    // NOTE(review): CR4.VMXE is a control bit that system software sets itself
    // before VMXON, not a capability flag. A set bit here usually means VMX has
    // already been enabled on this core (possibly by another hypervisor).
    // Confirm that "bit set == supported" is the intended meaning.
    constexpr unsigned int kVmxeBit = 13;

    const ULONG64 controlReg4 = __readcr4();
    return ((controlReg4 >> kVmxeBit) & 1) == 1;
}
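/// <summary>
/// Runs every VMX precondition check in this file on the current processor.
/// </summary>
/// <remarks>
/// The checks run in order: IA32_FEATURE_CONTROL, the CPUID VMX flag, then
/// CR4.VMXE. The first failure is logged through DbgPrintEx and ends the
/// function. Each check reads the state of the processor it runs on, so the
/// caller has to invoke this on every core it plans to virtualize.
/// </remarks>
/// <returns>
/// true only when all three checks pass; false as soon as one fails.
/// </returns>
bool Utils::VmxIsSupported()
{
    // DbgPrintEx arguments 77 and 0 are the component id and the level,
    // kept exactly as the original passes them.
    if (!VmxCheckSupportedVTBios())
    {
        DbgPrintEx(77, 0, "VT-BIOS is not supported!\n");
        return false;
    }

    if (!VmxCheckSupportedVTCpuId())
    {
        DbgPrintEx(77, 0, "VT-CPUID is not supported!\n");
        return false;
    }

    // NOTE(review): this requires CR4.VMXE to be set already. That bit is
    // normally set by the hypervisor itself just before VMXON, so a machine
    // with no hypervisor loaded may be rejected here. Confirm the intent.
    if (!VmxCheckSupportedCr4())
    {
        DbgPrintEx(77, 0, "VT-Cr4 is not supported!\n");
        return false;
    }

    // Every precondition held. The original fell through to `return false`,
    // so the function could never report support.
    return true;
}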

进行多核的侵染:上述MSR、CPUID、CR4读到的都是当前核心的状态,因此需要在每个核心上分别进行VT的检测。
