软件逆向-Uefi劫持Hyper-V，hook vmexit实现ept hook

原版地址:https://github.com/uefibootkit/Voyager

原版只支持到win 10 2004，我只更新了win 10 22H2的特征码，如果其他系统版本没效果请自行更新，找BlImgAllocateImageBuffer的特征就行。

另外原版的没有ept hook(hyper-v是开启ept的)，我加了个支持Intel的ept，代码写的仓促，应该有bug，移除hook只是删掉了链表里面的数据，链表并没有删掉，还有拆成4KB的2MB大页面也没恢复，已经拆开过的ept页面在删除链表数据之后应该是不触发ept违规的，有能力的自己改一下。
ept部分代码：

if (vmexit_reason == VMX_EXIT_REASON_EPT_VIOLATION) {
 
        vmx_exit_qualification_ept_violation QualificationEptViolation = { 0 };
        __vmx_vmread(VMCS_EXIT_QUALIFICATION, (size_t*)&QualificationEptViolation);
 
        auto Physical = 0ui64;
        if (QualificationEptViolation.caused_by_translation)
            __vmx_vmread(VMCS_GUEST_PHYSICAL_ADDRESS, (size_t*)&Physical);
        else
            __vmx_vmread(VMCS_EXIT_GUEST_LINEAR_ADDRESS, (size_t*)&Physical);
 
        ept_pointer ept = { 0 };
        __vmx_vmread(VMCS_CTRL_EPT_POINTER, (size_t*)&ept);
 
        mm::phys_addr_t phy = { Physical };
 
        auto pml4 = (ept_pml4e*)mm::map_page(ept.page_frame_number << 12, mm::map_type_t::map_src);
        auto pdpte = (ept_pdpte*)mm::map_page(pml4[phy.pml4_index].page_frame_number << 12, mm::map_type_t::map_src);
        auto pde2mb = (epde_2mb*)mm::map_page(pdpte[phy.pdpt_index].page_frame_number << 12, mm::map_type_t::map_src);
 
        if (!pde2mb[phy.pd_index].large_page) {
            auto pte = (ept_pte*)mm::map_page(((ept_pde*)pde2mb)[phy.pd_index].page_frame_number << 12, mm::map_type_t::map_src);
            if (pte) {
                auto pfn_1 = 0ui64;
                auto pfn_2 = 0ui64;
 
                SpinlockLock(&mm::SpinLock);
 
                PLIST_ENTRY Entry = mm::ListHead.Flink;
                while (Entry != &mm::ListHead) {
                    PLIST_ENTRY NextEntry = Entry->Flink;
                    mm::HOOK_INFO* data = CONTAINING_RECORD(Entry, mm::HOOK_INFO, List);
 
                    if (data->Physical_1 == (Physical & ~0xFFF)) {
                        pfn_1 = data->Physical_1 >> 12;
                        pfn_2 = data->Physical_2 >> 12;
                        break;
                    }
 
                    Entry = NextEntry;
                }
 
                SpinlockUnlock(&mm::SpinLock);
 
                if (pfn_1 && pfn_2) {
                    if (QualificationEptViolation.execute_access) {
                        pte[phy.pt_index].read_access = 0;
                        pte[phy.pt_index].write_access = 0;
                        pte[phy.pt_index].execute_access = 1;
                        pte[phy.pt_index].page_frame_number = pfn_2;
                    }
                    else {
                        pte[phy.pt_index].read_access = 1;
                        pte[phy.pt_index].write_access = 1;
                        pte[phy.pt_index].execute_access = 0;
                        pte[phy.pt_index].page_frame_number = pfn_1;
                    }
 
                    invept_descriptor Descriptor = { 0 };
                    mm::AsmInvept(invept_all_context, &Descriptor);
                    return;
                }
            }
        }
 
    }

原理：通过挂载自己的bootmgfw.efi，在高版本win10中，hook winload.efi里面的BlLdrLoadImage在加载hv.exe的时候添加新区段，将payload映射到里面，随后hook vmexit函数，hook BlImgAllocateImageBuffer是为了修改加载的hv.exe的Iamge大小，hook完成之后调用原bootmgfw入口正常启动系统。

支持库太大了，自行到git编译相关库
https://github.com/ionescu007/VisualUefi
https://github.com/ionescu007/edk2
另外需要装nasm

上传的附件：

Voyager-main.rar （513.38kb，2次下载）

更多【软件逆向-Uefi劫持Hyper-V，hook vmexit实现ept hook】相关视频教程：www.yxfzedu.com

软件逆向-Uefi劫持Hyper-V，hook vmexit实现ept hook

相关文章推荐

友情链接

课程目录

技术交流QQ群