

Fix #52; use kernel-mode CR3
tandasat authored and Satoshi Tanda committed Apr 1, 2018
1 parent d14633c commit 97d6ccc
Showing 2 changed files with 27 additions and 5 deletions.
2 changes: 1 addition & 1 deletion HyperPlatform/log.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -317,7 +317,7 @@ _Use_decl_annotations_ VOID static LogpReinitializationRoutine(
UNREFERENCED_PARAMETER(driver_object);
UNREFERENCED_PARAMETER(count);
NT_ASSERT(context);
__analysis_assume(context);
_Analysis_assume_(context);

auto info = reinterpret_cast<LogBufferInfo *>(context);
auto status = LogpInitializeLogFile(info);
30 changes: 26 additions & 4 deletions HyperPlatform/vmm.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -158,6 +158,8 @@ static void VmmpInjectInterruption(_In_ InterruptionType interruption_type,
_In_ bool deliver_error_code,
_In_ ULONG32 error_code);

static ULONG_PTR VmmpGetKernelCr3();

////////////////////////////////////////////////////////////////////////////////
//
// variables
Expand Down Expand Up @@ -617,7 +619,7 @@ _Use_decl_annotations_ static void VmmpHandleGdtrOrIdtrAccess(

// Update CR3 with that of the guest since below code is going to access
// memory.
const auto guest_cr3 = UtilVmRead(VmcsField::kGuestCr3);
const auto guest_cr3 = VmmpGetKernelCr3();
const auto vmm_cr3 = __readcr3();
__writecr3(guest_cr3);

Expand Down Expand Up @@ -720,7 +722,7 @@ _Use_decl_annotations_ static void VmmpHandleLdtrOrTrAccess(

// Update CR3 with that of the guest since below code is going to access
// memory.
const auto guest_cr3 = UtilVmRead(VmcsField::kGuestCr3);
const auto guest_cr3 = VmmpGetKernelCr3();
const auto vmm_cr3 = __readcr3();
__writecr3(guest_cr3);

Expand All @@ -746,7 +748,7 @@ _Use_decl_annotations_ static void VmmpHandleLdtrOrTrAccess(
const auto sd = reinterpret_cast<SegmentDescriptor *>(
UtilVmRead(VmcsField::kGuestGdtrBase) +
ss.fields.index * sizeof(SegmentDescriptor));
sd->fields.type |= 2; // Set the Busy bit
sd->fields.type |= 2; // Set the Busy bit
break;
}
}
Expand Down Expand Up @@ -879,7 +881,7 @@ _Use_decl_annotations_ static void VmmpIoWrapper(bool to_memory, bool is_string,

// Update CR3 with that of the guest since below code is going to access
// memory.
const auto guest_cr3 = UtilVmRead(VmcsField::kGuestCr3);
const auto guest_cr3 = VmmpGetKernelCr3();
const auto vmm_cr3 = __readcr3();
__writecr3(guest_cr3);

Expand Down Expand Up @@ -1340,4 +1342,24 @@ _Use_decl_annotations_ static void VmmpInjectInterruption(
}
}

// Returns a kernel CR3 value of the current process;
/*_Use_decl_annotations_*/ static ULONG_PTR VmmpGetKernelCr3() {
auto guest_cr3 = UtilVmRead(VmcsField::kGuestCr3);
// Assume it is an user-mode CR3 when the lowest bit is set. If so, get CR3
// from _KPROCESS::DirectoryTableBase.
if (guest_cr3 & 1) {
static const long kDirectoryTableBaseOffsetX64 = 0x28;
static const long kDirectoryTableBaseOffsetX86 = 0x18;
auto process = reinterpret_cast<PUCHAR>(PsGetCurrentProcess());
if (IsX64()) {
guest_cr3 =
*reinterpret_cast<PULONG_PTR>(process + kDirectoryTableBaseOffsetX64);
} else {
guest_cr3 =
*reinterpret_cast<PULONG_PTR>(process + kDirectoryTableBaseOffsetX86);
}
}
return guest_cr3;
}

} // extern "C"
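Review bot: VmmpGetKernelCr3 returns whatever it reads at the hard-coded _KPROCESS offsets (0x28 on x64, 0x18 on x86) with no validation, and the call sites in VmmpHandleGdtrOrIdtrAccess, VmmpHandleLdtrOrTrAccess and VmmpIoWrapper feed that value straight into `__writecr3`, so a stale offset on an unsupported Windows build would fault the host or switch to unrelated page tables instead of failing visibly. A cheap guard in the file's existing style would be `NT_ASSERT(guest_cr3 != 0);` just before `return guest_cr3;`, together with a comment stating that the offsets are _KPROCESS::DirectoryTableBase on the Windows versions the project supports and must be re-verified whenever a new version is added. The bit-0 heuristic also deserves a comment naming what it depends on — presumably the PCID that Windows assigns to the user-mode CR3 under KVA shadowing — so the assumption can be rechecked when that scheme changes. Whether PsGetCurrentProcess() is reliable from VM-exit context depends on the host GS base set up elsewhere, which this hunk does not show; that is worth a sentence in the function comment as well. Finally, `/*_Use_decl_annotations_*/` is commented out while the other helpers in this file carry it; either drop the comment or annotate the declaration at line 158 and use the macro.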
