AMD Cloak

fix rare case where one single cpu core would see the modified code
formylover · Sep 5, 2020 · 45d7366 · 45d7366
1 parent 35bb595
commit 45d7366
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 9 deletions.
diff --git a/dbvm/vmm/epthandler.c b/dbvm/vmm/epthandler.c
@@ -472,6 +472,7 @@ int ept_cloak_activate(QWORD physicalAddress, int mode)
   //map in the physical address descriptor for all CPU's as execute only
   pcpuinfo currentcpuinfo=firstcpuinfo;
 
+
   while (currentcpuinfo)
   {
     int cpunr=currentcpuinfo->cpunr;
@@ -503,7 +504,7 @@ int ept_cloak_activate(QWORD physicalAddress, int mode)
     {
       //Make it non-executable, and make the data read be the fake data
       _PTE_PAE temp;
-      temp=*((PPTE_PAE)&cloakdata->PhysicalAddressData);  // *(PPTE_PAE)(cloakdata->eptentry[cpunr]);
+      temp=*((PPTE_PAE)&cloakdata->PhysicalAddressData); //read data
 
       temp.P=1;
       temp.RW=1;
@@ -531,7 +532,7 @@ int ept_cloak_activate(QWORD physicalAddress, int mode)
 
 
     _wbinvd();
-    currentcpuinfo->eptUpdated=1;
+    currentcpuinfo->eptUpdated=1; //set this before unlock, so if a NP exception happens before the next vmexit is handled it knows not to remap it with full access
 
     csLeave(&currentcpuinfo->EPTPML4CS);
 
@@ -547,7 +548,6 @@ int ept_cloak_activate(QWORD physicalAddress, int mode)
 
   ept_invalidate();
 
-
   csLeave(&CloakedPagesCS);
   return 0;
 }

diff --git a/dbvm/vmm/nphandler.c b/dbvm/vmm/nphandler.c
@@ -36,7 +36,7 @@ void NPMode1CloakSetState(pcpuinfo currentcpuinfo, int state)
   //mark all other pages as no-execute
   QWORD BaseAddress=currentcpuinfo->NP_Cloak.ActiveRegion->PhysicalAddressExecutable;
 
-  sendstringf("NPMode1CloakSetState for address %6\n", BaseAddress);
+  sendstringf("NPMode1CloakSetState for address %6 (for %x:%6)\n", BaseAddress, currentcpuinfo->vmcb->cs_selector, currentcpuinfo->vmcb->cs_selector);
   int pml4index;
   int pagedirptrindex;
   int pagedirindex;
@@ -128,6 +128,13 @@ void NPMode1CloakSetState(pcpuinfo currentcpuinfo, int state)
 
 
   }
+
+
+  if (((PRFLAGS)(&currentcpuinfo->vmcb->RFLAGS))->IF)
+    currentcpuinfo->vmcb->INTERRUPT_SHADOW=1;
+
+
+
 }
 
 QWORD NPMapPhysicalMemory(pcpuinfo currentcpuinfo, QWORD physicalAddress, int forcesmallpage)
@@ -312,11 +319,15 @@ QWORD NPMapPhysicalMemory(pcpuinfo currentcpuinfo, QWORD physicalAddress, int fo
     //else already mapped
     sendstringf("This physical address (%6) was already mapped\n", physicalAddress);
 
-    //change it to full access
-    pagetable->P=1;
-    pagetable->RW=1;
-    pagetable->US=1;
-    pagetable->EXB=0;
+    //weird issue. change it to full access to prevent a full system crash
+
+    if (currentcpuinfo->eptUpdated==0) //if it's not due to a pending EPT update then make it accessible (just to prevent issues)
+    {
+      pagetable->P=1;
+      pagetable->RW=1;
+      pagetable->US=1;
+      pagetable->EXB=0;
+    }
   }
 
   csLeave(&currentcpuinfo->EPTPML4CS);