The payload solution contains a small CPUID interception example. I plan on expanding my examples to include EPT hooking and module injection/module shadowing. I also
need to locate the self referencing pml4e in hyper-v's pml4 :|....
@ -50,48 +28,6 @@ Voyager 2 contains all the code associated with the AMD part of this project. Si
the linear virtual address of the VMCB for every version of windows. GS register contains a pointer to a structure defined by MS, this structure contains alot of stuff.
Deep in this structure is a linear virtual address to the current cores VMCB.
```
#if WINVER == 2004
#define offset_vmcb_base 0x103B0
#define offset_vmcb_link 0x198
#define offset_vmcb 0xE80
#elif WINVER == 1909
#define offset_vmcb_base 0x83B0
#define offset_vmcb_link 0x190
#define offset_vmcb 0xD00
#elif WINVER == 1903
#define offset_vmcb_base 0x83B0
#define offset_vmcb_link 0x190
#define offset_vmcb 0xD00
#elif WINVER == 1809
#define offset_vmcb_base 0x83B0
#define offset_vmcb_link 0x198
#define offset_vmcb 0xD00
#elif WINVER == 1803
#define offset_vmcb_base 0x82F0
#define offset_vmcb_link 0x168
#define offset_vmcb 0xCC0
#elif WINVER == 1709
#define offset_vmcb_base 0x82F0
#define offset_vmcb_link 0x88
#define offset_vmcb 0xC80
#elif WINVER == 1703
#define offset_vmcb_base 0x82F0
#define offset_vmcb_link 0x80
#define offset_vmcb 0xBC0
#elif WINVER == 1607
#define offset_vmcb_base 0x82F0
#define offset_vmcb_link 0x90
#define offset_vmcb 0xBC0
#elif WINVER == 1511
#define offset_vmcb_base 0x82F0
#define offset_vmcb_link 0x90
#define offset_vmcb 0xC40
#endif
```
Ill probably end up sig scanning for these offsets/resolving them at runtime when i condense this project down to a single solution.
xerox
4 years ago