From 5b73264021460bc92dec429149034cff44350e2e Mon Sep 17 00:00:00 2001 From: xerox Date: Sat, 3 Oct 2020 08:59:55 +0000 Subject: [PATCH 1/8] Update README.md --- README.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 690bb45..e8e0441 100644 --- a/README.md +++ b/README.md @@ -10,4 +10,21 @@ # Voyager - A Hyper-V Hacking Framework For Windows 10 x64 (AMD & Intel) Voyager is a project designed to offer module injection and vmexit hooking for both AMD & Intel versions of Hyper-V. This project works on all versions of Windows 10-x64 (2004-1511). -The project is currently split into two individual projects, one for Intel and another for AMD. \ No newline at end of file +The project is currently split into two individual projects, one for Intel and another for AMD. + +# Voyager 1 - Intel + +Voyager 1 contains all the code associated with the Intel part of this project. Since intel has vmread/vmwrite instructions all that is needed is a simple hook on the vmexit handler +and interception can commence. + +The payload solution contains a small CPUID interception example. I plan on expanding my examples to include EPT hooking and module injection/module shadowing. I also +need to locate the self referencing pml4e in hyper-v's pml4 :|.... + + +# Voyager 2 - AMD + +Voyager 2 contains all the code associated with the AMD part of this project. Since AMD has no vmread/vmwrite operation, only vmsave/vmload I had to locate +the linear virtual address of the VMCB for every version of windows. GS register contains a pointer to a structure defined by MS, this structure contains alot of stuff. +Deep in this structure is a linear virtual address to the current cores VMCB. + +The payload for AMD is also just a cpuid interception example. \ No newline at end of file From 944adebe2991904c933209eba04f319791822418 Mon Sep 17 00:00:00 2001 
From: xerox Date: Sat, 3 Oct 2020 09:01:20 +0000 Subject: [PATCH 2/8] Update README.md --- README.md | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index e8e0441..b789149 100644 --- a/README.md +++ b/README.md @@ -27,4 +27,23 @@ Voyager 2 contains all the code associated with the AMD part of this project. Si the linear virtual address of the VMCB for every version of windows. GS register contains a pointer to a structure defined by MS, this structure contains alot of stuff. Deep in this structure is a linear virtual address to the current cores VMCB. -The payload for AMD is also just a cpuid interception example. \ No newline at end of file +The payload for AMD is also just a cpuid interception example. + +# Versions & Support + +:o: -> unknown/not tested. +:heavy_check_mark: -> tested & working. +:x: -> tested & not working. + +| Winver | AMD | Intel | VM | Bare Metal | +|--------|---------|-------|----|-------| +| 2004 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| 1909 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :o: | +| 1903 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :o: | +| 1809 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :o: | +| 1807 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :o: | +| 1803 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :o: | +| 1709 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :o: | +| 1703 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :o: | +| 1607 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :o: | +| 1511 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :o: | \ No newline at end of file From 96d4963092cd063823ba1421a2d1a833eaf779c2 Mon Sep 17 00:00:00 2001 
From: xerox Date: Sat, 3 Oct 2020 09:14:53 +0000 Subject: [PATCH 3/8] Update README.md --- README.md | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/README.md b/README.md index b789149..7680770 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,48 @@ Deep in this structure is a linear virtual address to the current cores VMCB. The payload for AMD is also just a cpuid interception example. +``` +#if WINVER == 2004 +#define offset_vmcb_base 0x103B0 +#define offset_vmcb_link 0x198 +#define offset_vmcb 0xE80 +#elif WINVER == 1909 +#define offset_vmcb_base 0x83B0 +#define offset_vmcb_link 0x190 +#define offset_vmcb 0xD00 +#elif WINVER == 1903 +#define offset_vmcb_base 0x83B0 +#define offset_vmcb_link 0x190 +#define offset_vmcb 0xD00 +#elif WINVER == 1809 +#define offset_vmcb_base 0x83B0 +#define offset_vmcb_link 0x198 +#define offset_vmcb 0xD00 +#elif WINVER == 1803 +#define offset_vmcb_base 0x82F0 +#define offset_vmcb_link 0x168 +#define offset_vmcb 0xCC0 +#elif WINVER == 1709 +#define offset_vmcb_base 0x82F0 +#define offset_vmcb_link 0x88 +#define offset_vmcb 0xC80 +#elif WINVER == 1703 +#define offset_vmcb_base 0x82F0 +#define offset_vmcb_link 0x80 +#define offset_vmcb 0xBC0 +#elif WINVER == 1607 +#define offset_vmcb_base 0x82F0 +#define offset_vmcb_link 0x90 +#define offset_vmcb 0xBC0 +#elif WINVER == 1511 +#define offset_vmcb_base 0x82F0 +#define offset_vmcb_link 0x90 +#define offset_vmcb 0xC40 +#endif +``` + +Ill probably end up sig scanning for these offsets/resolving them at runtime when i condense this project down to a single solution. + # Versions & Support :o: -> unknown/not tested. From 7f6e88f9f57945bb8c8c827df6fd2032533198d0 Mon Sep 17 00:00:00 2001 From: xerox Date: Sat, 3 Oct 2020 09:15:15 +0000 Subject: [PATCH 4/8] Update README.md --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 7680770..6762e1d 100644 --- a/README.md +++ b/README.md 
@@ -27,8 +27,6 @@ Voyager 2 contains all the code associated with the AMD part of this project. Si the linear virtual address of the VMCB for every version of windows. GS register contains a pointer to a structure defined by MS, this structure contains alot of stuff. Deep in this structure is a linear virtual address to the current cores VMCB. -The payload for AMD is also just a cpuid interception example. - ``` #if WINVER == 2004 #define offset_vmcb_base 0x103B0 From 40bfc1f78d5959bee41c00ceccf8142d57673648 Mon Sep 17 00:00:00 2001 From: xerox Date: Sat, 3 Oct 2020 09:16:18 +0000 Subject: [PATCH 5/8] Update README.md --- README.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/README.md b/README.md index 6762e1d..d3edb13 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,27 @@ and interception can commence. The payload solution contains a small CPUID interception example. I plan on expanding my examples to include EPT hooking and module injection/module shadowing. I also need to locate the self referencing pml4e in hyper-v's pml4 :|.... +```cpp +svm::pgs_base_struct vmexit_handler(void* unknown, svm::pguest_context context) +{ + const auto vmcb = *reinterpret_cast( + *reinterpret_cast( + *reinterpret_cast( + __readgsqword(0) + offset_vmcb_base) + + offset_vmcb_link) + offset_vmcb); + + if (vmcb->exitcode == VMEXIT_CPUID && context->rcx == VMEXIT_KEY) + { + vmcb->rax = 0xC0FFEE; + vmcb->rip = vmcb->nrip; + return reinterpret_cast(__readgsqword(0)); + } + + return reinterpret_cast( + reinterpret_cast(&vmexit_handler) - + svm::voyager_context.vcpu_run_rva)(unknown, context); +} +``` # Voyager 2 - AMD From 091a4c482d3f9cf5abada2074d04fad7453f4d1b Mon Sep 17 00:00:00 2001 From: xerox Date: Sat, 3 Oct 2020 09:17:24 +0000 Subject: [PATCH 6/8] Update README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index d3edb13..595b85f 100644 --- a/README.md +++ b/README.md 
@@ -42,6 +42,8 @@ svm::pgs_base_struct vmexit_handler(void* unknown, svm::pguest_context context) } ``` + + # Voyager 2 - AMD Voyager 2 contains all the code associated with the AMD part of this project. Since AMD has no vmread/vmwrite operation, only vmsave/vmload I had to locate From b8e21b248af7448d6704250a081c22c99be80186 Mon Sep 17 00:00:00 2001 From: xerox Date: Sat, 3 Oct 2020 09:18:32 +0000 Subject: [PATCH 7/8] Update README.md --- README.md | 64 ------------------------------------------------------- 1 file changed, 64 deletions(-) diff --git a/README.md b/README.md index 595b85f..bd6c440 100644 --- a/README.md +++ b/README.md @@ -20,28 +20,6 @@ and interception can commence. The payload solution contains a small CPUID interception example. I plan on expanding my examples to include EPT hooking and module injection/module shadowing. I also need to locate the self referencing pml4e in hyper-v's pml4 :|.... -```cpp -svm::pgs_base_struct vmexit_handler(void* unknown, svm::pguest_context context) -{ - const auto vmcb = *reinterpret_cast( - *reinterpret_cast( - *reinterpret_cast( - __readgsqword(0) + offset_vmcb_base) - + offset_vmcb_link) + offset_vmcb); - - if (vmcb->exitcode == VMEXIT_CPUID && context->rcx == VMEXIT_KEY) - { - vmcb->rax = 0xC0FFEE; - vmcb->rip = vmcb->nrip; - return reinterpret_cast(__readgsqword(0)); - } - - return reinterpret_cast( - reinterpret_cast(&vmexit_handler) - - svm::voyager_context.vcpu_run_rva)(unknown, context); -} -``` - # Voyager 2 - AMD 
@@ -50,48 +28,6 @@ Voyager 2 contains all the code associated with the AMD part of this project. Si the linear virtual address of the VMCB for every version of windows. GS register contains a pointer to a structure defined by MS, this structure contains alot of stuff. Deep in this structure is a linear virtual address to the current cores VMCB. -``` -#if WINVER == 2004 -#define offset_vmcb_base 0x103B0 -#define offset_vmcb_link 0x198 -#define offset_vmcb 0xE80 -#elif WINVER == 1909 -#define offset_vmcb_base 0x83B0 -#define offset_vmcb_link 0x190 -#define offset_vmcb 0xD00 -#elif WINVER == 1903 -#define offset_vmcb_base 0x83B0 -#define offset_vmcb_link 0x190 -#define offset_vmcb 0xD00 -#elif WINVER == 1809 -#define offset_vmcb_base 0x83B0 -#define offset_vmcb_link 0x198 -#define offset_vmcb 0xD00 -#elif WINVER == 1803 -#define offset_vmcb_base 0x82F0 -#define offset_vmcb_link 0x168 -#define offset_vmcb 0xCC0 -#elif WINVER == 1709 -#define offset_vmcb_base 0x82F0 -#define offset_vmcb_link 0x88 -#define offset_vmcb 0xC80 -#elif WINVER == 1703 -#define offset_vmcb_base 0x82F0 -#define offset_vmcb_link 0x80 -#define offset_vmcb 0xBC0 -#elif WINVER == 1607 -#define offset_vmcb_base 0x82F0 -#define offset_vmcb_link 0x90 -#define offset_vmcb 0xBC0 -#elif WINVER == 1511 -#define offset_vmcb_base 0x82F0 -#define offset_vmcb_link 0x90 -#define offset_vmcb 0xC40 -#endif -``` - -Ill probably end up sig scanning for these offsets/resolving them at runtime when i condense this project down to a single solution. - # Versions & Support :o: -> unknown/not tested. From ecec369a87411d712ef6941e6c18323f416a88ac Mon Sep 17 00:00:00 2001 From: xerox Date: Sat, 3 Oct 2020 09:18:45 +0000 Subject: [PATCH 8/8] Update README.md --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index bd6c440..862ee33 100644 --- a/README.md +++ b/README.md 
@@ -20,8 +20,6 @@ and interception can commence. The payload solution contains a small CPUID interception example. I plan on expanding my examples to include EPT hooking and module injection/module shadowing. I also need to locate the self referencing pml4e in hyper-v's pml4 :|.... - - # Voyager 2 - AMD Voyager 2 contains all the code associated with the AMD part of this project. Since AMD has no vmread/vmwrite operation, only vmsave/vmload I had to locate
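Review bot: In PATCH 1/8 the new README prose has a few spelling and casing slips worth fixing before it lands: "Since intel has vmread/vmwrite" and "every version of windows" (proper nouns), "alot" for "a lot", and "the current cores VMCB" for "the current core's VMCB". The hunk also leaves README.md without a trailing newline ("\ No newline at end of file"), and every later patch in the series inherits that; ending the file with a newline stops the marker from reappearing in each diff.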
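Review bot: In PATCH 2/8 the support table has a `1807` row between 1809 and 1803, but the `#if WINVER` chain added in PATCH 3/8 has branches for 1809 and 1803 only, with no `WINVER == 1807` case, so either that row is a typo for one of its neighbours or the offset table is missing an entry; the two should agree. The legend explains the three icons but not the `VM` column, and it is not obvious whether it means Hyper-V running nested inside another hypervisor or something else; one clause in the legend would settle it.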
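Review bot: In PATCH 3/8 the `#if WINVER == 2004 ... #endif` chain has no `#else` branch, so an unsupported or undefined build value silently leaves `offset_vmcb_base`, `offset_vmcb_link` and `offset_vmcb` undefined and the mistake only surfaces later as an unrelated compile error in whatever uses them; add `#else` / `#error "unsupported Windows build"` so the misconfiguration fails at the chain itself. `WINVER` is also the Windows SDK's own API-version macro (the SDK headers set it to values such as `0x0A00`), so if any SDK header is included before this block none of the `== 2004`-style comparisons can ever match; a project-specific name such as `VOYAGER_WINVER` avoids the collision. The fence is untagged (```) while PATCH 5/8 uses ```cpp; tag this one `cpp` as well for consistent rendering.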
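Review bot: In PATCH 4/8 deleting "The payload for AMD is also just a cpuid interception example." removes the only sentence standing between the VMCB paragraph and the `#if WINVER` listing, so the offsets now appear with nothing saying what they are (the GS-relative base, the link, and the VMCB pointer that paragraph describes); keep a one-line lead-in such as "Per-build offsets used to walk from GS to the VMCB:" above the fence.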
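Review bot: In PATCH 5/8 the `vmexit_handler` example is AMD code (it lives in the `svm` namespace, walks `offset_vmcb_base`/`offset_vmcb_link`/`offset_vmcb` from `__readgsqword(0)` to a VMCB, and reads `vmcb->exitcode` and `vmcb->nrip`), yet the hunk header `@@ -20,6 +20,27 @@ and interception can commence.` shows it being inserted under "# Voyager 1 - Intel", directly after the vmread/vmwrite paragraph; it belongs under "# Voyager 2 - AMD" beside the offset table it depends on. As shown, every `reinterpret_cast(` has lost its template argument, which does not compile; if that is the committed text rather than a rendering loss, restore the `<T>` types. `VMEXIT_CPUID` and `VMEXIT_KEY` are used without being defined or mentioned anywhere in the README, and the tail call through `reinterpret_cast(&vmexit_handler) - svm::voyager_context.vcpu_run_rva` deserves a comment stating what address that subtraction is expected to yield, since a reader cannot infer it from the snippet.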
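Review bot: PATCH 6/8 adds two blank lines after the closing ``` of the handler block and PATCH 8/8 removes the same two lines again, so the pair is pure whitespace churn that nets to nothing; drop both from the series rather than keeping two commits whose only effect cancels out.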
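Review bot: PATCH 7/8 deletes the entire offset table and the `vmexit_handler` example that PATCH 3/8 and 5/8 introduced, so patches 3 through 8 leave README.md exactly as PATCH 2/8 left it (minus the "The payload for AMD is also just a cpuid interception example." sentence dropped in 4/8); if the material was moved elsewhere (source comments, a wiki), say where in the README, and otherwise squash the series down to the commits that actually change the file and give them messages that describe the change rather than the generic "Update README.md" that all eight share.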