VMBR
Getting error while reading from disk
I am trying this repo, but where to run it: Ubuntu or Windows (VirtualBox or in the host machine?)
and
I'm trying in an Ubuntu host machine
- I set up the win10.vhd successfully and it is running
- When I run make it opens the QEMU environment and I get "error while reading from disk"???
You should run it in Ubuntu, as it uses kvm (afaik if you run it on Windows you should use HAXM). I personally run it on WSL2 (Ubuntu on Windows), so running it on Ubuntu should work.
"Error while reading from disk" means that something went wrong while using int 0x13 to read the Windows MBR from the disk (see ReadDisk in src/hardware/serial.asm). I would recommend checking the return code (see the Wikipedia page for int 0x13 AH=0x42 which describes the interrupt, and this table for the meaning of the return codes). I'd guess that the disk extensions might not be present (check with int 0x13 AH=0x41).
In order to see the return code, add the line LOG_DEBUG("Return code: %x\n", *(byte_t*)DRIVE_IDX_ADDRESS); between line 24 and line 25 of src/hardware/serial.c.
By the way:
- This is probably not related to your current issue, but how did you get the win10.vhd image? It has to be a Legacy BIOS one, not UEFI. Try running `make win` and see if Qemu can run it on itself (without my hypervisor in the middle).
- Just to let you know, this project is not finished yet; it currently contains a type 1 hypervisor that can run Windows 10 on it and work with multiple cores. I have not yet added all the spyware part.
Good luck :)
Thank you Mr. gognl for getting back to me. On a note: I am new to this VMBR concept, exploring more into this, and initially I was trying to implement SubVirt/BluePill but got confused and stuck, so I am trying these repos.
So, yes, I am using an Ubuntu host machine environment (Ubuntu 22.04).
And regarding win10.vhd:
First, I created a file using this: `qemu-img create -f vpc win10.vhd 20G` -> in the VMBR folder/dir.
Then, I manually created a new virtual machine win10 with vm manager:
- On the "Storage" configuration page, select "Select or create custom storage."
- Click "Manage."
- Click "Add Hardware."
- Choose "Disk."
- Choose "Select or create custom storage."
- Click "Manage."
- Click "Browse Local."
- Select the win10.vhd file
Started booting with that, and it's running successfully.
And when I ran make win:
Regarding legacy BIOS: is it an option I need to enable in vm manager? Or what??
Yeah, so make win not working means that your win10.vhd file is not good for this. You need to get a Windows 10 ISO that uses Legacy Bios and not UEFI. This is not that easy, since Microsoft hasn't used Legacy Bios in Windows for some years now, iirc.
I must admit that I don't know much about vm manager; There could maybe be an option to create a legacy bios image using vm manager, but not one that I'm aware of.
The way I did it is quite complex. I made a VM on VirtualBox with the UEFI Windows 10 image, which I got from the Microsoft website. Then somehow VirtualBox converted it to Legacy BIOS by itself (but you can also change it from within the VM, in the Windows settings). I then used Clonezilla to transfer the disk image to a USB, and Rufus to transfer it back to an ISO. For more information see this article.
I can also try to compress the image that I have and upload it to git, but it might be a few days before I get to do it since I'm not currently home.
Hello Mr. gognl,
So I somehow figured out creating a "Windows legacy BIOS" setup, in a different approach,
by selecting the "win10.vhd" file during the creation process in VirtualBox and ensuring that the "Enable EFI" option was unchecked, and it worked (I hope).
And now, I copied the win10.vhd file to the Makefile environment, and I encountered the same error.
- Can you please explain about your VMBR repo? I need some clarity.
- And what happens upon successfully uploading win10.vhd to QEMU?
- This is a project I'm making which in the end is supposed to be a malicious hypervisor which runs Windows, collects spyware (keylogs and maybe network traffic) and sends it to a remote attacker. Currently I only implemented the hypervisor part, and I'm planning to finish the rest in about 2 months from now. I am planning on collecting the keylogs through a Windows function hooking (namely KeyboardClassServiceCallback), and I am planning on building a network driver for RTL8139 which I will use for both hooking the network and sending the data to the attacker. Note that I am not planning on implementing the intrusion part, meaning the project is itself the payload and is not planned to include the part which takes control of the Windows boot process (the code assumes that the hypervisor's code will be loaded upon booting, and not Windows').
- If you run `make win`, Qemu should load and run Windows on itself. If that works, it means that your win10.vhd file is good. When you run `make`, it's supposed to run Windows on top of my hypervisor (which runs in Qemu).
The error you are getting probably isn't related to the win10.vhd file. It means that there was a problem while trying to execute int 0x13 to read the Windows MBR from the disk. I recommend trying what I wrote in my first comment - try and find the error code, and then maybe it will help you (and me) understand the bug better.
So, with my low-level understanding and with some help I figured out something, but I don't know whether I am right or wrong:
I changed the code as mentioned:

```c
#include <hardware/serial.h>
#include <boot/addresses.h>
#include <lib/util.h>

// Fill the Disk Address Packet and read sector 0 (the MBR) of `drive` via int 0x13 AH=0x42
void read_first_sector(byte_t drive){
    dap_t *dap_ptr = (dap_t*)DAP_ADDRESS;
    dap_ptr->size = sizeof(dap_t);
    dap_ptr->unused = 0;
    dap_ptr->amount = 1;
    dap_ptr->offset = MBR_ADDRESS;
    dap_ptr->segment = 0;
    dap_ptr->sector = 0;
    *(byte_t*)DRIVE_IDX_ADDRESS = drive;
    CallReal(ReadDisk);
    LOG_DEBUG("Return code: %x\n", *(byte_t*)DRIVE_IDX_ADDRESS);   // Added return code line
}

// Scan the BIOS drive numbers for a bootable MBR and hand control to the guest
void load_guest(){
    mbr_t *mbr_ptr = (mbr_t*)MBR_ADDRESS;
    memcpy(REAL_START+low_functions_end-low_functions_start, CallReal, call_real_end-CallReal);
    void (*CallRealCopy)(void(*)(void)) = (void (*)(void(*)(void)))(REAL_START+low_functions_end-low_functions_start);
    for (byte_t drive_index = 0x80; drive_index < 0xff; drive_index++){
        read_first_sector(drive_index);
        if (mbr_ptr->signature == BIOS_SIGNATURE){
            // LOG_DEBUG("Copying MBR to 0x7c00...\n");
            *(byte_t*)DRIVE_IDX_ADDRESS = drive_index;
            memcpy(0x7c00, (byte_t*)mbr_ptr, sizeof(mbr_t));
            break;
        }
    }
    CallRealCopy(LoadGuestVmcall);
}
```
Getting something related to boot failed:
If I am not wrong, the error is related to win10.vhd? But, as you mentioned, it's a legacy BIOS enabled disk.
`make win` is getting "not bootable device".
I really don't understand where I am wrong.
The error code you're getting is 0xE0, which means "Status Error". You can read the status from the BIOS Data Area. Add the line LOG_DEBUG("%x", (qword_t)*(byte_t*)(0x400+0x41)); under the line you added (in read_first_sector) in order to print the status.
Hello @gognl, I have done all I could to solve the issue, but I am still receiving errors. I tried yours too, but the error persists.
Ideally, if possible, can we connect and resolve this at the earliest possible time? It would probably take 15-30 min max; providing my email id further: [email protected]
I'm afraid that wouldn't be possible, but I'd be glad to continue helping here. What's the BIOS data status (according to the line I wrote in my last comment)?
Alright, I guess I am getting the same:
- While running make
- While running make win
serial.c code:

```c
#include <hardware/serial.h>
#include <boot/addresses.h>
#include <lib/util.h>

// Fill the Disk Address Packet and read sector 0 (the MBR) of `drive` via int 0x13 AH=0x42
void read_first_sector(byte_t drive){
    dap_t *dap_ptr = (dap_t*)DAP_ADDRESS;
    dap_ptr->size = sizeof(dap_t);
    dap_ptr->unused = 0;
    dap_ptr->amount = 1;
    dap_ptr->offset = MBR_ADDRESS;
    dap_ptr->segment = 0;
    dap_ptr->sector = 0;
    *(byte_t*)DRIVE_IDX_ADDRESS = drive;
    CallReal(ReadDisk);
    LOG_DEBUG("Return code: %x\n", *(byte_t*)DRIVE_IDX_ADDRESS);   // Existing line
    LOG_DEBUG("%x", (qword_t)*(byte_t*)(0x400+0x41));              // Added line to print the status (BIOS Data Area)
}

// Scan the BIOS drive numbers for a bootable MBR and hand control to the guest
void load_guest(){
    mbr_t *mbr_ptr = (mbr_t*)MBR_ADDRESS;
    memcpy(REAL_START+low_functions_end-low_functions_start, CallReal, call_real_end-CallReal);
    void (*CallRealCopy)(void(*)(void)) = (void (*)(void(*)(void)))(REAL_START+low_functions_end-low_functions_start);
    for (byte_t drive_index = 0x80; drive_index < 0xff; drive_index++){
        read_first_sector(drive_index);
        if (mbr_ptr->signature == BIOS_SIGNATURE){
            // LOG_DEBUG("Copying MBR to 0x7c00...\n");
            *(byte_t*)DRIVE_IDX_ADDRESS = drive_index;
            memcpy(0x7c00, (byte_t*)mbr_ptr, sizeof(mbr_t));
            break;
        }
    }
    CallRealCopy(LoadGuestVmcall);
}
```
What is the first return code that it prints?
I already provided it above!!!
So actually I added `LOG_DEBUG("Return code: %x\n", *(byte_t*)DRIVE_IDX_ADDRESS); // first existing line` and
`LOG_DEBUG("%x", (qword_t)*(byte_t*)(0x400+0x41)); // added line to print the status`
and then ran make and make win to check for the output that you're mentioning >> am I doing wrong??
The error code is printed for each drive that it tries (from 0x80 to 0xfe). The Windows disk should be in drive 0x80, so I'll need to see the first error code that is printed.
By the way, if you plan on git cloning again, make sure you do so from commit a288108d7deab9d94caa73f03da081184a18e26b. Newer commits will work differently as I'm working on the network part.
Hey @gognl, actually a small misinterpretation: so are you saying that after adding those 2 LOG_DEBUG lines in serial.c >> do I need to run serial.c or the entire Makefile (make or make win)?????
And sure, I will try that a288108d7deab9d94caa73f03da081184a18e26b commit and let you know.
You should run `make`.
Yes Mr. @gognl, I already did that; after making the changes I am running make
as you mentioned:
- In order to see the return code, add the line `LOG_DEBUG("Return code: %x\n", *(byte_t*)DRIVE_IDX_ADDRESS);` between line 24 and line 25 of src/hardware/serial.c.
- Add the line `LOG_DEBUG("%x", (qword_t)*(byte_t*)(0x400+0x41));` under the line you added (in read_first_sector) in order to print the status.
My serial.c added code:
When I run make after adding the LOG_DEBUG, in the terminal:
Qemu terminal:
Running:
You are getting error code 0x1, which means Invalid Command and might be caused if disk extensions are not present. This is a bit weird since you're running in Qemu. I'd try and gather more information: execute int 13h with ah=0x41, dl=0x80 and bx=0x55aa. Then test the carry flag; If it is set, then that's the problem (and in that case you probably want to read ah and cx; see the picture below).
Add the relevant code to serial.asm before the execution of int 13h ah=0x42.
I would also recommend trying to update Qemu and seeing if it changes anything.
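The Disk Address Packet that read_first_sector() fills for int 0x13 AH=0x42, and the AH=0x41 extensions check suggested above, as an added host-side example that is not part of the VMBR repo: it asserts the 16-byte packet layout, builds a packet from a linear destination address, and interprets the registers the extensions check hands back. The dap_t field names follow the code posted in this thread; dap_build, dap_try and edd_check are names assumed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Disk Address Packet for INT 13h AH=42h (extended read): 16 bytes, packed.
   Field names follow the read_first_sector() code posted in this thread. */
typedef struct __attribute__((packed)) {
    uint8_t  size;     /* always 0x10 */
    uint8_t  unused;   /* must be 0 */
    uint16_t amount;   /* sectors to transfer */
    uint16_t offset;   /* buffer offset (real-mode seg:off, offset first) */
    uint16_t segment;  /* buffer segment */
    uint64_t sector;   /* starting LBA; 0 = the MBR */
} dap_t;

_Static_assert(sizeof(dap_t) == 0x10, "DAP must be 16 bytes");
_Static_assert(offsetof(dap_t, offset) == 4 && offsetof(dap_t, sector) == 8,
               "DAP field order must match the BIOS layout");

/* Fill a DAP to read `count` sectors from `lba` into linear address `dest`.
   The offset field is only 16 bits, so the address is split into seg:off
   (0x7c00 becomes 07C0:0000, the same physical address the thread uses). */
bool dap_build(dap_t *dap, uint64_t lba, uint16_t count, uint32_t dest) {
    if (dest >= 0x100000 || count == 0) return false;   /* must stay below 1 MiB */
    dap->size = sizeof(dap_t);
    dap->unused = 0;
    dap->amount = count;
    dap->segment = (uint16_t)(dest >> 4);
    dap->offset = (uint16_t)(dest & 0xF);
    dap->sector = lba;
    return true;
}

/* Build into a scratch packet and return the linear address it encodes
   (UINT32_MAX on a rejected request), so the packet can be checked on a host. */
uint32_t dap_try(uint64_t lba, uint16_t count, uint32_t dest) {
    static dap_t scratch;
    if (!dap_build(&scratch, lba, count, dest)) return UINT32_MAX;
    return ((uint32_t)scratch.segment << 4) + scratch.offset;
}

/* Interpret the registers left by INT 13h AH=41h (BX=0x55AA on entry): CF set
   means no extensions (AH then holds the error); otherwise BX must read 0xAA55
   and CX bit 0 must be set for the AH=42h extended read to be usable. */
typedef enum { EDD_OK, EDD_UNSUPPORTED, EDD_BAD_SIGNATURE, EDD_NO_EXT_READ } edd_result_t;
edd_result_t edd_check(bool carry, uint16_t bx, uint16_t cx) {
    if (carry) return EDD_UNSUPPORTED;
    if (bx != 0xAA55) return EDD_BAD_SIGNATURE;
    return (cx & 1) ? EDD_OK : EDD_NO_EXT_READ;
}
```

A packet that fails dap_build, or an edd_check result other than EDD_OK, is the kind of thing to log alongside the AH return code before blaming the disk image.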
Hey @gognl, I tried updating QEMU and I am still getting the same.
And I just wanted to know: is the QEMU that you mentioned a custom QEMU or not??
I used sudo apt-get install qemu
Then, I did the same.
Try what I suggested here:
You are getting error code 0x1, which means Invalid Command and might be caused if disk extensions are not present. This is a bit weird since you're running in Qemu. I'd try and gather more information: execute int 13h with ah=0x41, dl=0x80 and bx=0x55aa. Then test the carry flag; if it is set, then that's the problem (and in that case you probably want to read ah and cx; see the picture below). Add the relevant code to serial.asm before the execution of int 13h ah=0x42.
Okay, I'll give it a try and let you know.
