drakvuf
`libusermode` does not support x86
As the code states for non-x64: "[USERHOOK] Usermode hooking is not yet supported on this architecture/bitness.\n"
@icedevml could you please clarify why. I have read #669 and #675 but there are no comments about this. Thank you very much.
If I recall correctly, there is some problem with the exception handler. AFAIR there is no KiSystemServiceHandler but we would want to hook it. This probably works in a similar way in x86 mode but I didn't have enough time to dig into this :(
The purpose of hooking this handler is that we inject page faults pretty often and these are rather dangerous, so we guard against possible accidental exceptions caused by this.
If you are brave enough you can comment out the exception handler part and remove this check; there is some probability that it would work then (or with small changes). Such a change would also decrease stability and the VM might crash in some circumstances. The true solution is ofc to find the differences for x86 and implement accordingly.
@icedevml thank you for comments.
@icedevml @skvl I notice that, according to the API manual, the function `vmi_request_page_fault` is better used in user mode. But in the function `internal_perform_hooking` it is used in kernel mode. I think it is better to inject a user page fault in user mode, not in kernel mode. The function `NtMapViewOfSection` was called from user mode by the `syscall`, and we can easily find the `sysret`'s return address through `KTHREAD.InitialStack`, so we can set a trap there (the next instruction after the `syscall`) and call `vmi_request_page_fault` at that moment to make sure our interested code was moved into physical memory. It may be safer.
@4M4Z4 this is a very interesting note. Though I think it is acceptable to run `vmi_request_page_fault` in kernel mode.

`vmi_request_page_fault` injects a `#PF` into the virtual machine. But we should not inject it during fault handling. That could result in a double fault or triple fault. As far as I know `NtMapViewOfSection` is not called during fault handling.
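The two comments above describe one idea (locate the user-mode return address of the syscall through `KTHREAD.InitialStack` and trap there) and one guard (never inject `#PF` while the guest is already handling a fault). The following is an added model of both, not DRAKVUF or LibVMI code: guest memory, register state and the `KTRAP_FRAME` offsets (`TRAP_FRAME_SIZE`, `TRAP_FRAME_RIP`, `TRAP_FRAME_SEGCS`, `TRAP_FRAME_RSP`) are all constructed or assumed here, and `GuestMemory.read_u64` stands in for `vmi_read_64_va`; real offsets must be taken from the guest's symbols.

```python
"""Added example, not project code: walk a constructed kernel stack to the trap
frame of a user-mode syscall, then decide whether it is safe to request a #PF."""
import struct

# Assumed x64 layout (constructed for this example, verify against guest symbols):
# the trap frame the syscall entry pushes sits at the top of the kernel stack.
TRAP_FRAME_SIZE = 0x190   # assumed sizeof(KTRAP_FRAME)
TRAP_FRAME_RIP = 0x168    # assumed offset of KTRAP_FRAME.Rip
TRAP_FRAME_SEGCS = 0x170  # assumed offset of KTRAP_FRAME.SegCs (16-bit field)
TRAP_FRAME_RSP = 0x180    # assumed offset of KTRAP_FRAME.Rsp


class PageNotPresent(Exception):
    """Raised when a read touches a byte the guest has not paged in."""


class GuestMemory:
    """Tiny sparse guest-memory model standing in for vmi_read_64_va()."""

    def __init__(self):
        self.bytes = {}

    def write(self, va, data):
        for i, b in enumerate(data):
            self.bytes[va + i] = b

    def read_u64(self, va):
        try:
            raw = bytes(self.bytes[va + i] for i in range(8))
        except KeyError:
            # A missing byte models a not-present page, the situation usermode
            # hooking has to resolve (via an injected #PF) before it can patch.
            raise PageNotPresent(hex(va))
        return struct.unpack("<Q", raw)[0]


def syscall_return_address(mem, initial_stack):
    """Return (user RIP, user RSP) recorded in the trap frame at the top of the
    kernel stack given by KTHREAD.InitialStack. RIP is the instruction after
    the syscall, i.e. where sysret will land."""
    frame = initial_stack - TRAP_FRAME_SIZE
    rip = mem.read_u64(frame + TRAP_FRAME_RIP)
    rsp = mem.read_u64(frame + TRAP_FRAME_RSP)
    cs = mem.read_u64(frame + TRAP_FRAME_SEGCS) & 0xFFFF
    if cs & 3 != 3:
        # RPL != 3 means this frame was not pushed for a user-mode caller.
        raise ValueError("trap frame does not belong to a user-mode syscall")
    return rip, rsp


def safe_to_request_page_fault(vcpu, expected_rip):
    """Guard from the thread: inject only once the vCPU is back in user mode at
    the instruction after the syscall, and never while a fault is being handled
    (a nested #PF risks a double or triple fault)."""
    in_user_mode = (vcpu["cs"] & 3) == 3
    at_return_point = vcpu["rip"] == expected_rip
    return in_user_mode and at_return_point and not vcpu["handling_fault"]


def plan_access(mem, vcpu, target_va, expected_rip):
    """Decide how to get at target_va: 'read' if it is present, 'inject' if a
    #PF may be requested now, 'defer' if the guest is in an unsafe state."""
    try:
        mem.read_u64(target_va)
        return "read"
    except PageNotPresent:
        pass
    return "inject" if safe_to_request_page_fault(vcpu, expected_rip) else "defer"


def build_sample_guest():
    """Constructed guest: one thread whose kernel stack top holds a trap frame
    for a syscall issued from user address 0x7FF612345678."""
    mem = GuestMemory()
    initial_stack = 0xFFFFF88004ABC000          # constructed KTHREAD.InitialStack
    frame = initial_stack - TRAP_FRAME_SIZE
    mem.write(frame + TRAP_FRAME_RIP, struct.pack("<Q", 0x7FF612345678))
    mem.write(frame + TRAP_FRAME_SEGCS, struct.pack("<Q", 0x33))  # user CS, RPL 3
    mem.write(frame + TRAP_FRAME_RSP, struct.pack("<Q", 0x000000C0FFEE0000))
    return mem, initial_stack


if __name__ == "__main__":
    mem, stack = build_sample_guest()
    rip, rsp = syscall_return_address(mem, stack)
    print(f"user return RIP={rip:#x} RSP={rsp:#x}")
    kernel_vcpu = {"cs": 0x10, "rip": 0xFFFFF80001234567, "handling_fault": False}
    user_vcpu = {"cs": 0x33, "rip": rip, "handling_fault": False}
    print(plan_access(mem, kernel_vcpu, 0x7FF600000000, rip))  # defer
    print(plan_access(mem, user_vcpu, 0x7FF600000000, rip))    # inject
```

The decision in `plan_access` is deliberately split from the injection itself: in a real tool the "inject" branch would call `vmi_request_page_fault` and then wait for the guest to resolve the fault before retrying the read, and the "defer" branch would arm a trap at the returned RIP and try again there.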