mirror-ac/driver/hv.c

106 lines
3 KiB
C
Raw Normal View History

2023-08-21 14:40:40 +02:00
#include "hv.h"
#include <intrin.h>
#include "common.h"
2023-10-07 17:37:47 +02:00
#ifdef ALLOC_PRAGMA
#pragma alloc_text(PAGE, PerformVirtualizationDetection)
#endif
2023-08-21 14:40:40 +02:00
#define TOTAL_ITERATION_COUNT 20
/*
2023-10-05 08:27:17 +02:00
* TODO: Perform the test in a loop and average the delta out, then compare it
2023-08-21 17:48:34 +02:00
* to an instruction such as FYL2XP1 (source: secret.club) which has an average
* execution time slightly higher then the CPUID instruction then compare the two.
2023-10-05 08:27:17 +02:00
* If the average time for the CPUID instruction is higher then the average time
* for the FYL2XP1 instruction it is a dead giveaway we are running on a
2023-08-21 17:48:34 +02:00
* virtualized system.
2023-10-05 08:27:17 +02:00
*
2023-08-29 19:36:58 +02:00
* reference: https://secret.club/2020/01/12/battleye-hypervisor-detection.html
2023-08-21 14:40:40 +02:00
*/
2023-08-21 17:48:34 +02:00
2023-10-10 19:49:17 +02:00
_IRQL_always_function_max_(HIGH_LEVEL)
2023-09-27 06:22:14 +02:00
STATIC
2023-10-05 08:27:17 +02:00
INT
2023-09-27 06:22:14 +02:00
APERFMsrTimingCheck()
2023-08-21 14:40:40 +02:00
{
2023-08-21 17:48:34 +02:00
KAFFINITY new_affinity = { 0 };
KAFFINITY old_affinity = { 0 };
2023-08-21 14:40:40 +02:00
ULONG64 old_irql;
2023-10-05 08:27:17 +02:00
INT cpuid_result[4];
2023-08-21 14:40:40 +02:00
2023-08-21 17:48:34 +02:00
/*
* First thing we do is we lock the current thread to the logical processor
2023-10-05 08:27:17 +02:00
* its executing on.
2023-08-21 17:48:34 +02:00
*/
2023-10-10 19:49:17 +02:00
new_affinity = (KAFFINITY)(1ull << KeGetCurrentProcessorNumber());
2023-10-05 08:27:17 +02:00
old_affinity = KeSetSystemAffinityThreadEx(new_affinity);
2023-08-21 17:48:34 +02:00
/*
2023-08-22 10:51:52 +02:00
* Once we've locked our thread to the current core, we save the old irql
2023-10-05 08:27:17 +02:00
* and raise to HIGH_LEVEL to ensure the chance our thread is preempted
2023-08-21 17:48:34 +02:00
* by a thread with a higher IRQL is extremely low.
*/
2023-08-21 14:40:40 +02:00
old_irql = __readcr8();
2023-10-05 08:27:17 +02:00
__writecr8(HIGH_LEVEL);
2023-08-21 14:40:40 +02:00
2023-08-21 17:48:34 +02:00
/*
* Then we also disable interrupts, once again making sure our thread
* is not preempted.
*/
2023-08-21 14:40:40 +02:00
_disable();
2023-08-21 17:48:34 +02:00
/*
2023-10-05 08:27:17 +02:00
* Once our thread is ready for the test, we read the APERF from the
2023-08-21 17:48:34 +02:00
* MSR register and store it. We then execute a CPUID instruction
* which we don't really care about and immediately after read the APERF
* counter once again and store it in a seperate variable.
*/
2023-10-05 08:27:17 +02:00
UINT64 aperf_before = __readmsr(IA32_APERF_MSR) << 32;
__cpuid(cpuid_result, 1);
UINT64 aperf_after = __readmsr(IA32_APERF_MSR) << 32;
2023-08-21 14:40:40 +02:00
2023-08-21 17:48:34 +02:00
/*
2023-10-05 08:27:17 +02:00
* Once we have performed our test, we want to make sure we are not
2023-08-21 17:48:34 +02:00
* hogging the cpu time from other threads, so we reverse the initial
* preparation process. i.e we first enable interrupts, lower our irql
* to the threads previous irql before it was raised and then restore the
* threads affinity back to its original affinity.
*/
2023-08-21 14:40:40 +02:00
_enable();
2023-10-05 08:27:17 +02:00
__writecr8(old_irql);
KeRevertToUserAffinityThreadEx(old_affinity);
2023-08-21 14:40:40 +02:00
2023-08-21 17:48:34 +02:00
/*
2023-10-05 08:27:17 +02:00
* Now the only thing left to do is calculate the change. Now, on some VMs
2023-08-21 17:48:34 +02:00
* such as VMWARE the aperf value will be 0, meaning the change will be 0.
2023-10-05 08:27:17 +02:00
* This is a dead giveaway we are executing in a VM.
2023-08-21 17:48:34 +02:00
*/
2023-08-21 14:40:40 +02:00
UINT64 aperf_delta = aperf_after - aperf_before;
2023-08-21 17:48:34 +02:00
return aperf_delta == 0 ? TRUE : FALSE;
}
2023-10-05 08:27:17 +02:00
NTSTATUS
2023-09-27 06:22:14 +02:00
PerformVirtualizationDetection(
2023-10-07 17:37:47 +02:00
_Inout_ PIRP Irp
2023-08-21 17:48:34 +02:00
)
{
2023-10-09 20:19:51 +02:00
PAGED_CODE();
2023-08-21 17:48:34 +02:00
HYPERVISOR_DETECTION_REPORT report;
report.aperf_msr_timing_check = APERFMsrTimingCheck();
report.invd_emulation_check = TestINVDEmulation();
2023-10-05 08:27:17 +02:00
Irp->IoStatus.Information = sizeof(HYPERVISOR_DETECTION_REPORT);
2023-08-21 14:40:40 +02:00
2023-08-21 17:48:34 +02:00
RtlCopyMemory(
Irp->AssociatedIrp.SystemBuffer,
&report,
2023-10-05 08:27:17 +02:00
sizeof(HYPERVISOR_DETECTION_REPORT)
2023-08-21 17:48:34 +02:00
);
2023-08-21 14:40:40 +02:00
2023-10-03 17:23:01 +02:00
return STATUS_SUCCESS;
2023-08-21 14:40:40 +02:00
}