AAAAAAAAHHHHHHH

2024-11-21 22:24:08 +01:00 · 2023-08-22 01:48:34 +10:00 · 2023-08-22 01:48:34 +10:00 · 7e20e7480e
commit 7e20e7480e
parent 37f204540a
14 changed files with 206 additions and 33 deletions
--- a/driver/asm.asm
+++ b/driver/asm.asm
@ -0,0 +1,64 @@
 .code
 ; Tests the emulation of the INVD instruction
 ;
 ; source and references:
 ;
 ; https://secret.club/2020/04/13/how-anti-cheats-detect-system-emulation.html#invdwbinvd
 ; https://www.felixcloutier.com/x86/invd
 ; https://www.felixcloutier.com/x86/wbinvd
 ;
 ; Returns int
 TestINVDEmulation PROC
 	pushfq
 	cli
 	push 1					; push some dummy data onto the stack which will exist in writeback memory
 	wbinvd					; flush the internal cpu caches and write back all modified caches 
 							; lines to main memory
 	mov byte ptr [rsp], 0	; set our dummy value to 0, this takes place inside writeback memory
 	invd					; flush the internal caches, however this instruction will not write 
 							; back to system memory as opposed to wbinvd, meaning our previous 
 							; instruction which only operated on cached writeback data and not
 							; system memory has been invalidated. 
 	pop rax					; on a real system as a result of our data update instruction being
 							; invalidated, the result will be 1. On a system that does not
 							; properly implement INVD, the result will be 0 as the instruction does
 							; not properly flush the caches.
 	xor rax, 1				; invert result so function returns same way as all verification methods
 	popfq
 	ret
 TestINVDEmulation ENDP
 ;
 ; Note: fild and fistp respectively are used for loading and storing integers in the FPU,
 ; while fld and fstp are used for floating point numbers. No need to use xmm registers
 ; as we dont need that level of precision and we need to be as efficient as possible
 ;
 ; compiler will take care of saving the SSE state for us and restoring it source:
 ; https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/using-floating-point-or-mmx-in-a-wdm-driver
 ;
 ; arguments: INT64 in RCX
 ; returns resulting number lol
 MySqrt PROC
 	push rbp
 	mov rbp, rsp
 	sub rsp, 16
 	mov [rsp + 8], rcx			; cannot directly move from a register into a fp register
 	fild qword ptr[rsp + 8]		; push our number onto the FPU stack
 	fsqrt  						; perform the square root
 	fistp qword ptr[rsp]		; pop the value from the floating point stack into our general purpose stack
 	mov rax, qword ptr[rsp]		; store value in rax for return
 	add rsp, 16
 	pop rbp
 	ret
 MySqrt ENDP
 END
--- a/driver/driver.vcxproj
+++ b/driver/driver.vcxproj
@ -64,6 +64,7 @@
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
  <ImportGroup Label="ExtensionSettings">
    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
  </ImportGroup>
  <ImportGroup Label="PropertySheets">
    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
@ -143,7 +144,11 @@
    <ClInclude Include="nmi.h" />
    <ClInclude Include="queue.h" />
  </ItemGroup>
  <ItemGroup>
    <MASM Include="asm.asm" />
  </ItemGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
  <ImportGroup Label="ExtensionTargets">
    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
  </ImportGroup>
 </Project>
--- a/driver/driver.vcxproj.filters
+++ b/driver/driver.vcxproj.filters
@ -72,4 +72,9 @@
      <Filter>Header Files</Filter>
    </ClInclude>
  </ItemGroup>
  <ItemGroup>
    <MASM Include="asm.asm">
      <Filter>Source Files</Filter>
    </MASM>
  </ItemGroup>
 </Project>
--- a/driver/hv.c
+++ b/driver/hv.c
@ -9,35 +9,92 @@
 #define IA32_APERF_MSR 0x000000E8
 /*
-* 1. Bind thread to a single core
+* TODO: Perform the test in a loop and average the delta out, then compare it 
-* 2. Raise the IRQL to HIGH_LEVEL
+* to an instruction such as FYL2XP1 (source: secret.club) which has an average
-* 3. disable interrupts 
+* execution time slightly higher then the CPUID instruction then compare the two.
 * If the average time for the CPUID instruction is higher then the average time 
 * then the FYL2XP1 instruction it is a dead giveaway we are running on a 
 * virtualized system.
 * 
 * source: https://secret.club/2020/01/12/battleye-hypervisor-detection.html
 */
-VOID APERFMsrTimingCheck()
+
 INT APERFMsrTimingCheck()
 {
 	KAFFINITY new_affinity = { 0 };
 	KAFFINITY old_affinity = { 0 };
 	ULONG64 old_irql;
 	INT cpuid_result[ 4 ];
-	old_irql = __readcr8();
+	/*
 	* First thing we do is we lock the current thread to the logical processor
 	* its executing on. 
 	*/
 	new_affinity = ( KAFFINITY )( 1 << KeGetCurrentProcessorNumber() );
 	old_affinity = KeSetSystemAffinityThreadEx( new_affinity );
 	/*
 	* Once we've locked our thread to the current core, we saved the old irql
 	* and raise to HIGH_LEVEL to ensure the chance our thread is preempted 
 	* by a thread with a higher IRQL is extremely low.
 	*/
 	old_irql = __readcr8();
 	__writecr8( HIGH_LEVEL );
 	/*
 	* Then we also disable interrupts, once again making sure our thread
 	* is not preempted.
 	*/
 	_disable();
 	/*
 	* Once our thread is ready for the test, we read the APERF from the 
 	* MSR register and store it. We then execute a CPUID instruction
 	* which we don't really care about and immediately after read the APERF
 	* counter once again and store it in a seperate variable.
 	*/
 	UINT64 aperf_before = __readmsr( IA32_APERF_MSR ) << 32;
 	__cpuid( cpuid_result, 1 );
 	UINT64 aperf_after = __readmsr( IA32_APERF_MSR ) << 32;
 	/*
 	* Once we have performed our test, we want to make sure we are not 
 	* hogging the cpu time from other threads, so we reverse the initial
 	* preparation process. i.e we first enable interrupts, lower our irql
 	* to the threads previous irql before it was raised and then restore the
 	* threads affinity back to its original affinity.
 	*/
 	_enable();
 	__writecr8( old_irql );
 	KeRevertToUserAffinityThreadEx( old_affinity );
 	/*
 	* Now the only thing left to do is calculate the change. Now, on some VMs 
 	* such as VMWARE the aperf value will be 0, meaning the change will be 0.
 	* This is a dead giveaway we are executing in a VM. 
 	*/
 	UINT64 aperf_delta = aperf_after - aperf_before;
-	_enable();
+	return aperf_delta == 0 ? TRUE : FALSE;
 }
-	DEBUG_LOG( "delta: %llx", aperf_delta );
+NTSTATUS PerformVirtualizationDetection(
 	_In_ PIRP Irp
 )
 {
 	NTSTATUS status = STATUS_SUCCESS;
 	HYPERVISOR_DETECTION_REPORT report;
 	report.aperf_msr_timing_check = APERFMsrTimingCheck();
 	report.invd_emulation_check = TestINVDEmulation();
 	Irp->IoStatus.Information = sizeof( HYPERVISOR_DETECTION_REPORT );
 	RtlCopyMemory(
 		Irp->AssociatedIrp.SystemBuffer,
 		&report,
 		sizeof( HYPERVISOR_DETECTION_REPORT )
 	);
 	return status;
 }
--- a/driver/hv.h
+++ b/driver/hv.h
@ -3,6 +3,17 @@
 #include <ntifs.h>
-VOID APERFMsrTimingCheck();
+typedef struct _HYPERVISOR_DETECTION_REPORT
 {
 	INT aperf_msr_timing_check;
 	INT invd_emulation_check;
 }HYPERVISOR_DETECTION_REPORT, *PHYPERVISOR_DETECTION_REPORT;
 NTSTATUS PerformVirtualizationDetection(
 	_In_ PIRP Irp
 );
 extern INT TestINVDEmulation();
 #endif
--- a/driver/ioctl.c
+++ b/driver/ioctl.c
@ -98,8 +98,6 @@ NTSTATUS DeviceControl(
 	case IOCTL_HANDLE_REPORTS_IN_CALLBACK_QUEUE:
 		APERFMsrTimingCheck();
 		status = HandlePeriodicCallbackReportQueue(Irp);
 		if ( !NT_SUCCESS( status ) )
@ -107,6 +105,15 @@ NTSTATUS DeviceControl(
 		break;
 	case IOCTL_PERFORM_VIRTUALIZATION_CHECK:
 		status = PerformVirtualizationDetection( Irp );
 		if ( !NT_SUCCESS( status ) )
 			DEBUG_ERROR( "PerformVirtualizationDetection failed with status %x", status );
 		break;
 	default:
 		DEBUG_ERROR( "Invalid IOCTL passed to driver" );
 		break;
--- a/driver/ioctl.h
+++ b/driver/ioctl.h
@ -11,6 +11,7 @@
 #define IOCTL_VALIDATE_DRIVER_OBJECTS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2002, METHOD_BUFFERED, FILE_ANY_ACCESS)
 #define IOCTL_NOTIFY_DRIVER_ON_PROCESS_LAUNCH CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2004, METHOD_BUFFERED, FILE_ANY_ACCESS)
 #define IOCTL_HANDLE_REPORTS_IN_CALLBACK_QUEUE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2005, METHOD_BUFFERED, FILE_ANY_ACCESS)
 #define IOCTL_PERFORM_VIRTUALIZATION_CHECK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2006, METHOD_BUFFERED, FILE_ANY_ACCESS)
 typedef struct _DRIVER_INITIATION_INFORMATION
 {
--- a/driver/modules.h
+++ b/driver/modules.h
@ -5,7 +5,7 @@
 #include <intrin.h>
 #define REPORT_MODULE_VALIDATION_FAILURE 60
-#define MODULE_VALIDATION_FAILURE_MAX_REPORT_COUNT 5
+#define MODULE_VALIDATION_FAILURE_MAX_REPORT_COUNT 20
 #define MODULE_REPORT_DRIVER_NAME_BUFFER_SIZE 128
--- a/user/km/driver.cpp
+++ b/user/km/driver.cpp
@ -192,8 +192,6 @@ void kernelmode::Driver::QueryReportQueue()
 				( UINT64 )buffer + sizeof( global::report_structures::OPEN_HANDLE_FAILURE_REPORT_HEADER ) +
 				i * sizeof( global::report_structures::OPEN_HANDLE_FAILURE_REPORT ) );
 		std::cout << report->process_id << " " << report->process_name << std::endl;
 		this->report_interface->ReportViolation( report );
 	}
@ -232,21 +230,33 @@ void kernelmode::Driver::NotifyDriverOnProcessLaunch()
 		LOG_ERROR( "DeviceIoControl failed with status code 0x%x", GetLastError() );
 }
-void kernelmode::Driver::CompleteQueuedCallbackReports()
+void kernelmode::Driver::DetectSystemVirtualization()
 {
 	BOOLEAN status;
 	HYPERVISOR_DETECTION_REPORT report;
 	DWORD bytes_returned;
-}
+	status = DeviceIoControl(
 		this->driver_handle,
 		IOCTL_PERFORM_VIRTUALIZATION_CHECK,
 		NULL,
 		NULL,
 		&report,
 		sizeof( HYPERVISOR_DETECTION_REPORT ),
 		&bytes_returned,
 		NULL
 	);
-void kernelmode::Driver::EnableProcessLoadNotifyCallbacks()
+	if ( status == NULL )
-{
+	{
-	/* 
+		LOG_ERROR( "DeviceIoControl failed virtualization detect with status %x", GetLastError() );
-	* note: no need for these since when the dll is loaded it will simply
+		return;
-	* notify the driver.
+	}
 	*/
 }
-void kernelmode::Driver::DisableProcessLoadNotifyCallbacks()
+	if ( report.aperf_msr_timing_check == TRUE || report.invd_emulation_check == TRUE )
-{
+		LOG_INFO( "HYPERVISOR DETECTED!!!" );
 	/* shutdown the application or smth lmao */
 }
 void kernelmode::Driver::ValidateKPRCBThreads()
--- a/user/km/driver.h
+++ b/user/km/driver.h
@ -11,6 +11,7 @@
 #define IOCTL_MONITOR_CALLBACKS_FOR_REPORTS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2003, METHOD_BUFFERED, FILE_ANY_ACCESS)
 #define IOCTL_NOTIFY_DRIVER_ON_PROCESS_LAUNCH CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2004, METHOD_BUFFERED, FILE_ANY_ACCESS)
 #define IOCTL_HANDLE_REPORTS_IN_CALLBACK_QUEUE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2005, METHOD_BUFFERED, FILE_ANY_ACCESS)
 #define IOCTL_PERFORM_VIRTUALIZATION_CHECK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2006, METHOD_BUFFERED, FILE_ANY_ACCESS)
 #define MAX_HANDLE_REPORTS_PER_IRP 10
@ -23,6 +24,7 @@ namespace kernelmode
 		std::shared_ptr<global::Report> report_interface;
 		void QueryReportQueue();
 	public:
 		Driver(LPCWSTR DriverName, std::shared_ptr<global::Report> ReportInterface );
@ -31,9 +33,7 @@ namespace kernelmode
 		void VerifySystemModules();
 		void RunCallbackReportQueue();
 		void NotifyDriverOnProcessLaunch();
-		void CompleteQueuedCallbackReports();
+		void DetectSystemVirtualization();
 		void EnableProcessLoadNotifyCallbacks();
 		void DisableProcessLoadNotifyCallbacks();
 		void ValidateKPRCBThreads();
 		void CheckDriverHeartbeat();
 		/* todo: driver integrity check */
@ -43,6 +43,12 @@ namespace kernelmode
 	{
 		LONG protected_process_id;
 	};
 	struct HYPERVISOR_DETECTION_REPORT
 	{
 		INT aperf_msr_timing_check;
 		INT invd_emulation_check;
 	};
 }
 #endif
--- a/user/km/kmanager.cpp
+++ b/user/km/kmanager.cpp
@ -20,3 +20,8 @@ void kernelmode::KManager::MonitorCallbackReports()
 {
 	this->thread_pool->QueueJob( [ this ]() { this->driver_interface->RunCallbackReportQueue(); } );
 }
 void kernelmode::KManager::DetectSystemVirtualization()
 {
 	this->thread_pool->QueueJob( [ this ]() { this->driver_interface->DetectSystemVirtualization(); } );
 }
--- a/user/km/kmanager.h
+++ b/user/km/kmanager.h
@ -20,6 +20,7 @@ namespace kernelmode
 		void RunNmiCallbacks();
 		void VerifySystemModules();
 		void MonitorCallbackReports();
 		void DetectSystemVirtualization();
 	};
 }
--- a/user/main.cpp
+++ b/user/main.cpp
@ -28,9 +28,10 @@ DWORD WINAPI Init(HINSTANCE hinstDLL)
    usermode::UManager umanager( thread_pool, report_interface );
    kernelmode::KManager kmanager( driver_name, thread_pool, report_interface);
-    kmanager.MonitorCallbackReports();
+    //kmanager.MonitorCallbackReports();
    //kmanager.RunNmiCallbacks();
-    kmanager.VerifySystemModules();
+    //kmanager.VerifySystemModules();
    kmanager.DetectSystemVirtualization();
    //umanager.ValidateProcessModules();
    //umanager.ValidateProcessMemory();
--- a/user/report.h
+++ b/user/report.h
@ -9,7 +9,7 @@
 #define REPORT_BUFFER_SIZE 1024
 #define MAX_SIGNATURE_SIZE 256
-#define MODULE_VALIDATION_FAILURE_MAX_REPORT_COUNT 5
+#define MODULE_VALIDATION_FAILURE_MAX_REPORT_COUNT 20
 #define REPORT_CODE_MODULE_VERIFICATION 10
 #define REPORT_CODE_START_ADDRESS_VERIFICATION 20