EPROCESS struct (x64)

•October 18, 2010 • Leave a Comment

// Only valid for Windows 7 RC x64
/* Some small nested structs are not reproduced here because you can easily obtain their layout with WinDbg. */

// Process-creation audit record embedded in EPROCESS (SeAuditProcessCreationInfo).
// Hand transcription for Windows 7 RC x64 only; verify against the target build's symbols.
typedef struct _SE_AUDIT_PROCESS_CREATION_INFO
{
PVOID ImageFileName; // _OBJECT_NAME_INFORMATION * — opaque here; presumably the image path captured at creation for auditing, confirm with WinDbg

}SE_AUDIT_PROCESS_CREATION_INFO,*PSE_AUDIT_PROCESS_CREATION_INFO;

// Working-set manager state for one process (embedded as EPROCESS.Vm).
// Hand transcription for Windows 7 RC x64 only; sizes and offsets differ on other
// builds, so verify against the target build with WinDbg `dt nt!_MMSUPPORT`.
typedef struct _MMSUPPORT
{
ULONGLONG PushLock; // lock word guarding this structure — per name; confirm type/semantics
PVOID ExitGate; //_KGATE *
PVOID AccessLog;
LIST_ENTRY WorkingSetExpansionLinks;
ULONG AgeDistribution[7];
ULONG MinimumWorkingSetSize; // the size/count fields below are presumably in pages (see the *Pages siblings) — confirm units
ULONG WorkingSetSize;
ULONG WorkingSetPrivateSize;
ULONG MaximumWorkingSetSize;
ULONG ChargedWslePages;
ULONG ActualWslePages;
ULONG WorkingSetSizeOverhead;
ULONG PeakWorkingSetSize;
ULONG HardFaultCount;
PVOID VmWorkingSetList; //_MMWSL*
USHORT NextPageColor;
USHORT LastTrimStamp;
ULONG PageFaultCount;
ULONG RepurposeCount;
ULONG Spare[2];
ULONG Flags; //_MMSUPPORT_FLAGS — a bitfield type flattened to a plain ULONG in this transcription
}MMSUPPORT,*PMMSUPPORT;

// Executive process object: the kernel's per-process record, Windows 7 RC x64.
// This layout is a hand transcription for ONE build. Field sizes and offsets change
// between builds and service packs, so code that hard-codes these offsets reads or
// writes the wrong memory on any other kernel. Take the layout from the matching
// build's symbols (WinDbg `dt nt!_EPROCESS`) instead of copying it.
// BYTE[n] members are opaque placeholders for types not reproduced on this page.
typedef struct _EPROCESS
{
KPROCESS Pcb; // kernel-layer process control block at offset 0 (see _KPROCESS later on this page)
PVOID ProcessLock; //EX_PUSH_LOCK
LARGE_INTEGER CreateTime;
LARGE_INTEGER ExitTime;
EX_RUNDOWN_REF RundownProtect;
PVOID UniqueProcessId; // the PID, carried in a pointer-sized field
LIST_ENTRY ActiveProcessLinks; // links into the active-process list (per name); forensic tooling cross-checks it against ThreadListHead, SessionProcessLinks and MmProcessLinks below to detect list tampering
ULONGLONG ProcessQuotaUsage[2];
ULONGLONG ProcessQuotaPeak[2];
ULONGLONG CommitCharge;
PVOID QuotaBlock; //_EPROCESS_QUOTA_BLOCK *
PVOID CpuQuotaBlock; //_PS_CPU_QUOTA_BLOCK
ULONGLONG PeakVirtualSize;
ULONGLONG VirtualSize;
LIST_ENTRY SessionProcessLinks;
PVOID DebugPort; // debug port object (NULL when no debugger is attached) — per name; confirm with WinDbg
//union
//{
// PVOID ExceptionPortData;
// ULONG ExceptionPortValue;
// ULONG ExceptionPortState: 3;
//};
PVOID ExceptionPortData; // in the real type this is the union commented above: the low 3 bits carry ExceptionPortState, so mask them off before treating the value as a pointer
PVOID ObjectTable; //PHANDLE_TABLE — the process's handle table
BYTE Token[8]; //EX_FAST_REF — not a plain pointer: a reference count is packed into the low bits; mask before dereferencing (confirm the mask width for this build)
ULONGLONG WorkingSetPage;
BYTE AddressCreationLock[8]; //EX_PUSH_LOCK
PVOID RotateInProgress; //PETHREAD
PVOID ForkInProgress; //PETHREAD
ULONGLONG HardwareTrigger;
PVOID PhysicalVadRoot; //PMM_AVL_TABLE
PVOID CloneRoot;
ULONGLONG NumberOfPrivatePages;
ULONGLONG NumberOfLockedPages;
PVOID Win32Process;
PVOID Job; //PEJOB
PVOID SectionObject;
PVOID SectionBaseAddress;

ULONG Cookie;
ULONG UmsScheduledThreads;
PVOID WorkingSetWatch; //_PAGEFAULT_HISTORY *
PVOID Win32WindowStation;
PVOID InheritedFromUniqueProcessId; // parent PID, pointer-sized like UniqueProcessId
PVOID LdtInformation;
PVOID Spare;
ULONGLONG ConsoleHostProcess;
PVOID DeviceMap;
PVOID EtwDataSource;
PVOID FreeTebHint;
ULONGLONG PageDirectoryPte; //_HARDWARE_PTE — in the real type a union with a UINT64 filler, see below
//union
//{
// HARDWARE_PTE PageDirectoryPte;
// UINT64 Filler;
//};
PVOID Session;
UCHAR ImageFileName[15]; // only 15 bytes: a 15-character name has no NUL terminator, so bound every read by sizeof and never strlen() it
UCHAR PriorityClass;
LIST_ENTRY JobLinks;
PVOID LockedPagesList;
LIST_ENTRY ThreadListHead;
PVOID SecurityPort;
PVOID Wow64Process; // non-NULL presumably marks a 32-bit process on this x64 kernel — confirm
ULONG ActiveThreads;
ULONG ImagePathHash;
ULONG DefaultHardErrorProcessing;
LONG LastThreadExitStatus; // NTSTATUS
PPEB Peb; // user-mode address of the PEB; NOTE(review): presumably only valid while in this process's address-space context — confirm before dereferencing from kernel code
BYTE PrefetchTrace[8]; //EX_FAST_REF (see Token for the packed-refcount caveat)
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
ULONGLONG CommitChargeLimit;
ULONGLONG CommitChargePeak;
PVOID AweInfo;
SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo; // image name recorded for auditing at creation
MMSUPPORT Vm; // working-set state, see _MMSUPPORT above
LIST_ENTRY MmProcessLinks;
PVOID HighestUserAddress;
ULONG ModifiedPageCount;
ULONG Flags2; // flag bitfields flattened to plain ULONGs in this transcription; use WinDbg for the bit names
ULONG Flags;
LONG ExitStatus; // NTSTATUS
BYTE VadRoot[64]; //_MM_AVL_TABLE — opaque 64-byte placeholder
BYTE AlpcContext[32]; //_ALPC_PROCESS_CONTEXT — opaque 32-byte placeholder
LIST_ENTRY TimerResolutionLink;
ULONG RequestedTimerResolution;
ULONG ActiveThreadsHighWatermark;
ULONG SmallestTimerResolution;
PVOID TimerResolutionStackRecord;//_PO_DIAG_STACK_RECORD*
} EPROCESS, *PEPROCESS;

KPROCESS struct (x64)

•October 18, 2010 • Leave a Comment

// Only valid for Windows 7 RC x64
/* Some small nested structs are not reproduced here because you can easily obtain their layout with WinDbg. */

// Per-process execute (DEP/NX) options, stored as KPROCESS.Flags.
// The single-bit flags are meant to overlay the one byte ExecuteOptions.
// NOTE(review): the bitfields are declared ULONG here, which makes this union 4 bytes
// wide, so the UCHAR ExecuteOptions member only aliases the first byte. If the real
// type is a 1-byte union of UCHAR bitfields (check with WinDbg `dt nt!_KEXECUTE_OPTIONS`),
// the ULONGs should be UCHAR — otherwise every KPROCESS offset after Flags is shifted.
typedef struct _KEXECUTE_OPTIONS
{
union
{
ULONG ExecuteDisable: 1;
ULONG ExecuteEnable: 1;
ULONG DisableThunkEmulation: 1;
ULONG Permanent: 1;
ULONG ExecuteDispatchEnable: 1;
ULONG ImageDispatchEnable: 1;
ULONG DisableExceptionChainValdation: 1; // spelling kept as transcribed
ULONG Spare: 1;
UCHAR ExecuteOptions; // all eight flags above as one byte
};

} KEXECUTE_OPTIONS, *PKEXECUTE_OPTIONS;

// Extended processor-affinity set used by KPROCESS (Affinity, ActiveProcessors).
// Hand transcription for Windows 7 RC x64 only.
typedef struct _KAFFINITY_EX
{
USHORT Count; // number of Bitmap entries in use — per name; confirm
USHORT Size; // capacity of Bitmap — per name; confirm
ULONG Reserved;
ULONGLONG Bitmap[4]; // four 64-bit masks: 4 x 64 = 256 processors representable
} KAFFINITY_EX,*PKAFFINITY_EX;

// Kernel-layer process control block, embedded at the start of EPROCESS (EPROCESS.Pcb).
// Hand transcription for Windows 7 RC x64 only — offsets differ on other builds, so
// verify against the target build with WinDbg `dt nt!_KPROCESS` before relying on them.
typedef struct _KPROCESS
{
DISPATCHER_HEADER Header; // dispatcher header first, so a process is a dispatcher (waitable) object
LIST_ENTRY ProfileListHead;
ULONGLONG DirectoryTableBase; // page-table root for the process (the CR3 value, per the name); memory-forensics tools use it to rebuild the process's address space from a memory image
LIST_ENTRY ThreadListHead;
ULONGLONG ProcessLock;
KAFFINITY_EX Affinity; // processors the process may run on (see _KAFFINITY_EX above)
LIST_ENTRY ReadyListHead;
SINGLE_LIST_ENTRY SwapListEntry;
KAFFINITY_EX ActiveProcessors;
union
{
ULONG AutoAlignment: 1;
ULONG DisableBoost: 1;
ULONG DisableQuantum: 1;
ULONG ActiveGroupMask :4;
ULONG ReservedFlags: 25;
LONG ProcessFlags; // all of the bits above as one 32-bit value (1+1+1+4+25 = 32 bits, so the overlay is complete)
};
CHAR BasePriority;
CHAR QuantumReset;
UCHAR Visited;
UCHAR Unused3;
ULONG ThreadSeed[4] ;
USHORT IdealNode[4] ;
USHORT IdealGlobalNode;
KEXECUTE_OPTIONS Flags; // DEP/NX execute options. NOTE(review): as transcribed on this page _KEXECUTE_OPTIONS uses ULONG bitfields and is 4 bytes; if it is really a 1-byte union (its ExecuteOptions member is a UCHAR) the offsets from here through StackCount shift — confirm with WinDbg
UCHAR Unused1;
UCHAR Unused2;
UCHAR Unused4;
ULONG StackCount;
LIST_ENTRY ProcessListEntry;
UINT64 CycleTime;
ULONG KernelTime;
ULONG UserTime;
PVOID InstrumentationCallback;
ULONGLONG LdtDescriptor[2];
PVOID LdtBaseAddress;
KGUARDED_MUTEX LdtProcessLock;
USHORT LdtFreeSelectorHint;
USHORT LdtTableLength;
} KPROCESS, *PKPROCESS;

P.S.P (Public Service Programmers)

•October 11, 2010 • Leave a Comment

This is my new PSP (PlayStation Portable) programming team. This is the site: psprogrammer.wordpress.com

HVM- going into details

•March 7, 2010 • Leave a Comment

Read this article: rootkit.com

Part 1

This is my first article, so please don't be too rigorous.

Of course, all of us run into lots of problems and may get stuck on something when we try to get deeper into anything new. That's why I am writing this article.

We'll try to understand some 'hidden' details of AMD Pacifica (at least they were hidden for me). I'll quote the parts of AMD's manual which they think should help you write correct code.

1. Updating RIP after every VMEXIT.
I'll show the part of the text in AMD's manual which is supposed to make you understand that RIP must be updated:
“Loading Guest State. After saving host state, VMRUN loads the following guest state from the
VMCB:
• CS, rIP—Guest begins execution at this address. The hidden state of the CS segment register is
also loaded from the VMCB….”

So this means that you must add the size of the opcode to the current RIP.
e.g.
“ _emit 0x0f //VMRUN
_emit 0x01
_emit 0xd8


switch (hVMCB->exitcode)
{
}…
hVMCB->rip += opcode;

2. Executing CLGI before VMRUN, and STGI after it (this step is recommended by Xen and other hypervisors). I haven't seen anything about this in AMD's manual.

3. Checking for erratum #170: this means that you must force TLB flushing on VMEXITs.
You can check for it like this:
“ GetCpuId (0x00000001, &eax, &ebx, &ecx, &edx);

baseFamily = (eax & 0xf00) >> 8;
extFamily = (eax & 0xff00000) >> 20;
baseModel = (eax & 0xf0) >> 4;
extModel = (eax & 0xf0000) >> 16;
stepping = eax & 0xf;

….
if (baseFamily >= 0xf)
model = baseModel + (extModel <= 0x68)
&& (stepping >= 1)));
if (Erratum170)
DbgPrint ((“Buggy CPU: Erratum #170 – must use TLB FLUSHING on VMEXITs!\n”));
….

There wasn't any information concerning this question.

4. After VMEXIT, the general CPU registers are left unchanged; this means that the register values used in guest mode are the ones the hypervisor code sees.
So if you don't want to change anything, you had better save them and restore them afterwards.

5. This is an addition to the 4th detail.
There is one important exception: while in the hypervisor, the rAX register always contains the physical address of the VMCB structure, and the guest's rAX is loaded from and saved into the VMCB.rAX field.
This detail was hidden in this text:
“Loading Guest State. After saving host state, VMRUN loads the following guest state from the
VMCB:
……
• RFLAGS, RAX.
…….

6. Handling exceptions. This detail is well explained in AMD's manual, but I write about it because it's very important.
So, you must handle certain exceptions if you want to intercept certain instructions.
For additional information, look it up in AMD's manual.

Maybe I am wrong and all of this information was explained in the manual; however, I hope this article will help you.
I also hope this article will be continued, but everything depends on your curiosity and research, and mine.

Oooh…. Man at last exams!!

•January 8, 2010 • Leave a Comment

Bloody, bloody math exam; I was so confused by its difficulty. They gave 3 hours and 80 questions — it's bloody hard.
There weren't little questions; those were full exercises.
At last I passed. Actually, I don't yet know how much I will get, but I answered all the questions.
I hope to get 20 out of 20!!!!!

Really Good Stuff for Kernel Programmers

•December 26, 2009 • Leave a Comment

I want to help people learn kernel programming.
This is the list of books & sources:

Part I. Kernel

1. Windows Internals (Mark R., David S.). Really, really cool book; read this first!!!

SECOND PART:

2. ReactOS sources (it's compatible with Windows).

3. WRK (Windows Research Kernel).
4. If you speak Russian, you must read FourF's tutorials.

Part II. Virtualization

1. Read "The Definitive Guide to the Xen Hypervisor".
2. AMD and/or Intel manuals.
3. Xen sources.
4. VirtualBox sources.
5. Linux KVM sources (don't be afraid of "Linux", because virtualization is hardware based, not OS based).
6. Take a look at BluePill's code (it's for AMD virtualization).

Oh, it's going to be off-topic, but I must say: writing an OS or other kernel stuff is very dangerous and you must be careful, so I strongly recommend that you read "Writing Secure Code" by Michael Howard & David LeBlanc.

So find your way into kernel programming.

Yours sincerely….

Virtual Machine Detection

•December 24, 2009 • 1 Comment

Virtual Box
Yeah, I know, there are lots of methods to find out whether your PC is virtualized.
You can analyze the IDT, GDT and LDT base addresses, use the RDTSC trick… the list continues.
But this is what I found out from my research.

Microsoft PDC: Win 7 and Win Server 2008 R2 Kernel Changes

•December 24, 2009 • Leave a Comment

Check this out; I found it on PDC's site. It's Mark's new presentation.

And of course, especially for you:
Note: your browser must have Silverlight!

PART 1

 

PART 2

Come explore beneath the hood of Windows 7 and Windows Server 2008 R2, and learn about the key changes in the kernel. Topics include: scalability improvements, security improvements, power efficiency enhancements, core architecture changes to modularize Windows, and much more. Note: This session spans the 1:30 and 3pm session slots with a 10 minute break at 2:30.

Yours sincerely…

Virtual Machine Detection

•December 24, 2009 • Leave a Comment
Virtual Box

Virtual Box

Yeah, I know, there are lots of methods to find out whether your PC is virtualized.
You can analyze the IDT, GDT and LDT base addresses, use the RDTSC trick… the list continues.
But this is what I found out from my research.

One day I was looking through Mark's blog (I hope you know who he is: Mark Russinovich, OS maestro). I found an interesting post about computer SIDs; here's the link: SID (Mark's Blog).

He wrote a program called PsGetSid. When I saw it, the left part of my brain asked, "Do you SMELL anything?" — the right part answered, "It SMELLs like virtualization detection," so I downloaded the program. I had VirtualBox on my PC.

So I ran the program and saved the SID it returned.
Then I ran it inside VirtualBox and compared the result with the one I had received on the real PC, and I saw that they were DIFFERENT.
I said, "Ho-ho, one more method to add to the detection list."
Then I shut down my PC and went to sleep.

I'm not trying to prove that this is the best method, but it works. Actually, it's not such a pretty method, because you must have the real computer's SID.