HVM- going into details

Read this article: rootkit.com

Part 1

This is my first article, so please don't be too rigorous with it.

Of course all of us run into lots of problems, and may get stuck on something, when we try to get deeper into anything new. That is why I am writing this article.

We'll try to understand some 'hidden' details of AMD Pacifica (at least they were hidden for me). For each one I'll quote the part of AMD's manual that they think should be enough for you to write correct code.

1. Updating RIP after every VMEXIT.
Here is the part of AMD's manual that is supposed to tell you that RIP must be updated:
“Loading Guest State. After saving host state, VMRUN loads the following guest state from the
VMCB:
• CS, rIP—Guest begins execution at this address. The hidden state of the CS segment register is
also loaded from the VMCB….”

So this means that, before the next VMRUN, you must add the size of the intercepted instruction's opcode to the current guest RIP; otherwise the guest re-executes the same instruction.
e.g. (MSVC inline assembly)

    _emit 0x0f   // VMRUN = 0f 01 d8
    _emit 0x01
    _emit 0xd8

    // after #VMEXIT execution continues here; dispatch on the exit code
    switch (hVMCB->exitcode)
    {
        ...
    }
    hVMCB->rip += opcode;   // opcode = length of the intercepted instruction

2. Executing CLGI before VMRUN, and STGI after it (this step is recommended by Xen and other hypervisors). I haven't seen anything about this in AMD's manual.

3. Checking for erratum #170: on affected CPUs you must force a TLB flush on every #VMEXIT.
You can check like this:

    GetCpuId (0x00000001, &eax, &ebx, &ecx, &edx);

    baseFamily = (eax & 0xf00) >> 8;
    extFamily  = (eax & 0xff00000) >> 20;
    baseModel  = (eax & 0xf0) >> 4;
    extModel   = (eax & 0xf0000) >> 16;
    stepping   = eax & 0xf;

    ....
    if (baseFamily >= 0xf)                      // extended fields only count from family 0xF on
        model = baseModel + (extModel << 4);
    ....
    // the affected family/model/stepping condition is only partly shown here:
    Erratum170 = .... ((model <= 0x68) && (stepping >= 1)));
    if (Erratum170)
        DbgPrint (("Buggy CPU: Erratum #170 - must use TLB FLUSHING on VMEXITs!\n"));
    ....

I found no information in the manual concerning this question.
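To make details 1 and 3 concrete, here is an added example of my own (not code from the article, from AMD, or from any hypervisor): a small model of the #VMEXIT bookkeeping with a simplified stand-in for the VMCB, plus the CPUID signature decoding that feeds the erratum check. The struct layout and function names are assumptions; the exit codes and instruction lengths are those of the AMD manual, assuming no prefixes.

```c
#include <stdint.h>
#include <stddef.h>

/* #VMEXIT codes from the AMD APM vol. 2, Appendix C. */
enum { VMEXIT_CPUID = 0x72, VMEXIT_HLT = 0x78, VMEXIT_MSR = 0x7c,
       VMEXIT_VMRUN = 0x80, VMEXIT_VMMCALL = 0x81 };

/* Simplified stand-in for the VMCB (assumption, not the real layout). */
struct vmcb {
    uint64_t exitcode;
    uint64_t rip;   /* saved guest RIP: still points AT the intercepted instruction */
    uint64_t rax;   /* guest rAX lives here; the hypervisor's own rAX holds the VMCB address */
};

/* Length of the intercepted instruction (assumes no legacy/REX prefixes). */
size_t intercepted_insn_len(uint64_t exitcode)
{
    switch (exitcode) {
    case VMEXIT_CPUID:   return 2;  /* 0f a2 */
    case VMEXIT_HLT:     return 1;  /* f4 */
    case VMEXIT_MSR:     return 2;  /* 0f 30 (WRMSR) / 0f 32 (RDMSR) */
    case VMEXIT_VMRUN:   return 3;  /* 0f 01 d8 */
    case VMEXIT_VMMCALL: return 3;  /* 0f 01 d9 */
    default:             return 0;  /* other exits (e.g. external interrupt): re-execute, don't skip */
    }
}

/* Detail 1: advance the guest RIP past the intercepted instruction before VMRUN. */
uint64_t skip_intercepted_insn(struct vmcb *vmcb)
{
    vmcb->rip += intercepted_insn_len(vmcb->exitcode);
    return vmcb->rip;
}

/* Detail 3: decode CPUID Fn0000_0001 EAX into family/model/stepping, the input
 * of the erratum #170 check (the extended fields only count for family 0xF and up). */
struct cpu_sig { unsigned family, model, stepping; };

struct cpu_sig decode_cpuid_signature(uint32_t eax)
{
    unsigned baseFamily = (eax & 0xf00) >> 8, extFamily = (eax & 0xff00000) >> 20;
    unsigned baseModel  = (eax & 0xf0) >> 4,  extModel  = (eax & 0xf0000) >> 16;
    struct cpu_sig s = { baseFamily, baseModel, eax & 0xf };
    if (baseFamily >= 0xf) {
        s.family = baseFamily + extFamily;
        s.model  = baseModel + (extModel << 4);
    }
    return s;
}
```

The sample signature values used in testing (0x00040F13, 0x00000633) are constructed, not taken from a specific CPU.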

4. After #VMEXIT the general-purpose registers are left as they are: the values the guest was using are exactly what the hypervisor code sees.
So if you don't want to change anything in the guest, save them on entry and restore them before returning to the guest.

5. This is an addition to the 4th detail.
There is one important exception: while in the hypervisor, the rAX register always contains the physical address of the VMCB structure, and the guest's rAX is instead loaded from and saved into the VMCB.rAX field.
This detail was hidden in this text:
“Loading Guest State. After saving host state, VMRUN loads the following guest state from the
VMCB:
……
• RFLAGS, RAX.
…….

6. Handling exceptions. This detail is well explained in AMD's manual, but I write about it because it's very important.
If you want to intercept certain instructions, you must also handle the exceptions they raise.
For additional information look it up in AMD's manual.

Maybe I am wrong and all of this information is explained in the manual; however, I hope this article will help you.
I also hope this article will be continued, but that depends on your curiosity and research as well as mine.

~ by KeMmIo on March 7, 2010.
