From 76a508d6476fc48eb409f3cdd9b66a53da6cc565 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=90=B4=E5=BF=83?= <root@key08.com>
Date: Wed, 22 Jun 2022 14:58:47 +0800
Subject: [PATCH] 1

---
 mash_hypervisor.sln                           |  51 ++++++
 mash_hypervisor/.vscode/c_cpp_properties.json |  22 +++
 mash_hypervisor/main.cpp                      | 110 +++++++++++++
 mash_hypervisor/mash_hypervisor.inf           |  26 +++
 mash_hypervisor/mash_hypervisor.vcxproj       | 149 ++++++++++++++++++
 .../mash_hypervisor.vcxproj.filters           |  31 ++++
 6 files changed, 389 insertions(+)
 create mode 100644 mash_hypervisor.sln
 create mode 100644 mash_hypervisor/.vscode/c_cpp_properties.json
 create mode 100644 mash_hypervisor/main.cpp
 create mode 100644 mash_hypervisor/mash_hypervisor.inf
 create mode 100644 mash_hypervisor/mash_hypervisor.vcxproj
 create mode 100644 mash_hypervisor/mash_hypervisor.vcxproj.filters

diff --git a/mash_hypervisor.sln b/mash_hypervisor.sln
new file mode 100644
index 0000000..128cc87
--- /dev/null
+++ b/mash_hypervisor.sln
@@ -0,0 +1,51 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.32126.315
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "mash_hypervisor", "mash_hypervisor\mash_hypervisor.vcxproj", "{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|ARM = Debug|ARM
+		Debug|ARM64 = Debug|ARM64
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|ARM = Release|ARM
+		Release|ARM64 = Release|ARM64
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Debug|ARM.ActiveCfg = Debug|ARM
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Debug|ARM.Build.0 = Debug|ARM
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Debug|ARM.Deploy.0 = Debug|ARM
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Debug|ARM64.ActiveCfg = Debug|ARM64
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Debug|ARM64.Build.0 = Debug|ARM64
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Debug|ARM64.Deploy.0 = Debug|ARM64
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Debug|x64.ActiveCfg = Debug|x64
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Debug|x64.Build.0 = Debug|x64
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Debug|x64.Deploy.0 = Debug|x64
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Debug|x86.ActiveCfg = Debug|Win32
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Debug|x86.Build.0 = Debug|Win32
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Debug|x86.Deploy.0 = Debug|Win32
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Release|ARM.ActiveCfg = Release|ARM
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Release|ARM.Build.0 = Release|ARM
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Release|ARM.Deploy.0 = Release|ARM
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Release|ARM64.ActiveCfg = Release|ARM64
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Release|ARM64.Build.0 = Release|ARM64
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Release|ARM64.Deploy.0 = Release|ARM64
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Release|x64.ActiveCfg = Release|x64
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Release|x64.Build.0 = Release|x64
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Release|x64.Deploy.0 = Release|x64
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Release|x86.ActiveCfg = Release|Win32
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Release|x86.Build.0 = Release|Win32
+		{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}.Release|x86.Deploy.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {49B729C3-DFA3-41A3-B56F-D42D0017F741}
+	EndGlobalSection
+EndGlobal
diff --git a/mash_hypervisor/.vscode/c_cpp_properties.json b/mash_hypervisor/.vscode/c_cpp_properties.json
new file mode 100644
index 0000000..737724f
--- /dev/null
+++ b/mash_hypervisor/.vscode/c_cpp_properties.json
@@ -0,0 +1,22 @@
+{
+    "configurations": [
+        {
+            "name": "Win32",
+            "includePath": [
+                "${workspaceFolder}/**",
+                "D:\\Windows Kits\\10\\Include\\10.0.19041.0\\km\\**"
+            ],
+            "defines": [
+                "_DEBUG",
+                "UNICODE",
+                "_UNICODE"
+            ],
+            "windowsSdkVersion": "10.0.22000.0",
+            "compilerPath": "D:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.29.30133/bin/Hostx64/x64/cl.exe",
+            "cStandard": "c17",
+            "cppStandard": "c++17",
+            "intelliSenseMode": "windows-msvc-x64"
+        }
+    ],
+    "version": 4
+}
\ No newline at end of file
diff --git a/mash_hypervisor/main.cpp b/mash_hypervisor/main.cpp
new file mode 100644
index 0000000..41aae15
--- /dev/null
+++ b/mash_hypervisor/main.cpp
@@ -0,0 +1,110 @@
+#include <intrin.h>
+#include <ntifs.h>
+#include <ntimage.h>
+#include <windef.h>
+#define page_shift 12L
+#define DebugPrint(...) \
+    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, __VA_ARGS__)
+namespace cpu {
+typedef union {
+    uintptr_t AsUInt64;
+    struct {
+        uintptr_t Reserved1 : 3;
+        uintptr_t WriteThrough : 1;
+        uintptr_t CacheDisable : 1;
+        uintptr_t Reserved2 : 7;
+        uintptr_t PageFrameNumber : 36;
+        uintptr_t Reserved3 : 16;
+    } field;
+} _cr3;
+struct _cpuid {
+    unsigned int rax;
+    unsigned int rbx;
+    unsigned int rcx;
+    unsigned int rdx;
+};
+};  // namespace cpu
+
+// copy from hyperduck tools.cpp
+namespace tools {
+auto virtual_to_physical(uintptr_t virtualaddress) -> uintptr_t {
+    PHYSICAL_ADDRESS pa;
+    pa = MmGetPhysicalAddress(reinterpret_cast<void*>(virtualaddress));
+    return pa.QuadPart;
+}
+auto get_phyaddress_by_pfn(uintptr_t pfn) -> uintptr_t {
+    return static_cast<uintptr_t>(pfn) << page_shift;
+}
+auto physical_to_virtual(uintptr_t pa) -> uintptr_t {
+    PHYSICAL_ADDRESS phy_address_transform;
+    phy_address_transform.QuadPart = pa;
+    return reinterpret_cast<uintptr_t>(
+        MmGetVirtualForPhysical(phy_address_transform));
+}
+auto allocate_contiguous_memory(unsigned long size) -> void* {
+    PHYSICAL_ADDRESS phys = {0};
+    phys.QuadPart = ~0ULL;
+    PVOID result = MmAllocateContiguousMemory(size, phys);
+    if (result) RtlSecureZeroMemory(result, size);
+    return result;
+}
+auto free_contiguous_memory(void* address) -> void {
+    MmFreeContiguousMemory(address);
+};
+auto get_cpu_num() -> size_t {
+    return static_cast<size_t>(__readgsbyte(0x184));
+}
+}  // namespace tools
+auto drv_entry(PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path)
+    -> NTSTATUS {
+    UNREFERENCED_PARAMETER(driver_object);
+    UNREFERENCED_PARAMETER(registry_path);
+    PAGED_CODE();
+    cpu::_cpuid cpuid_info = {0};
+    static const auto pml4_table_size = sizeof(void*) * 512;
+    cpu::_cr3 system_cr3_value;
+    system_cr3_value.AsUInt64 = __readcr3();
+    cpu::_cr3 build_cr3_value;
+    build_cr3_value.AsUInt64 = __readcr3();
+    // copy the system cr3 for backup
+    const auto kernel_pml4_pa =
+        tools::get_phyaddress_by_pfn(system_cr3_value.field.PageFrameNumber);
+    const auto kernel_pml4_va =
+        reinterpret_cast<void*>(tools::physical_to_virtual(kernel_pml4_pa));
+    void* pml4_backup_va = tools::allocate_contiguous_memory(pml4_table_size);
+    NT_ASSERT(pml4_backup_va);
+    // build own cr3 value
+    memcpy(pml4_backup_va, kernel_pml4_va, pml4_table_size);
+    build_cr3_value.field.PageFrameNumber =
+        (tools::virtual_to_physical(
+             reinterpret_cast<uintptr_t>(pml4_backup_va)) >>
+         page_shift);
+
+    KIRQL irql;
+    KeRaiseIrql(DISPATCH_LEVEL, &irql);
+
+    __writecr3(build_cr3_value.AsUInt64);
+    _mm_lfence();
+    // mash host cr3 memeory
+    memset(kernel_pml4_va, 0x0, pml4_table_size);
+    __rdtsc();
+    _mm_lfence();
+    __readmsr(0xc0000082);
+    auto mash_cr3 = __readcr3();
+    _mm_lfence();
+    // restore cr3
+    memcpy(kernel_pml4_va, pml4_backup_va, pml4_table_size);
+    __writecr3(system_cr3_value.AsUInt64);
+    _mm_lfence();
+
+    KeLowerIrql(irql);
+    DebugPrint("mash cr3: %p build cr3: %p org cr3: %p \n", mash_cr3,
+               build_cr3_value.AsUInt64, system_cr3_value.AsUInt64);
+    tools::free_contiguous_memory(pml4_backup_va);
+    // for lazy duck
+    return STATUS_UNSUCCESSFUL;
+}
+extern "C" NTSTATUS NTAPI DriverEntry(__in PDRIVER_OBJECT DriverObject,
+                                      __in PUNICODE_STRING RegistryPath) {
+    return drv_entry(DriverObject, RegistryPath);
+};
diff --git a/mash_hypervisor/mash_hypervisor.inf b/mash_hypervisor/mash_hypervisor.inf
new file mode 100644
index 0000000..5c35bef
--- /dev/null
+++ b/mash_hypervisor/mash_hypervisor.inf
@@ -0,0 +1,26 @@
+;
+; mash_hypervisor.inf
+;
+
+[Version]
+Signature="$WINDOWS NT$"
+Class=System
+ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}
+Provider=%ManufacturerName%
+DriverVer=
+CatalogFile=mash_hypervisor.cat
+PnpLockDown=1
+
+[DestinationDirs]
+DefaultDestDir = 12
+
+
+[SourceDisksNames]
+1 = %DiskName%,,,""
+
+[SourceDisksFiles]
+
+[Strings]
+ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
+ClassName=""
+DiskName="mash_hypervisor Source Disk"
diff --git a/mash_hypervisor/mash_hypervisor.vcxproj b/mash_hypervisor/mash_hypervisor.vcxproj
new file mode 100644
index 0000000..b871e99
--- /dev/null
+++ b/mash_hypervisor/mash_hypervisor.vcxproj
@@ -0,0 +1,149 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|ARM">
+      <Configuration>Debug</Configuration>
+      <Platform>ARM</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|ARM">
+      <Configuration>Release</Configuration>
+      <Platform>ARM</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|ARM64">
+      <Configuration>Debug</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|ARM64">
+      <Configuration>Release</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{6F3EFC99-3415-42AE-BC1E-A8D42ED280BF}</ProjectGuid>
+    <TemplateGuid>{dd38f7fc-d7bd-488b-9242-7d8754cde80d}</TemplateGuid>
+    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
+    <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
+    <Configuration>Debug</Configuration>
+    <Platform Condition="'$(Platform)' == ''">Win32</Platform>
+    <RootNamespace>mash_hypervisor</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>WDM</DriverType>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>WDM</DriverType>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <TargetVersion>Windows7</TargetVersion>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>WDM</DriverType>
+    <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>WDM</DriverType>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>WDM</DriverType>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>WDM</DriverType>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>WDM</DriverType>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
+    <TargetVersion>Windows10</TargetVersion>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
+    <ConfigurationType>Driver</ConfigurationType>
+    <DriverType>WDM</DriverType>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+    <EnableInf2cat>false</EnableInf2cat>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
+    <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+  </PropertyGroup>
+  <ItemGroup>
+    <Inf Include="mash_hypervisor.inf" />
+  </ItemGroup>
+  <ItemGroup>
+    <FilesToPackage Include="$(TargetPath)" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="main.cpp" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/mash_hypervisor/mash_hypervisor.vcxproj.filters b/mash_hypervisor/mash_hypervisor.vcxproj.filters
new file mode 100644
index 0000000..7cb7a91
--- /dev/null
+++ b/mash_hypervisor/mash_hypervisor.vcxproj.filters
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+    <Filter Include="Driver Files">
+      <UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
+      <Extensions>inf;inv;inx;mof;mc;</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <Inf Include="mash_hypervisor.inf">
+      <Filter>Driver Files</Filter>
+    </Inf>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="main.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file