Conversation

Does anyone know if it's possible to trigger VM-exit on transition between kernelmode <-> usermode? Ideally, when CPL is changed. I'm aware that there probably won't be a direct way, but I can't even think of any "trick" that would bring me close.

namazso

@namazso

Jul 1, 2019

I think a way could be just making LSTAR point at invalid address, and exiting on all interrupts. Then MTF-ing over all the kernelmode code until we get back to usermode again. This is probably even slower than your proposed solution, since that's almost how hvs worked before EPT

Petr Beneš

@PetrBenes

Jul 1, 2019

That would be painfully slow and it would resolve only syscalls (which can be much easily solved by EFER.SCE=0). Interrupts/exceptions is what's bugging me the most.

namazso

@namazso

Hm, maybe you could do what hypervisors before EPT used to do with copying, monitoring writes and spoofing to a shadow page table for each normal page table, except with two for each, one um executable, one km executable. Should be faster than rebuilding EPT every new CR3

9:25 PM · Jul 1, 2019

Petr Beneš

@PetrBenes

Jul 1, 2019

Yeah, that's basically my only idea on how to do it ( twitter.com/PetrBenes/stat ). Although I'd rather avoid building such monster :/

Quote Tweet

Petr Beneš

@PetrBenes

Jul 1, 2019

My only idea is: take snapshot of page-tables (+ monitoring them for changes), make 2 EPTs where EPT1 has executable memory where PTE's Supervisor bit = 0, and EPT2 is inverted to EPT1 (has executable only the rest of the memory). But that solution would be kinda pain in the neck

Show this thread