How to complete ForEachLogicalCore () in the driver

Question

How to complete ForEachLogicalCore () in the driver

LLLZed opened this issue 5 years ago · comments

` vcpu_t* vcpu_list = hvpp::hypervisor::get_vcpu_list();

for (uint32_t i = 0; i < mp::cpu_count(); i++)
{
  // Split the 2MB page where the code we want to hook resides.
  vcpu_list[i].ept().split_2mb_to_4kb(page_exec & ept_pd_t::mask, page_exec & ept_pd_t::mask);
  // Set execute-only access on the page we want to hook.
  vcpu_list[i].ept().map_4kb(page_exec, page_exec, epte_t::access_type::execute);
  // We've changed EPT structure - mappings derived from EPT need to be invalidated.
  vmx::invept_single_context(vcpu_list[i].ept().ept_pointer());
}`

Hello, I had some problems while modifying your code as a toy. I plan to port the function ForEachLogicalCore () to the kernel so that when the program exits, the driver can automatically recover the hidden memory. But the code I wrote has an exception DRIVER_IRQL_NOT_LESS_OR_EQUAL

Petr Beneš · Answer 1 · Tue Jan 14 2020 21:16:03 GMT+0800 (China Standard Time)

It doesn't work that way, unfortunatelly. You must issue invept instruction on CPU that the EPT belongs to. Use mp::ipi_call() for this - its basically your "ForEachLogicalCore", except that it runs on IRQL 14.

LLLZed · Answer 2 · Tue Jan 14 2020 21:20:50 GMT+0800 (China Standard Time)

It's amazing, you are really an energetic and excellent technician, I didn't think I could get your reply in such a short time. I will try the method you proposed

不幸的是，这种方式行不通。您必须在EPT所属的CPU上发出invept指令。为此，使用mp :: ipi_call（）-基本上是您的“ ForEachLogicalCore”，除了它运行在IRQL 14上。

LLLZed · Answer 3 · Wed Jan 15 2020 00:46:44 GMT+0800 (China Standard Time)

It doesn't work that way, unfortunatelly. You must issue invept instruction on CPU that the EPT belongs to. Use mp::ipi_call() for this - its basically your "ForEachLogicalCore", except that it runs on IRQL 14.

Thank you very much for your previous guidance, but after four hours of hard work, I still cannot use this function to call split_2mb_to_4kb, which will cause the system to crash, and I hope to get your help. Could you please write an example

Hirams · Answer 4 · Wed Mar 09 2022 11:56:19 GMT+0800 (China Standard Time)

It doesn't work that way, unfortunatelly. You must issue invept instruction on CPU that the EPT belongs to. Use mp::ipi_call() for this - its basically your "ForEachLogicalCore", except that it runs on IRQL 14.

Thank you very much for your previous guidance, but after four hours of hard work, I still cannot use this function to call split_2mb_to_4kb, which will cause the system to crash, and I hope to get your help. Could you please write an example

You cannot use ipi_call with vmexit handler