livecloudkd's Issues

hvmm.sys fails to patch process mitigation

Hello,

Thanks again for such an awesome project. I just wanted to let you know that on my machine (Windows 21H2 Build 22000.795), hvmm fails to disable the process mitigations for vmwp.exe.
I managed to track it down to the fact that hvmm looks for the following policies:

0xAD39BF
1010 1101 0011 1001 1011 1111
0xAD39BD
1010 1101 0011 1001 1011 1101

Or finally:

0xAD31BF
1010 1101 0011 0001 1011 1111

Whereas I got (detailed printing below):

0xAD39B9
1010 1101 0011 1001 1011 1001

Quite interestingly ControlFlowGuardStrict is not enabled. Installation is fairly fresh and I did not modify the global or per process policies.
Workaround for me is to enable ControlFlowGuardStrict and then to call into hvmm.

0: kd> dx -id 0,0,ffff800cfba59100 -r1 (*((ntkrnlmp!_EPROCESS *)0xffff800cfba59100)).MitigationFlagsValues
(*((ntkrnlmp!_EPROCESS *)0xffff800cfba59100)).MitigationFlagsValues                 [Type: <unnamed-tag>]
    [+0x000 ( 0: 0)] ControlFlowGuardEnabled : 0x1 [Type: unsigned long]
    [+0x000 ( 1: 1)] ControlFlowGuardExportSuppressionEnabled : 0x0 [Type: unsigned long]
    [+0x000 ( 2: 2)] ControlFlowGuardStrict : 0x0 [Type: unsigned long]
    [+0x000 ( 3: 3)] DisallowStrippedImages : 0x1 [Type: unsigned long]
    [+0x000 ( 4: 4)] ForceRelocateImages : 0x1 [Type: unsigned long]
    [+0x000 ( 5: 5)] HighEntropyASLREnabled : 0x1 [Type: unsigned long]
    [+0x000 ( 6: 6)] StackRandomizationDisabled : 0x0 [Type: unsigned long]
    [+0x000 ( 7: 7)] ExtensionPointDisable : 0x1 [Type: unsigned long]
    [+0x000 ( 8: 8)] DisableDynamicCode : 0x1 [Type: unsigned long]
    [+0x000 ( 9: 9)] DisableDynamicCodeAllowOptOut : 0x0 [Type: unsigned long]
    [+0x000 (10:10)] DisableDynamicCodeAllowRemoteDowngrade : 0x0 [Type: unsigned long]
    [+0x000 (11:11)] AuditDisableDynamicCode : 0x1 [Type: unsigned long]
    [+0x000 (12:12)] DisallowWin32kSystemCalls : 0x1 [Type: unsigned long]
    [+0x000 (13:13)] AuditDisallowWin32kSystemCalls : 0x1 [Type: unsigned long]
    [+0x000 (14:14)] EnableFilteredWin32kAPIs : 0x0 [Type: unsigned long]
    [+0x000 (15:15)] AuditFilteredWin32kAPIs : 0x0 [Type: unsigned long]
    [+0x000 (16:16)] DisableNonSystemFonts : 0x1 [Type: unsigned long]
    [+0x000 (17:17)] AuditNonSystemFontLoading : 0x0 [Type: unsigned long]
    [+0x000 (18:18)] PreferSystem32Images : 0x1 [Type: unsigned long]
    [+0x000 (19:19)] ProhibitRemoteImageMap : 0x1 [Type: unsigned long]
    [+0x000 (20:20)] AuditProhibitRemoteImageMap : 0x0 [Type: unsigned long]
    [+0x000 (21:21)] ProhibitLowILImageMap : 0x1 [Type: unsigned long]
    [+0x000 (22:22)] AuditProhibitLowILImageMap : 0x0 [Type: unsigned long]
    [+0x000 (23:23)] SignatureMitigationOptIn : 0x1 [Type: unsigned long]
    [+0x000 (24:24)] AuditBlockNonMicrosoftBinaries : 0x0 [Type: unsigned long]
    [+0x000 (25:25)] AuditBlockNonMicrosoftBinariesAllowStore : 0x0 [Type: unsigned long]
    [+0x000 (26:26)] LoaderIntegrityContinuityEnabled : 0x0 [Type: unsigned long]
    [+0x000 (27:27)] AuditLoaderIntegrityContinuity : 0x0 [Type: unsigned long]
    [+0x000 (28:28)] EnableModuleTamperingProtection : 0x0 [Type: unsigned long]
    [+0x000 (29:29)] EnableModuleTamperingProtectionNoInherit : 0x0 [Type: unsigned long]
    [+0x000 (30:30)] RestrictIndirectBranchPrediction : 0x0 [Type: unsigned long]
    [+0x000 (31:31)] IsolateSecurityDomain : 0x0 [Type: unsigned long]

Best regards,
Vincent
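
As an added example (not code from the LiveCloudKd project or from the reporter), the bitfield decode behind the comparison above: it maps the bit names from the WinDbg dump onto the values the issue quotes and reports which mitigation flags differ between the observed 0xAD39B9 and the patterns hvmm searches for. The bit positions are taken from the dump and assumed to hold for this build only.

```python
# Added example (not part of LiveCloudKd): decode the EPROCESS MitigationFlagsValues
# bitfield and diff an observed value against the values the issue says hvmm matches.
# Bit positions are copied from the WinDbg dump in the issue (Windows 11 build 22000).

MITIGATION_FLAG_BITS = [
    "ControlFlowGuardEnabled", "ControlFlowGuardExportSuppressionEnabled",
    "ControlFlowGuardStrict", "DisallowStrippedImages", "ForceRelocateImages",
    "HighEntropyASLREnabled", "StackRandomizationDisabled", "ExtensionPointDisable",
    "DisableDynamicCode", "DisableDynamicCodeAllowOptOut",
    "DisableDynamicCodeAllowRemoteDowngrade", "AuditDisableDynamicCode",
    "DisallowWin32kSystemCalls", "AuditDisallowWin32kSystemCalls",
    "EnableFilteredWin32kAPIs", "AuditFilteredWin32kAPIs", "DisableNonSystemFonts",
    "AuditNonSystemFontLoading", "PreferSystem32Images", "ProhibitRemoteImageMap",
    "AuditProhibitRemoteImageMap", "ProhibitLowILImageMap", "AuditProhibitLowILImageMap",
    "SignatureMitigationOptIn", "AuditBlockNonMicrosoftBinaries",
    "AuditBlockNonMicrosoftBinariesAllowStore", "LoaderIntegrityContinuityEnabled",
    "AuditLoaderIntegrityContinuity", "EnableModuleTamperingProtection",
    "EnableModuleTamperingProtectionNoInherit", "RestrictIndirectBranchPrediction",
    "IsolateSecurityDomain",
]

# Patterns the issue says hvmm looks for, and the value observed on the reporter's host.
HVMM_EXPECTED = (0xAD39BF, 0xAD39BD, 0xAD31BF)
OBSERVED = 0xAD39B9


def decode_mitigation_flags(value: int) -> dict:
    """Map every named bit of MitigationFlagsValues to True/False."""
    return {name: bool(value >> bit & 1) for bit, name in enumerate(MITIGATION_FLAG_BITS)}


def enabled_flags(value: int) -> list:
    """Names of the mitigations that are set in value."""
    return [name for name, on in decode_mitigation_flags(value).items() if on]


def diff_flags(observed: int, expected: int) -> dict:
    """Return {flag: (observed_bit, expected_bit)} for every bit that differs."""
    changed = observed ^ expected
    return {
        MITIGATION_FLAG_BITS[bit]: (bool(observed >> bit & 1), bool(expected >> bit & 1))
        for bit in range(len(MITIGATION_FLAG_BITS)) if changed >> bit & 1
    }


def closest_expected(observed: int, candidates=HVMM_EXPECTED) -> int:
    """Candidate pattern with the fewest differing bits (Hamming distance)."""
    return min(candidates, key=lambda c: bin(observed ^ c).count("1"))


if __name__ == "__main__":
    for flag, on in decode_mitigation_flags(OBSERVED).items():
        print(f"{flag:45s} {int(on)}")
    best = closest_expected(OBSERVED)
    print(f"\nClosest hvmm pattern: {best:#x}")
    for flag, (got, want) in diff_flags(OBSERVED, best).items():
        print(f"  {flag}: observed={int(got)} expected={int(want)}")
```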

search path of hvlib.dll in leechcore_device_hvmm.dll

From ufrisk/LeechCore#30
search path of hvlib.dll should also include the directory where leechcore_device_hvmm.dll is located

currently it looks like leechcore_device_hvmm.dll only looks for hvlib.dll in the current directory, but usually hvlib.dll is next to leechcore_device_hvmm.dll, which can be anywhere.

[Q] GVA to GPA

Maybe I've misunderstood its exact usage, but are there limitations to using SdkMmGetPhysicalAddress/SdkHvmmHvTranslateVA?
It seems to be very temperamental in what it returns, often returning only the last 3 bytes (Page aligned) of the GVA passed in.

I would expect to be able to pass in the virtual address of a process within the VM and get back a physical address, or is this not its intended usage?

EDIT:
Upon further testing it's clear it only works for kernel space addresses, usermode addresses seem to be broken and return weird values.

For anyone else with this issue it's easy enough to calculate the GVA -> GPA on a per process basis by walking the EPROCESS DirectoryTableBase.
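
An added example (not code from LiveCloudKd, hvlib, or the poster) of the per-process walk described above: a 4-level x64 page-table translation from a process's DirectoryTableBase to a guest physical address, handling 2 MiB/1 GiB large pages and unmapped addresses. The physical memory, the DTB value and the mappings are constructed for the demonstration; a real tool would read the table pages through a memory-acquisition backend instead.

```python
# Added example (not part of LiveCloudKd/hvlib): translate a guest virtual address (GVA)
# to a guest physical address (GPA) by walking the x64 page tables rooted at a process's
# EPROCESS.DirectoryTableBase. Physical memory here is a constructed sparse dict, not a dump.
import struct

ENTRY_PRESENT = 1 << 0
ENTRY_WRITE = 1 << 1
ENTRY_LARGE = 1 << 7                  # PS bit: 1 GiB page at PDPT level, 2 MiB page at PD level
PFN_MASK = 0x000F_FFFF_FFFF_F000      # bits 12..51: physical address of the next table or page


class PhysMem:
    """Minimal physical-memory reader over a sparse dict {page_base: 4 KiB buffer}."""

    def __init__(self, pages):
        self.pages = pages

    def read_u64(self, paddr):
        page = self.pages.get(paddr & ~0xFFF)
        if page is None:
            raise LookupError(f"physical page {paddr & ~0xFFF:#x} is not readable")
        return struct.unpack_from("<Q", page, paddr & 0xFFF)[0]


def gva_to_gpa(mem, dtb, gva):
    """Walk PML4 -> PDPT -> PD -> PT starting at dtb; return the GPA, or None if unmapped."""
    indices = [(gva >> shift) & 0x1FF for shift in (39, 30, 21, 12)]
    table = dtb & PFN_MASK
    for level, idx in enumerate(indices):
        entry = mem.read_u64(table + idx * 8)
        if not entry & ENTRY_PRESENT:
            return None
        if level in (1, 2) and entry & ENTRY_LARGE:   # a large page ends the walk early
            page_bits = 30 if level == 1 else 21
            offset_mask = (1 << page_bits) - 1
            return (entry & PFN_MASK & ~offset_mask) | (gva & offset_mask)
        table = entry & PFN_MASK
    return table | (gva & 0xFFF)


# Constructed sample: one process's tables with a 4 KiB and a 2 MiB user-mode mapping.
SAMPLE_DTB = 0x1AB000
GVA_4K, GPA_4K_PAGE = 0x00007FF612345678, 0x5A000
GVA_2M, GPA_2M_PAGE = 0x00007FF612745678, 0x40000000   # 2 MiB-aligned target
GVA_UNMAPPED = 0x0000000000401000


def build_sample_memory():
    pdpt, pd, pt = 0x1AC000, 0x1AD000, 0x1AE000
    pages = {p: bytearray(4096) for p in (SAMPLE_DTB, pdpt, pd, pt)}

    def set_entry(table, gva, shift, target, flags=ENTRY_PRESENT | ENTRY_WRITE):
        struct.pack_into("<Q", pages[table], ((gva >> shift) & 0x1FF) * 8, target | flags)

    set_entry(SAMPLE_DTB, GVA_4K, 39, pdpt)   # GVA_2M shares this PML4 and PDPT entry
    set_entry(pdpt, GVA_4K, 30, pd)
    set_entry(pd, GVA_4K, 21, pt)
    set_entry(pt, GVA_4K, 12, GPA_4K_PAGE)
    set_entry(pd, GVA_2M, 21, GPA_2M_PAGE, ENTRY_PRESENT | ENTRY_WRITE | ENTRY_LARGE)
    return PhysMem(pages)


if __name__ == "__main__":
    mem = build_sample_memory()
    for gva in (GVA_4K, GVA_2M, GVA_UNMAPPED):
        gpa = gva_to_gpa(mem, SAMPLE_DTB, gva)
        print(f"GVA {gva:#018x} -> " + (f"GPA {gpa:#x}" if gpa is not None else "not mapped"))
```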

Error: "Interface is not implemented by COM server."

Details

Microsoft (R) Windows Debugger Version 10.0.22621.2428 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Interface is not implemented by COM server. ExecuteServerCommand() failed getting the IeXdiControlComponentFunctions pointer: 0x80004002
Kernel Debugger connection established
Found Module Name ntkrnlmp
Found Module Name ntkrnlmp
Could not find the location of KdVersionBlock. Please enable the verbose mode for more details.
Found NT kernel image at fffff80553a07000
Found Module Name ntkrnlmp
Found Module Name ntkrnlmp
Found Module Name ntkrnlmp
Could not find the location of KdVersionBlock. Please enable the verbose mode for more details.
Found Module Name ntkrnlmp
Found Module Name ntkrnlmp
Could not find the location of KdVersionBlock. Please enable the verbose mode for more details.
Found Module Name ntkrnlmp
Found Module Name ntkrnlmp
Could not find the location of KdVersionBlock. Please enable the verbose mode for more details.
Found Module Name ntkrnlmp
Found Module Name ntkrnlmp
Could not find the location of KdVersionBlock. Please enable the verbose mode for more details.
Found Module Name ntkrnlmp
Found Module Name ntkrnlmp
Could not find the location of KdVersionBlock. Please enable the verbose mode for more details.
Could not find NT kernel location based on program counter register.
Could not find the location of KdVersionBlock. Please enable the verbose mode for more details.
Debug API version does not match system version
64-bit machine not using 64-bit API
Debugger data list address is NULL
Connected to eXDI Device 0 x64 target at (Wed Dec 6 01:45:55.555 2023 (UTC + 1:00)), ptr64 TRUE

************* Path validation summary **************
Response Time (ms) Location
Deferred srvc:\Symbolshttp://msdl.microsoft.com/download/symbols
Symbol search path is: srvc:\Symbolshttp://msdl.microsoft.com/download/symbols
Executable search path is:
Module List address is NULL - debugger not initialized properly.
WARNING: .reload failed, module list may be incomplete
KdDebuggerDataBlock not available!
KdDebuggerData.KernBase < SystemRangeStart
eXDI Device Kernel Version 0 UP Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Machine Name:
Primary image base = 0x0000000000000000 Loaded module list = 0x0000000000000000
System Uptime: not available
fffff805`53dd00cd 48c1e220 shl rdx,20h
0: kd> !pcr
Unable to read the PCR at fffff8055285d000
0: kd> x nt!ZwProtectVirtualMemory
^ Couldn't resolve 'x nt'

I got this behavior. What's the problem?
I have no problem with the live kernel debugger (menu entry 0). I have problems only with the EXDi plugin.

Host Machine: Windows 10 Pro (Build 19041)
Guest Machine: Windows 11 Enterprise (Build 22621)

Issues debugging Windows 11 22H2 - Can't find nt!BdInfiniteLoop

Hi, awesome tool!
I'm trying to debug the securekernel.exe, but it fails while scanning for some fields/structs. Symbols are configured correctly and I'm unsure how to advance from here.

Host machine: Windows 11 version 22H2 (Build 22621.1848) running on Hyper-V
Guest machine: Windows 11 version 22H2 (Build 22621.1702), SecureBoot Disabled, VBS enabled:

OS Name	Microsoft Windows 11 Enterprise Evaluation	
Version	10.0.22621 Build 22621	
Processor	Intel(R) Core(TM) i7-10610U CPU @ 1.80GHz, 2304 Mhz, 1 Core(s), 1 Logical Processor(s)	
BIOS Version/Date	Microsoft Corporation Hyper-V UEFI Release v4.1, 4/6/2022	
BIOS Mode	UEFI	
Secure Boot State	Off	
Hardware Abstraction Layer	Version = "10.0.22621.1413"	
Total Virtual Memory	3.12 GB	
Available Virtual Memory	1.57 GB	
Kernel DMA Protection	Off	
Virtualization-based security	Running	
Virtualization-based security Required Security Properties	Base Virtualization Support	
Virtualization-based security Available Security Properties	Base Virtualization Support, DMA Protection, UEFI Code Readonly	
Virtualization-based security Services Configured	Hypervisor enforced Code Integrity	
Virtualization-based security Services Running	Credential Guard, Hypervisor enforced Code Integrity	

When I'm using windbg with the EXDI plugin it finds the kernel's base and KdVersionBlock but can't find nt!BdInfiniteLoop:

DbgX.Shell.exe -v -kx exdi:CLSID={53838F70-0936-44A9-AB4E-ABB568401508},Kd=Guess

Microsoft (R) Windows Debugger Version 10.0.25877.1004 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

EXDI: DbgCoInitialize returned 0x00000001
EXDI: CoCreateInstance() returned 0x00000000
EXDI: QueryInterface(IExdiServer3) returned 0x00000000
Interface is not implemented by COM server. ExecuteServerCommand() failed getting the IeXdiControlComponentFunctions pointer: 0x80004002
EXDI: Server::GetTargetInfo() returned 0x00000000
EXDI: Server::SetKeepaliveInterface() returned 0x80004001
EXDI: Server::GetNbCodeBpAvail() returned 0x00000000
EXDI: ExdiNotifyRunChange::Initialize() returned 0x00000000
EXDI: LiveKernelTargetInfo::Initialize() returned 0x00000000
EXDI: Target initialization succeeded
Kernel Debugger connection established
Searching for module base address...
Obtaining the System Application base address...
CPU: 0, Vector Address: 0xfffff8070204d5c0, Memory space = Supervisor-Kernel
Found a potential PE image at 0xfffff80701c14000. Scanning image headers...
Analyzing debug directory of module at 0xfffff80701c14000...
Reading debug directory header at offset 0...
Debug directory RVA=0x4d020, size=37...
The image at 0xfffff80701c14000 has a PDB path of ntkrnlmp.pdb
The module at 0xfffff80701c14000 refers to ntkrnlmp
Found Module Name ntkrnlmp
Found a potential PE image at 0xfffff80701c14000. Scanning image headers...
Analyzing debug directory of module at 0xfffff80701c14000...
Reading debug directory header at offset 0...
Debug directory RVA=0x4d020, size=37...
The image at 0xfffff80701c14000 has a PDB path of ntkrnlmp.pdb
The module at 0xfffff80701c14000 refers to ntkrnlmp
Found Module Name ntkrnlmp
Searching for nt!KdVersionBlock...
Overriding symbol path for nt!KdVersionBlock location to srv*C:\Symbols*https://msdl.microsoft.com/download/symbols;
The following symbol path will be used to find nt kernel symbols: srv*C:\Symbols*https://msdl.microsoft.com/download/symbols;
Overriding symbol path for nt!BdInfiniteLoop location to srv*C:\Symbols*https://msdl.microsoft.com/download/symbols;
The following symbol path will be used to find nt kernel symbols: srv*C:\Symbols*https://msdl.microsoft.com/download/symbols;
SymFromName() could not find the location of nt!BdInfiniteLoop. Check your symbol path.
Found KdVersionBlock at 0xfffff8070281d9b0
Found target VersionBlock at 0xfffff8070281d9b0
Connected to Windows 10 22621 x64 target at (Mon Jul 10 05:59:36.088 2023 (UTC - 7:00)), ptr64 TRUE

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*C:\Symbols*https://msdl.microsoft.com/download/symbols
Symbol search path is: srv*C:\Symbols*https://msdl.microsoft.com/download/symbols
Executable search path is: 
Loading symbols for fffff807`01c14000     ntkrnlmp.exe ->   ntkrnlmp.exe
ModLoad: fffff807`01c14000 fffff807`02c5b000   ntkrnlmp.exe
Windows 10 Kernel Version 22621 MP (1 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0xfffff807`01c14000 PsLoadedModuleList = 0xfffff807`02827470
Debug session time: Mon Jul 10 05:59:36.564 2023 (UTC - 7:00)
System Uptime: 0 days 3:48:27.087
nt!PpmIdleGuestExecute+0x1d:
fffff807`01fab80d 48c1e220        shl     rdx,20h
kd> lm
start             end                 module name
fffff807`01c14000 fffff807`02c5b000   nt         (pdb symbols)          c:\symbols\ntkrnlmp.pdb\9DC3FC69B1CA4B34707EBC57FD1D61261\ntkrnlmp.pdb

And the "KD log" window is always empty, so I have no information regarding securekernel's base.
Any idea what could be the issue?

Note: the new WinDbg process is called dbgx.shell.exe, so LiveCloudKd can't find it by default.

Hvlib.dll fails to decode KDBG for Windows 11 Guest

Hello,

I would like to signal that the scan for the KDBG is failing for Windows 11 guests (Build 22000.556).
I double checked that the structure is not paged out (disabled paging on the guest) and that nested virtualization is not enabled. I think that there is perhaps something different regarding the decoding algorithm on Windows 11 for the structure, or something else that broke the search for KiWaitAlways, KiWaitNever in hvlib.

Resolution is successful at earlier stages of boot, when the structure is not yet encoded.

leechcore_device_hvmm unable to compile

I am interested in using MemProcFS with LiveCloudKd, and attempted to compile the hvmm plugin for it.

There are some missing header files, so I used the files from ufrisk: https://github.com/ufrisk/LeechCore

The compilation still did not work as there are some missing struct definitions that are not available in the added header files. Are there any missing header files that I should include as well? Or a particular version of LeechCore I should work with?

Screenshot of error output:

LiveCloudKd for live debugging not working

Hello, I am trying to use LiveCloudKd as explained in the LiveDebugging tutorial, but unfortunately it doesn't work.
My goal is to debug the securekernel with windbg, I understand this tool can achieve it.

I believe there are multiple problems:

  1. It seems the source code in the repository does not match the binary in the published releases (we can see that the usage differs)
  2. When using the released binaries, I am able to capture a live dump and debug it with kd.exe, but none of the flags /w (use windbg), /l (live debugging) or /e (use exdi) seem to affect the flow, and it always runs the same thing (loading the live dump of the VM)

I would much appreciate your assistance. Thanks

container debugging

Hi,

I'm trying to debug Windows Sandbox like a normal guest VM (set breakpoints, single step, etc.). As you know, I cannot enable debugging as usual with bcdedit /debug on! So I thought I might use LiveCloudKd, but I don't seem to find the EXDi plugin in https://github.com/gerhart01/LiveCloudKd/releases/tag/v2.0.0.20210814

I tried to use LiveCloudKd without the EXDi plugin and I got the following output:

C:\Windows\system32>livecloudkd.exe /l /m 1 /v 2
   LiveCloudKd - 2.0.0.20210814
   Microsoft Hyper-V Virtual Machine Physical Memory Dumper & Live Kernel Debugger
   Copyright (C) 2010-2020, Matthieu Suiche (@msuiche)
   Copyright (C) 2020, Comae Technologies DMCC <http://www.comae.com> <[email protected]>
   All rights reserved.

   Contributor: Arthur Khudyaev (@gerhart_x)

   Hyper-V VM memory access operations based on hvlib

   Virtual Machines:
    --> [0]  (PartitionId = 0x0, )

   Please select the ID of the virtual machine you want to play with
   > 0
   You selected the following virtual machine:

   Action List:
    --> [0] Live kernel debugger
    --> [1] Linear physical memory dump
    --> [2] Microsoft crash memory dump
    --> [3] RAW memory dump (start position, size)
    --> [4] Resume partition
    --> [5] Dump all VMs

   Please select the Action ID
   > 0
   ERROR in SdkSelectPartitionHandle.
   kd.exe was closed. Press enter for closing LiveCloudKd

Is the compiled version of EXDi available for download?
I would appreciate it if you shared any experience on debugging Windows Sandbox.

Thanks

Unable to find base kernel modules and start debugging

Hello,

I am trying to debug the secure kernel, but it seems to fail when it attempts to find the kernel modules in memory.
If I run livecloudkd several times it sometimes locates the normal kernel and not the secure kernel, but when I run it again
both kernels are not found:
hvlib:kernel base is not found
hvlib:kernel base is not found

Another error I get which might be related : open registry key vmld was failed.

I am running Windows server 2019 in a nested virtualization in VM workstation as the host and as the guest Windows 11.

Any idea what could be the issue in this case? If it's only related to the vmld failure, then do you have any idea how to resolve that issue?

P.S. everything was run as admin with the same privilege level

Thank you,

Please help me, can't debug step by step and breakpoints don't work

Hi, gerhart01, thanks for your tools.

LiveCloudKd is not working well for me, please help me, thank you.

version: https://github.com/gerhart01/LiveCloudKd/releases/download/v1.0.22021109/LiveCloudKd.EXDi.debugger.v1.0.22021109.zip
I try with the document: https://github.com/gerhart01/LiveCloudKd/blob/master/ExdiKdSample/LiveDebugging.md

  1. WinDBG x64 10.0.22621 can debug sk step by step and bp works when I install it the first time, but with no symbols, and it can't work the second time.
  2. Other versions of windbg can get the right symbols, but can't debug sk step by step.

What can I do? Thank you!

Part of memory can't be reached

I tried the plugin with MemProcFS to read the VM's memory, but some parts of memory can't be reached, randomly.
It may be fixed by rebooting the host machine sometimes, but sometimes it is not.
I have checked those memory addresses in the VM, which can be read.

Some additional info about my previous issue aka /issues/9

About MemProcFS plugin
Your new README.md says
Hyper-V Virtual Machine plugin for MemProcFS. Download ->
https://github.com/gerhart01/LiveCloudKd/releases/download/v2.5.5.20220914/leechcore_hyperv_plugin_14.09.2022.zip

Technically the plugin should work alone, but your leechcore_hyperv_plugin_14.09.2022.zip doesn't include hvmm.sys

leechcore_hyperv_plugin_14.09.2022.zip Content:
LiveCloudKd.exe
hvlib.dll
leechcore_device_hvmm.dll

So MemProcFS throws an error about hvmm.sys missing:
MemProcFS.exe -device hvmm://id=0
DEVICE_HVMM: ERROR: unable to locate driver file 'C:\test\memproc5\hvmm.sys'.
DEVICE_HVMM: FAILED: Failed to initialize the driver.
MemProcFS: Failed to connect to memory acquisition device.

To fix the problem you need to download not the plugin but the release, aka
https://github.com/gerhart01/LiveCloudKd/releases/download/v2.5.5.20220911/LiveCloudKd.v2.5.5.20220911-release.zip
and extract hvmm.sys to the MemProcFS folder

and this is where my /issues/9 comes from
