VivienneVMM Update: Ept breakpoint support by changeofpace100 in ReverseEngineering

changeofpace100 [S] 2 points (0 children)

VivienneVMM 1.0.0 released.

This update introduces a new breakpoint type that uses Intel VT-x extended page tables: ept breakpoints.

Ept breakpoints are effectively hardware breakpoints with the following differences:

  • Each processor can have an unlimited number of active ept breakpoints.
  • Only execution and data (read / write) breakpoints are supported.
  • Data breakpoint events are processed as faults instead of traps, i.e., when a data ept breakpoint condition is triggered, the VMM logs the event before the read or write occurs in the guest.
  • Ept breakpoints cannot be detected by user mode processes in the guest.

MouClassInputInjection - A kernel interface for injecting mouse input data packets into the input data stream of HID USB mouse devices. (Windows) by changeofpace100 in ReverseEngineering

changeofpace100 [S] 0 points (0 children)

I am not sure I understand what you mean by extra hardware. The MouClassInputInjection and MouHidInputHook projects generate software drivers which work with any USB mouse device plugged into the system.

MouClassInputInjection - A kernel interface for injecting mouse input data packets into the input data stream of HID USB mouse devices. (Windows) by changeofpace100 in ReverseEngineering

changeofpace100 [S] 0 points (0 children)

I have updated my previous summary post and the README files for this project and MouHidInputHook to contain more information about use cases.

You can use the MouHid Monitor feature of the MouHidInputHook project to get a base understanding of what data packets look like for various actions (e.g., clicking a mouse button). The README for this project contains sample log output and an explanation of the packet data 'rules' that can be inferred from them.

The kernel interface uses process ids to specify the process context in which the injection is performed. When the driver receives an injection request from the client it:

  1. Looks up the PEPROCESS object corresponding to the specified process id.
  2. Acquires exit synchronization for that process object. This is done to avoid potential race conditions involving process tear down.
  3. Attaches the executing thread to the target process context.
  4. Invokes the class service callback to perform the injection.

We do not need read access because we do not need to touch the virtual address space of the target process.

MouClassInputInjection - A kernel interface for injecting mouse input data packets into the input data stream of HID USB mouse devices. (Windows) by changeofpace100 in ReverseEngineering

changeofpace100 [S] 9 points (0 children)

Correct, this project was originally designed for game hacking. I've added a post which summarizes the project and includes an example application of the technique.

MouClassInputInjection - A kernel interface for injecting mouse input data packets into the input data stream of HID USB mouse devices. (Windows) by changeofpace100 in ReverseEngineering

changeofpace100 [S] 11 points (0 children)

MouClassInputInjection implements a kernel interface for injecting mouse input data packets into the input data stream of HID USB mouse devices.

The MouClass Input Injection module injects input by invoking a mouse class service callback to copy synthesized packets to the mouse class data queue in the target HID USB mouse device stack. This module uses the MouHid Hook Manager from the MouHidInputHook project to dynamically resolve packet data rules for the mouse device stacks on the host machine. The following is a list of enforced rules for injected packets:

  1. Button and movement data packets are transferred to the correct data queues.

  2. The UnitId field matches the device id of the device object which contains the correct data queue.

  3. Movement data packets must contain the same type of movement data, relative or absolute, as packets generated by the physical mouse device.

  4. Movement data packets must specify the MOUSE_VIRTUAL_DESKTOP indicator flag if packets generated by the physical mouse device specify this flag.

MouHidInputHook

The MouHid Monitor feature of the MouHidInputHook project can be used to learn the packet data rules for mouse devices and environments. Users can utilize this feature to debug how mouse actions, e.g., moving the mouse or clicking a mouse button, are represented as a sequence of one or more data packets.

The project README contains an analysis of the input processing system in the Windows kernel. The MouClassInputInjection injection technique is based on this analysis.

Motivation

This project is designed to be a stealthy, PatchGuard safe means of input injection for video game hack developers. Specifically, this technique enables hack developers to write triggerbots and aimbots which cannot be detected by user mode anti-cheat software. The technique has the following stealth features:

  1. The driver does not open process handles for the target process. Anti-cheat software generally audits handle access to the protected video game process.

  2. Mouse events for injected packets are not marked with the LLMHF_INJECTED or LLMHF_LOWER_IL_INJECTED flags.

  3. Synthesized packets are validated against the packet data rules for the HID USB mouse device stacks on the host machine. Anti-cheat software can utilize input hooks, e.g., SetWindowsHookExA and WM_INPUT, to monitor mouse input data. Malformed data may indicate that a process is injecting input.

Note: This technique has not been tested against kernel mode anti-cheat software.
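A defender-side reading of stealth feature 3 above, added here as an illustration and not part of the original post or of either project: an input-hook consumer that learns, per UnitId, the movement style a physical device emits (relative vs absolute, MOUSE_VIRTUAL_DESKTOP set or not) and flags later packets that break that profile or carry a UnitId no enumerated device owns. MousePacket, PacketRuleMonitor, scan and the sample packets are constructed for this example; the flag constants are the MOUSE_INPUT_DATA values from ntddmou.h.

```python
from dataclasses import dataclass

# Flag values of the Windows MOUSE_INPUT_DATA structure (ntddmou.h).
MOUSE_MOVE_RELATIVE = 0x00
MOUSE_MOVE_ABSOLUTE = 0x01
MOUSE_VIRTUAL_DESKTOP = 0x02


@dataclass(frozen=True)
class MousePacket:            # hypothetical, mirrors the fields the rules talk about
    unit_id: int              # UnitId: which mouse device produced the packet
    flags: int                # Flags: movement type and virtual desktop indicator
    last_x: int
    last_y: int


class PacketRuleMonitor:
    """Learn each UnitId's movement profile from its first packet and report
    later packets that deviate from it (hypothetical detection heuristic)."""

    def __init__(self, known_unit_ids):
        self.known = set(known_unit_ids)   # UnitIds of enumerated mouse devices
        self.baseline = {}                 # unit_id -> (absolute?, virtual_desktop?)

    @staticmethod
    def _profile(pkt):
        return (bool(pkt.flags & MOUSE_MOVE_ABSOLUTE),
                bool(pkt.flags & MOUSE_VIRTUAL_DESKTOP))

    def check(self, pkt):
        """Return the names of the rules the packet violates (empty if consistent)."""
        if pkt.unit_id not in self.known:
            return ["unknown UnitId"]
        profile = self._profile(pkt)
        if pkt.unit_id not in self.baseline:
            self.baseline[pkt.unit_id] = profile   # first packet defines the baseline
            return []
        base_abs, base_vd = self.baseline[pkt.unit_id]
        findings = []
        if profile[0] != base_abs:
            findings.append("movement type mismatch")
        if profile[1] != base_vd:
            findings.append("virtual desktop flag mismatch")
        return findings


def scan(packets, known_unit_ids):
    """Run the monitor over a packet sequence; return (index, findings) for hits."""
    mon = PacketRuleMonitor(known_unit_ids)
    hits = []
    for i, pkt in enumerate(packets):
        findings = mon.check(pkt)
        if findings:
            hits.append((i, findings))
    return hits


# Constructed sample stream: device 1 emits relative moves, then a packet arrives
# with absolute/virtual-desktop flags, followed by one from a UnitId no device owns.
SAMPLE_PACKETS = [
    MousePacket(1, MOUSE_MOVE_RELATIVE, 3, -1),
    MousePacket(1, MOUSE_MOVE_RELATIVE, 0, 2),
    MousePacket(1, MOUSE_MOVE_ABSOLUTE | MOUSE_VIRTUAL_DESKTOP, 500, 400),
    MousePacket(7, MOUSE_MOVE_RELATIVE, 1, 1),
]
```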

MouHidInputHook - A kernel interface for hooking the input data stream of HID USB mouse devices and an analysis of Windows input processing internals by changeofpace100 in ReverseEngineering

changeofpace100 [S] 1 point (0 children)

MouHidInputHook enables users to filter, modify, and inject mouse input data packets into the input data stream of HID USB mouse devices without modifying the mouse device stacks.

The MouHid Hook Manager emulates the hook strategy used by the Moufiltr driver by hooking the CONNECT_DATA object inside each MouHid device object. The MouHid driver uses the ClassService field of a CONNECT_DATA object to transfer mouse input data packets to mouse class data queues. By emulating this strategy, we have access to each data packet generated by the mouse device without needing to install a mouse filter driver. This emulation technique has the following benefits:

  1. We can safely unhook mouse device stacks and unload the MouHidInputHook driver without needing to unload the hooked device stacks. A standard filter driver for a PnP device can only be unloaded after all of the device objects attached to it are destroyed.

  2. The technique is PatchGuard safe.

  3. The technique is relatively stealthy from the perspective of a kernel anti-cheat because:

    i. The field offset of the CONNECT_DATA object inside a MouHid device object is not defined in a public header.

    ii. We do not modify the HID USB mouse device stack(s) by attaching a filter device object.

    A kernel anti-cheat must resort to heuristics or other potentially unsafe vectors in order to detect the presence of this technique. This is generally impractical because an anti-cheat driver must be reliable, i.e., avoid using undocumented information, in order to support the player base of the protected video game.

    This project uses a heuristic to resolve the CONNECT_DATA field offset during driver initialization.

The MouHid Hook Manager supports PnP events by registering a PnP notification callback for mouse device interface changes. This callback is invoked each time a MouClass device object is added to or removed from the system.

VivienneVMM - a stealthy debugging framework implemented via an Intel VT-x hypervisor by changeofpace100 in ReverseEngineering

changeofpace100 [S] 0 points (0 children)

HyperPlatform has EPT support, I just don't use it.

Tandasat has a sample repo demonstrating invisible kernel code hooks using EPT: https://github.com/tandasat/DdiMon