Writing a Hyper-V “Bridge” for Fuzzing — Part 1: WDF

January 18, 2019 ~ hucktech ~ Leave a comment

New Year, New Blog. I've updated my blog theme for the first time in 12 years and kicking things off with a multi-part post on Hyper-V Fuzzing. To start, we begin with a little tutorial on WDF driver development and how it greatly simplifies driver writing https://t.co/zfs2uBGW6b pic.twitter.com/FKywkuWacz

— Alex Ionescu (@aionescu) January 16, 2019

After spending the better part of a weekend writing a specialized Windows driver for the purposes of allowing me to communicate with the Hyper-V hypervisor, as well as the Secure Kernel, from user-mode, I realized that there was a dearth of concise technical content on non-PnP driver development, and especially on how the Windows Driver Foundation (WDF) fundamentally changes how such drivers can be developed. While I’ll eventually release my full tool, once better polished, on GitHub, I figured I’d share some of the steps I took in getting there. Unlike my more usual low-level super-technical posts, this one is meant more as an introduction and tutorial, so if you already consider yourself experienced in WDF driver development, feel free to wait for Part 2.

http://www.alex-ionescu.com/?p=377

hdk – (unofficial) Hyper-V® Development Kit

January 12, 2019 ~ hucktech ~ Leave a comment

I made a thing: https://t.co/4bgsXy3uTy

— Alex Ionescu (@aionescu) January 11, 2019

The HDK is an updated version of the HvGdk.h header file published under MSR-LA as part of the Singularity Research Kernel. It has been updated to add the latest definitions, structures and definitions as described in the Microsoft Hypervisor Top-Level Functional Specification (TLFS) 5.0c published June 2018.

https://ionescu007.github.io/hdk/

Android: emulator gets AMD & Hyper-V support

July 10, 2018 ~ hucktech ~ Leave a comment

Android Emulator – AMD Processor & Hyper-V Support#MobileSecurity #AndroidSecurity https://t.co/JfOR4XrJOf

— Mobile Security (@mobilesecurity_) July 9, 2018

https://android-developers.googleblog.com/2018/07/android-emulator-amd-processor-hyper-v.html

Network kernel debugging of virtual Windows via KDNET

June 25, 2018 ~ hucktech ~ Leave a comment

Debug Hyper-V VMs with KDNET – https://t.co/VvlUET8xUP

— Andy Luhrs (@aluhrs13) June 22, 2018

Setting Up Network Debugging of a Virtual Machine – KDNET
This topic describes how to configure a kernel debugging connection to a Hyper-V virtual machine (VM).[…]

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-network-debugging-of-a-virtual-machine-host

Microsoft launches Windows Bounty Program

July 26, 2017 ~ hucktech ~ Leave a comment

Microsoft bounties++! Hyper-V payouts increased up to $250k, WDAG focus area, & a baseline bounty for Windows 10 https://t.co/0ihNnP1xSl

— Matt Miller (@epakskape) July 26, 2017

Announcing the Windows Bounty Program:
Windows 10 represents the best and newest in our strong commitment to security with world-class mitigations. One of Microsoft’s longstanding strategies toward improving software security involves investing in defensive technologies that make it difficult and costly for attackers to find, exploit and leverage vulnerabilities. We built in mitigations and defenses such as DEP, ASLR, CFG, CIG, ACG, Device Guard, and Credential Guard to harden our systems and we continue adding defenses such as Windows Defender Application Guard to significantly increase protection to harden entry points while ensuring the customer experience is seamless. In the spirit of maintaining a high security bar in Windows, we’re launching the Windows Bounty Program on July 26, 2017. This will include all features of the Windows Insider Preview in addition to focus areas in Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge. We’re also bumping up the pay-out range for the Hyper-V Bounty Program.[…]

https://blogs.technet.microsoft.com/msrc/2017/07/26/announcing-the-windows-bounty-program/

https://aka.ms/BugBounty

Hyper-V UEFI bootloader complexities

March 5, 2017 ~ hucktech ~ Leave a comment

Resolving "No x64-based UEFI boot loader was found" when booting #Ubuntu virtual machine… https://t.co/yGO6Zrswok pic.twitter.com/FPGAVu5v7i

— Stefan Johner (@JohnerStefan) February 23, 2017

[…]Forcing GRUB installation to EFI removable media path does basically the same thing as when Ubuntu installer asks you if you want to force UEFI installation: it installs to the removable media path in the ESP (EFI System Partition). This is fine for environment where no other operating system is present. However if there is another operating system present on the device which depends on this fallback location “removable media path” it will make this system temporary unbootable (you can manually configure GRUB later to boot it if necessary though). Windows installer for example *also* installs to the removable media path in the ESP. All OS installers installing things to this removable media path will conflict with any other such installers and that’s why in Debian (and Ubuntu) installers don’t do this by default. You explicitly have to select UEFI mode during the normal installation (what I did).[…]

https://blog.jhnr.ch/2017/02/23/resolving-no-x64-based-uefi-boot-loader-was-found-when-starting-ubuntu-virtual-machine/

OpenCIT 2.2 released

November 10, 2016 ~ hucktech ~ Leave a comment

Adolfo V Aguayo of Intel announced the version 2.2 release of OpenCIT.

New Features in 2.2:
– TPM 2.0 support.
   + Added support for platform and asset tag attestation of Linux and Windows hosts with TPM 2.0.
   + Support attestation of either SHA1 or SHA256 PCR banks on TPM 2.0.
   + Ubuntu 16.04 and RHEL 7.2, 7.3 (SHA1 and SHA256), Windows Server 2012 and Hyper-V Server 2012 (SHA1) are supported with TPM 2.0
– All the certificates and hashing algorithms used in CIT are upgraded to use SHA256. SHA1 has been deprecated and will no longer be used.
– CIT Attestation Service UI has been updated to allow the user to select either the SHA1 or SHA256 PCR bank for Attestation of TPM 2.0 hosts.
    + The CIT Attestation Service will automatically choose the strongest available algorithm for attestation (SHA1 for TPM 1.2, and SHA256 for TPM 2.0)
– CIT Attestation Service UI Whitelist tab no longer requires the user to select PCRs when whitelisting, and will automatically choose the PCRs to use based on the host OS and TPM version. This is done to reduce confusion due to differing behaviors between TPM 1.2 and TPM 2.0 PCR usages.
– Additional changes made to support TPM 2.0:
    + Linux hosts with TPM 2.0 will now utilize TPM2.0-TSS (TPM 2.0 Software Stack) and TPM2.0-tools instead of the legacy trousers and tpm-tools packages. The new TSS2 and TPM2.0-tools are packaged with the CIT Trust Agent installer.
    + TPM 2.0 Windows hosts use TSS.MSR (The TPM Software Stack from Microsoft Research) PCPTool.
    + TPM 1.2 hosts will continue to use the legacy TSS stack (trousers) and tpm-tools components.

For more information, see the full announcement on the oat-devel@lists.01.org mailing list.

https://github.com/opencit
https://01.org/opencit

CHIPSEC updates

June 8, 2016 ~ hucktech ~ Leave a comment

The CHIPSEC team have tweeted about an upcoming 1.2.3 release with more Xen, Hyper-V, IOMMU, EPT support.

Also, Yuriy Bulygin of the Intel CHIPSEC team has posted some videos of their REcon training showing CHIPSEC usage:

Another PoC demo (from last @reconmtl) disables BIOS hardware protection via S3 vuln in UEFI BIOS impl (VU# 976132): https://t.co/ALTPqV5L2o

— Yuriy Bulygin (@c7zero) June 7, 2016

This shows PoC exploit for unchecked pointer vuln in SMI firmware presented at #csw15 (https://t.co/psZeKZAKQC): https://t.co/XnmFaW1F6R

— Yuriy Bulygin (@c7zero) June 6, 2016

Recorded a demo on how to find [unchecked pointer] vulns in SMI firmware on a system w/o reversing using @CHIPSEC: https://t.co/hK1bYrDfFa

— Yuriy Bulygin (@c7zero) June 6, 2016

https://github.com/chipsec/chipsec
It looks like their last checkin to the public git repo was in April:
https://github.com/chipsec/chipsec/commits/master

Hyper-V Chromium bug status

April 24, 2016 ~ hucktech ~ Leave a comment

Kostya Kortchinsky pointed out some Hyper-V bugs recently fixed in Chromium, all 3 are listed as being fixed 4 days ago.

Hyper-V bugs details released — https://t.co/lU4zEBJXQA https://t.co/mcgcZAUHcD https://t.co/LAeBRAhFXH

— Kostya Kortchinsky (@crypt0ad) April 19, 2016

https://bugs.chromium.org/p/project-zero/issues/detail?id=688
Hyper-V vmswitch.sys VmsMpCommonPvtHandleMulticastOids Guest to Host Kernel-Pool Overflow

https://bugs.chromium.org/p/project-zero/issues/detail?id=689
Hyper-V vmswitch.sys VmsVmNicHandleRssParametersChange OOBR Guest to Host BugChecks

https://bugs.chromium.org/p/project-zero/issues/detail?id=690
Hyper-V vmswitch.sys VmsPtpIpsecTranslateAddv2toAddv2Ex OOBR Guest to Host BugCheck

Hyper-V vmswitch.sys VmsPtpIpsecTranslateAddv2toAddv2Ex OOBR Guest to Host BugCheck https://t.co/acd88GwoiX

— Project Zero Bugs (@ProjectZeroBugs) April 19, 2016

Hyper-V vmswitch.sys VmsMpCommonPvtHandleMulticastOids Guest to Host Kernel-Pool Overflow https://t.co/HgVlDwuFNj

— Project Zero Bugs (@ProjectZeroBugs) April 19, 2016

Hyper-V vmswitch.sys VmsVmNicHandleRssParametersChange OOBR Guest to Host BugChecks https://t.co/E9TQUQ0IUH

— Project Zero Bugs (@ProjectZeroBugs) April 19, 2016

Hyper-V research

November 2, 2015 ~ hucktech ~ Leave a comment

Gerhart X has done some research on Microsoft Hyper-V:

Microsoft Hyper-V and vmbus internals https://t.co/IGaLsIkWUC

— Nicolas Krassas (@Dinosn) October 31, 2015

http://hvinternals.blogspot.gr/2015/10/hyper-v-internals.html

Nice document, lots of figures and information, apparently from a translation!