 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
buraktamturk
Newbie cheater
![]() Reputation: 0
Joined: 29 Jun 2014
Posts: 18
|
 Posted: Sun Jun 29, 2014 5:33 pm Post subject: DBVM does not load with Linux KVM virtualization |
 |
|
Hello,
CE driver does not try to offload dbvm when running in kvm, CE thinks DBVM is loaded already, because all vmcall instructions goes to kvm and kvm returns -1000 to all calls that CE made. (Nested virtualization is enabled)
Is there any change to get it running on kvm? Like something patching linux kernel to answer vmcall_getversion to give invalid instruction, or patching the driver offload when dbvm version is -1000. After offloading will dbvm overwrite vmcalls?
Attaching a picture.
Thanks.
| Description: |
|
| Filesize: |
144.32 KB |
| Viewed: |
27182 Time(s) |
|
|
|
| Back to top |
|
 |
Dark Byte
Site Admin
 Reputation: 470
Joined: 09 May 2003
Posts: 25785
Location: The netherlands
|
| Posted: Sun Jun 29, 2014 5:46 pm Post subject: |
|
|
hmm, that may be a problem
I could change the vmx_getversion() function to only accept vmx versions bigger than 0, but the general implementation of dbvm's virtual machine is to emulate that intel-vt has been disabled in the bios.
It therefore intercepts vmcall instructions and cause all vmcall commands that do not have recognized commands nor a valid password to raise an #UD
so not sure if KVM is able to continue when all vmcall instruction suddenly start failing with exception
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
buraktamturk
Newbie cheater
![]() Reputation: 0
Joined: 29 Jun 2014
Posts: 18
|
| Posted: Sun Jun 29, 2014 6:10 pm Post subject: |
|
|
| Dark Byte wrote: | hmm, that may be a problem
I could change the vmx_getversion() function to only accept vmx versions bigger than 0, but the general implementation of dbvm's virtual machine is to emulate that intel-vt has been disabled in the bios.
It therefore intercepts vmcall instructions and cause all vmcall commands that do not have recognized commands nor a valid password to raise an #UD
so not sure if KVM is able to continue when all vmcall instruction suddenly start failing with exception |
There is no usermode application that would call vmcall in kvm. There are paravirtualized network drivers, they may call it but i don't think so.
Will offloading dbvm and redirecting vmcalls to dbvm rather than kvm solve the problem?
After offloading the dbvm, will vmcalls go to the dbvm or kvm?
And one more question, if paravirtualized drivers doesn't live without vmcall to kvm, is there a possibilty redirect their call to kvm by looking eip value of caller? (like only ce driver will talk to dbvm, others are redirected to kvm in dbvm)
Thanks.
(looking the dbvm code, this is art rather than programming, i learned a lot, appricate your work, thank you again)
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 470
Joined: 09 May 2003
Posts: 25785
Location: The netherlands
|
| Posted: Sun Jun 29, 2014 6:30 pm Post subject: |
|
|
I've uploaded a 64bit ce exe and driver with some checks for a proper dbvm signature at http://cheatengine.org/temp/vmxversionaware.rar (untested, extract to a ce install folder)
Just see what happens (or if it encounters another blocking issue)
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
buraktamturk
Newbie cheater
![]() Reputation: 0
Joined: 29 Jun 2014
Posts: 18
|
| Posted: Sun Jun 29, 2014 6:42 pm Post subject: |
|
|
| Dark Byte wrote: | I've uploaded a 64bit ce exe and driver with some checks for a proper dbvm signature at (untested, extract to a ce install folder)
Just see what happens (or if it encounters another blocking issue) |
Now it says your system supports dbvm, but
Failure opening the file. Status=c000a000 (filename=cant post url)
The file is present at there, trying to rebooting the guest.
| Description: |
|
| Filesize: |
405.8 KB |
| Viewed: |
27144 Time(s) |
|
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 470
Joined: 09 May 2003
Posts: 25785
Location: The netherlands
|
| Posted: Sun Jun 29, 2014 6:47 pm Post subject: |
|
|
copy the vmdisk files from http://cheatengine.org/temp/vmdisk.rar to that folder, perhaps the .sig doesn't match the vmdisk.img (did you compile/edit it ?)
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
buraktamturk
Newbie cheater
![]() Reputation: 0
Joined: 29 Jun 2014
Posts: 18
|
| Posted: Sun Jun 29, 2014 7:06 pm Post subject: |
|
|
| Dark Byte wrote: | | copy the vmdisk files from to that folder, perhaps the .sig doesn't match the vmdisk.img (did you compile/edit it ?) |
Now i got BSOD or something like deadlock (tried two times). I were connected with the computer remotely, so i don't know whatever it is BSOD or deadlock.
After the first BSOD, i waited for memory dump and force rebooted the guest from remote (seems i have to wait more). There were no new memory dump. And now, i tried to run again, and waiting more for memory dump. If it is a bsod, i will analyze memory dump. If it is not Tomorrow (after 7 hours from now), i will have local access to the kvm host. I will connect serial cable to the kvm guest, to see what dbvm outputs there.
I will post here again when i got someting new.
Thanks again.
|
|
| Back to top |
|
|
buraktamturk
Newbie cheater
![]() Reputation: 0
Joined: 29 Jun 2014
Posts: 18
|
| Posted: Mon Jun 30, 2014 5:11 am Post subject: |
|
|
The guest complately freezes while offloading dbvm, i don't know why and where. DebugView does not show anything after the freeze, it may freeze quickly so doesn't let a task switch to DebugView.
And now looking to the KVM source code, looks like kvm_emulate_hypercall handling vmcalls. I compared RDX with the password which come with dbvm source code, if yes it answers all vmcalls with rax = 9, and wrote a dummy kernel mode driver that call vmcall_getversion, i successfully managed to get 9 at guest side. I could give UD but since you patched the code it will not change anything.
I don't know how to get memory dump of a frozen system, so we can look where the code is freezing, is there any way to find where is the problem? If it will not work with the KVM, i understant dbvm is written without nested virtualization in mind, i would like to start porting it to KVM, if you permit (i don't know much, but i want to learn).
Thanks.
| Description: |
|
| Filesize: |
66.39 KB |
| Viewed: |
27101 Time(s) |
|
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 470
Joined: 09 May 2003
Posts: 25785
Location: The netherlands
|
| Posted: Mon Jun 30, 2014 5:44 am Post subject: |
|
|
When it freezes without BSOD it means dbvm encountered an event it doesn't know how to handle (e.g a triple fault)
I have no experience with KVM at all so can't really say much (I'll check it out when I get time. It looks useful for debugging dbvm for which I use Bochs right now)
If possible, configure your KVM to use only 1 cpu (that way, if it crashes, you know it's the first and only cpu) DBVM has a chance of crashing each time a cpu is offloaded (there are some bugs which I haven't been able to find yet as my systems now always run 100%)
Also, can it emulate serial ports ? If so, I could build a debug build of dbvm which outputs debug data to the serial port and provides some interactivity (disassembling, vm state, etc...)
I would need an IO port I can use for that though (e.g 0x3f8 ? )
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
buraktamturk
Newbie cheater
![]() Reputation: 0
Joined: 29 Jun 2014
Posts: 18
|
| Posted: Mon Jun 30, 2014 6:15 am Post subject: |
|
|
| Dark Byte wrote: | When it freezes without BSOD it means dbvm encountered an event it doesn't know how to handle (e.g a triple fault)
I have no experience with KVM at all so can't really say much (I'll check it out when I get time. It looks useful for debugging dbvm for which I use Bochs right now)
If possible, configure your KVM to use only 1 cpu (that way, if it crashes, you know it's the first and only cpu) DBVM has a chance of crashing each time a cpu is offloaded (there are some bugs which I haven't been able to find yet as my systems now always run 100%)
Also, can it emulate serial ports ? If so, I could build a debug build of dbvm which outputs debug data to the serial port and provides some interactivity (disassembling, vm state, etc...)
I would need an IO port I can use for that though (e.g 0x3f8 ? ) |
I will try with a one virtual cpu gived to the guest.
I can catch serial, I tried to build a custom dbvm before, because usb keyboard didn't worked on dbvm (i just pached two of something like command = readkeyboard() to command = '0'), i saw "last message before entering vmx" on monitor, there were more output at serial, but it didn't booted the os seems hangs at there too.
If dbvm can output to serial while offloading, debug build with a sig file would be awesome.
By the way, KVM is a very good virtualization, if your cpu supports iommu it can assign pysical graphics cards to the guest, when you passthrought usb keyboard and mouse, it looks like a physical machine, and performance is good. And many anti cheat engines doesn't catch it.
Thank you.
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 470
Joined: 09 May 2003
Posts: 25785
Location: The netherlands
|
| Posted: Mon Jun 30, 2014 7:22 am Post subject: |
|
|
The debug build needs a bi-directional serial port connection
Once it has started the serial port menu will be sent and then it waits for a command on how to continue, so just saving the output won't have an effect
In vmware in windows i use a pipe with putty
In bochs i use a sleeping terminal for output
Perhaps kvm has something like that
Also, if you build your own dbvm you should compile the driver yourself as well and then boot windows with unsigned driver support (or sign the driver). You won't need the .sig then
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
buraktamturk
Newbie cheater
![]() Reputation: 0
Joined: 29 Jun 2014
Posts: 18
|
| Posted: Mon Jun 30, 2014 9:34 am Post subject: |
|
|
| Dark Byte wrote: | The debug build needs a bi-directional serial port connection
Once it has started the serial port menu will be sent and then it waits for a command on how to continue, so just saving the output won't have an effect
In vmware in windows i use a pipe with putty
In bochs i use a sleeping terminal for output
Perhaps kvm has something like that
Also, if you build your own dbvm you should compile the driver yourself as well and then boot windows with unsigned driver support (or sign the driver). You won't need the .sig then |
Now i tried to boot with custom build of dbvm (just two patches, all of them is command = '0'; ). Monitor is showing Last display before entering vmx, and here is the output from serial console. I also changed cpu count to 1.
It's not important that you look it at or not, since very rare people try to use dbvm in kvm and report it when it isn't going to work.
Thank you, again.
Burak
| Code: |
cpunr=0
intnr=1
rsp=7fe490
cr2=0000000000000000
Checking if it was an expected interrupt
not expected
Status:
r15=0000000000000000
r14=0000000000000000
r13=0000000000000cf3
r12=0000000000000000
r11=00000000007ff631
r10=00000000007ff631
r9=0000000000000020
r8=00000000000000ff
rbp=0000000000002230
rsi=0000000000000000
rdi=000000000044c1c0
rdx=0000000000000002
rcx=00000000007ff5f0
rbx=000000000044c1c0
rax=0000000000000002
intnr=0000000000000001
stack[16]=000000000040047e
stack[17]=0000000000000050
stack[18]=00000000000041d6
stack[19]=00000000007ff7b0
--------------
DR6=00000000ffff4ff0
eip=000000000040047e
cs=0000000000000050
rflags=00000000000041d6 ( PF AF ZF SF TF NT )Trying to disassemble caller instruction
400460 : 5c - POP RSP
400461 : 41 5b - POP R11
400463 : 41 5a - POP R10
400465 : 41 59 - POP R9
400467 : 41 58 - POP R8
400469 : 5d - POP RBP
40046a : 5e - POP RSI
40046b : 5f - POP RDI
40046c : 5a - POP RDX
40046d : 59 - POP RCX
40046e : 5b - POP RBX
40046f : 58 - POP RAX
400470 : 0f01c3 - VMRESUME
400473 : 48 c7c0 03000000 - MOV RAX, 0x3
40047a : eb 02 - JMP 0x40047e
40047c : 31c0 - XOR EAX, EAX
>>40047e : 48 83c4 78 - ADD RSP, 0x78
400482 : 41 5f - POP R15
400484 : 41 5e - POP R14
400486 : 41 5d - POP R13
400488 : 41 5c - POP R12
40048a : 41 5b - POP R11
End of interrupt
----------------------------
Interrupt handler debug menu
----------------------------
1: Exit from interrupt
2: Check CRC values
3: Get vmstate
p: Previous vmstates
|
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 470
Joined: 09 May 2003
Posts: 25785
Location: The netherlands
|
| Posted: Mon Jun 30, 2014 9:42 am Post subject: |
|
|
Weird, it looks like debug register 2 caused an interrupt inside dbvm itself
this may indicate that restoring DR7 on vmexit isn't properly implemented in kvm (with a serial connection you could send '3' and get the vm state and confirm that DR2+DR7 in the guest was set to cause a breakpoint)
or it's a leftover debug thing I put in myself which i forgot to remove. I'll check it out later today (I doubt it as I'm more a DR0 guy)
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 470
Joined: 09 May 2003
Posts: 25785
Location: The netherlands
|
| Posted: Wed Jul 02, 2014 6:00 am Post subject: |
|
|
it looks like vmlaunch fails due to incorrect parameters so I'll check it out (I fixed the issue with the weird exception, it was stack corruption)
also, a tip for debugging with serial:
open a new terminal window or tab
type in tty, write down the path and then sleep 10000000
then just launch kvm with parameter -serial pathoftty (e.g: -serial /dev/pts/3 )
keyboard input is accepted
(also found a small bug in kvm that under normal usage should never cause any issues, but if vmlaunch fails, it returns one byte later than it should)
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
buraktamturk
Newbie cheater
![]() Reputation: 0
Joined: 29 Jun 2014
Posts: 18
|
| Posted: Thu Jul 03, 2014 4:24 pm Post subject: |
|
|
| Dark Byte wrote: | it looks like vmlaunch fails due to incorrect parameters so I'll check it out (I fixed the issue with the weird exception, it was stack corruption)
also, a tip for debugging with serial:
open a new terminal window or tab
type in tty, write down the path and then sleep 10000000
then just launch kvm with parameter -serial pathoftty (e.g: -serial /dev/pts/3 )
keyboard input is accepted
(also found a small bug in kvm that under normal usage should never cause any issues, but if vmlaunch fails, it returns one byte later than it should) |
I've already attached a pts device to my guest, but i don't know how to attach to the pts from the console. (All i did to get previous debug output from dbvm was "cat /dev/pts/3" and "echo 1 > /dev/pts/3") Searched over internet but i used wrong keywords i think.
I think i would better to port dbvm to kvm as a db kvm extensions or something like, I would learn a lot and the possibility to manipulate the guest from host system is a awesome idea i think.
I've started a couple days ago but i didn't have much time for improving and understanding it. Do not know where to place codes to how to get int 1 redirected. Injecting interrupt 1 from host is seems easy, redirecting interrupt 1 to somewhere from kvm would be possible, just the coder need to place the code to right function, and i don't have that capacity.
EDIT: I think it is possible emulate all of the dbvm vmcall's at here, including va to pa, and read/write to pa addresses. KVM has all of these functions and they are working very well.
| Description: |
|
| Filesize: |
24.42 KB |
| Viewed: |
26947 Time(s) |
|
| Description: |
|
| Filesize: |
70.46 KB |
| Viewed: |
26947 Time(s) |
|
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
