Shadow EPT Management

This section covers functions for creating, modifying, and managing Shadow EPT (Extended Page Table) pages. These functions allow fine-grained control of memory access by mapping guest virtual address

Core Functions

create_SEPT

Description: Creates a shadow page for a guest virtual address. This function hooks the virtual address and maps it to separate physical memory pages for read and execute operations.

Parameters:

  • virt_addr (guest_virt_t): The virtual address in the guest to hook.

  • SEPT_read (guest_virt_t): The virtual address of the read-only page.

  • SEPT_execute (guest_virt_t): The virtual address of the executable page.

Returns: vmxroot_error_t: Error code indicating success or failure.

Example:

ScyHV::guest_virt_t guest_addr = 0x7FFE0000;
ScyHV::guest_virt_t read_page = 0x7FFE1000;
ScyHV::guest_virt_t exec_page = 0x7FFE2000;

ScyHV::vmxroot_error_t result = Styx::create_SEPT(guest_addr, read_page, exec_page);
if (result == STY_SUCCESS) {
    std::cout << "Shadow page created successfully" << std::endl;
}

create_SEPTphys

Description: Creates a shadow page using physical addresses. Hooks the guest virtual address and maps it to separate read and execute physical pages.

Parameters:

  • virt_addr (guest_virt_t): The virtual address in the guest to hook.

  • SEPT_read (guest_phys_t): The physical address of the read-only page.

  • SEPT_execute (guest_phys_t): The physical address of the executable page.

Returns: vmxroot_error_t: Error code indicating success or failure.

Example:

ScyHV::guest_virt_t guest_addr = 0x7FFE0000;
ScyHV::guest_phys_t read_page = 0x1000;
ScyHV::guest_phys_t exec_page = 0x2000;

ScyHV::vmxroot_error_t result = Styx::create_SEPTphys(guest_addr, read_page, exec_page);
if (result == STY_SUCCESS) {
    std::cout << "Physical shadow page created successfully" << std::endl;
}

remove_SEPT

Description: Removes a shadow page associated with a guest virtual address. Restores the original mapping and frees resources associated with the shadow page.

Parameters:

  • virt_addr (guest_virt_t): The virtual address of the shadow page to remove.

Returns: vmxroot_error_t: Error code indicating success or failure.

Example:

ScyHV::guest_virt_t guest_addr = 0x7FFE0000;

ScyHV::vmxroot_error_t result = Styx::remove_SEPT(guest_addr);
if (result == STY_SUCCESS) {
    std::cout << "Shadow page removed successfully" << std::endl;
}

reveal_SEPT

Description: Reveals a hidden shadow page by restoring its original permissions and mappings. This function disables the shadow hook for a specific virtual address.

Parameters:

  • virt_addr (guest_virt_t): The virtual address of the hidden shadow page to reveal.

Returns: vmxroot_error_t: Error code indicating success or failure.

Example:

ScyHV::guest_virt_t guest_addr = 0x7FFE0000;

ScyHV::vmxroot_error_t result = Styx::reveal_SEPT(guest_addr);
if (result == STY_SUCCESS) {
    std::cout << "Shadow page revealed successfully" << std::endl;
}

disable_SEPT

Description: Disables page protection for a specific physical address by granting full read, write, and execute permissions. This bypasses EPT protections temporarily.

Parameters:

  • phys_addr (guest_phys_t): The physical address for which page protection is disabled.

Returns: vmxroot_error_t: Error code indicating success or failure.

Example:

ScyHV::guest_phys_t phys_addr = 0x1000;

ScyHV::vmxroot_error_t result = Styx::disable_SEPT(phys_addr);
if (result == STY_SUCCESS) {
    std::cout << "Page protection bypassed successfully" << std::endl;
}
