[hyperdbg] Hey, it works


Jon Larimer

May 22, 2010, 9:43:42 AM5/22/10
to hype...@googlegroups.com
Thanks for posting the development tips. I finally got HyperDbg up and running. My setup is 32-bit Windows XP SP3 on a slightly-modified Bochs 2.4.5 on Ubuntu 10.04 x64, which is running inside of VMWare Workstation 7 on a Windows 7 x64 box... See my screenshot at http://i.imgur.com/thf91.png.

To get it working with Bochs 2.4.5, I had to patch Bochs at line 1050 of cpu/init.cc. They recently added support for the IA32_FEATURE_CTRL MSR, but aren't setting the lock bit (0) - just the VMX bit (2). In init.cc it's getting set to 0x4, I fixed it to be 0x5. The lock bit is now getting checked in the VMXON code in cpu/vmx.cc, so without that patch, HyperDbg GPF's the CPU on the VMXON instruction. I added a comment about this to the bug report for IA32_FEATURE_CTRL (http://sourceforge.net/tracker/?func=detail&aid=2964655&group_id=12580&atid=112580) so maybe it'll get fixed soon.

During my adventure of getting HyperDbg running, I came up with these tips for other people trying to get it working:
  • Building Bochs:
    • I built Bochs from source using the 2.4.5 tarball from SourceForge.
    • To build the source, you'll need some extra packages not included in a stock Ubuntu 10.04 install. I wanted to try the wxWidgets UI and some other features, so these are the packages I installed with apt-get: build-essential xorg-dev libgtk2.0-dev libwxgtk2.8-dev libwxgtk2.8-dbg
    • To enable VMX, you need to configure it with the --enable-x86-64 and --enable-vmx options. The full set of options I used are: --with-x11 --with-wx --enable-vmx --enable-x86-64 --enable-all-optimizations
  • Installing XP on Bochs:
    • The XP install wouldn't work with any optimizations or VMX or x86-64 in Bochs. I gave up trying to find combinations of features and just built it with no features - just --with-x11. This allowed me to install XP SP3. Your mileage may vary with other versions of XP. For me, it would get right past the license agreement and reboot. Building Bochs with no features allowed the install to complete but it took a long time.
    • XP SP2 and higher need PAE disabled for HyperDbg to load. Do this by setting /noexecute=alwaysoff in boot.ini.
    • When using Bochs inside of a VM (I used VMWare Workstation and VirtualBox), the mouse doesn't work very well if your VM is using the xorg vmmouse driver. Since Ubuntu 10.04 doesn't have an xorg.conf file that would allow me to disable it, I just removed the driver package: apt-get remove x11-xorg-input-vmmouse. Do that, restart X, and the mouse will work in the Bochs XP VM.
    • Use mkisofs to create an ISO with all this good stuff to install on the XP image:
      • OSRLoader or HyperGui
      • DebugView - view debug messages. Make sure you enable 'Capture Kernel'!
      • Debugging Tools for Windows - for analyzing crash dumps
      • Symbol file installer for your OS - these always come in handy
    • Make a copy of your XP disk image just in case it gets messed up.
  • Running HyperDbg
    • If the driver won't start because of error #31 (A device attached to the system is not functioning), that means that DriverEntry in pill.c returned STATUS_UNSUCCESSFUL. To figure out why that happened, check DebugView. For me, it was because PAE was still enabled. 
    • If the driver loads and bluescreens the machine with error 0x0000007F (0x0000000D, 0x00000000, 0x00000000, 0x00000000), that means the CPU GPF'd. Check the Bochs log to figure out why. For me, the error said "VMXON is not allowed!" and that helped me figure out the MSR issue mentioned above.
-jon
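The MSR check behind the "VMXON is not allowed!" message and the 0x4 -> 0x5 fix, written out as an added example (my code, not code from the thread, from Bochs or from HyperDbg). It assumes the bit layout of IA32_FEATURE_CONTROL documented in the Intel SDM: bit 0 is the lock bit and bit 2 enables VMX outside SMX, matching the bits the post names.

```c
#include <stdint.h>
#include <stdio.h>

/* IA32_FEATURE_CONTROL (MSR 0x3A) bit layout per the Intel SDM. */
#define FEATURE_CONTROL_LOCK         (1ULL << 0)
#define FEATURE_CONTROL_VMX_IN_SMX   (1ULL << 1)
#define FEATURE_CONTROL_VMX_OUT_SMX  (1ULL << 2)

enum vmxon_result {
    VMXON_OK = 0,
    VMXON_GP_NOT_LOCKED,    /* lock bit clear: VMXON raises #GP */
    VMXON_GP_VMX_DISABLED   /* locked, but VMX outside SMX is off: #GP */
};

/* Models the gate the emulated CPU applies on VMXON (the check the post
 * describes in Bochs' cpu/vmx.cc): the MSR must be locked AND VMX must
 * be enabled outside SMX, otherwise the instruction faults with #GP. */
enum vmxon_result vmxon_check(uint64_t feature_control)
{
    if (!(feature_control & FEATURE_CONTROL_LOCK))
        return VMXON_GP_NOT_LOCKED;
    if (!(feature_control & FEATURE_CONTROL_VMX_OUT_SMX))
        return VMXON_GP_VMX_DISABLED;
    return VMXON_OK;
}

/* The one-bit fix from the post: the value Bochs initialised (0x4, VMX
 * enabled but unlocked) becomes 0x5 once the lock bit is set. */
uint64_t apply_lock_fix(uint64_t feature_control)
{
    return feature_control | FEATURE_CONTROL_LOCK;
}

int main(void)
{
    uint64_t unpatched = 0x4;   /* value named in the post: VMX bit only */
    uint64_t patched = apply_lock_fix(unpatched);

    printf("0x%llx -> vmxon %s\n", (unsigned long long)unpatched,
           vmxon_check(unpatched) == VMXON_OK ? "allowed" : "NOT allowed (#GP)");
    printf("0x%llx -> vmxon %s\n", (unsigned long long)patched,
           vmxon_check(patched) == VMXON_OK ? "allowed" : "NOT allowed (#GP)");
    return 0;
}
```

A #GP raised this way inside the guest is what surfaces in XP as the 0x7F bugcheck with first parameter 0x0D (trap 13, general protection) mentioned later in the post.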

Jun Koi

May 25, 2010, 10:56:50 AM5/25/10
to hype...@googlegroups.com
> Running HyperDbg
>
> If the driver won't start because of error #31 (A device attached to the
> system is not functioning), that means that DriverEntry in pill.c returned
> STATUS_UNSUCCESSFUL. To figure out why that happened, check DebugView. For
> me, it was because PAE was still enabled.

I have exactly the same problem (error #31 occurs when I run the hyperdbg
tool), so I cannot load the Hyperdbg driver. I doubt that PAE is the
reason, though.

Does anybody know how to fix this bug?

Thanks,
Jun

Jun Koi

May 25, 2010, 11:07:46 AM5/25/10
to hype...@googlegroups.com
On Sat, May 22, 2010 at 10:43 PM, Jon Larimer <jlar...@gmail.com> wrote:

So did you disable PAE to run HyperDbg? How did you disable PAE?

Thanks,
J

Jon Larimer

May 25, 2010, 9:15:35 AM5/25/10
to hyperdbg
> To get it working with Bochs 2.4.5, I had to patch Bochs at line 1050 of
> cpu/init.cc. They recently added support for the IA32_FEATURE_CTRL MSR, but
> aren't setting the lock bit (0) - just the VMX bit (2). In init.cc it's
> getting set to 0x4, I fixed it to be 0x5. The lock bit is now getting
> checked in the VMXON code in cpu/vmx.cc, so without that patch, HyperDbg
> GPF's the CPU on the VMXON instruction. I added a comment about this to the
> bug report for IA32_FEATURE_CTRL (http://sourceforge.net/tracker/?func=detail&aid=2964655&group_id=1258...)

> so maybe it'll get fixed soon.

I wrote that a couple of days ago when I was still confused about the
Lock bit. With the hyperdbg patch I submitted last night it isn't
necessary to modify Bochs.

-jon

joystick

May 27, 2010, 4:59:52 AM5/27/10
to hyperdbg
Hi everybody,

sorry about your posts not showing up immediately, we had a little
issue with the spam checker :(

@jun:

On May 25, 5:07 pm, Jun Koi <junkoi2...@gmail.com> wrote:

> So did you disable PAE to run HyperDbg? How did you disable PAE?

you can add /NOPAE /NOEXECUTE=alwaysoff to your Boot.ini file, that
should do the trick if I remember correctly ;-)

> Thanks,
> J

Jon Larimer

May 27, 2010, 8:36:42 AM5/27/10
to hype...@googlegroups.com
If you have hardware DEP (data execution prevention) enabled in the BIOS on a physical machine, XP will automatically enable PAE no matter what you do to boot.ini. The feature needs to be disabled in the BIOS. This isn't an issue with Bochs, just a physical machine. You can tell if PAE is enabled or not in XP by right-clicking My Computer, clicking Properties, and looking for "Physical Address Extension" showing up in the Computer section of the General tab.

Jun - for your Error 31 issue, download and install DebugView (http://technet.microsoft.com/en-us/sysinternals/bb896647.aspx), then make sure you turn on the "Capture Kernel" option. There should be log messages that show up saying why HyperDbg won't load.

-jon

Jun Koi

May 27, 2010, 10:35:59 AM5/27/10
to hype...@googlegroups.com

This is very useful. I will try that later. Thanks a lot, Jon.

A question: why do we refuse to load the driver on a PAE kernel? Does the
Hyperdbg driver intentionally disallow that, or is Windows the
culprit?

Thanks,
J

Aristide Fattori

May 27, 2010, 10:59:08 AM5/27/10
to hype...@googlegroups.com
Hi Jun,

that's because the memory handling in HyperDbg still does not support
PAE so far, as you can see if you check out core/mmu.c :-)

Cheers,
Aristide

--
GnuPG Key on keyserver.pgp.com ID 291D712D
http://security.dico.unimi.it/~joystick/

Jun Koi

May 27, 2010, 9:11:40 PM5/27/10
to hype...@googlegroups.com
On Thu, May 27, 2010 at 11:59 PM, Aristide Fattori
<aristid...@gmail.com> wrote:
> Hi Jun,
>
> that's because the memory handling in HyperDbg still does not support
> PAE so far, as you can see if you check out core/mmu.c :-)
>

Indeed, I missed that.

thanks,
J

Jun Koi

May 27, 2010, 10:42:51 PM5/27/10
to hype...@googlegroups.com
On Sat, May 22, 2010 at 10:43 PM, Jon Larimer <jlar...@gmail.com> wrote:
> Thanks for posting the development tips. I finally got HyperDbg up and
> running. My setup is 32-bit Windows XP SP3 on a slightly-modified Bochs

So this means that, although the authors say that Hyperdbg only supports
SP2, it actually works well with SP3, too?

Thanks,
J

Jon Larimer

May 27, 2010, 10:49:41 PM5/27/10
to hype...@googlegroups.com
On Thu, May 27, 2010 at 10:42 PM, Jun Koi <junko...@gmail.com> wrote:
>
>
> so this means that why the authors say that Hyperdbg only supports
> SP2, it actually works well with SP3, too?
>

Yes - I got the driver to start up on SP3, and when I pressed F12 the
HyperDbg screen came up and I could use the commands, then go back
into XP with F12 again. I haven't tried much more than that...

I didn't re-build the symbols (hyperdbg\syms.c - can be built with
hyperdbg\tools\symbol2c.py), so the disassembly was rather plain. The
symbols in the source are for SP2 I believe.

-jon

joystick

May 30, 2010, 4:47:24 AM5/30/10
to hyperdbg
Hi everybody,
On May 28, 4:49 am, Jon Larimer <jlari...@gmail.com> wrote:
> > so this means that why the authors say that Hyperdbg only supports
> > SP2, it actually works well with SP3, too?

We affirm that it works on SP2 because we tested it only in a Windows
XP SP2 environment :)

> Yes - I got the driver start up on SP3, and when I pressed F12 the
> HyperDbg screen came up and I could use the commands, then go back
> into XP with F12 again. I haven't tried much more than that...

Good to know, thanks for the testing on SP3 ;-)

> I didn't re-build the symbols (hyperdbg\syms.c - can be built with
> hyperdbg\tools\symbol2c.py), so the disassembly was rather plain. The
> symbols in the source are for SP2 I believe.

Yes, the symbols included in the svn version are for Windows XP SP2.

Cheers,
A.