VirtualAddressNotPresentException thrown while searching for NT kernel

[LethalServant]

Summary

When IntroVirt attempts to detect the OS for the specific domain (kvm guest), the VirtualAddressNotPresent Exception is thrown while searching in memory for the start of the Windows NT Kernel. This causes the search to end early and the OS detection to fail for the domain.

This bug was found while adding support for AMD in the kvm-introvirt repo. Further testing needs to be done on Intel hardware to rule out that this bug is specific to CPU architecture.

Component(s)

NtKernelImpl

NtKernelmpl search_ptr

What is the current bug behavior?

The thrown exception cause the search for the kernel to stop early and thus the OS detection to fail.

What is the expected behavior?

The exception should be handle so that the memory region were the kernel is load can be fully search, leading to OS dectection.

System specs

CPU: AMD
KVM Host: Linux introvirt 5.4.0-122-generic #138-Ubuntu SMP Wed Jun 22 15:00:31 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
KVM Guest: Windows 10 Version 21H2 (OS Build 19044.1288)

Steps to reproduce

1. AMD hardware was used
2. Apply AMD patch to kvm-introvirt. Use branch ubuntu/focal/Ubuntu-5.4.0-122.138 on my fork of kvm-introvirt
3. Create Windows 10 VM on kvm host to test introspection
4. Run ivguestinfo -D guest name

Relevant logs and/or screenshots

root@introvirt:/home/dev/IntroVirt# ivguestinfo -D win10-1
TRACE : libintrovirt v0.57.3-1-g6706bab: DEBUG=1 Optimized=0
 WARN : You are running an unoptimized build of libintrovirt!
TRACE : Domain win10-1 attached vcpu 0
TRACE : Domain 91212 Vcpu 0 paused
TRACE : Domain 91212 Vcpu 0 resumed
TRACE : Domain 91212 Vcpu 0 paused
TRACE : Domain 91212 Vcpu 0 resumed
DEBUG : Domain win10-1 Vcpu0 intercept_exception(INT3, 1)
TRACE : Domain win10-1 attached vcpu 1
TRACE : Domain 91212 Vcpu 1 paused
TRACE : Domain 91212 Vcpu 1 resumed
TRACE : Domain 91212 Vcpu 1 paused
TRACE : Domain 91212 Vcpu 1 resumed
DEBUG : Domain win10-1 Vcpu1 intercept_exception(INT3, 1)
DEBUG : Domain win10-1 attached 2 vcpus
TRACE : Domain 91212 Vcpu 0 paused
DEBUG : Domain win10-1 Vcpu 0: Loading registers for paused VCPU
TRACE : Domain 91212 Vcpu 0 resumed
DEBUG : Attempting OS detection...
TRACE : Domain 91212 Vcpu 0 paused
TRACE : Domain 91212 Vcpu 1 paused
DEBUG : Domain win10-1 Vcpu 0 intercept_cr_writes(3, 1)
TRACE : Domain 91212 Vcpu 0 resumed
TRACE : Domain 91212 Vcpu 1 resumed
TRACE : Received event for VCPU 0:1 Type: EVENT_CR_WRITE
TRACE : Domain 91212 Vcpu 0 paused
TRACE : Domain 91212 Vcpu 1 paused
DEBUG : Using event VCPU 0
DEBUG : Starting NT kernel search at address 0xFFFFF80136408000
DEBUG : Virtual address 0xFFFFF801361FF000 not present
 0# introvirt::TraceableException::IMPL::IMPL() in /lib/libintrovirt.so
 1# std::_MakeUniq<introvirt::TraceableException::IMPL>::__single_object std::make_unique<introvirt::TraceableException::IMPL>() in /lib/libintrovirt.so
 2# introvirt::TraceableException::TraceableException(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) at /home/dev/IntroVirt/src/core/exception/TraceableException.cc:45
 3# introvirt::MemoryException::MemoryException(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) at /home/dev/IntroVirt/src/core/exception/MemoryException.cc:21
 4# introvirt::VirtualAddressNotPresentException::VirtualAddressNotPresentException(unsigned long, unsigned long) at /home/dev/IntroVirt/src/core/exception/VirtualAddressNotPresentException.cc:28
 5# introvirt::x86::PageDirectory::translate(unsigned long, unsigned long) const at /home/dev/IntroVirt/src/core/arch/x86/PageDirectory.cc:203
 6# void introvirt::basic_guest_ptr<unsigned short, void, false, void>::_remap<false, (void*)0>() at /home/dev/IntroVirt/include/introvirt/core/memory/guest_ptr.hh:795
 7# introvirt::basic_guest_ptr<unsigned short, void, false, void>::_reset(unsigned long, unsigned long) at /home/dev/IntroVirt/include/introvirt/core/memory/guest_ptr.hh:865
 8# introvirt::basic_guest_ptr<unsigned short, void, false, void>& introvirt::basic_guest_ptr<unsigned short, void, false, void>::operator-=<unsigned long>(unsigned long) at /home/dev/IntroVirt/include/introvirt/core/memory/guest_ptr.hh:637
 9# introvirt::windows::nt::NtKernelImpl<unsigned long>::NtKernelImpl(introvirt::windows::WindowsGuest&) at /home/dev/IntroVirt/src/windows/kernel/nt/NtKernelImpl.cc:392
10# void std::_Optional_base_impl<introvirt::windows::nt::NtKernelImpl<unsigned long>, std::_Optional_base<introvirt::windows::nt::NtKernelImpl<unsigned long>, false, false> >::_M_construct<introvirt::windows::WindowsGuestImpl<unsigned long>&>(introvirt::windows::WindowsGuestImpl<unsigned long>&) at /usr/include/c++/9/optional:419
11# std::enable_if<is_constructible_v<introvirt::windows::nt::NtKernelImpl<unsigned long>, introvirt::windows::WindowsGuestImpl<unsigned long>&>, introvirt::windows::nt::NtKernelImpl<unsigned long>&>::type std::optional<introvirt::windows::nt::NtKernelImpl<unsigned long> >::emplace<introvirt::windows::WindowsGuestImpl<unsigned long>&>(introvirt::windows::WindowsGuestImpl<unsigned long>&) at /usr/include/c++/9/optional:849
12# introvirt::windows::WindowsGuestImpl<unsigned long>::WindowsGuestImpl(introvirt::Domain&) at /home/dev/IntroVirt/src/windows/WindowsGuestImpl.cc:515
13# std::_MakeUniq<introvirt::windows::WindowsGuestImpl<unsigned long> >::__single_object std::make_unique<introvirt::windows::WindowsGuestImpl<unsigned long>, introvirt::DomainImpl&>(introvirt::DomainImpl&) at /usr/include/c++/9/bits/unique_ptr.h:857
14# introvirt::DomainImpl::detect_guest() at /home/dev/IntroVirt/src/core/domain/DomainImpl.cc:352
15# main at /home/dev/IntroVirt/tools/ivguestinfo.cc:98
16# __libc_start_main in /lib/x86_64-linux-gnu/libc.so.6
17# _start in ivguestinfo

TRACE : Domain 91212 Vcpu 0 resumed
TRACE : Domain 91212 Vcpu 1 resumed
DEBUG : Failed to detect WindowsGuest: Domain win10-1 failed guest detection: Virtual address 0xFFFFF801361FF000 not present
 0# introvirt::TraceableException::IMPL::IMPL() in /lib/libintrovirt.so
 1# std::_MakeUniq<introvirt::TraceableException::IMPL>::__single_object std::make_unique<introvirt::TraceableException::IMPL>() in /lib/libintrovirt.so
 2# introvirt::TraceableException::TraceableException(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) at /home/dev/IntroVirt/src/core/exception/TraceableException.cc:45
 3# introvirt::GuestDetectionException::GuestDetectionException(introvirt::Domain const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) at /home/dev/IntroVirt/src/core/exception/GuestDetectionException.cc:29
 4# introvirt::windows::WindowsGuestImpl<unsigned long>::WindowsGuestImpl(introvirt::Domain&) at /home/dev/IntroVirt/src/windows/WindowsGuestImpl.cc:528
 5# std::_MakeUniq<introvirt::windows::WindowsGuestImpl<unsigned long> >::__single_object std::make_unique<introvirt::windows::WindowsGuestImpl<unsigned long>, introvirt::DomainImpl&>(introvirt::DomainImpl&) at /usr/include/c++/9/bits/unique_ptr.h:857
 6# introvirt::DomainImpl::detect_guest() at /home/dev/IntroVirt/src/core/domain/DomainImpl.cc:352
 7# main at /home/dev/IntroVirt/tools/ivguestinfo.cc:98
 8# __libc_start_main in /lib/x86_64-linux-gnu/libc.so.6
 9# _start in ivguestinfo

TRACE : Completing event 1
TRACE : KvmVcpu::complete_event() completed

...

Additional context or possible fixes

potential fix for this bug

[chp-io]

Thank you for this bug report. This is a nice write up!

However, I have not been able to reproduce your exact same issue on my AMD box. For example, without your patch, IV is still able to find the kernel base:

[DEBUG] introvirt.windows.kernel.nt.NtKernel: Using event VCPU 0
[DEBUG] introvirt.windows.kernel.nt.NtKernel: Starting NT kernel search at address 0xFFFFF8025D87E000
[DEBUG] introvirt.windows.kernel.nt.NtKernel: Found MZ at 0xFFFFF8025D6B5000
[DEBUG] introvirt.windows.kernel.nt.NtKernel: Found PDB Filename: ntkrnlmp.pdb

Which statement was causing the VirtualAddressNotPresentException to be thrown, preventing kernel detection?

In your case, was this fix enough for you to successfully run ivguestinfo, or were you getting another error further down?

[LethalServant]

@chp-io Thanks for looking into this.

The VirtualAddressNotPresentException is thrown in PageDirectory::translate method line 203.
Line 5 in the first stack trace in the above logs.
My fix handles the exception by catching it when it rises up to Line 9 in the first stack trace.

Yes, my fix was enough to successfully run ivgustinfo, no other errors occur.

Since, you were not able to reproduce this issue, it might due to inconsistences in our KVM guests.
What is the Windows version of your test VM?

[chp-io]

According to line 9 in the first stack trace, the statement causing the exception and preventing kernel detection in NtKernelImpl is:

IntroVirt/src/windows/kernel/nt/NtKernelImpl.cc

Line 392 in d86c827

while (search_ptr.address() > search_bottom) {

which doesn't make sense, because according to line 8 of the first stack trace, the exception occurs during the operator-= call in:

IntroVirt/include/introvirt/core/memory/guest_ptr.hh

Lines 624 to 637 in d86c827

	// Integer compound subtraction
	template <typename I>
	basic_guest_ptr<_Tp, _PtrType, _Physical, _Enabled>& operator-=(I offset) {
	if constexpr (_is_guest_ptr_t_v) {
	this->ptr_ -= offset;
	} else {
	_validate_valid_ptr();
	if constexpr (_is_array_v) {
	this->_reset(this->address_ - (offset * _element_size()), this->length_);
	} else {
	this->_reset(this->address_ - (offset * _element_size()));
	}
	}
	return *this;

which would instead indicate that the culprit in NtKernelImpl is:

IntroVirt/src/windows/kernel/nt/NtKernelImpl.cc

Line 432 in acdcbfa

search_ptr -= PageDirectory::PAGE_SIZE / sizeof(uint16_t);

[chp-io]

Interesting that your fix was enough to successfully run ivguestinfo with no other errors. In my case, I had to fix an issue with the KPCR failing to initialize. I'll post my solution in a separate issue.

[chp-io]

I am now able to reproduce the same behavior you've observed.

Line #9 of the stack trace, which pointed to NtKernelImpl.cc:392, was indeed wrong. This seems to be an issue with the stack trace library that we use.

Using a debugger, the stack trace, doesn't ever point to NtKernelImpl.cc:392, but instead correctly points to NtKernelImpl.cc:432:

IntroVirt/src/windows/kernel/nt/NtKernelImpl.cc

Line 432 in acdcbfa

search_ptr -= PageDirectory::PAGE_SIZE / sizeof(uint16_t);

which now makes sense.

Would you like to create a pull request?