Vm Exit Eflags error

[fake-cheater]

Your hypervisor will change the original Eflags on exit.
For example, eflags==246 cpuid->>vmexit -->eflags 206.
You can test on x64dbg~

[fake-cheater]

fix Anticheat Check
msr::vmx_entry_ctls_t entry_ctls{};
entry_ctls.ia32e_mode_guest = true;
entry_ctls.load_debug_controls = true; //must be set
vm_entry_controls(entry_ctls);

msr::vmx_exit_ctls_t exit_ctls{};
exit_ctls.ia32e_mode_host = true;
exit_ctls.acknowledge_interrupt_on_exit = true;//must be set
exit_ctls.save_debug_controls = true;//must be set
vm_exit_controls(exit_ctls);

[fake-cheater]

if (!suppress_rip_adjust_)
{
exit_context_.rip += exit_instruction_length();
//fix rip/eflags error
if (exit_context_.rflags.trap_flag) {
inject(interrupt_info_t(vmx::interrupt_type::hardware_exception,
exception_vector::debug));
}
}

[Skyfail]

Here's a good blog post about this, explaining the actual issue: https://howtohypervise.blogspot.com/2019/01/a-common-missight-in-most-hypervisors.html

[rianquinn]

That is an interesting article. I remember years ago when I was writing the hypervisor that was eventually used by Jacob on MoRE (which was a dirivative of Embelton's vmxvcpu rootkit), we learned similar issues with ensuring instruction emulation is done properly.

We will have to add the same fix to Bareflank as I think we are missing this as well.

[Skyfail]

I also noticed:

• The code by @myckx causes undefined behaviour on some systems while it's working fine when setting the guest_pending_debug_exceptions vmcs field as stated in the Intel Manual
• VMWare does not seem to handle this case properly too as it randomly ignores the single steps, on physical hardware this never happened for me