VT系列:退出事件系統構建(VMMEntryPoint)
VT執行流程:
產生退出事件 -> 根據退出事件指定特定的處理函式 -> 決定自己處理還是交給CPU處理 -> 處理完成後呼叫VmResume將控制權交還給虛擬機器。
而當發生退出事件時要呼叫的函式就是本章要講的
VMCS位置:
HOST_RIP-->VMMEntryPoint(VM-Exit處理程式)
VM-Exit事件表:
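/* Basic VM-exit reasons: the low 16 bits of the VM_EXIT_REASON VMCS field.
 * Values follow the Intel SDM exit-reason table. The dispatcher on this page
 * only acts on the six marked "must handle"; the rest are either not enabled in
 * the execution controls or are left to the CPU. */
#define EXIT_REASON_EXCEPTION_NMI          0   /* gated by EXCEPTION_BITMAP */
#define EXIT_REASON_EXTERNAL_INTERRUPT     1
#define EXIT_REASON_TRIPLE_FAULT           2
#define EXIT_REASON_INIT                   3
#define EXIT_REASON_SIPI                   4
#define EXIT_REASON_IO_SMI                 5
#define EXIT_REASON_OTHER_SMI              6
#define EXIT_REASON_PENDING_INTERRUPT      7
#define EXIT_REASON_TASK_SWITCH            9
#define EXIT_REASON_CPUID                  10  /* must handle (unconditional exit) */
#define EXIT_REASON_HLT                    12
#define EXIT_REASON_INVD                   13  /* must handle (unconditional exit) */
#define EXIT_REASON_INVLPG                 14
#define EXIT_REASON_RDPMC                  15
#define EXIT_REASON_RDTSC                  16
#define EXIT_REASON_RSM                    17
#define EXIT_REASON_VMCALL                 18  /* must handle: several hypervisors may coexist */
#define EXIT_REASON_VMCLEAR                19
#define EXIT_REASON_VMLAUNCH               20
#define EXIT_REASON_VMPTRLD                21
#define EXIT_REASON_VMPTRST                22
#define EXIT_REASON_VMREAD                 23
#define EXIT_REASON_VMRESUME               24
#define EXIT_REASON_VMWRITE                25
#define EXIT_REASON_VMXOFF                 26
#define EXIT_REASON_VMXON                  27
#define EXIT_REASON_CR_ACCESS              28  /* must handle; only CR3 is serviced here */
#define EXIT_REASON_DR_ACCESS              29  /* can be used to monitor hardware breakpoints */
#define EXIT_REASON_IO_INSTRUCTION         30  /* can be used to monitor keyboard/mouse I/O */
#define EXIT_REASON_MSR_READ               31  /* must handle */
#define EXIT_REASON_MSR_WRITE              32  /* must handle */
#define EXIT_REASON_INVALID_GUEST_STATE    33
#define EXIT_REASON_MSR_LOADING            34
#define EXIT_REASON_MWAIT_INSTRUCTION      36
#define EXIT_REASON_MONITOR_INSTRUCTION    39
#define EXIT_REASON_PAUSE_INSTRUCTION      40
#define EXIT_REASON_MACHINE_CHECK          41
#define EXIT_REASON_TPR_BELOW_THRESHOLD    43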
必須交由我們自己處理的VM-EXIT事件(即不在CPU_BASED_VM_EXEC_CONTROL或EXCEPTION_BITMAP控制內的):
事件 |
代號 |
對應彙編指令 |
Model Specific Register Read (MSR暫存器讀操作) |
EXIT_REASON_MSR_READ(0x1F) |
rdmsr |
Model Specific Register Write (MSR暫存器寫操作) |
EXIT_REASON_MSR_WRITE(0x20) |
wrmsr |
Control Register Access (CR暫存器讀/寫操作) |
EXIT_REASON_CR_ACCESS(0x1C) |
mov crX,XXX mov XXX,crX |
Invd(快取記憶體控制) |
EXIT_REASON_INVD(0xD) |
invd |
CPUID |
EXIT_REASON_CPUID(0xA) |
cpuid |
VmCall |
EXIT_REASON_VMCALL(0x12) |
vmcall |
注:代號參考自Newbluepill
需要注意的是處理CR控制暫存器和MSR時的一些細節
- CR Access:
退出事件條件:
ExitQualification= Vmx_VmRead(EXIT_QUALIFICATION);
控制暫存器,我們只要處理CR3就可以了:
movcrControlRegister= ( ExitQualification & 0x0000000F );
操作型別,0為寫入 1為讀取
movcrAccessType= ( ( ExitQualification & 0x00000030 )>> 4 );
運算元型別,一般為0:
movcrOperandType= ( ( ExitQualification & 0x00000040 )>> 6 );
目的暫存器:
movcrGeneralPurposeRegister= ( ( ExitQualification & 0x00000F00 )>> 8 );
movcrControlRegister= 3 且movcrAccessType =0時為寫入到CR3
movcrControlRegister= 3 且movcrAccessType =1時為從CR3讀出到暫存器
movcrGeneralPurposeRegister
0=eax 1=ecx 2=edx 3=ebx 4=esp 5=ebp 6=esi 7=edi
- MSR Access:
Read:ECX為MSR暫存器代號,EAX為返回值的低32位,EDX為返回值的高32位.
Write:ECX為MSR暫存器代號,EAX為寫入值的低32位,EDX為寫入值的高32位.
部分需要用VmRead和VmWrite來處理。
在產生退出事件的時需要儲存虛擬機器的暫存器資訊
使用的資料結構如下:
/* Snapshot of the guest's general-purpose registers taken at VM exit.
 * Field order is an ABI shared with Asm_VMMEntryPoint, which fills and reloads
 * the first eight members by fixed offset (eax=0x00, ecx=0x04, edx=0x08,
 * ebx=0x0C, esp=0x10, ebp=0x14, esi=0x18, edi=0x1C). Do not reorder them or
 * insert anything before edi without updating the asm stub. */
typedef struct _GUEST_REGS
{
ULONG eax;
ULONG ecx;
ULONG edx;
ULONG ebx;
ULONG esp; /* asm stub stores the HOST esp here; VMMEntryPoint overwrites it with GUEST_RSP */
ULONG ebp;
ULONG esi;
ULONG edi;
ULONG eip; /* not touched by the asm stub; VMMEntryPoint loads it from GUEST_RIP */
ULONG cr3; /* not touched by the asm stub; VMMEntryPoint loads it from GUEST_CR3 */
}GUEST_REGS,*PGUEST_REGS;
在處理函式中需要用到的一些定義
/* VMCS field encodings (Intel SDM, Appendix B "Field Encoding in VMCS").
 * Bits 14:13 of an encoding give the field width (0 = 16-bit, 1 = 64-bit,
 * 2 = 32-bit, 3 = natural width) and bits 11:10 the field type (0 = control,
 * 1 = read-only data, 2 = guest state, 3 = host state); the comment before each
 * group names that combination. The odd *_HIGH encodings access the upper
 * 32 bits of a 64-bit field from 32-bit host code. These are the values passed to
 * Vmx_VmRead / Vmx_VmWrite; HOST_RIP is the field that points at the VM-exit
 * handler (Asm_VMMEntryPoint). */
enum
{
/* 16-bit control fields */
VIRTUAL_PROCESSOR_ID = 0x00000000,
POSTED_INTR_NV = 0x00000002,
/* 16-bit guest-state fields */
GUEST_ES_SELECTOR = 0x00000800,
GUEST_CS_SELECTOR = 0x00000802,
GUEST_SS_SELECTOR = 0x00000804,
GUEST_DS_SELECTOR = 0x00000806,
GUEST_FS_SELECTOR = 0x00000808,
GUEST_GS_SELECTOR = 0x0000080a,
GUEST_LDTR_SELECTOR = 0x0000080c,
GUEST_TR_SELECTOR = 0x0000080e,
GUEST_INTR_STATUS = 0x00000810,
/* 16-bit host-state fields */
HOST_ES_SELECTOR = 0x00000c00,
HOST_CS_SELECTOR = 0x00000c02,
HOST_SS_SELECTOR = 0x00000c04,
HOST_DS_SELECTOR = 0x00000c06,
HOST_FS_SELECTOR = 0x00000c08,
HOST_GS_SELECTOR = 0x00000c0a,
HOST_TR_SELECTOR = 0x00000c0c,
/* 64-bit control fields */
IO_BITMAP_A = 0x00002000,
IO_BITMAP_A_HIGH = 0x00002001,
IO_BITMAP_B = 0x00002002,
IO_BITMAP_B_HIGH = 0x00002003,
MSR_BITMAP = 0x00002004,
MSR_BITMAP_HIGH = 0x00002005,
VM_EXIT_MSR_STORE_ADDR = 0x00002006,
VM_EXIT_MSR_STORE_ADDR_HIGH = 0x00002007,
VM_EXIT_MSR_LOAD_ADDR = 0x00002008,
VM_EXIT_MSR_LOAD_ADDR_HIGH = 0x00002009,
VM_ENTRY_MSR_LOAD_ADDR = 0x0000200a,
VM_ENTRY_MSR_LOAD_ADDR_HIGH = 0x0000200b,
TSC_OFFSET = 0x00002010,
TSC_OFFSET_HIGH = 0x00002011,
VIRTUAL_APIC_PAGE_ADDR = 0x00002012,
VIRTUAL_APIC_PAGE_ADDR_HIGH = 0x00002013,
APIC_ACCESS_ADDR = 0x00002014,
APIC_ACCESS_ADDR_HIGH = 0x00002015,
POSTED_INTR_DESC_ADDR = 0x00002016,
POSTED_INTR_DESC_ADDR_HIGH = 0x00002017,
EPT_POINTER = 0x0000201a,
EPT_POINTER_HIGH = 0x0000201b,
EOI_EXIT_BITMAP0 = 0x0000201c,
EOI_EXIT_BITMAP0_HIGH = 0x0000201d,
EOI_EXIT_BITMAP1 = 0x0000201e,
EOI_EXIT_BITMAP1_HIGH = 0x0000201f,
EOI_EXIT_BITMAP2 = 0x00002020,
EOI_EXIT_BITMAP2_HIGH = 0x00002021,
EOI_EXIT_BITMAP3 = 0x00002022,
EOI_EXIT_BITMAP3_HIGH = 0x00002023,
VMREAD_BITMAP = 0x00002026,
VMWRITE_BITMAP = 0x00002028,
XSS_EXIT_BITMAP = 0x0000202C,
XSS_EXIT_BITMAP_HIGH = 0x0000202D,
/* 64-bit read-only data field */
GUEST_PHYSICAL_ADDRESS = 0x00002400,
GUEST_PHYSICAL_ADDRESS_HIGH = 0x00002401,
/* 64-bit guest-state fields */
VMCS_LINK_POINTER = 0x00002800,
VMCS_LINK_POINTER_HIGH = 0x00002801,
GUEST_IA32_DEBUGCTL = 0x00002802,
GUEST_IA32_DEBUGCTL_HIGH = 0x00002803,
GUEST_IA32_PAT = 0x00002804,
GUEST_IA32_PAT_HIGH = 0x00002805,
GUEST_IA32_EFER = 0x00002806,
GUEST_IA32_EFER_HIGH = 0x00002807,
GUEST_IA32_PERF_GLOBAL_CTRL = 0x00002808,
GUEST_IA32_PERF_GLOBAL_CTRL_HIGH = 0x00002809,
GUEST_PDPTR0 = 0x0000280a,
GUEST_PDPTR0_HIGH = 0x0000280b,
GUEST_PDPTR1 = 0x0000280c,
GUEST_PDPTR1_HIGH = 0x0000280d,
GUEST_PDPTR2 = 0x0000280e,
GUEST_PDPTR2_HIGH = 0x0000280f,
GUEST_PDPTR3 = 0x00002810,
GUEST_PDPTR3_HIGH = 0x00002811,
GUEST_BNDCFGS = 0x00002812,
GUEST_BNDCFGS_HIGH = 0x00002813,
/* 64-bit host-state fields */
HOST_IA32_PAT = 0x00002c00,
HOST_IA32_PAT_HIGH = 0x00002c01,
HOST_IA32_EFER = 0x00002c02,
HOST_IA32_EFER_HIGH = 0x00002c03,
HOST_IA32_PERF_GLOBAL_CTRL = 0x00002c04,
HOST_IA32_PERF_GLOBAL_CTRL_HIGH = 0x00002c05,
/* 32-bit control fields */
PIN_BASED_VM_EXEC_CONTROL = 0x00004000,
CPU_BASED_VM_EXEC_CONTROL = 0x00004002,
EXCEPTION_BITMAP = 0x00004004,
PAGE_FAULT_ERROR_CODE_MASK = 0x00004006,
PAGE_FAULT_ERROR_CODE_MATCH = 0x00004008,
CR3_TARGET_COUNT = 0x0000400a,
VM_EXIT_CONTROLS = 0x0000400c,
VM_EXIT_MSR_STORE_COUNT = 0x0000400e,
VM_EXIT_MSR_LOAD_COUNT = 0x00004010,
VM_ENTRY_CONTROLS = 0x00004012,
VM_ENTRY_MSR_LOAD_COUNT = 0x00004014,
VM_ENTRY_INTR_INFO_FIELD = 0x00004016,
VM_ENTRY_EXCEPTION_ERROR_CODE = 0x00004018,
VM_ENTRY_INSTRUCTION_LEN = 0x0000401a,
TPR_THRESHOLD = 0x0000401c,
SECONDARY_VM_EXEC_CONTROL = 0x0000401e,
PLE_GAP = 0x00004020,
PLE_WINDOW = 0x00004022,
/* 32-bit read-only data fields (VM-exit information) */
VM_INSTRUCTION_ERROR = 0x00004400,
VM_EXIT_REASON = 0x00004402,
VM_EXIT_INTR_INFO = 0x00004404,
VM_EXIT_INTR_ERROR_CODE = 0x00004406,
IDT_VECTORING_INFO_FIELD = 0x00004408,
IDT_VECTORING_ERROR_CODE = 0x0000440a,
VM_EXIT_INSTRUCTION_LEN = 0x0000440c,
VMX_INSTRUCTION_INFO = 0x0000440e,
/* 32-bit guest-state fields */
GUEST_ES_LIMIT = 0x00004800,
GUEST_CS_LIMIT = 0x00004802,
GUEST_SS_LIMIT = 0x00004804,
GUEST_DS_LIMIT = 0x00004806,
GUEST_FS_LIMIT = 0x00004808,
GUEST_GS_LIMIT = 0x0000480a,
GUEST_LDTR_LIMIT = 0x0000480c,
GUEST_TR_LIMIT = 0x0000480e,
GUEST_GDTR_LIMIT = 0x00004810,
GUEST_IDTR_LIMIT = 0x00004812,
GUEST_ES_AR_BYTES = 0x00004814,
GUEST_CS_AR_BYTES = 0x00004816,
GUEST_SS_AR_BYTES = 0x00004818,
GUEST_DS_AR_BYTES = 0x0000481a,
GUEST_FS_AR_BYTES = 0x0000481c,
GUEST_GS_AR_BYTES = 0x0000481e,
GUEST_LDTR_AR_BYTES = 0x00004820,
GUEST_TR_AR_BYTES = 0x00004822,
GUEST_INTERRUPTIBILITY_INFO = 0x00004824,
GUEST_ACTIVITY_STATE = 0X00004826,
GUEST_SYSENTER_CS = 0x0000482A,
VMX_PREEMPTION_TIMER_VALUE = 0x0000482E,
/* 32-bit host-state field */
HOST_IA32_SYSENTER_CS = 0x00004c00,
/* natural-width control fields */
CR0_GUEST_HOST_MASK = 0x00006000,
CR4_GUEST_HOST_MASK = 0x00006002,
CR0_READ_SHADOW = 0x00006004,
CR4_READ_SHADOW = 0x00006006,
CR3_TARGET_VALUE0 = 0x00006008,
CR3_TARGET_VALUE1 = 0x0000600a,
CR3_TARGET_VALUE2 = 0x0000600c,
CR3_TARGET_VALUE3 = 0x0000600e,
/* natural-width read-only data fields */
EXIT_QUALIFICATION = 0x00006400,
GUEST_LINEAR_ADDRESS = 0x0000640a,
/* natural-width guest-state fields */
GUEST_CR0 = 0x00006800,
GUEST_CR3 = 0x00006802,
GUEST_CR4 = 0x00006804,
GUEST_ES_BASE = 0x00006806,
GUEST_CS_BASE = 0x00006808,
GUEST_SS_BASE = 0x0000680a,
GUEST_DS_BASE = 0x0000680c,
GUEST_FS_BASE = 0x0000680e,
GUEST_GS_BASE = 0x00006810,
GUEST_LDTR_BASE = 0x00006812,
GUEST_TR_BASE = 0x00006814,
GUEST_GDTR_BASE = 0x00006816,
GUEST_IDTR_BASE = 0x00006818,
GUEST_DR7 = 0x0000681a,
GUEST_RSP = 0x0000681c,
GUEST_RIP = 0x0000681e,
GUEST_RFLAGS = 0x00006820,
GUEST_PENDING_DBG_EXCEPTIONS = 0x00006822,
GUEST_SYSENTER_ESP = 0x00006824,
GUEST_SYSENTER_EIP = 0x00006826,
/* natural-width host-state fields */
HOST_CR0 = 0x00006c00,
HOST_CR3 = 0x00006c02,
HOST_CR4 = 0x00006c04,
HOST_FS_BASE = 0x00006c06,
HOST_GS_BASE = 0x00006c08,
HOST_TR_BASE = 0x00006c0a,
HOST_GDTR_BASE = 0x00006c0c,
HOST_IDTR_BASE = 0x00006c0e,
HOST_IA32_SYSENTER_ESP = 0x00006c10,
HOST_IA32_SYSENTER_EIP = 0x00006c12,
HOST_RSP = 0x00006c14,
HOST_RIP = 0x00006c16,
};
由於彙編裡面不能直接引用cpp全域性變數
這裡需要一個函式得到儲存虛擬機器退出時的暫存器資訊的地址
定義的儲存暫存器資訊的變數為GUEST_REGS g_GuestRegs;
在cpp程式碼中新增:
extern "C" ULONG GetGuestRegsAddress()
{
return(ULONG)&g_GuestRegs;
}
然後在asm檔案中新增
GetGuestRegsAddress Proto
例子:
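; MASM, 32-bit flat model. The comment character in MASM is ';' -- the original
; used ':' after the prototype, which the assembler would reject.
.686p
.model flat, stdcall
option casemap:none
; Prototypes of the C/C++ routines the stub calls. Under ".model flat, stdcall"
; a bare PROTO takes the model's default language (stdcall, decorated _name@0);
; NOTE(review): the C side declares them extern "C" without an explicit calling
; convention -- confirm the two agree (or write "Proto C") so the link succeeds.
GetGuestRegsAddress Proto               ; add the prototype here
VMMEntryPoint Proto
.data
.code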
…..
這裡我們要實現一個彙編函式 功能是
1.push 原始暫存器
2.儲存暫存器資訊到全域性變數g_GuestRegs;中
3.call cpp程式碼中的退出事件分發函式
4.pop 原始暫存器
5.恢復原始暫存器
程式碼如下:
其中需要注意的是,這裡的esp不是虛擬機器的esp,而是HOST機的;因此需要在cpp(VMMEntryPoint的cpp)程式碼中重新獲取。
最後不是寫ret 而是vmresume
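;-----------------------------------------------------------------------
; Asm_VMMEntryPoint -- VM-exit entry point (the VMCS HOST_RIP points here)
; ABI:   MASM, .model flat stdcall, 32-bit host. Not a normal function: the CPU
;        enters it on VM exit and it leaves with VMRESUME, never RET.
; In:    all GPRs still hold the GUEST's values; esp = HOST_RSP from the VMCS.
;        IF is already clear (VM exit loads host RFLAGS with IF=0), so no CLI.
; Does:  1. spill the guest GPRs to the host stack (PUSHAD)
;        2. copy them into g_GuestRegs (layout: eax,ecx,edx,ebx,esp,ebp,esi,edi)
;        3. call the C dispatcher VMMEntryPoint; it re-reads the guest esp from
;           GUEST_RSP itself and may modify g_GuestRegs
;        4. reload every GPR except esp from g_GuestRegs, drop the stack frame
;           and VMRESUME
; Notes: esp is NOT loaded from g_GuestRegs -- the guest RSP is taken from the
;        VMCS on entry, and the host must keep its own stack until VMRESUME
;        commits (on failure we would otherwise be running on the guest's stack).
;        The copies are taken from the stack rather than live registers because
;        the call to GetGuestRegsAddress may clobber eax/ecx/edx.
;-----------------------------------------------------------------------
Asm_VMMEntryPoint Proc
        pushad                          ; [esp+1Ch]=eax [18h]=ecx [14h]=edx [10h]=ebx
                                        ; [esp+0Ch]=esp [08h]=ebp [04h]=esi [00h]=edi
        call    GetGuestRegsAddress     ; eax = &g_GuestRegs
        mov     ecx, [esp+1Ch]
        mov     [eax+00h], ecx          ; g_GuestRegs.eax
        mov     ecx, [esp+18h]
        mov     [eax+04h], ecx          ; g_GuestRegs.ecx
        mov     ecx, [esp+14h]
        mov     [eax+08h], ecx          ; g_GuestRegs.edx
        mov     ecx, [esp+10h]
        mov     [eax+0Ch], ecx          ; g_GuestRegs.ebx
        mov     ecx, [esp+0Ch]
        mov     [eax+10h], ecx          ; g_GuestRegs.esp = host esp; VMMEntryPoint replaces it with GUEST_RSP
        mov     ecx, [esp+08h]
        mov     [eax+14h], ecx          ; g_GuestRegs.ebp
        mov     ecx, [esp+04h]
        mov     [eax+18h], ecx          ; g_GuestRegs.esi
        mov     ecx, [esp+00h]
        mov     [eax+1Ch], ecx          ; g_GuestRegs.edi

        call    VMMEntryPoint           ; dispatch on VM_EXIT_REASON, fix up GUEST_RIP/RSP

        call    GetGuestRegsAddress     ; eax = &g_GuestRegs (handlers may have changed its fields)
        mov     ecx, [eax+04h]
        mov     edx, [eax+08h]
        mov     ebx, [eax+0Ch]
        mov     ebp, [eax+14h]
        mov     esi, [eax+18h]
        mov     edi, [eax+1Ch]
        mov     eax, [eax+00h]          ; eax last: it held the struct pointer until now
        add     esp, 20h                ; discard the PUSHAD frame; esp is HOST_RSP again

        vmresume
        ; Reached only if VMRESUME fails (reason in VM_INSTRUCTION_ERROR).
        ; Trap here instead of falling off the end of the proc into unrelated code.
        int     3
Asm_VMMEntryPoint Endp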
VMMEntryPoint 的Cpp程式碼實現(也就是彙編程式碼裡call的那個):
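/*
 * VMMEntryPoint -- C-side VM-exit dispatcher, called from Asm_VMMEntryPoint once
 * the guest GPRs have been copied into g_GuestRegs.
 *
 * Reads VM_EXIT_REASON, fills in the g_GuestRegs fields the asm stub cannot
 * provide (esp from GUEST_RSP -- the stub saw only the host esp --, eip from
 * GUEST_RIP, cr3 from GUEST_CR3), hands the exit to its handler, and finally
 * advances the guest RIP past the exiting instruction and writes the (possibly
 * handler-modified) esp back to the VMCS.
 *
 * No return value: results travel through g_GuestRegs and the VMCS; the asm stub
 * reloads the guest registers from g_GuestRegs before VMRESUME.
 */
extern "C" void VMMEntryPoint()
{
    ULONG ExitReason;               // basic exit reason (EXIT_REASON_*)
    ULONG ExitInstructionLength;    // byte length of the instruction that caused the exit
    ULONG GuestResumeEIP;           // address the guest resumes at

    // Bits 31:16 of VM_EXIT_REASON are flags (e.g. bit 31 = VM-entry failure);
    // mask them off so the switch below compares basic reasons only.
    ExitReason = Vmx_VmRead(VM_EXIT_REASON) & 0xFFFF;
    ExitInstructionLength = Vmx_VmRead(VM_EXIT_INSTRUCTION_LEN);

    g_GuestRegs.esp = Vmx_VmRead(GUEST_RSP);    // the stub stored the HOST esp; take the guest's from the VMCS
    g_GuestRegs.eip = Vmx_VmRead(GUEST_RIP);
    g_GuestRegs.cr3 = Vmx_VmRead(GUEST_CR3);    // HandleCrAccess answers "mov reg, cr3" from this copy

    switch (ExitReason)
    {
    case EXIT_REASON_CPUID:
        HandleCPUID();
        break;

    case EXIT_REASON_INVD:
        HandleInvd();
        break;

    case EXIT_REASON_VMCALL:        // several hypervisors may coexist; also the unload request
        HandleVmCall();
        break;

    case EXIT_REASON_MSR_READ:
        HandleMsrRead();
        break;

    case EXIT_REASON_MSR_WRITE:
        HandleMsrWrite();
        break;

    case EXIT_REASON_CR_ACCESS:
        HandleCrAccess();
        break;

    default:
        // Not expected with this configuration. Falls through to the resume path,
        // i.e. the exiting instruction is skipped.
        break;
    }

    // Every exit serviced above is instruction-induced: resume after the instruction.
    // NOTE: once HandleVmCall has executed VMXOFF there is no current VMCS and these
    // VMWRITEs (and the stub's VMRESUME) fail -- the teardown path is unfinished on this page.
    GuestResumeEIP = g_GuestRegs.eip + ExitInstructionLength;
    Vmx_VmWrite(GUEST_RIP, GuestResumeEIP);
    Vmx_VmWrite(GUEST_RSP, g_GuestRegs.esp);
}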
各個處理函式的實現 :這裡只實現必須要處理的 其它請自己研究
// CPUID exit handler. Answers the hypervisor's private leaf itself and forwards
// every other leaf to the real instruction, returning the results through
// g_GuestRegs (the asm stub reloads eax..edx from there).
// NOTE(review): Asm_CPUID receives only the leaf (eax); sub-leaf-dependent leaves
// (those that also key on ecx) are not visible from here -- confirm the wrapper.
void HandleCPUID()
{
    const ULONG leaf = g_GuestRegs.eax;

    if (leaf != 'Mini')
    {
        // Not ours: execute CPUID on the host (x86: leaf in eax) into the saved guest registers.
        Asm_CPUID(leaf, &g_GuestRegs.eax, &g_GuestRegs.ebx, &g_GuestRegs.ecx, &g_GuestRegs.edx);
        return;
    }

    // Private 'Mini' leaf: fixed signature in ebx/ecx/edx, eax left as is.
    g_GuestRegs.ebx = 0x88888888;
    g_GuestRegs.ecx = 0x11111111;
    g_GuestRegs.edx = 0x12345678;
}
// INVD exit handler. INVD is an unconditional VM exit, so the hypervisor has to
// complete it on the guest's behalf; this simply runs INVD on the host.
// NOTE(review): INVD discards cached lines WITHOUT writing them back, and here it
// runs in VMX root mode against the real caches, so dirty host/hypervisor data
// still in cache is lost. Hypervisors commonly perform WBINVD for a guest INVD;
// confirm what Asm_Invd emits and whether a write-back variant is available.
void HandleInvd()
{
Asm_Invd();
}
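// VMCALL exit handler (unfinished, continued in a later part).
// VMCALL exits unconditionally from any guest privilege level, so without a
// check ring-3 guest code could switch the hypervisor off by executing it with
// eax == 'SVT'. The request is therefore honoured from guest ring 0 only; other
// callers are ignored and the dispatcher simply advances RIP past the VMCALL.
void HandleVmCall()
{
    // CPL == RPL of the guest's CS selector (bits 1:0), read from the VMCS.
    const ULONG guestCpl = Vmx_VmRead(GUEST_CS_SELECTOR) & 3;

    if (g_GuestRegs.eax == 'SVT' && guestCpl == 0)
    {
        Vmx_VmxOff();
        // ...unfinished: after VMXOFF the caller's VMWRITEs and the stub's VMRESUME
        // cannot work any more; the real teardown has to restore the guest's
        // registers/stack and jump back to the guest directly.
    }
}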
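// MSR-read (RDMSR) exit handler. ecx = MSR index; the result goes back as edx:eax.
// The three SYSENTER MSRs are backed by VMCS guest-state fields, so they must be
// answered from the VMCS (the real MSRs hold the host's values). IA32_SYSENTER_EIP
// is KiFastCallEntry on 32-bit Windows -- a classic hooking point (a published
// OllyDbg plug-in patched it), which is why it is worth intercepting here.
void HandleMsrRead()
{
    switch (g_GuestRegs.ecx)
    {
    case MSR_IA32_SYSENTER_CS:
        g_GuestRegs.eax = Vmx_VmRead(GUEST_SYSENTER_CS);
        g_GuestRegs.edx = 0;    // RDMSR returns edx:eax; the field is 32-bit, so the high half is zero
        break;

    case MSR_IA32_SYSENTER_ESP:
        g_GuestRegs.eax = Vmx_VmRead(GUEST_SYSENTER_ESP);
        g_GuestRegs.edx = 0;    // natural-width field, 32 bits on this host
        break;

    case MSR_IA32_SYSENTER_EIP:     // KiFastCallEntry
        g_GuestRegs.eax = Vmx_VmRead(GUEST_SYSENTER_EIP);
        g_GuestRegs.edx = 0;
        break;

    default:
        // Pass-through to the real MSR.
        // NOTE(review): Asm_ReadMsr's return type is not visible here; if it yields
        // only the low 32 bits, edx keeps the guest's stale value and 64-bit MSRs
        // (e.g. the TSC) come back truncated -- confirm and fill edx as well.
        g_GuestRegs.eax = Asm_ReadMsr(g_GuestRegs.ecx);
        break;
    }
}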
// MSR-write (WRMSR) exit handler. ecx = MSR index, edx:eax = value to write.
// The SYSENTER MSRs live in the VMCS guest-state area, so a guest write must
// update the VMCS field rather than the real MSR (which holds the host's values).
// Everything else is passed straight through to the hardware; if some MSR has to
// be protected from the guest, the final branch is the place to filter it.
void HandleMsrWrite()
{
    const ULONG msrIndex = g_GuestRegs.ecx;
    const ULONG low = g_GuestRegs.eax;
    const ULONG high = g_GuestRegs.edx;

    if (msrIndex == MSR_IA32_SYSENTER_CS)
    {
        Vmx_VmWrite(GUEST_SYSENTER_CS, low);
    }
    else if (msrIndex == MSR_IA32_SYSENTER_ESP)
    {
        Vmx_VmWrite(GUEST_SYSENTER_ESP, low);
    }
    else if (msrIndex == MSR_IA32_SYSENTER_EIP)     // KiFastCallEntry on 32-bit Windows
    {
        Vmx_VmWrite(GUEST_SYSENTER_EIP, low);
    }
    else
    {
        // Pass-through: executes WRMSR on the host with the guest's edx:eax.
        Asm_WriteMsr(msrIndex, low, high);
    }
}
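/*
 * CR-access exit handler (MOV to/from CRn).
 *
 * Exit-qualification layout for a control-register access (Intel SDM):
 *   bits  3:0  control register number
 *   bits  5:4  access type: 0 = MOV to CR, 1 = MOV from CR, 2 = CLTS, 3 = LMSW
 *   bit   6    LMSW operand type (0 = register, 1 = memory); 0 for MOV CR
 *   bits 11:8  general-purpose register:
 *              0=eax 1=ecx 2=edx 3=ebx 4=esp 5=ebp 6=esi 7=edi
 *
 * Only CR3 is intercepted by this hypervisor, so only MOV CR3,reg32 (access
 * type 0) and MOV reg32,CR3 (access type 1) are serviced:
 *   - a write goes to the VMCS GUEST_CR3 field;
 *   - a read is satisfied from g_GuestRegs.cr3, which VMMEntryPoint loaded from
 *     GUEST_CR3 before dispatching. Writing the register's slot in g_GuestRegs is
 *     enough because the asm stub reloads the GPRs from it (esp travels via
 *     GUEST_RSP in VMMEntryPoint).
 * Accesses to other CRs, CLTS and LMSW are not expected here and are ignored.
 */

// Map the exit-qualification GPR index to the matching g_GuestRegs field;
// returns 0 for indices with no slot (8..15 name r8-r15, impossible on a 32-bit guest).
static ULONG* GuestGprSlot(ULONG index)
{
    switch (index)
    {
    case 0: return &g_GuestRegs.eax;
    case 1: return &g_GuestRegs.ecx;
    case 2: return &g_GuestRegs.edx;
    case 3: return &g_GuestRegs.ebx;
    case 4: return &g_GuestRegs.esp;
    case 5: return &g_GuestRegs.ebp;
    case 6: return &g_GuestRegs.esi;
    case 7: return &g_GuestRegs.edi;
    default: return 0;
    }
}

void HandleCrAccess()
{
    ULONG ExitQualification = Vmx_VmRead(EXIT_QUALIFICATION);
    ULONG movcrControlRegister = ExitQualification & 0x0000000F;
    ULONG movcrAccessType = (ExitQualification & 0x00000030) >> 4;
    ULONG movcrOperandType = (ExitQualification & 0x00000040) >> 6;
    ULONG movcrGeneralPurposeRegister = (ExitQualification & 0x00000F00) >> 8;
    ULONG* gpr;

    // Only register-operand accesses to CR3 are handled.
    if (movcrControlRegister != 3 || movcrOperandType != 0)
        return;

    gpr = GuestGprSlot(movcrGeneralPurposeRegister);
    if (gpr == 0)
        return;

    if (movcrAccessType == 0)
    {
        // MOV CR3, reg32
        Vmx_VmWrite(GUEST_CR3, *gpr);
    }
    else if (movcrAccessType == 1)
    {
        // MOV reg32, CR3
        *gpr = g_GuestRegs.cr3;
    }
}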
下一章將講VMCS表填寫