Ring √(−1)
HOST
HYPERVISOR
GUEST
(baremetal)
(hosted)
ESXi
Hyper-V
KVM
VirtualBox
VMware Workstation
1 root partition (for management)
Graphic Interfaces
Ethernet Interfaces
USB Interfaces
HyperVisor Kernel
USER WORLDS
USER WORLD API
VMM
VMkernel
RESOURCE SCHEDULING
I/O STACKS
DRIVERS
SSHD
VMX
GUEST OS
VMX
USER WORLD API
VMM
VMkernel
RESOURCE SCHEDULING
I/O STACKS
DRIVERS
VIRTUAL HARDWARE
GUEST OS
VMX
USER WORLD API
VMM
VMkernel
RESOURCE SCHEDULING
I/O STACKS
DRIVERS
VIRTUAL HARDWARE
GUEST OS
😈
SHELL CODE
VMX
USER WORLD API
VMM
VMkernel
RESOURCE SCHEDULING
I/O STACKS
DRIVERS
VIRTUAL HARDWARE
GUEST OS
😈
SHELL CODE
/* Decompiled excerpt (elided with "..."): command dispatcher for the VMXNET3 register interface. */
void __usercall VMXNET3_REG_CMD() {
PhysMemPage page; //memory mapping
// NOTE(review): `page` is a stack object that is never zero-initialised here; its fields are only
// written if DMA_MEM_CREATE reaches PhyMemSetupPage (see DMA_MEM_CREATE below).
...
case 4: // VMXNET3_CMD_UPDATE_MAC_FILTERS
// Return value is ignored: DMA_MEM_CREATE returns 0 without touching *page when the
// address/size check fails, so `page` can still hold stack garbage past this point.
DMA_MEM_CREATE(..., &page);
VMXNET3_CMD_UPDATE_MAC_FILTERS(v6, &page, a5);
// Runs on the failure path too, so PhysMemRelease may act on an uninitialised `page`.
// Defensive fix: bail out when DMA_MEM_CREATE returns 0, or zero-initialise `page` at declaration.
PhysMemRelease(&page);
break;
...
}
/* Decompiled excerpt: validates a guest-supplied address/size pair and, on success, maps it into *page.
 * Returns 1 after PhyMemSetupPage, 0 when the check rejects the input (presumably rendered as
 * `void` only by the decompiler, since both paths return a value). */
void __fastcall DMA_MEM_CREATE(unsigned addr, uint64 size, ..., PhysMemPage *page) {
//check the address
// NOTE(review): the bare `size` term reads as if it should reject a zero length (`!size`) — confirm against the binary.
if (addr > ... || size || size > ... - addr + 1)
// Early return leaves *page untouched: the caller must check this result before using or releasing `page`.
return 0;
PhyMemSetupPage(addr, size, a3, a4, page);
return 1;
}
translate_size
page_offset
page_count
addr
page_array
...
/* Decompiled excerpt (elided with "..."): command dispatcher for the VMXNET3 register interface. */
void __usercall VMXNET3_REG_CMD() {
PhysMemPage page; //memory mapping
// NOTE(review): `page` is a stack object that is never zero-initialised here; its fields are only
// written if DMA_MEM_CREATE reaches PhyMemSetupPage (see DMA_MEM_CREATE above).
...
case 4: // VMXNET3_CMD_UPDATE_MAC_FILTERS
// Return value is ignored: DMA_MEM_CREATE returns 0 without touching *page when the
// address/size check fails, so `page` can still hold stack garbage past this point.
DMA_MEM_CREATE(..., &page);
VMXNET3_CMD_UPDATE_MAC_FILTERS(v6, &page, a5);
// Runs on the failure path too, so PhysMemRelease may act on an uninitialised `page`.
// Defensive fix: bail out when DMA_MEM_CREATE returns 0, or zero-initialise `page` at declaration.
PhysMemRelease(&page);
break;
...
}
/* Decompiled excerpt: releases a mapping set up by PhyMemSetupPage.
 * Trusts page->page_count and page->page_array to be valid; it has no way to tell an
 * initialised page from one the caller never set up. */
void PhysMemRelease(PhysMemPage *page) {
// When page_count is 0 the stored pointer is handed straight to free(). If the caller's `page`
// lives on the stack and DMA_MEM_CREATE rejected the input, both fields are whatever the stack
// held, so this becomes a free() of an uncontrolled pointer — callers must check the setup result.
if(page->page_count == 0)
free(page->page_array); //free the pointer on the stack
else {
...
}
}
vmware-rpctool 'info-get guestinfo.a'