
Discussion Executing Functions In Real Mode


TEIR1plus2

This is something I created a bit ago to aid my research on the Xbox 360: it allows user code to call functions in Hypervisor Real Mode from anywhere on the system using a simple expansion. What is Hypervisor Real Mode? To put it simply, it's the highest privilege level you can obtain on the console. In this example I am calling functions inside the hypervisor from user mode, but it should also allow you to call functions in your own code, provided you set them up correctly. Please remember, Hypervisor Real Mode works with real addresses, so be sure you build any pointer addresses correctly.

Supports a maximum of 8 arguments per function call.

Code:
// expansion id: the four ASCII bytes 'H' 'V' 'P' 'Q' (0x48 0x56 0x50 0x51),
// passed as the first parameter of every HvExpansionCall below
DWORD HvProcExpID = 0x48565051;

// example list of HV functions
// Each value is the real address of a hypervisor routine (what HvProc takes as
// pqwProcedure). This is only an excerpt of the author's table.
// NOTE(review): such addresses are specific to one hypervisor build — confirm
// they match the image actually in use before relying on them.
typedef enum _HV_PROCS {
    HvpGetFlashBaseAddress = 0x68C,
    HvpPhysicalToReal = 0x29E0,
    HvpMemcpy = 0xA880,
    HvpMemset = 0xAD20,
    XeCryptRotSum = 0xB4A8,
    XeCryptRotSum4 = 0xB4B0,
    XeCryptRotSumSha = 0xB4B8
    // sorry, list shortened..
} HV_PROCS;

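// keep it simple, just edit peek/poke initializer
// assumes expansion data is loaded in byte array HvProcExp
// Declaration: HRESULT InitializeHvProc();
//
// Copies the HvProcExp image into a freshly allocated physical page and
// registers that page with HvExpansionInstall.
// Returns: the install HRESULT; E_INVALIDARG if the image exceeds the page;
//          E_OUTOFMEMORY if the page could not be allocated.
// The page is released on every path; nothing here keeps a pointer to it.
HRESULT InitializeHvProc()
{
    // Refuse an image larger than the single page handed to the installer,
    // rather than letting memcpy write past the allocation.
    if (sizeof(HvProcExp) > 0x1000)
    {
        printf("Expansion image too large for one page\n");
        return E_INVALIDARG;
    }

    // Allocate physical memory for this expansion
    VOID* pPhysExp = XPhysicalAlloc(0x1000, MAXULONG_PTR, 0, PAGE_READWRITE);
    if (pPhysExp == NULL)
    {
        printf("Expansion page allocation failed\n");
        return E_OUTOFMEMORY;
    }

    // NOTE(review): this truncates the physical address to 32 bits; the width
    // HvExpansionInstall expects is not visible here — confirm it is a DWORD.
    DWORD physExpAdd = (DWORD)MmGetPhysicalAddress(pPhysExp);

    // Copy over our expansion data; the remainder of the page stays zeroed
    ZeroMemory(pPhysExp, 0x1000);
    memcpy(pPhysExp, HvProcExp, sizeof(HvProcExp));

    // Now we can install our expansion. physExpAdd is a 32-bit DWORD, so it
    // is printed with a 32-bit specifier (the 64-bit %016llX would read past it).
    printf("ExpAdd: 0x%08lX\n", (unsigned long)physExpAdd);
    HRESULT result = (HRESULT)HvExpansionInstall(physExpAdd, 0x1000);

    // Free our allocated data
    XPhysicalFree(pPhysExp);

    if (FAILED(result))
        printf("Expansion failed to install: %08lX\n", (unsigned long)result);

    // Return our install result
    return result;
}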

// pqwProcedure: Real address of function
// cArgs: Argument count
// pqwArgs: Argument array
// Declaration: QWORD HvProc(QWORD pqwProcedure, DWORD cArgs = NULL, PQWORD pqwArgs = NULL);
//
// Forwards a call to the installed expansion. With cArgs == 0 only the
// procedure address is passed; otherwise the caller's argument array is
// handed over by physical address. pqwArgs is not validated: a non-zero
// cArgs with a NULL pqwArgs goes straight to MmGetPhysicalAddress.
QWORD HvProc(QWORD pqwProcedure, DWORD cArgs, PQWORD pqwArgs)
{
    // Argument-less call never touches pqwArgs.
    if (cArgs == 0)
        return HvExpansionCall(HvProcExpID, pqwProcedure, NULL, NULL, NULL);

    // The array is presumably read by the expansion through this physical
    // address, so it must stay mapped and unmodified until the call returns.
    DWORD physArgs = (DWORD)MmGetPhysicalAddress(pqwArgs);
    return HvExpansionCall(HvProcExpID, pqwProcedure, cArgs, physArgs, NULL);
}

// Usage (array form): two arguments, passed through a caller-owned array.
QWORD args[] = { 0x40000, 0x10000 }; // MSVC doesn't support compound literals...
QWORD realAddress = HvProc(HvpPhysicalToReal, 2, args);
printf("Call success, result: %016llX\n", realAddress);

// pqwProcedure: Real address of function
// cArgs: Argument count
// followed by arguments
// Declaration: QWORD HvProc(QWORD pqwProcedure, DWORD cArgs = NULL, QWORD Arg1 = NULL, QWORD Arg2 = NULL, QWORD Arg3 = NULL, QWORD Arg4 = NULL, QWORD Arg5 = NULL, QWORD Arg6 = NULL, QWORD Arg7 = NULL, QWORD Arg8 = NULL);
//
// C++ overload of the array form. Every Arg slot has a NULL default in the
// declaration above, which is what lets the usage below pass only the
// procedure address. The arguments are staged in a local array that lives
// until this function returns, and handed over by physical address.
// Returns 0xC800009 when more than 8 arguments are requested.
QWORD HvProc(QWORD pqwProcedure, DWORD cArgs, QWORD Arg1, QWORD Arg2, QWORD Arg3, QWORD Arg4, QWORD Arg5, QWORD Arg6, QWORD Arg7, QWORD Arg8)
{
    if (cArgs == 0)
        return HvExpansionCall(HvProcExpID, pqwProcedure, NULL, NULL, NULL);

    // NOTE(review): 0xC800009 has only seven hex digits; confirm it is the
    // intended error code and not a dropped zero.
    if (cArgs > 8)
        return 0xC800009;

    // NOTE(review): a 64-byte stack array may straddle a page boundary, and
    // MmGetPhysicalAddress resolves only its first byte — confirm the
    // expansion copes with that, or align the array.
    QWORD argSlots[8] = { Arg1, Arg2, Arg3, Arg4, Arg5, Arg6, Arg7, Arg8 };
    DWORD physArgs = (DWORD)MmGetPhysicalAddress(argSlots);
    return HvExpansionCall(HvProcExpID, pqwProcedure, cArgs, physArgs, NULL);
}

// Usage (overload form): no arguments, so only the procedure address is given
// and every Arg slot takes its NULL default from the declaration.
QWORD flashBase = HvProc(HvpGetFlashBaseAddress);
printf("Call success, result: %016llX\n", flashBase);

Download: [Click here to view this link]'
Virus Scan: https://www.virustotal.com/#/file/a...df22f2ca5c034b67320a73f4e6cfd39c8fee8/details
 

Snowy

This is something I created a bit ago to aid my research on the Xbox 360: it allows user code to call functions in Hypervisor Real Mode from anywhere on the system using a simple expansion. What is Hypervisor Real Mode? To put it simply, it's the highest privilege level you can obtain on the console. In this example I am calling functions inside the hypervisor from user mode, but it should also allow you to call functions in your own code, provided you set them up correctly. Please remember, Hypervisor Real Mode works with real addresses, so be sure you build any pointer addresses correctly.

Supports a maximum of 8 arguments per function call.

Code:
// expansion id: the four ASCII bytes 'H' 'V' 'P' 'Q' (0x48 0x56 0x50 0x51),
// passed as the first parameter of every HvExpansionCall below
DWORD HvProcExpID = 0x48565051;

// example list of HV functions
// Each value is the real address of a hypervisor routine (what HvProc takes as
// pqwProcedure). This is only an excerpt of the author's table.
// NOTE(review): such addresses are specific to one hypervisor build — confirm
// they match the image actually in use before relying on them.
typedef enum _HV_PROCS {
    HvpGetFlashBaseAddress = 0x68C,
    HvpPhysicalToReal = 0x29E0,
    HvpMemcpy = 0xA880,
    HvpMemset = 0xAD20,
    XeCryptRotSum = 0xB4A8,
    XeCryptRotSum4 = 0xB4B0,
    XeCryptRotSumSha = 0xB4B8
    // sorry, list shortened..
} HV_PROCS;

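// keep it simple, just edit peek/poke initializer
// assumes expansion data is loaded in byte array HvProcExp
// Declaration: HRESULT InitializeHvProc();
//
// Copies the HvProcExp image into a freshly allocated physical page and
// registers that page with HvExpansionInstall.
// Returns: the install HRESULT; E_INVALIDARG if the image exceeds the page;
//          E_OUTOFMEMORY if the page could not be allocated.
// The page is released on every path; nothing here keeps a pointer to it.
HRESULT InitializeHvProc()
{
    // Refuse an image larger than the single page handed to the installer,
    // rather than letting memcpy write past the allocation.
    if (sizeof(HvProcExp) > 0x1000)
    {
        printf("Expansion image too large for one page\n");
        return E_INVALIDARG;
    }

    // Allocate physical memory for this expansion
    VOID* pPhysExp = XPhysicalAlloc(0x1000, MAXULONG_PTR, 0, PAGE_READWRITE);
    if (pPhysExp == NULL)
    {
        printf("Expansion page allocation failed\n");
        return E_OUTOFMEMORY;
    }

    // NOTE(review): this truncates the physical address to 32 bits; the width
    // HvExpansionInstall expects is not visible here — confirm it is a DWORD.
    DWORD physExpAdd = (DWORD)MmGetPhysicalAddress(pPhysExp);

    // Copy over our expansion data; the remainder of the page stays zeroed
    ZeroMemory(pPhysExp, 0x1000);
    memcpy(pPhysExp, HvProcExp, sizeof(HvProcExp));

    // Now we can install our expansion. physExpAdd is a 32-bit DWORD, so it
    // is printed with a 32-bit specifier (the 64-bit %016llX would read past it).
    printf("ExpAdd: 0x%08lX\n", (unsigned long)physExpAdd);
    HRESULT result = (HRESULT)HvExpansionInstall(physExpAdd, 0x1000);

    // Free our allocated data
    XPhysicalFree(pPhysExp);

    if (FAILED(result))
        printf("Expansion failed to install: %08lX\n", (unsigned long)result);

    // Return our install result
    return result;
}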

// pqwProcedure: Real address of function
// cArgs: Argument count
// pqwArgs: Argument array
// Declaration: QWORD HvProc(QWORD pqwProcedure, DWORD cArgs = NULL, PQWORD pqwArgs = NULL);
//
// Forwards a call to the installed expansion. With cArgs == 0 only the
// procedure address is passed; otherwise the caller's argument array is
// handed over by physical address. pqwArgs is not validated: a non-zero
// cArgs with a NULL pqwArgs goes straight to MmGetPhysicalAddress.
QWORD HvProc(QWORD pqwProcedure, DWORD cArgs, PQWORD pqwArgs)
{
    // Argument-less call never touches pqwArgs.
    if (cArgs == 0)
        return HvExpansionCall(HvProcExpID, pqwProcedure, NULL, NULL, NULL);

    // The array is presumably read by the expansion through this physical
    // address, so it must stay mapped and unmodified until the call returns.
    DWORD physArgs = (DWORD)MmGetPhysicalAddress(pqwArgs);
    return HvExpansionCall(HvProcExpID, pqwProcedure, cArgs, physArgs, NULL);
}

// Usage (array form): two arguments, passed through a caller-owned array.
QWORD args[] = { 0x40000, 0x10000 }; // MSVC doesn't support compound literals...
QWORD realAddress = HvProc(HvpPhysicalToReal, 2, args);
printf("Call success, result: %016llX\n", realAddress);

// pqwProcedure: Real address of function
// cArgs: Argument count
// followed by arguments
// Declaration: QWORD HvProc(QWORD pqwProcedure, DWORD cArgs = NULL, QWORD Arg1 = NULL, QWORD Arg2 = NULL, QWORD Arg3 = NULL, QWORD Arg4 = NULL, QWORD Arg5 = NULL, QWORD Arg6 = NULL, QWORD Arg7 = NULL, QWORD Arg8 = NULL);
//
// C++ overload of the array form. Every Arg slot has a NULL default in the
// declaration above, which is what lets the usage below pass only the
// procedure address. The arguments are staged in a local array that lives
// until this function returns, and handed over by physical address.
// Returns 0xC800009 when more than 8 arguments are requested.
QWORD HvProc(QWORD pqwProcedure, DWORD cArgs, QWORD Arg1, QWORD Arg2, QWORD Arg3, QWORD Arg4, QWORD Arg5, QWORD Arg6, QWORD Arg7, QWORD Arg8)
{
    if (cArgs == 0)
        return HvExpansionCall(HvProcExpID, pqwProcedure, NULL, NULL, NULL);

    // NOTE(review): 0xC800009 has only seven hex digits; confirm it is the
    // intended error code and not a dropped zero.
    if (cArgs > 8)
        return 0xC800009;

    // NOTE(review): a 64-byte stack array may straddle a page boundary, and
    // MmGetPhysicalAddress resolves only its first byte — confirm the
    // expansion copes with that, or align the array.
    QWORD argSlots[8] = { Arg1, Arg2, Arg3, Arg4, Arg5, Arg6, Arg7, Arg8 };
    DWORD physArgs = (DWORD)MmGetPhysicalAddress(argSlots);
    return HvExpansionCall(HvProcExpID, pqwProcedure, cArgs, physArgs, NULL);
}

// Usage (overload form): no arguments, so only the procedure address is given
// and every Arg slot takes its NULL default from the declaration.
QWORD flashBase = HvProc(HvpGetFlashBaseAddress);
printf("Call success, result: %016llX\n", flashBase);

Download: [Click here to view this link]'
Virus Scan: https://www.virustotal.com/#/file/a...df22f2ca5c034b67320a73f4e6cfd39c8fee8/details
I read this as “hypervisor read mode” and was wondering how the f*** you managed to execute with only read privileges.

I mean, still sexy as f*** I assume.
 

Medaka

Holy **** my guy. This is amazing. Now I can verify that the functions I've reversed which return values are correct.
 

XeX Dergham

This is something I created a bit ago to aid my research on the Xbox 360: it allows user code to call functions in Hypervisor Real Mode from anywhere on the system using a simple expansion. What is Hypervisor Real Mode? To put it simply, it's the highest privilege level you can obtain on the console. In this example I am calling functions inside the hypervisor from user mode, but it should also allow you to call functions in your own code, provided you set them up correctly. Please remember, Hypervisor Real Mode works with real addresses, so be sure you build any pointer addresses correctly.

Supports a maximum of 8 arguments per function call.

Code:
// expansion id: the four ASCII bytes 'H' 'V' 'P' 'Q' (0x48 0x56 0x50 0x51),
// passed as the first parameter of every HvExpansionCall below
DWORD HvProcExpID = 0x48565051;

// example list of HV functions
// Each value is the real address of a hypervisor routine (what HvProc takes as
// pqwProcedure). This is only an excerpt of the author's table.
// NOTE(review): such addresses are specific to one hypervisor build — confirm
// they match the image actually in use before relying on them.
typedef enum _HV_PROCS {
    HvpGetFlashBaseAddress = 0x68C,
    HvpPhysicalToReal = 0x29E0,
    HvpMemcpy = 0xA880,
    HvpMemset = 0xAD20,
    XeCryptRotSum = 0xB4A8,
    XeCryptRotSum4 = 0xB4B0,
    XeCryptRotSumSha = 0xB4B8
    // sorry, list shortened..
} HV_PROCS;

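// keep it simple, just edit peek/poke initializer
// assumes expansion data is loaded in byte array HvProcExp
// Declaration: HRESULT InitializeHvProc();
//
// Copies the HvProcExp image into a freshly allocated physical page and
// registers that page with HvExpansionInstall.
// Returns: the install HRESULT; E_INVALIDARG if the image exceeds the page;
//          E_OUTOFMEMORY if the page could not be allocated.
// The page is released on every path; nothing here keeps a pointer to it.
HRESULT InitializeHvProc()
{
    // Refuse an image larger than the single page handed to the installer,
    // rather than letting memcpy write past the allocation.
    if (sizeof(HvProcExp) > 0x1000)
    {
        printf("Expansion image too large for one page\n");
        return E_INVALIDARG;
    }

    // Allocate physical memory for this expansion
    VOID* pPhysExp = XPhysicalAlloc(0x1000, MAXULONG_PTR, 0, PAGE_READWRITE);
    if (pPhysExp == NULL)
    {
        printf("Expansion page allocation failed\n");
        return E_OUTOFMEMORY;
    }

    // NOTE(review): this truncates the physical address to 32 bits; the width
    // HvExpansionInstall expects is not visible here — confirm it is a DWORD.
    DWORD physExpAdd = (DWORD)MmGetPhysicalAddress(pPhysExp);

    // Copy over our expansion data; the remainder of the page stays zeroed
    ZeroMemory(pPhysExp, 0x1000);
    memcpy(pPhysExp, HvProcExp, sizeof(HvProcExp));

    // Now we can install our expansion. physExpAdd is a 32-bit DWORD, so it
    // is printed with a 32-bit specifier (the 64-bit %016llX would read past it).
    printf("ExpAdd: 0x%08lX\n", (unsigned long)physExpAdd);
    HRESULT result = (HRESULT)HvExpansionInstall(physExpAdd, 0x1000);

    // Free our allocated data
    XPhysicalFree(pPhysExp);

    if (FAILED(result))
        printf("Expansion failed to install: %08lX\n", (unsigned long)result);

    // Return our install result
    return result;
}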

// pqwProcedure: Real address of function
// cArgs: Argument count
// pqwArgs: Argument array
// Declaration: QWORD HvProc(QWORD pqwProcedure, DWORD cArgs = NULL, PQWORD pqwArgs = NULL);
//
// Forwards a call to the installed expansion. With cArgs == 0 only the
// procedure address is passed; otherwise the caller's argument array is
// handed over by physical address. pqwArgs is not validated: a non-zero
// cArgs with a NULL pqwArgs goes straight to MmGetPhysicalAddress.
QWORD HvProc(QWORD pqwProcedure, DWORD cArgs, PQWORD pqwArgs)
{
    // Argument-less call never touches pqwArgs.
    if (cArgs == 0)
        return HvExpansionCall(HvProcExpID, pqwProcedure, NULL, NULL, NULL);

    // The array is presumably read by the expansion through this physical
    // address, so it must stay mapped and unmodified until the call returns.
    DWORD physArgs = (DWORD)MmGetPhysicalAddress(pqwArgs);
    return HvExpansionCall(HvProcExpID, pqwProcedure, cArgs, physArgs, NULL);
}

// Usage (array form): two arguments, passed through a caller-owned array.
QWORD args[] = { 0x40000, 0x10000 }; // MSVC doesn't support compound literals...
QWORD realAddress = HvProc(HvpPhysicalToReal, 2, args);
printf("Call success, result: %016llX\n", realAddress);

// pqwProcedure: Real address of function
// cArgs: Argument count
// followed by arguments
// Declaration: QWORD HvProc(QWORD pqwProcedure, DWORD cArgs = NULL, QWORD Arg1 = NULL, QWORD Arg2 = NULL, QWORD Arg3 = NULL, QWORD Arg4 = NULL, QWORD Arg5 = NULL, QWORD Arg6 = NULL, QWORD Arg7 = NULL, QWORD Arg8 = NULL);
//
// C++ overload of the array form. Every Arg slot has a NULL default in the
// declaration above, which is what lets the usage below pass only the
// procedure address. The arguments are staged in a local array that lives
// until this function returns, and handed over by physical address.
// Returns 0xC800009 when more than 8 arguments are requested.
QWORD HvProc(QWORD pqwProcedure, DWORD cArgs, QWORD Arg1, QWORD Arg2, QWORD Arg3, QWORD Arg4, QWORD Arg5, QWORD Arg6, QWORD Arg7, QWORD Arg8)
{
    if (cArgs == 0)
        return HvExpansionCall(HvProcExpID, pqwProcedure, NULL, NULL, NULL);

    // NOTE(review): 0xC800009 has only seven hex digits; confirm it is the
    // intended error code and not a dropped zero.
    if (cArgs > 8)
        return 0xC800009;

    // NOTE(review): a 64-byte stack array may straddle a page boundary, and
    // MmGetPhysicalAddress resolves only its first byte — confirm the
    // expansion copes with that, or align the array.
    QWORD argSlots[8] = { Arg1, Arg2, Arg3, Arg4, Arg5, Arg6, Arg7, Arg8 };
    DWORD physArgs = (DWORD)MmGetPhysicalAddress(argSlots);
    return HvExpansionCall(HvProcExpID, pqwProcedure, cArgs, physArgs, NULL);
}

// Usage (overload form): no arguments, so only the procedure address is given
// and every Arg slot takes its NULL default from the declaration.
QWORD flashBase = HvProc(HvpGetFlashBaseAddress);
printf("Call success, result: %016llX\n", flashBase);

Download: [Click here to view this link]'
Virus Scan: https://www.virustotal.com/#/file/a...df22f2ca5c034b67320a73f4e6cfd39c8fee8/details
Do you think you could demonstrate how you'd be able to use this with memcpy or memset?
 