本文共 4550 字，大约阅读时间需要 15 分钟。

一、虚拟机启动

整个过程比较清晰，2.7的过程会对vmcs的状态域进行设置，也就是会接管中断过程，VMxLaunch启动硬件虚拟化。

再往上，一段汇编。调用HvmSubvertCpu

CmSubvert (PVOID  GuestRsp);CmSubvert PROC StdCall _GuestRsp	CM_SAVE_ALL_NOSEGREGS	mov	eax,esp	push	eax        ;setup esp to argv[0]	call	HvmSubvertCpu@4	retCmSubvert ENDP

//对当前物理CPU上的所有逻辑CPU，进行虚拟设置，反转到虚拟机的运行状态NTSTATUS NTAPI HvmSwallowBluepill (){  CCHAR cProcessorNumber;  NTSTATUS Status, CallbackStatus;  _KdPrint (("HvmSwallowBluepill(): Going to subvert %d processor%s\n",             KeNumberProcessors, KeNumberProcessors == 1 ? "" : "s"));  KeWaitForSingleObject (&g_HvmMutex, Executive, KernelMode, FALSE, NULL);  for (cProcessorNumber = 0; cProcessorNumber < KeNumberProcessors; cProcessorNumber++) {    _KdPrint (("HvmSwallowBluepill(): Subverting processor #%d\n", cProcessorNumber));    Status = CmDeliverToProcessor (cProcessorNumber, CmSubvert, NULL, &CallbackStatus);  }  KeReleaseMutex (&g_HvmMutex, FALSE);  if (KeNumberProcessors != g_uSubvertedCPUs) {    HvmSpitOutBluepill ();    return STATUS_UNSUCCESSFUL;  }  return STATUS_SUCCESS;}

到这里其实，整个流程就都走通了。

NTSTATUS DriverEntry (  PDRIVER_OBJECT DriverObject,  PUNICODE_STRING RegistryPath){  NTSTATUS Status;#ifdef USE_COM_PRINTS  PioInit ((PUCHAR) COM_PORT_ADDRESS);#endif  ComInit ();  Status = MmInitManager ();//建立四级页表结构，blue   // pill有自己的页表，但页表的自映射虚拟地址与windows相同  if (!NT_SUCCESS (Status)) {    _KdPrint (("NEWBLUEPILL: MmInitManager() failed with status 0x%08hX\n", Status));    return Status;  }#ifdef USE_LOCAL_DBGPRINTS  Status = DbgRegisterWindow (g_BpId);  if (!NT_SUCCESS (Status)) {    _KdPrint (("NEWBLUEPILL: DbgRegisterWindow() failed with status 0x%08hX\n", Status));    MmShutdownManager ();    return Status;  }#endif  _KdPrint (("\r\n"));  _KdPrint (("NEWBLUEPILL v%d.%d.%d.%d. Instance Id: 0x%02X\n",             (NBP_VERSION >> 48) & 0xff,             (NBP_VERSION >> 32) & 0xff, (NBP_VERSION >> 16) & 0xff, NBP_VERSION & 0xff, g_BpId));  // We need it only for VMX  // TODO: this should be conditionally executed only if Arch == VMX  Status = MmInitIdentityPageTable (); //分配页表，为了在客户机关闭CPU分页机制时仍然可以访问内存  if (!NT_SUCCESS (Status)) {    _KdPrint (("NEWBLUEPILL: MmInitIdentifyPageTable() failed with status 0x%08hX\n", Status));#ifdef USE_LOCAL_DBGPRINTS    DbgUnregisterWindow ();#endif    MmShutdownManager ();    return Status;  }  Status = MmMapGuestKernelPages (); //映射当前操作系统内核部分的页表到blue                                      // pill的页表中，使用的是一样的虚拟地址(不是必须，为了方便)，                                     //这样就可以保证使用和windows的内核API  if (!NT_SUCCESS (Status)) {    _KdPrint (("BEWBLUEPILL: MmMapGuestKernelPages() failed with status 0x%08hX\n", Status));#ifdef USE_LOCAL_DBGPRINTS    DbgUnregisterWindow ();#endif    MmShutdownManager ();    return Status;  }#ifdef RUN_BY_SHELLCODE  _KdPrint (("NEWBLUEPILL: Image base: 0x%p, image size: 0x%x\n", DriverObject, (ULONG64) RegistryPath));  //映射本驱动代码到bp的虚拟地址空间，使用当前Guest的虚拟地址  Status = MmMapGuestPages (DriverObject, (ULONG) BYTES_TO_PAGES ((ULONG64) RegistryPath));#else  Status = MmMapGuestPages (DriverObject->DriverStart, BYTES_TO_PAGES (DriverObject->DriverSize));#endif  if (!NT_SUCCESS (Status)) {    _KdPrint (("NEWBLUEPILL: MmMapGuestPages() failed to map guest NewBluePill image with status 0x%08hX\n", Status));#ifdef USE_LOCAL_DBGPRINTS    DbgUnregisterWindow ();#endif    MmShutdownManager ();    return Status;  }  //bp第四级页表物理地址  _KdPrint (("NEWBLUEPILL: g_PageMapBasePhysicalAddress: 0x%p\n", g_PageMapBasePhysicalAddress));  if (!NT_SUCCESS (Status = HvmInit ())) { //判断当前平台是否支持VT    _KdPrint (("NEWBLUEPILL: HvmInit() failed with status 0x%08hX\n", Status));#ifdef USE_LOCAL_DBGPRINTS    DbgUnregisterWindow ();#endif    MmShutdownManager ();    return Status;  }  //让操作系统吞下这药丸，函数成功返回后操作系统就运行在一个开客户虚拟机中  if (!NT_SUCCESS (Status = HvmSwallowBluepill ())) {    _KdPrint (("NEWBLUEPILL: HvmSwallowBluepill() failed with status 0x%08hX\n", Status));#ifdef USE_LOCAL_DBGPRINTS    DbgUnregisterWindow ();#endif    MmShutdownManager ();    return Status;  }#ifndef RUN_BY_SHELLCODE  DriverObject->DriverUnload = DriverUnload;#endif  _KdPrint (("NEWBLUEPILL: Initialization finished\n"));#if DEBUG_LEVEL>1  _KdPrint (("NEWBLUEPILL: RFLAGS = %#x, CR8 = %#x\n", RegGetRflags (), RegGetCr8 ()));#endif  return STATUS_SUCCESS;}

这里会进行页表进行操作，但我的理解，如果简化的话是可以直接使用guest的虚拟地址，因为VMM是半路启动的，guest反而是先启动的。

《newbluepill深入理解硬件虚拟机》一书中5.3.2  私有页表的生效

解释了私有页表的作用，其实就是为了隐藏bluepill的内存，原理就是复制原有页表，并对NewBluePill的页表项和页表自身空间页表项进行替换，然后在虚拟机启动时用新页表地址填充CR3。这样的原理恰好说明，我们不做任何操作，CR3维持原始值，只是暴露newbluepill的内存信息，其他虚拟机状态仍然可以正常使用。CmPatchPTEPhysicalAddress。

转载地址：http://enjvb.baihongyu.com/