VMX guest instruction pointer problems

CRoemheld · Post by **CRoemheld** » Sat Sep 08, 2018 9:40 am

I am aware that there are not too many VMX posts and articles around here, so I am going to rely on my luck now:

I am trying to implement a hypervisor in my OS and right now I am implementing the vmentry and vmexit handlers for switches between VMX root and VMX non-root. However, I cannot seem to jump to an entry point when starting the VM via vmlaunch, because the GUEST_RIP field does not seem to match the dummy function address in physical memory.

The current approach looks like this:

- Set all neccessary fields (HOST_*, GUEST_* and control fields)
- Currently there is no EPT available (this shouldn't be a problem, as no EPT would mean the addresses are 1:1, however in limited range (16/32 bit instead of 64bit in x86-64 host))
- The code segment is initialized with the following values:
- - Selector: 0xf000
  - Base: 0xf0000
  - Limit: 0xffff
  - AR bytes: 0x9b
- For a dummy function which the VM should jump to after a successfull vmlaunch, I allocated space at 0xa000 (This is just for testing purposes) and copied my function there.
- Given the values, the function should now be located at Base + Offset for the guest, which is 0xf0000 + 0xa000 = 0xfa000.
- I write the GUEST_RIP with value 0xa000, because with the base of 0xf0000, it should automatically revert to 0xfa000.

Now when I launch the VM, the instruction pointer goes to 0xfa000, which is all accordingly to my plan, but there are only null bytes at this address. Did I miss something important here or is this approach complete bogus?

PS: Usually the Base value for the code segment would be 0xffff0000, I was just looking for other possible values here.