m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. LCD
9. DIO
RT3052 # printenv
bootcmd=tftp
bootdelay=5
baudrate=57600
ethaddr="00:AA:BB:CC:DD:10"
preboot=echo;echo
ramargs=setenv bootargs root=/dev/ram rw
addip=setenv bootargs $(bootargs) ip=$(ipaddr):$(serverip):$(gatewayip):$(netmask):$(hostname):$(netdev):off
addmisc=setenv bootargs $(bootargs) console=ttyS0,$(baudrate) ethaddr=$(ethaddr) panic=1
flash_self=run ramargs addip addmisc;bootm $(kernel_addr) $(ramdisk_addr)
#include <linux/module.h>
static inline uint64_t exec_rdmsr(uint64_t msr)
{
uint32_t low, high;
asm volatile (
"rdmsr"
: "=a"(low), "=d"(high)
: "c"(msr)
);
<domain type='xen'>
<name>chiaki</name>
<uuid>dd79a623-d6f5-4c61-8c4c-7c8ce856d811</uuid>
<memory unit='KiB'>524288</memory>
<currentMemory unit='KiB'>524288</currentMemory>
<vcpu placement='static'>1</vcpu>
<os>
<type arch='x86_64' machine='xenfv'>hvm</type>
<loader type='rom'>/usr/local/lib/xen/boot/hvmloader</loader>
<boot dev='hd'/>
Compiled https://github.com/Tr4pMafia/bar0 with https://github.com/Tr4pMafia/hypervisor/tree/moly-bar using `make quick`.
Patch is below.
diff --git a/bfvmm/include/hve/arch/intel_x64/exit_handler.h b/bfvmm/include/hve/arch/intel_x64/exit_handler.h
index 275c5633..287b7a83 100755
--- a/bfvmm/include/hve/arch/intel_x64/exit_handler.h
+++ b/bfvmm/include/hve/arch/intel_x64/exit_handler.h
@@ -54,6 +54,16 @@
#pragma warning(disable : 4251)
#endif
[0] DEBUG: setup cr3 0x000000044758f000
[0] DEBUG: UMP
[0] DEBUG: cr3 0x000000044758f000
[0] DEBUG: AUDIO weooororroe
[0] DEBUG: AUDIO 4K erererjo 0x0000000000200000
[0] DEBUG: mmap pdpt
[0] DEBUG: mmap allocate 0xffffa52160b1c000
[0] DEBUG: mmap pd
[0] DEBUG: mmap allocate 0xffffa52160b1d000
[0] DEBUG: mmap pt
physical address = 30b0360
Handle NMI by 9
Handle NMI by 8
Handle NMI by 2
Handle NMI by 6
Handle NMI by 5
Handle NMI by 3
Handle NMI by 4
Handle NMI by 0
Handle NMI by 7
morimolymoly / DmaHvBackdoor.c
Created January 3, 2019 11:28 — forked from Cr4sh/DmaHvBackdoor.c
Hyper-V backdoor for UEFI
/*
*********************************************************************
Part of UEFI DXE driver code that injects Hyper-V VM exit handler
backdoor into the Device Guard enabled Windows 10 Enterprise.
Execution starts from new_ExitBootServices() -- a hook handler
for EFI_BOOT_SERVICES.ExitBootServices() which is called by
winload!OslFwpKernelSetupPhase1(). After the DXE phase exits, winload.efi
transfers execution to the previously loaded Hyper-V kernel (hvix64.sys)
moly@yayoi:~/cli$ strace curl --noproxy 192.168.200.56 -i -X POST -H 'Content-Type:application/json' -d "{\"ip\": 16754880, \"buf\": \"aaaaaaa\"}" http://192.168.200.56:1919/buf
execve("/usr/bin/curl", ["curl", "--noproxy", "192.168.200.56", "-i", "-X", "POST", "-H", "Content-Type:application/json", "-d", "{\"ip\": 16754880, \"buf\": \"aaaa"..., "http://192.168.200.56:1919/buf"], 0x7ffcfb4cde00 /* 71 vars */) = 0
brk(NULL) = 0x55b5a2983000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=104507, ...}) = 0
mmap(NULL, 104507, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f8bf0c26000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
fd 3, addr: 0x560d941b9080
GET / HTTP/1.1
Host: 192.168.200.56:1919
User-Agent: curl/7.58.0
Accept: */*
fd 3, addr: 0x560d941c3ee0
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8