freezing on eac initialization

[jxttah]

not using ept or any of the features just running hv.sys no bsod only freeze on squad eac

[jonomango]

How and why did you disable ept?

[jxttah]

How and why did you disable ept?

im not making use of the ept hooks or disabling it just running the driver and freezing at the end of initialization on eac

[None4334]

Having the same issue after the recent eac update. It seems like it might be related to the pagetables i am not sure. It just randomly freezes on eac startup and sometimes it doesnt

Edit: My EPT hooks are crashing with EAC sometimes. I hooked a page each in KVASCODE and .text sections, and both caused bluescreens. Errors: PAGE_FAULT_IN_NONPAGED_AREA, KERNEL_SECURITY_CHECK_FAILURE, and mostly DRIVER_IRQL_NOT_LESS_OR_EQUAL
One more weird thing is if i put the hook inbetween somewhere in the page it doesnt bluescreen which is extremely weird

[jonomango]

Having the same issue after the recent eac update. It seems like it might be related to the pagetables i am not sure. It just randomly freezes on eac startup and sometimes it doesnt

Edit: My EPT hooks are crashing with EAC sometimes. I hooked a page each in KVASCODE and .text sections, and both caused bluescreens. Errors: PAGE_FAULT_IN_NONPAGED_AREA, KERNEL_SECURITY_CHECK_FAILURE, and mostly DRIVER_IRQL_NOT_LESS_OR_EQUAL One more weird thing is if i put the hook inbetween somewhere in the page it doesnt bluescreen which is extremely weird

That is pretty interesting, yeah. Is it only the EPT hooks that are causing the crashes, or just having EPT enabled in general?

[None4334]

Its just random. Like without any ept hook on ntoskrnl i will freeze way less like 1/20. With an ept hook my chances are 8/10. And it happens at the end of the initialization. Some of my friends who use this hv also freeze and some freeze alot like 7/10 times. Its like when they are trying to maybe read the ept hooked page thats where the bsod for me occurs. About the freezing i am not sure. This issue doesnt happen on my amd hv so m pretty sure these eac changes are targetting intel or maybe your hypervisor specifically

Edit : One more issue that some of my friends had from day 1 is when they move their mouse their frames drop from 300 to 20. And this issue was random aswell. I optimized the hv to an extent it gave me 3-4 frame drops maximum but this issue still remained and happened sometimes. When i debugged it, it looked like there were like alot of interrupts happening, like alot which was lagging the whole system. Other than this the hypervisor is perfect. Great work and hope you can fix this eac issue

[jonomango]

Its just random. Like without any ept hook on ntoskrnl i will freeze way less like 1/20. With an ept hook my chances are 8/10. And it happens at the end of the initialization. Some of my friends who use this hv also freeze and some freeze alot like 7/10 times. Its like when they are trying to maybe read the ept hooked page thats where the bsod for me occurs. About the freezing i am not sure. This issue doesnt happen on my amd hv so m pretty sure these eac changes are targetting intel or maybe your hypervisor specifically

Edit : One more issue that some of my friends had from day 1 is when they move their mouse their frames drop from 300 to 20. And this issue was random aswell. I optimized the hv to an extent it gave me 3-4 frame drops maximum but this issue still remained and happened sometimes. When i debugged it, it looked like there were like alot of interrupts happening, like alot which was lagging the whole system. Other than this the hypervisor is perfect. Great work and hope you can fix this eac issue

Which EAC game is this for? The strange thing about EAC that I've noticed is that the entire system will freeze if you disable cr3 exiting (both on load and store) but if you enable one of them it will work just fine. The issue with this "fix" is that cr3 vm-exits are the most common by far, which leads to a big performance loss. I'm still not sure what could be causing this issue, since it is very counter-intuitive (I would understand if enabling cr3 exiting caused a system freeze, but not the other way around). I haven't worked on this hypervisor in a few years now, so don't really expect a fix to be coming from my end. Glad to know that some people are using it though.

[None4334]

I have tried rust and fortnite. It seems to freeze on both. What do you think i should try to fix the problem myself. Is it also possible that something like this might be an issue https://www.unknowncheats.me/forum/anti-cheat-bypass/523529-hypervisor-eac-loads-freezes-system.html. If it is why would ept hooks crash weirdly

[None4334]

Also i saw someone saying it might be due to ept trashing. What exactly is ept trashing

[None4334]

So this is what fixed my issues

• Changed EPT hooking from rw to no execute shadow pages ( this completely fixed my freezing which was happening due to ept which is quite weird)
• Removed hv present bit from cpuid
• Redid timing checks for rdmsr/rdtsc/rdtscp/cpuid
• Disabled tsc offsetting

One thing i still dont understand is if i place my shadow page directly somewhere in ntoskrnl eac bluescreens me with irql not less or equal. If i place some core in middle of that page it doesnt happen. Do you have an idea what this could mean?

[lauralex]

I've got one ;)

[None4334]

I've got one ;)

were you able to fix the problem fully? Because this only fixed it for me somehow but my friends still have the same freezes. You mind directing me to the right direction or giving me some information

[lauralex]

start with MTRRs and memory allocations. Then take a look at host page tables. Then I would take a look at interrupt handling and much more

[None4334]

Thanks, I will atart taking a look at it

[None4334]

So after debugging i found out i was always freezing at page_fault exception
so i ended up adding this to the interrupt handler
case page_fault: {

  uintptr_t cr2 = vmx_vmread(VMCS_EXIT_QUALIFICATION);
  inject_hw_exception(page_fault);
  __writecr2(cr2);
  break;

} and seems like it fixed crashes for my friends aswell @jonomango

[lauralex]

So after debugging i found out i was always freezing at page_fault exception so i ended up adding this to the interrupt handler case page_fault: {

  uintptr_t cr2 = vmx_vmread(VMCS_EXIT_QUALIFICATION);
  inject_hw_exception(page_fault);
  __writecr2(cr2);
  break;

} and seems like it fixed crashes for my friends aswell @jonomango

yep, that's why HyperDbg also added that handler ;)
https://github.com/HyperDbg/HyperDbg/blob/63f620e00a03bf1af3d94f641f920d05b32655e6/hyperdbg/hyperhv/code/vmm/vmx/IdtEmulation.c#L175.

Anyway, I don't think you should inject the PF to the guest, since the exception happened on the host.

[None4334]

So after debugging i found out i was always freezing at page_fault exception so i ended up adding this to the interrupt handler case page_fault: {

  uintptr_t cr2 = vmx_vmread(VMCS_EXIT_QUALIFICATION);
  inject_hw_exception(page_fault);
  __writecr2(cr2);
  break;

} and seems like it fixed crashes for my friends aswell @jonomango

yep, that's why HyperDbg also added that handler ;) https://github.com/HyperDbg/HyperDbg/blob/63f620e00a03bf1af3d94f641f920d05b32655e6/hyperdbg/hyperhv/code/vmm/vmx/IdtEmulation.c#L175.

Anyway, I don't think you should inject the PF to the guest.

yeah i thought so aswell. You have any recommendations?

[lauralex]

So after debugging i found out i was always freezing at page_fault exception so i ended up adding this to the interrupt handler case page_fault: {

  uintptr_t cr2 = vmx_vmread(VMCS_EXIT_QUALIFICATION);
  inject_hw_exception(page_fault);
  __writecr2(cr2);
  break;

} and seems like it fixed crashes for my friends aswell @jonomango

yep, that's why HyperDbg also added that handler ;) https://github.com/HyperDbg/HyperDbg/blob/63f620e00a03bf1af3d94f641f920d05b32655e6/hyperdbg/hyperhv/code/vmm/vmx/IdtEmulation.c#L175.
Anyway, I don't think you should inject the PF to the guest.

yeah i thought so aswell. You have any recommendations?

Also, why are you writing cr2 with the VMCS_EXIT_QUALIFICATION flags? Not that it matters, since it's only used to fill the address it tried to access before the PF.

[godpassword]

So after debugging i found out i was always freezing at page_fault exception so i ended up adding this to the interrupt handler case page_fault: {

  uintptr_t cr2 = vmx_vmread(VMCS_EXIT_QUALIFICATION);
  inject_hw_exception(page_fault);
  __writecr2(cr2);
  break;

} and seems like it fixed crashes for my friends aswell @jonomango

Dear, can you tell me where to modify in this project to solve this problem?:D

[None4334]

After all those were fixed now after 5th of nov update of eac my game freezes after 40minutes - 1hour. Somehow disabling efficiency cores seems to increase the time window. Any tips @lauralex @jonomango

[None4334]

alright those who are still having these freezes the issues are related to mwait and hlt instructions.

[lauralex]

alright those who are still having these freezes the issues are related to mwait and hlt instructions.

Check intelppm.sys driver

[None4334]

alright those who are still having these freezes the issues are related to mwait and hlt instructions.

Check intelppm.sys driver

i figured it was an issue with ppm. But how come interrupts are being stopped. Do you know what i should do or point me in a direction? Is there another vmexit i should be emulating related to interrupts
Edit : Also j tested by enabling mwait exiting and skipping over it which ofcourse fked my laptop but i had no freezes ingame. I logged that interrupts were disabled sometimes. How is that not causing a system freeze if a hypervisor is not present

[lauralex]

alright those who are still having these freezes the issues are related to mwait and hlt instructions.

Check intelppm.sys driver

i figured it was an issue with ppm. But how come interrupts are being stopped. Do you know what i should do or point me in a direction? Is there another vmexit i should be emulating related to interrupts Edit : Also j tested by enabling mwait exiting and skipping over it which ofcourse fked my laptop but i had no freezes ingame. I logged that interrupts were disabled sometimes. How is that not causing a system freeze if a hypervisor is not present

There are various cases where the cpu doesn't receive interrupts: the IF is not set (this will not impact NMIs), the cpu is in shutdown state (this will impact all interrupts), the cpu is in wait-for-SIPI state (this will impact all interrupts), the cpu is in a very low power state (this could impact all interrupts), the cpu is executing a SMI handler (this will impact all interrupts), and maybe some others more unusual.

A fix would be to prevent that one of the above events happen during vmx-root operation.

[lauralex]

Also, try to play around with the preemption timer, sometimes setting it higher fixes it and sometimes setting it lower fixes it, but it's just a workaround and based on probability

[lauralex]

The Intel ppm driver makes the cpu go to a c-state deeper than C2, periodically

[None4334]

The Intel ppm driver makes the cpu go to a c-state deeper than C2, periodically

Thanks for the info. What i have seen is even if intelppm is disabled the normal window's power management also causes the same freeze. The interrupts are disabled and mwait gets executed which in return freezes the system or causes a watchdog violation (rare cases). I checked the rflags when i got the dump and the interrupt bit was 0.

[None4334]

alright those who are still having these freezes the issues are related to mwait and hlt instructions.

Check intelppm.sys driver

i figured it was an issue with ppm. But how come interrupts are being stopped. Do you know what i should do or point me in a direction? Is there another vmexit i should be emulating related to interrupts Edit : Also j tested by enabling mwait exiting and skipping over it which ofcourse fked my laptop but i had no freezes ingame. I logged that interrupts were disabled sometimes. How is that not causing a system freeze if a hypervisor is not present

There are various cases where the cpu doesn't receive interrupts: the IF is not set (this will not impact NMIs), the cpu is in shutdown state (this will impact all interrupts), the cpu is in wait-for-SIPI state (this will impact all interrupts), the cpu is in a very low power state (this could impact all interrupts), the cpu is executing a SMI handler (this will impact all interrupts), and maybe some others more unusual.

A fix would be to prevent that one of the above events happen during vmx-root operation.

arent rflags interrupts always disabled in vmx-root operations[RFLAGS.IF]. i tried emulating mwait + monitor and observed that smi's in very rare cases were disabled which matches the time window of when the freezing occurs.