KelvinMsft/NoTruth


NoTruth

NoTruth is an open-source project for hiding user-mode memory with Intel VT-x/EPT on the Windows x64 platform.

Environment

  • Visual Studio 2015 Update 3
  • Windows SDK 10
  • Windows Driver Kit 10
  • VMware 12 with EPT exposed to the guest
  • Supports multi-core processor environments
  • Tested on Windows 7 x64 SP1

Description

User-mode memory hiding with VT-x/EPT: every read of the hidden memory (by a debugger, by ReadProcessMemory, by an integrity-check routine) returns faked bytes, while the CPU executes the real, modified bytes. It can therefore be used to bypass checksums computed over user-mode memory.

Expected Output

Anyone reading the memory gets the faked value, while CPU execution uses the real bytes. The expected result is as follows:

Explanation:

  • There is a test case in VTxRing3 with 20 threads: 10 threads read the function's memory and 10 threads execute the function.
  • 1: The reading threads see the correct (original) bytes of that function.
  • 2: Any thread that calls (executes) the function gets an exception, because a 0xCC (int3) has been written onto it.
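The two outcomes above are what an EPT "split view" produces: the hidden page is backed by two host pages, one holding the original bytes for reads and one holding the patched bytes for execution, and the EPT violation handler remaps the page to whichever view the faulting access needs. The following host-side model of that handler is an added illustration, not NoTruth's or HyperPlatform's code; it assumes a generic read/execute view swap on EPT violation (NoTruth's actual handler may differ in detail), a per-vCPU EPT as on a multi-core setup, a toy 16-byte page, and constructed stub bytes that are not taken from any real ntdll.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of an EPT split view (illustration only, not NoTruth's code). */
#define PAGE_BYTES 16                  /* toy page; a real page is 4 KiB */

enum { EPT_R = 1u, EPT_W = 2u, EPT_X = 4u };
enum access { ACC_READ, ACC_EXEC };

struct hidden_page {
    uint8_t read_view[PAGE_BYTES];     /* original bytes: what every read returns */
    uint8_t exec_view[PAGE_BYTES];     /* patched bytes: what the CPU fetches */
};

/* One EPT per vCPU: a reader core and an executor core keep separate mappings. */
struct vcpu_ept {
    const uint8_t *backing;            /* host page currently mapped for the guest page */
    unsigned perms;                    /* EPT_R | EPT_W | EPT_X currently granted */
    unsigned violations;               /* EPT violations (VM exits) taken so far */
};

static void hide_page(struct hidden_page *hp, const uint8_t *orig, size_t len)
{
    memset(hp, 0, sizeof *hp);
    memcpy(hp->read_view, orig, len);
    memcpy(hp->exec_view, orig, len);  /* identical until a patch is installed */
}

/* The patch goes into the execute view only; readers keep the original bytes. */
static void install_patch(struct hidden_page *hp, size_t off, uint8_t byte)
{
    hp->exec_view[off] = byte;
}

static void vcpu_init(struct vcpu_ept *e, const struct hidden_page *hp)
{
    e->backing = hp->read_view;        /* start with the readable view mapped */
    e->perms = EPT_R | EPT_W;
    e->violations = 0;
}

/* EPT violation handler: map the view matching the faulting access, and grant
 * only the permissions that view is allowed to be used with. */
static void ept_violation(struct vcpu_ept *e, const struct hidden_page *hp, enum access a)
{
    e->violations++;
    if (a == ACC_EXEC) { e->backing = hp->exec_view; e->perms = EPT_X; }
    else               { e->backing = hp->read_view; e->perms = EPT_R | EPT_W; }
}

/* One guest access to the hidden page on this vCPU; returns the byte the guest gets. */
static uint8_t guest_access(struct vcpu_ept *e, const struct hidden_page *hp,
                            enum access a, size_t off)
{
    unsigned need = (a == ACC_EXEC) ? EPT_X : EPT_R;
    if ((e->perms & need) == 0)
        ept_violation(e, hp, a);       /* VM exit, remap, resume the access */
    return e->backing[off];
}

/* A checksum as a user-mode integrity check would compute it: plain byte reads. */
static uint32_t checksum_via_reads(struct vcpu_ept *e, const struct hidden_page *hp)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < PAGE_BYTES; i++)
        sum = sum * 31u + guest_access(e, hp, ACC_READ, i);
    return sum;
}

struct scenario {
    uint8_t  read_byte;                /* what a reader/debugger sees at offset 0 */
    uint8_t  fetched_byte;             /* what the CPU executes at offset 0 */
    int      checksum_intact;          /* 1 if the read-side checksum is unchanged */
    unsigned reader_violations;        /* VM exits on the reading core */
    unsigned executor_violations;      /* VM exits on the executing core */
};

/* Constructed stand-in for a syscall stub (mov r10,rcx; mov eax,imm32; syscall; ret). */
static const uint8_t stub[] = { 0x4C, 0x8B, 0xD1, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };

/* The README's test: write 0xCC onto the function, then read it from one core
 * while fetching it for execution on another, ten times each. */
static struct scenario run_scenario(void)
{
    struct hidden_page hp;
    struct vcpu_ept reader, executor;
    struct scenario r;
    hide_page(&hp, stub, sizeof stub);
    vcpu_init(&reader, &hp);
    vcpu_init(&executor, &hp);
    uint32_t before = checksum_via_reads(&reader, &hp);
    install_patch(&hp, 0, 0xCC);       /* int3 on the first instruction */
    for (int i = 0; i < 10; i++) {
        r.read_byte    = guest_access(&reader,   &hp, ACC_READ, 0);
        r.fetched_byte = guest_access(&executor, &hp, ACC_EXEC, 0);
    }
    r.checksum_intact     = (before == checksum_via_reads(&reader, &hp));
    r.reader_violations   = reader.violations;
    r.executor_violations = executor.violations;
    return r;
}

/* Contrast: one EPT shared by reader and executor thrashes between the views. */
static unsigned shared_ept_violations(void)
{
    struct hidden_page hp;
    struct vcpu_ept shared;
    hide_page(&hp, stub, sizeof stub);
    install_patch(&hp, 0, 0xCC);
    vcpu_init(&shared, &hp);
    for (int i = 0; i < 10; i++) {
        guest_access(&shared, &hp, ACC_READ, 0);
        guest_access(&shared, &hp, ACC_EXEC, 0);
    }
    return shared.violations;
}

int main(void)
{
    struct scenario r = run_scenario();
    printf("reader sees 0x%02X, CPU fetches 0x%02X, checksum intact=%d\n",
           r.read_byte, r.fetched_byte, r.checksum_intact);
    printf("EPT violations: reader core %u, executor core %u, shared EPT %u\n",
           r.reader_violations, r.executor_violations, shared_ept_violations());
    return 0;
}
```

The reader core never exits after its first access and the executor core exits exactly once, whereas a single shared EPT takes a VM exit on almost every access; that is why a multi-core implementation keeps per-processor EPT state rather than one global mapping.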

User Mode Test:  

NoTruth can be tested from user mode on a multi-core processor configuration. To keep the test case simple, x64dbg and notepad.exe (x64) are used for the demonstration.

First, without the driver loaded, use x64dbg to edit the .text section of notepad.exe as follows, so the result can be compared later:

Open notepad.exe (x64) and VTxRing3.exe as administrator, then click LoadDriver to load the NoTruth driver:

After the NoTruth driver is loaded, repeat the previous step (modifying memory) by writing a 0xCC onto NtCreateFile:

From the debugger's point of view the memory appears unchanged:

Now make notepad.exe execute NtCreateFile once (for example, by opening a file):

Execution breaks on that instruction, but the debugger cannot tell that the byte there is 0xCC (the breakpoint instruction), so the exception is raised in the process.

Finally, close notepad.exe and release/unlock the hidden memory.

TODO:

Debug...

Reference:

https://github.com/tandasat/HyperPlatform