Author: daax

Applied Reverse Engineering: Basic Architecture

Overview Thanks for joining me in my newest series Applied Reverse Engineering. I decided to write this new series concurrently with the EPT series except I pushed out the first five for this one and haven’t started the other. Typical. Anyways, I have to give a little preface to the article and series as well […]

Read More

Applied Reverse Engineering Series

Series Overview This series is intended for readers who are interested in reverse engineering but have only opened a debugger a handful of times. If you have trouble with certain concepts of reverse engineering, tooling, disassembly or debugging then you’ve come to the right place. Starting from the ground up we’ll work our way to […]

Read More

Day 5: The VM-exit Handler, Event Injection, Context Modifications, and CPUID Emulation

Overview In the last article you learned about the VMCS, initializing the VMCS, segmentation and made a skeleton of the VM-exit handler. It was a long read, but if you’re here reading this now you’ve made it through the most time consuming part. Now we get to start interposing on system operations at a whim, […]

Read More

Day 4: VMCS Initialization, Segmentation, and Operation Visualization

Overview A quick apology for the extended delay of this series. It is my intention to continue this series at Day 4 with a lot of newfound knowledge to share with the readers. I hope that with the last 6 months those of you who had taken an interest in this series were able to […]

Read More

Day 3: The VMCS, Component Encoding, and Multiprocessor Initialization

Overview This article will be presenting a lot of different information. The first section will be over multiple-processor initialization, the different processor classes and how they’re referenced throughout the post, and a variety of other multi-processor related information. I’ll also demonstrate the MP initialization protocol for the hypervisor we’re creating in full detail using what […]

Read More

Day 2: Entering VMX Operation, Explaining Implementation Requirements

Overview Today is the day of heavy details and implementation. There will be a lot of technical explanation and a lot of text. We’ll start off with a section explaining the need for some form of internal logging API because – well, having DbgPrint spammed throughout functions when validating certain control values is disgusting and […]

Read More

Day 1: Introduction to Virtualization, Type Definitions, and Support Testing

Overview In this article we’re going to introduce virtualization, the various forms of virtualization, terminology, and a high level view of the abstraction that is virtualization. We’ll also be building out a test function for support of virtual machine instructions, followed by defining structures to represent various architectural registers and components. The reason for using […]

Read More

Day 0: Virtual Environment Setup, Scripts, and WinDbg

Overview Today is the day you begin your wild journey into hypervisor development. It’s going to be miserable, rewarding, frustrating, and exciting – all at the same time. In this article, we accelerate head on into setting up our virtual environment using VMware (taking advantage of their nested virtualization), write scripts for quick stand-up and […]

Read More

5 Days to Virtualization: A Series on Hypervisor Development

Overview Next week, (10/29) I’ll be starting to publish a series that is written to aid new and interested readers with building, testing, and understanding type-2 hypervisor development. This hypervisor will be written for use on Intel processors with virtualization support. If you’re operating on an AMD chip, you may find some parts helpful, but […]

Read More

Detecting Hypervisor Presence on Windows 10

Detecting a hypervisor on Windows 10 is relatively simple, but due to the simplistic nature of the currently published detection vectors it’s likely that they are also relatively simple to spoof or remove. In this article we’ll detail a few ways of detecting a hypervisors presence on Windows 10, determining if it’s a Microsoft hypervisor, […]

Read More