Category: Hypervisors

Evading ACPI checks in commercial virtualization platforms

Overview Dozens of virtual machine checks are scattered throughout various open-source projects. You’ll see a handful of the same checks in various applications, from commercial to fully fleshed-out malware. The checks typically involve looking for drivers, devices, processes, registry entries, custom vendor information, timing attacks, etc. Most of these methods are easily mitigated by tweaking […]

Read More

MMU Virtualization via Intel EPT: Implementation – Part 1

Overview This article will cover the various requirements and features available for MMU virtualization via Intel Extended Page Tables. It’s going to be a relatively long article as I want to cover all of or most of the details concerning initialization and capability checking, MTRR setup, page splitting, and so on. We’ll start with checking […]

Read More

MMU Virtualization via Intel EPT: Technical Details

Overview This article marks the first of 5 articles covering the virtualization of the memory management unit (MMU) using Intel EPT. This technology is used as additional support for the virtualization of physical memory and allows hypervisors to monitor memory activity. This article will address the motivation for extended page tables, the many performance concerns […]

Read More

MMU Virtualization via Intel EPT – Index

Overview After receiving an abundance of requests to complete the EPT series I’ve switched gears to write this 5 part series over MMU Virtualization using Intel EPT. This series is written to be able to be used in your own hypervisor project or in conjunction with the CPU virtualization series published a few months prior. […]

Read More

Day 5: The VM-exit Handler, Event Injection, Context Modifications, and CPUID Emulation

Overview In the last article you learned about the VMCS, initializing the VMCS, segmentation and made a skeleton of the VM-exit handler. It was a long read, but if you’re here reading this now you’ve made it through the most time consuming part. Now we get to start interposing on system operations at a whim, […]

Read More

Day 4: VMCS Initialization, Segmentation, and Operation Visualization

Overview A quick apology for the extended delay of this series. It is my intention to continue this series at Day 4 with a lot of newfound knowledge to share with the readers. I hope that with the last 6 months those of you who had taken an interest in this series were able to […]

Read More

Syscall Hooking via Extended Feature Enable Register (EFER)

Since the dawn of KVA Shadowing (KVAS), similar to Linux’s KPTI, which was developed by Microsoft to mitigate Meltdown vulnerabilities, hooking syscalls among other potentially malicious things has become increasingly difficult in Windows. Upon updating my virtualization toolset which utilizes syscall hooking strategies to assist in control flow analysis, I had trouble when trying to […]

Read More

Day 3: The VMCS, Component Encoding, and Multiprocessor Initialization

Overview This article will be presenting a lot of different information. The first section will be over multiple-processor initialization, the different processor classes and how they’re referenced throughout the post, and a variety of other multi-processor related information. I’ll also demonstrate the MP initialization protocol for the hypervisor we’re creating in full detail using what […]

Read More

Day 2: Entering VMX Operation, Explaining Implementation Requirements

Overview Today is the day of heavy details and implementation. There will be a lot of technical explanation and a lot of text. We’ll start off with a section explaining the need for some form of internal logging API because – well, having DbgPrint spammed throughout functions when validating certain control values is disgusting and […]

Read More

Day 1: Introduction to Virtualization, Type Definitions, and Support Testing

Overview In this article we’re going to introduce virtualization, the various forms of virtualization, terminology, and a high level view of the abstraction that is virtualization. We’ll also be building out a test function for support of virtual machine instructions, followed by defining structures to represent various architectural registers and components. The reason for using […]

Read More