#5, 05-30-2021, 21:27
sh3dow
I didn't play with Hyper-V before but I may have a few resources that may help you in your journey.

Hyper-V internals researches (2006-2021) [from https://github.com/gerhart01/Hyper-V-Internals]

# Hyper-V internals researches (2006-2021)
  1. [2006] [Microsoft] Jake Oshins. Device Virtualization Architecture. WinHec 2006. Link
  2. [2007] [Microsoft] Brandon Baker. Windows Server Virtualization and The Windows Hypervisor. Link
  3. [2011] Matt Suiche (@msuiche). LiveCloudKd. Your cloud is in my pocket. BlackHat DC 2011. Link
  4. [2011] [Core Security Technologies] Nicolas Economou (@nicoeconomou). Hyper-V Vmbus persistent DoS vulnerability. Link
  5. [2013] Arthur Khudyaev (@gerhart_x). Hyper-V debugging for beginners. Link. English version link
  6. [2014] Arthur Khudyaev (@gerhart_x). Hyper-V debugging for beginners. Part 2, or half disclosure of MS13-092 (1-day exploit research). Link. English version link
  7. [2014] [ERNW] Felix Wilhelm (@_fel1x), Matthias Luft (@uchi_mata). Security Assessment of Microsoft Hyper-V. MS13-092 full disclosure. Link
  8. [2014] [ERNW] Felix Wilhelm (@_fel1x), Matthias Luft (@uchi_mata), Enno Rey (@enno_insinuator). Compromise-as-a-Service. Our PleAZURE. HitB Ams 2014. Link
  9. [2015] Alex Ionescu (@aionescu). Ring 0 to Ring -1 Attacks. Hyper-V IPC Internals. Link
  10. [2016] Hyper-V vmswitch.sys VmsMpCommonPvtHandleMulticastOids Guest to Host Kernel-Pool Overflow. Link
  11. [2016] Hyper-V vmswitch.sys VmsVmNicHandleRssParametersChange OOBR Guest to Host BugChecks. Link
  12. [2016] Hyper-V vmswitch.sys VmsPtpIpsecTranslateAddv2toAddv2Ex OOBR Guest to Host BugCheck. Link
  13. [2017] Andrea Allievi (@aall86). The Hyper-V Architecture and its Memory Manager. Link
  14. [2017] Aleksandr Bazhaniuk (@ABazhaniuk), Mikhail Gorobets (@mikhailgorobets), Andrew Furtak, Yuriy Bulygin (@c7zero). Attacking hypervisors through hardware emulation. [CHIPSEC] [FUZZING]. Link
  15. [2017] Arthur Khudyaev (@gerhart_x). Hyper-V sockets internals. Link. English version link
  16. [2018] [Microsoft] Windows Sandbox. Link
  17. [2018] [Microsoft] Hyper-V HyperClear Mitigation for L1 Terminal Fault. Link. Update
  18. [2018] [Microsoft] Nicolas Joly (@n_joly), Joe Bialek (@josephbialek). A Dive in to Hyper-V Architecture & Vulnerabilities. Link
  19. [2018] [Microsoft] Jordan Rabet (@smealum). Hardening Hyper-V through Offensive Security Research. CVE-2017-0075. Link
  20. [2018] Alex Ionescu (@aionescu). Writing a Hyper-V “Bridge” for Fuzzing — Part 2: Hypercalls & MDLs. Link
  21. [2018] [Microsoft] Benjamin Armstrong (@vbenarmstrong). Hyper-V API Overview. Link
  22. [2018] [Microsoft] Yunhai Zhang (@_f0rgetting_). Dive Into Windows Defender Application Guard. Link
  23. [2018] [Microsoft] Saar Amar (@AmarSaar). First Steps in Hyper-V Research. Link
  24. [2019] [Microsoft] Fuzzing para-virtualized devices in Hyper-V. Link
  25. [2019] Amardeep Chana. Ventures into Hyper-V - Fuzzing hypercalls. Link
  26. [2019] [Microsoft] Daniel King (@long123king), Shawn Denbow (@sdenbow). Growing Hypervisor 0day with Hyperseed. Link
  27. [2019] Bruce Dang (@brucedang). Some notes on identifying exit and hypercall handlers in Hyper-V. Link. Web-archive
  28. [2019] Joe Bialek (@josephbialek). Exploiting the Hyper-V IDE Emulator to Escape the Virtual Machine. Link
  29. [2019] Arthur Khudyaev (@gerhart_x). Hyper-V memory internals. Guest OS memory access. Link. English version link
  30. [2019] [Microsoft] Saar Amar (@AmarSaar). Attacking the VM Worker Process. Link
  31. [2020] Alisa Shevchenko (@alisaesage). Hyper-V Linux integration services description. Link
  32. [2020] Arthur Khudyaev (@gerhart_x). Hyper-V memory internals. EXO partition memory access. Link. Russian version
  33. [2020] Arthur Khudyaev (@gerhart_x). Windows Hyper-V Denial of Service vulnerability internals in nested virtualization component (CVE-2020-0890). Link
  34. [2020] Daniel Fernandez Kuehr (@ergot86). Microsoft Hyper-V Stack Overflow Denial of Service (CVE-2020-0751). Link
  35. [2020] Daniel Fernandez Kuehr (@ergot86). Microsoft Hyper-V Type Confusion leading to Arbitrary Memory Dereference (CVE-2020-0904). Link
  36. [2020] Alisa Shevchenko (@alisaesage). Hypervisor vulnerability research (slides 35-60). Link
  37. [2020] Arthur Khudyaev (@gerhart_x). Hyper-V debugging for beginners (2nd edition). Link. Russian version
  38. [2021] Alisa Shevchenko (@alisaesage). Microsoft Hyper-V Virtual Network Switch VmsMpCommonPvtSetRequestCommon Out of Bounds Read. Link
  39. [2021] Alex Ilgayev (@_alex_il_). Playing in the Microsoft Windows Sandbox. Link
  40. [2021] (@_xeroxz). Voyager - A Hyper-V Hacking Framework. Link

## MSDN sources

Managing Hyper-V hypervisor scheduler types. Link
Hyper-V top level functional specification (web-version). Link

(The Windows Internals book, the Hyper-V TLFS and the other MSDN docs are the standard sources of Hyper-V internals information.)

## Headers from official Windows SDK\WDK
- hypervdevicevirtualization.h (WDK)
- vmsavedstatedump.h
- vmsavedstatedumpdefs.h
- WinHvEmulation.h
- WinHvPlatform.h
- WinHvPlatformDefs.h
- wmcontainer.h
- Wmcontainer.idl

## VBS\VSM researches

I'm not specialized in VBS, which is only a Hyper-V based security mechanism, therefore I give links to papers, because they can contain some information about Hyper-V internals.
  1. [2015] Alex Ionescu (@aionescu). BATTLE OF SKM AND IUM. Link
  2. [2015] Guillaume C. Windows 10 VSM Présentation des nouveautés et implémentations. Link
  3. [2016] Rafal Wojtczuk. Analysis of the Attack Surface of Windows 10 Virtualization-Based Security. Presentation. Whitepaper
  4. [2017] Adrien Chevalier (@0x00_ach). Virtualization Based Security - Part 1: The boot process. Link
  5. [2017] Adrien Chevalier (@0x00_ach). Virtualization Based Security - Part 2: kernel communications. Link
  6. [2017] Hans Kristian Brendmo. Live forensics on the Windows 10 secure kernel. Link
  7. [2018] Alex Ionescu (@aionescu), David Weston (@dwizzzleMSFT). Inside the Octagon. Analyzing System Guard Runtime Attestation. OPCDE 2018. Link
  8. [2018] [Microsoft] Saar Amar (@AmarSaar). VBS and VSM Internals. BlueHat IL 2018. Link
  9. [2019] Aleksandar Milenkoski (@milenkowski). Virtual Secure Mode: Protections of Communication Interfaces. Link
  10. [2019] Dominik Phillips, Aleksandar Milenkoski (@milenkowski). Virtual Secure Mode: Initialization. Link
  11. [2019] Aleksandar Milenkoski (@milenkowski). Virtual Secure Mode: Communication Interfaces. Link
  12. [2019] Aleksandar Milenkoski (@milenkowski). Virtual Secure Mode: Architecture Overview. Link
  13. [2019] Lukas Beierlieb, Lukas Ifflander, Aleksandar Milenkoski (@milenkowski), Charles F. Goncalves, Nuno Antunes, Samuel Kounev. Towards Testing the Software Aging Behavior of Hypervisor Hypercall Interfaces. Link
  14. [2019] Federal Office for Information Security (Germany) (@BSI_Bund). Work Package 6: Virtual Secure Mode. Link
  15. [2019] Federal Office for Information Security (Germany) (@BSI_Bund). Work Package 7: Device Guard. Link
  16. [2020] Andrea Allievi (@aall86). Introducing Kernel Data Protection, a new platform security technology for preventing data corruption. Link
  17. [2020] Yarden Shafir (@yarden_shafir). Secure Pool Internals: Dynamic KDP Behind The Hood. Link
  18. [2020] [Microsoft] Saar Amar (@AmarSaar), Daniel King (@long123king). Breaking VSM by Attacking Secure Kernel. Hardening Secure Kernel through Offensive Research. Link

## Hyper-V related open source utilities and scripts

[2013-2021] Arthur Khudyaev (@gerhart_x)

* Files for the "Hyper-V debugging for beginners (2013)" article. Link
* Files for the "Hyper-V debugging for beginners. 2nd edition (2020)" article. Link
* Files for the "Hyper-V internals (2015)" article. Link
* LiveCloudKd fork. Link
* WinDBG EXDi sample plugin. Link
* Native Hyper-V memory reading example driver. Link
* Hyper-V integration plugin for MemProcFs by @UlfFrisk. Link. Plugin description from @UlfFrisk. Link
* Scripts for Hyper-V research. Link
* Create hypercalls table in IDA PRO. Link
* Parse VM_PROCESS_CONTEXT structure (pykd based). Link
* Display VMCS inside hvix64 (dynamic execution using WinDBG session). Link
* Script for automatic Guest OS debugging configuration, using embedded vmms.exe capabilities. Link
* Script for getting some information from Secure Kernel at runtime (IDT, loaded modules, syscall, deciphering SkiSecureServiceTable). Link

[2014] Marc-André Moreau (@awakecoding). Hyper-V VmBusPipe. Link
[2016] Yuriy Bulygin (@c7zero). Hyper-V VMBUS fuzzing. CHIPSEC: Platform Security Assessment Framework. Link
[2018] Windows Hypervisor Platform API for Rust. Link
[2018] Alex Ionescu (@aionescu). Simpleator ("Simple-ator") is an innovative Windows-centric x64 user-mode application emulator that leverages several new features that were added in Windows 10 Spring Update (1803). Link
[2018] Matt Suiche (@msuiche). LiveCloudKd. Link
[2019] Alex Ionescu (@aionescu). Hdk - Hyper-V development kit (unofficial). Link
[2019] Axel Souchet (@0vercl0k). Pywinhv. Python binding for the Microsoft Hypervisor Platform APIs. Link
[2019] Behrooz Abbassi (@BehroozAbbassi)
* ia32_msr_decoder.py. Link
* IA32_VMX_Helper.py. Link

[2020] (@commial). Configure Qemu-KVM for debugging SecureKernel. Link
[2020] Dmytro "Cr4sh" Oleksiuk (@d_olex). Hyper-V backdoor, which allows inspecting Secure Kernel and running 3rd-party trustlets in the Isolated User Mode (a virtualization-based security feature of Windows 10). Link
[2020] Matt Miller (@epakskape). WHVP API based NOP-generator. Link
[2020] (@_xeroxz). Hyper-V Hacking Framework For Windows 10 x64 (AMD & Intel). Link
[2021] (@Didu). Hyntrospect. This tool is a coverage-guided fuzzer targeting Hyper-V emulated devices (in the userland of the Hyper-V root partition). Link

Last edited by sh3dow; 05-30-2021 at 21:49. Reason: correct formating