I haven't played with Hyper-V before, but I may have a few resources that may help you on your journey.
Hyper-V internals research (2006-2021) [from https://github.com/gerhart01/Hyper-V-Internals]
# Hyper-V internals research (2006-2021)
- [2006] [Microsoft] Jake Oshins. Device Virtualization Architecture. WinHec 2006. Link
- [2007] [Microsoft] Brandon Baker. Windows Server Virtualization and The Windows Hypervisor. Link
- [2011] Matt Suiche (@msuiche). LiveCloudKd. Your cloud is in my pocket. BlackHat DC 2011. Link
- [2011] [Core Security Technologies] Nicolas Economou (@nicoeconomou). Hyper-V VMBus persistent DoS vulnerability. Link
- [2013] Arthur Khudyaev (@gerhart_x). Hyper-V debugging for beginners. Link. English version: link
- [2014] Arthur Khudyaev (@gerhart_x). Hyper-V debugging for beginners. Part 2, or half disclosure of MS13-092 (1-day exploit research). Link. English version: link
- [2014] [ERNW] Felix Wilhelm (@_fel1x), Matthias Luft (@uchi_mata). Security Assessment of Microsoft Hyper-V. MS13-092 full disclosure. Link
- [2014] [ERNW] Felix Wilhelm (@_fel1x), Matthias Luft (@uchi_mata), Enno Rey (@enno_insinuator). Compromise-as-a-Service: Our PleAZURE. HitB Ams 2014. Link
- [2015] Alex Ionescu (@aionescu). Ring 0 to Ring -1 Attacks. Hyper-V IPC Internals. Link
- [2016] Hyper-V vmswitch.sys VmsMpCommonPvtHandleMulticastOids Guest to Host Kernel-Pool Overflow. Link
- [2016] Hyper-V vmswitch.sys VmsVmNicHandleRssParametersChange OOBR Guest to Host BugChecks. Link
- [2016] Hyper-V vmswitch.sys VmsPtpIpsecTranslateAddv2toAddv2Ex OOBR Guest to Host BugCheck. Link
- [2017] Andrea Allievi (@aall86). The Hyper-V Architecture and its Memory Manager. Link
- [2017] Aleksandr Bazhaniuk (@ABazhaniuk), Mikhail Gorobets (@mikhailgorobets), Andrew Furtak, Yuriy Bulygin (@c7zero). Attacking hypervisors through hardware emulation. [CHIPSEC] [FUZZING]. Link
- [2017] Arthur Khudyaev (@gerhart_x). Hyper-V sockets internals. Link. English version: link
- [2018] [Microsoft] Windows Sandbox. Link
- [2018] [Microsoft] Hyper-V HyperClear Mitigation for L1 Terminal Fault. Link. Update
- [2018] [Microsoft] Nicolas Joly (@n_joly), Joe Bialek (@josephbialek). A Dive in to Hyper-V Architecture & Vulnerabilities. Link
- [2018] [Microsoft] Jordan Rabet (@smealum). Hardening Hyper-V through Offensive Security Research. CVE-2017-0075. Link
- [2018] Alex Ionescu (@aionescu). Writing a Hyper-V “Bridge” for Fuzzing — Part 2: Hypercalls & MDLs. Link
- [2018] [Microsoft] Benjamin Armstrong (@vbenarmstrong). Hyper-V API Overview. Link
- [2018] [Microsoft] Yunhai Zhang (@_f0rgetting_). Dive Into Windows Defender Application Guard. Link
- [2018] [Microsoft] Saar Amar (@AmarSaar). First Steps in Hyper-V Research. Link
- [2019] [Microsoft] Fuzzing para-virtualized devices in Hyper-V. Link
- [2019] Amardeep Chana. Ventures into Hyper-V - Fuzzing hypercalls. Link
- [2019] [Microsoft] Daniel King (@long123king), Shawn Denbow (@sdenbow). Growing Hypervisor 0day with Hyperseed. Link
- [2019] Bruce Dang (@brucedang). Some notes on identifying exit and hypercall handlers in Hyper-V. Link. Web archive
- [2019] Joe Bialek (@josephbialek). Exploiting the Hyper-V IDE Emulator to Escape the Virtual Machine. Link
- [2019] Arthur Khudyaev (@gerhart_x). Hyper-V memory internals. Guest OS memory access. Link. English version: link
- [2019] [Microsoft] Saar Amar (@AmarSaar). Attacking the VM Worker Process. Link
- [2020] Alisa Shevchenko (@alisaesage). Hyper-V Linux integration services description. Link
- [2020] Arthur Khudyaev (@gerhart_x). Hyper-V memory internals. EXO partition memory access. Link. Russian version
- [2020] Arthur Khudyaev (@gerhart_x). Windows Hyper-V Denial of Service vulnerability internals in nested virtualization component (CVE-2020-0890). Link
- [2020] Daniel Fernandez Kuehr (@ergot86). Microsoft Hyper-V Stack Overflow Denial of Service (CVE-2020-0751). Link
- [2020] Daniel Fernandez Kuehr (@ergot86). Microsoft Hyper-V Type Confusion leading to Arbitrary Memory Dereference (CVE-2020-0904). Link
- [2020] Alisa Shevchenko (@alisaesage). Hypervisor vulnerability research (slides 35-60). Link
- [2020] Arthur Khudyaev (@gerhart_x). Hyper-V debugging for beginners (2nd edition). Link. Russian version
- [2021] Alisa Shevchenko (@alisaesage). Microsoft Hyper-V Virtual Network Switch VmsMpCommonPvtSetRequestCommon Out of Bounds Read. Link
- [2021] Alex Ilgayev (@_alex_il_). Playing in the Microsoft Windows Sandbox. Link
- [2021] (@_xeroxz). Voyager - A Hyper-V Hacking Framework. Link
## MSDN sources
- Managing Hyper-V hypervisor scheduler types. Link
- Hyper-V top level functional specification (web version). Link

(The Windows Internals book, the Hyper-V TLFS and the other MSDN docs are the standard sources of Hyper-V internals information.)
## Headers from the official Windows SDK\WDK
- hypervdevicevirtualization.h (WDK)
- vmsavedstatedump.h
- vmsavedstatedumpdefs.h
- WinHvEmulation.h
- WinHvPlatform.h
- WinHvPlatformDefs.h
- wmcontainer.h
- Wmcontainer.idl
## VBS\VSM research
I'm not specialized in VBS, which is only a Hyper-V based security mechanism, therefore I give links to papers, because they can contain some information about Hyper-V internals.
- [2015] Alex Ionescu (@aionescu). BATTLE OF SKM AND IUM. Link
- [2015] Guillaume C. Windows 10 VSM Présentation des nouveautés et implémentations. Link
- [2016] Rafal Wojtczuk. Analysis of the Attack Surface of Windows 10 Virtualization-Based Security. Presentation. Whitepaper
- [2017] Adrien Chevalier (@0x00_ach). Virtualization Based Security - Part 1: The boot process. Link
- [2017] Adrien Chevalier (@0x00_ach). Virtualization Based Security - Part 2: kernel communications. Link
- [2017] Hans Kristian Brendmo. Live forensics on the Windows 10 secure kernel. Link
- [2018] Alex Ionescu (@aionescu), David Weston (@dwizzzleMSFT). Inside the Octagon. Analyzing System Guard Runtime Attestation. OPCDE 2018. Link
- [2018] [Microsoft] Saar Amar (@AmarSaar). VBS and VSM Internals. BlueHat IL 2018. Link
- [2019] Aleksandar Milenkoski (@milenkowski). Virtual Secure Mode: Protections of Communication Interfaces. Link
- [2019] Dominik Phillips, Aleksandar Milenkoski (@milenkowski). Virtual Secure Mode: Initialization. Link
- [2019] Aleksandar Milenkoski (@milenkowski). Virtual Secure Mode: Communication Interfaces. Link
- [2019] Aleksandar Milenkoski (@milenkowski). Virtual Secure Mode: Architecture Overview. Link
- [2019] Lukas Beierlieb, Lukas Ifflander, Aleksandar Milenkoski (@milenkowski), Charles F. Goncalves, Nuno Antunes, Samuel Kounev. Towards Testing the Software Aging Behavior of Hypervisor Hypercall Interfaces. Link
- [2019] Federal Office for Information Security (Germany) (@BSI_Bund). Work Package 6: Virtual Secure Mode. Link
- [2019] Federal Office for Information Security (Germany) (@BSI_Bund). Work Package 7: Device Guard. Link
- [2020] Andrea Allievi (@aall86). Introducing Kernel Data Protection, a new platform security technology for preventing data corruption. Link
- [2020] Yarden Shafir (@yarden_shafir). Secure Pool Internals: Dynamic KDP Behind The Hood. Link
- [2020] [Microsoft] Saar Amar (@AmarSaar), Daniel King (@long123king). Breaking VSM by Attacking Secure Kernel. Hardening Secure Kernel through Offensive Research. Link
## Hyper-V related open source utilities and scripts
- [2013-2021] Arthur Khudyaev (@gerhart_x)
  * Files for the "Hyper-V debugging for beginners (2013)" article. Link
  * Files for the "Hyper-V debugging for beginners. 2nd edition (2020)" article. Link
  * Files for the "Hyper-V internals (2015)" article. Link
  * LiveCloudKd fork. Link
  * WinDBG EXDi sample plugin. Link
  * Native Hyper-V memory reading example driver. Link
  * Hyper-V integration plugin for MemProcFS by @UlfFrisk. Link. Plugin description from @UlfFrisk. Link
  * Scripts for Hyper-V research. Link
  * Create a hypercalls table in IDA Pro. Link
  * Parse the VM_PROCESS_CONTEXT structure (pykd based). Link
  * Display the VMCS inside hvix64 (dynamic execution using a WinDBG session). Link
  * Script for automatically configuring guest OS debugging, using embedded vmms.exe capabilities. Link
  * Script for getting some information from the Secure Kernel at runtime (IDT, loaded modules, syscalls, deciphering SkiSecureServiceTable). Link
- [2014] Marc-André Moreau (@awakecoding). Hyper-V VmBusPipe. Link
- [2016] Yuriy Bulygin (@c7zero). Hyper-V VMBUS fuzzing. CHIPSEC: Platform Security Assessment Framework. Link
- [2018] Windows Hypervisor Platform API for Rust. Link
- [2018] Alex Ionescu (@aionescu). Simpleator ("Simple-ator") is an innovative Windows-centric x64 user-mode application emulator that leverages several new features that were added in the Windows 10 Spring Update (1803). Link
- [2018] Matt Suiche (@msuiche). LiveCloudKd. Link
- [2019] Alex Ionescu (@aionescu). Hdk - Hyper-V development kit (unofficial). Link
- [2019] Axel Souchet (@0vercl0k). Pywinhv. Python binding for the Microsoft Hypervisor Platform APIs. Link
- [2019] Behrooz Abbassi (@BehroozAbbassi)
  * ia32_msr_decoder.py. Link
  * IA32_VMX_Helper.py. Link
- [2020] (@commial). Configure Qemu-KVM for debugging SecureKernel. Link
- [2020] Dmytro "Cr4sh" Oleksiuk (@d_olex). Hyper-V backdoor, which allows inspecting the Secure Kernel and running third-party trustlets in Isolated User Mode (a virtualization-based security feature of Windows 10). Link
- [2020] Matt Miller (@epakskape). WHVP API based NOP-generator. Link
- [2020] (@_xeroxz). Hyper-V Hacking Framework for Windows 10 x64 (AMD & Intel). Link
- [2021] (@Didu). Hyntrospect. This tool is a coverage-guided fuzzer targeting Hyper-V emulated devices (in the userland of the Hyper-V root partition). Link