Go Back   Exetools > General > General Discussion


Thread Tools Display Modes
Old 05-24-2021, 17:38
rootw0rm rootw0rm is offline
Join Date: Dec 2019
Location: High desert of SoCal
Posts: 3
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 2
Thanks Rcvd at 0 Times in 0 Posts
rootw0rm Reputation: 0
Hyper-V reversing

Thinking about a project I would like to start, but I'm not sure how feasible it is. Also, my environment isn't quite set up right now, so I'm not being lazy, just curious if anyone else here has delved into Hyper-V territory before.

Basically, I want a Hyper-V VM which will get past all VM detections for the purpose of reversing and malware analysis.

The first thing I want to do is modify what CPUID returns. So I'll need to modify WRMSR data. Assuming Hypervisor Code Integrity and Device Guard are off, is disabling DSE enough to be able to run patched Hyper-V binaries?
Reply With Quote
Old 05-30-2021, 01:21
pp2 pp2 is offline
Join Date: Jan 2002
Posts: 53
Rept. Given: 1
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 0
Thanks Rcvd at 13 Times in 10 Posts
pp2 Reputation: 2
Unfortunately, Microsoft do not provide symbols for their hypervisor, so debugging it is quite difficult. If you want to change CPUID results, you do not need any MSRs, CPUID command causes VMEXIT, so the answer to it is implemented directly in the hypervisor.

But, WinDBG cannot debug the hypervisor, the only method I know - use external debugger supplied with virtual machine, running nested virtual machine to be able to debug the hypervisor itself (Vmware and VirtualBox have such), but all these things aren't friendly at all. Preliminary analysis of hvix64.exe/vid.dll in the IDA can help. I suggest to start from VidRegisterCpuidHandler and VidRegisterCpuidResult functions from vid.dll.
Reply With Quote
Old 05-30-2021, 02:33
atom0s's Avatar
atom0s atom0s is offline
Join Date: Jan 2015
Posts: 331
Rept. Given: 25
Rept. Rcvd 108 Times in 53 Posts
Thanks Given: 49
Thanks Rcvd at 566 Times in 225 Posts
atom0s Reputation: 100-199 atom0s Reputation: 100-199
In 2018, MS did release some of their Hyper-V symbols as mentioned in their blog and MSDN articles here:

Noting that, with most released, they did not release ones for:
- storvsp.pdb, vhdparser.pdb, passthroughparser.pdb, hvax64.pdb, hvix64.pdb, and hvloader.pdb.

You can get the symbols from their server automatically by setting up your debuggers symbol path to use MS's server here:
Personal Projects Site: https://atom0s.com
Reply With Quote
Old 05-30-2021, 21:06
sh3dow sh3dow is offline
Join Date: Oct 2014
Posts: 103
Rept. Given: 97
Rept. Rcvd 77 Times in 22 Posts
Thanks Given: 277
Thanks Rcvd at 126 Times in 45 Posts
sh3dow Reputation: 77
I didn't play with Hyper-V before but I may have a few resource that may help you in your journey.

Edit: Because of network issue I made too identical comments, I edited this one because the one below has better formatting and more detailed.

Last edited by sh3dow; 05-31-2021 at 20:04.
Reply With Quote
The Following 2 Users Say Thank You to sh3dow For This Useful Post:
deepzero (05-30-2021), TQN (05-31-2021)
Old 05-30-2021, 21:27
sh3dow sh3dow is offline
Join Date: Oct 2014
Posts: 103
Rept. Given: 97
Rept. Rcvd 77 Times in 22 Posts
Thanks Given: 277
Thanks Rcvd at 126 Times in 45 Posts
sh3dow Reputation: 77
I didn't play with Hyper-V before but I may have a few resources that may help you in your journey.

Hyper-V internals researches (2006-2021) [from https://github.com/gerhart01/Hyper-V-Internals]

# Hyper-V internals researches (2006-2021)
  1. 2006] [Microsoft] Jake Oshins. Device Virtualization Architecture. WinHec 2006. [Link
  2. 2007] [Microsoft] Brandon Baker. Windows Server Virtualization and The Windows Hypervisor. [Link
  3. 2011] Matt Suiche [(@msuiche). LiveCloudKd. Your cloud is on my pocket. BlackHat DC 2011. Link
  4. 2011] [Core Security Technologies] Nicolas Economou [(@nicoeconomou). Hyper-V Vmbus persistent DoS vulnerability. Link
  5. 2013] Arthur Khudyaev [(@gerhart_x). Hyper-V debugging for beginners. Link. English version link
  6. 2014] Arthur Khudyaev [(@gerhart_x). Hyper-V debugging for beginners. Part 2 или half disclosure of MS13-092 (1-day exploit reseach). Link. English version link
  7. 2014] [ERNW]. Felix Wilhelm [(@_fel1x), Matthias Luft (@uchi_mata). Security Assessment of Microsoft Hyper-V. MS13-092 full disclosure. Link
  8. 2014] [ERNW]. Felix Wilhelm [(@_fel1x), Matthias Luft (@uchi_mata), Enno Rey (@enno_insinuator). Compromise-as-a-Service. Our PleAZURE. HitB Ams 2014 Link
  9. 2015] Alex Ionescu [(@aionescu). Ring 0 to Ring -1 Attacks. Hyper-V IPC Internals. Link
  10. 2016] Hyper-V vmswitch.sys VmsMpCommonPvtHandleMulticastOids Guest to Host Kernel-Pool Overflow. [Link
  11. 2016] Hyper-V vmswitch.sys VmsVmNicHandleRssParametersChange OOBR Guest to Host BugChecks. [Link
  12. 2016] Hyper-V vmswitch.sys VmsPtpIpsecTranslateAddv2toAddv2Ex OOBR Guest to Host BugCheck. [Link
  13. 2017] Andrea Allievi [(@aall86). The Hyper-V Architecture and its Memory Manager. Link
  14. 2017] Aleksandr Bazhaniuk [(@ABazhaniuk), Mikhail Gorobets @mikhailgorobets, Andrew Furtak, Yuriy Bulygin @c7zero. Attacking hypervisors through hardware emulation. CHIPSEC] [FUZZING]. [Link
  15. 2017] Arthur Khudyaev [(@gerhart_x). Hyper-V sockets internals. Link. English version link
  16. 2018] [Microsoft] Windows Sandbox. [Link
  17. 2018] [Microsoft] Hyper-V HyperClear Mitigation for L1 Terminal Fault. [Link. Update
  18. 2018] [Microsoft] Nicolas Joly [(@n_joly), Joe Bialek (@josephbialek). A Dive in to Hyper-V Architecture & Vulnerabilities. Link
  19. 2018] [Microsoft] Jordan Rabet [(@smealum). Hardening Hyper-V through Offensive Security Research. CVE-2017-0075. Link
  20. 2018] Alex Ionescu [(@aionescu). Writing a Hyper-V “Bridge” for Fuzzing — Part 2 : Hypercalls & MDLs. Link
  21. 2018] [Microsoft] Benjamin Armstrong [(@vbenarmstrong). Hyper-V API Overview. Link
  22. 2018] [Microsoft] Yunhai Zhang [(@_f0rgetting_). Dive Into Windows Defender Appliation Guard. Link
  23. 2018] [Microsoft] Saar Amar [(@AmarSaar). First Steps in Hyper-V Research. Link
  24. 2019] [Microsoft] Fuzzing para-virtualized devices in Hyper-V. [Link
  25. 2019] Amardeep Chana. Ventures into Hyper-V - Fuzzing hypercalls. [Link
  26. 2019] [Microsoft] Daniel King [(@long123king), Shawn Denbow @sdenbow. Growing Hypervisor 0day with Hyperseed. Link
  27. 2019] Bruce Dang [(@brucedang). Some notes on identifying exit and hypercall handlers in Hyper-V. Link Web-archive
  28. 2019] Joe Bialek [(@josephbialek). Exploiting the Hyper-V IDE Emulator to Escape the Virtual Machine. Link
  29. 2019] Arthur Khudyaev [(@gerhart_x). Hyper-V memory internals. Guest OS memory access. Link. English version link
  30. 2019] [Microsoft] Saar Amar [(@AmarSaar). Attacking the VM Worker Process. Link
  31. 2020] Alisa Shevchenko [(@alisaesage). Hyper-V Linux integration services description. Link
  32. 2020] Arthur Khudyaev [(@gerhart_x). Hyper-V memory internals. EXO partition memory access. Link.Russian version
  33. 2020] Arthur Khudyaev [(@gerhart_x). Windows Hyper-V Denial of Service vulnerability internals in nested virtualization component (CVE-2020-0890). Link
  34. 2020] Daniel Fernandez Kuehr [(@ergot86). Microsoft Hyper-V Stack Overflow Denial of Service (CVE-2020-0751). Link
  35. 2020] Daniel Fernandez Kuehr [(@ergot86). Microsoft Hyper-V Type Confusion leading to Arbitrary Memory Dereference (CVE-2020-0904). Link
  36. 2020] Alisa Shevchenko [(@alisaesage). Hypervisor vulnerability research (slides 35-60). Link
  37. 2020] Arthur Khudyaev [(@gerhart_x). Hyper-V debugging for beginners (2nd edition).Link. Russian version
  38. 2021] Alisa Shevchenko [(@alisaesage). Microsoft Hyper-V Virtual Network Switch VmsMpCommonPvtSetRequestCommon Out of Bounds Read. Link
  39. 2021] Alex Ilgayev [(@_alex_il_). Playing in the Microsoft Windows Sandbox. Link
  40. 2021] [(@_xeroxz). Voyager - A Hyper-V Hacking Framework. Link

## MSDN sources

Managing Hyper-V hypervisor scheduler types. Link
Hyper-V top level functional specification (web-version). Link

(Windows Internals book, Hyper-V TLFS, another MSDN docs are standard Hyper-V internals information sources)

[h3]Headers from official Windows SDK\WDK[/h3]
- hypervdevicevirtualization.h (WDK)
- vmsavedstatedump.h
- vmsavedstatedumpdefs.h
- WinHvEmulation.h
- WinHvPlatform.h
- WinHvPlatformDefs.h
- wmcontainer.h
- Wmcontainer.idl

## VBS\VSM reseaches

I'm not specalized in VBS, which is only Hyper-V based security mechanism, therefore i give links on papers, because they can contain some information about Hyper-V internals.
  1. 2015] Alex Ionescu [(@aionescu). BATTLE OF SKM AND IUM. Link
  2. 2015] Guillaume C. Windows 10 VSM Présentation des nouveautés et implémentations. [Link
  3. 2016] Rafal Wojtczuk. Analysis of the Attack Surface of Windows 10 Virtualization-Based Security]. [Presentation.
  4. Whitepaper
  5. 2017] Adrien Chevalier [(@0x00_ach). Virtualization Based Security - Part 1: The boot process. Link
  6. 2017] Adrien Chevalier [(@0x00_ach). Virtualization Based Security - Part 2: kernel communications. Link
  7. 2017] Hans Kristian Brendmo. Live forensics on the Windows 10 secure kernel. [Link
  8. 2018] Alex Ionescu [(@aionescu), David Weston @dwizzzleMSFT. Inside the Octagon. Analyzing System Guard Runtime Attestation. OPCDE 2018. Link
  9. 2018] [Microsoft] Saar Amar [(@AmarSaar). VBS and VSM Internals. BlueHat IL 2018. Link
  10. 2019] Aleksandar Milenkoski [(@milenkowski). Interfaces Virtual Secure Mode: Protections of Communication. Link
  11. 2019] Dominik Phillips, Aleksandar Milenkoski [(@milenkowski). Virtual Secure Mode: Initialization. Link
  12. 2019] Aleksandar Milenkoski [(@milenkowski). Virtual Secure Mode: Communication Interfaces. Link
  13. 2019] Aleksandar Milenkoski [(@milenkowski). Virtual Secure Mode: Architecture Overview. Link
  14. 2019] Lukas Beierlieb, Lukas Ifflander, Aleksandar Milenkoski [(@milenkowski), Charles F. Goncalves, Nuno Antunes, Samuel Kounev. Towards Testing the Software Aging Behavior of Hypervisor Hypercall Interfaces. Link
  15. 2019] Federal office for information security (Germany). [(@BSI_Bund). Work Package 6: Virtual Secure Mode. Link
  16. 2019] Federal office for information security (Germany). [(@BSI_Bund). Work Package 7: Device Guard. Link
  17. 2020] Andrea Allievi [(@aall86). Introducing Kernel Data Protection, a new platform security technology for preventing data corruption. Link
  18. 2020] Yarden Shafir [(@yarden_shafir). Secure Pool Internals : Dynamic KDP Behind The Hood. Link
  19. 2020] [Microsoft] Saar Amar [(@AmarSaar), Daniel King (@long123king). Breaking VSM by Attacking Secure Kernel. Hardening Secure Kernel through Offensive Research. Link

## Hyper-V related open source utilities, scripts.

2013-2021] Arthur Khudyaev [(@gerhart_x)

* Files to "Hyper-V debugging for beginners (2013)" article. Link
* Files to "Hyper-V debugging for beginners. 2nd edition (2020)" article. Link
* Files to "Hyper-V internals (2015)" article. Link
* LiveCloudKd fork. Link
* WinDBG EXDi sample plugin. Link
* Native Hyper-V reading memory example driver. Link
* Hyper-V integration plugin for MemProcFs by @UlfFrisk. Link. Plugin description from @UlfFrisk. Link
* Scripts for Hyper-V reseaching. Link
* Create hypercalls table in IDA PRO. Link
* Parse VM_PROCESS_CONTEXT structure (pykd base). Link
* Display VMCS inside hvix64 (dynamic execution using WinDBG session). Link
* Script for automatic Guest OS debugging configuring, using embedded vmms.exe capabilities. Link
* Script for getting some information from Secure Kernel in runtime (IDT, loaded modules, syscall, decyphering SkiSecureServiceTable). Link

2014] Marc-André Moreau [(@awakecoding). Hyper-V VmBusPipe Link
2016] Yuriy Bulygin [@c7zero. Hyper-V VMBUS fuzzing. CHIPSEC: Platform Security Assessment Framework. Link
2018] Windows Hypervisor Platform API for Rust. [Link
2018] Alex Ionescu [(@aionescu). Simpleator ("Simple-ator") is an innovative Windows-centric x64 user-mode application emulator that leverages several new features that were added in Windows 10 Spring Update (1803). Link.
2018] Matt Suiche. LiveCloudKd [(@msuiche). Link
2019] Alex Ionescu [(@aionescu). Hdk - Hyper-V development kit (unofficial). Link
2019] Axel Souchet [(@0vercl0k). Pywinhv. Python binding for the Microsoft Hypervisor Platform APIs. Link
2019] Behrooz Abbassi [(@BehroozAbbassi)
* ia32_msr_decoder.py. Link
* IA32_VMX_Helper.py. Link

2020] [(@commial). Configure Qemu-KVM for debugging SecureKernel Link
2020] Dmytro "Cr4sh" Oleksiuk [(@d_olex). Hyper-V backdoor, which allows to inspect Secure Kernel and run 3-rd party trustlets in the Isolated User Mode (a virtualization-based security feature of Windows 10). Link
2020] Matt Miller [(@epakskape) WHVP API based NOP-generator. Link
2020] [(@_xeroxz) Hyper-V Hacking Framework For Windows 10 x64 (AMD & Intel). Link
2021] [(@Didu). Hyntrospect. This tool is a coverage-guided fuzzer targeting Hyper-V emulated devices (in the userland of Hyper-V root partition). Link

Last edited by sh3dow; 05-30-2021 at 21:49. Reason: correct formating
Reply With Quote
The Following 3 Users Say Thank You to sh3dow For This Useful Post:
deepzero (05-30-2021), Mendax47 (05-31-2021), TQN (05-31-2021)

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

All times are GMT +8. The time now is 12:14.

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX
( 1998 - 2021 )