#1
Hyper-V reversing
Thinking about a project I would like to start, but I'm not sure how feasible it is. Also, my environment isn't quite set up right now, so I'm not being lazy, just curious if anyone else here has delved into Hyper-V territory before.
Basically, I want a Hyper-V VM which will get past all VM detections for the purpose of reversing and malware analysis. The first thing I want to do is modify what CPUID returns, so I'll need to modify WRMSR data. Assuming Hypervisor Code Integrity and Device Guard are off, is disabling DSE enough to be able to run patched Hyper-V binaries?
#2
Unfortunately, Microsoft do not provide symbols for their hypervisor, so debugging it is quite difficult. If you want to change CPUID results, you do not need any MSRs: the CPUID instruction causes a VMEXIT, so the answer to it is implemented directly in the hypervisor.
But WinDBG cannot debug the hypervisor. The only method I know is to use an external debugger supplied with a virtual machine, running a nested virtual machine to be able to debug the hypervisor itself (VMware and VirtualBox have such a feature), but none of these things are friendly at all. Preliminary analysis of hvix64.exe/vid.dll in IDA can help. I suggest starting from the VidRegisterCpuidHandler and VidRegisterCpuidResult functions in vid.dll.
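The two CPUID leaves that the hypervisor's handler answers, and that a VM-aware sample reads first, are leaf 1 (ECX bit 31, the "hypervisor present" bit) and leaf 0x40000000 (the vendor signature in EBX:ECX:EDX, which Hyper-V reports as "Microsoft Hv"). The following is an added example, not code from the thread or from Microsoft: it queries both leaves on an x86 build and decodes them in pure functions, so an analyst can confirm what the guest actually sees after a CPUID handler has been changed. The EAX value in the constructed test input is a placeholder, not a documented Hyper-V value.

```c
/* Added example (not from the thread): read the two CPUID leaves a guest
 * uses to notice a hypervisor, and decode them in pure functions so the
 * decoding can be checked against constructed register values. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct cpuid_regs {
    uint32_t eax, ebx, ecx, edx;
};

/* Execute CPUID for the given leaf (sub-leaf 0). Returns false with zeroed
 * registers when built for a non-x86 target, so the decoders stay testable. */
static bool cpuid_query(uint32_t leaf, struct cpuid_regs *r)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("cpuid"
                     : "=a"(r->eax), "=b"(r->ebx), "=c"(r->ecx), "=d"(r->edx)
                     : "a"(leaf), "c"(0));
    return true;
#else
    memset(r, 0, sizeof *r);
    return false;
#endif
}

/* Leaf 1, ECX bit 31: the "hypervisor present" bit that hypervisors set
 * in the guest's view and that VM-detection code checks first. */
static bool hypervisor_present_bit(uint32_t leaf1_ecx)
{
    return (leaf1_ecx >> 31) & 1u;
}

/* Leaf 0x40000000 returns the vendor signature as 12 ASCII bytes laid out
 * little-endian in EBX, ECX, EDX (x86 register order); out needs 13 bytes.
 * Hyper-V reports "Microsoft Hv". */
static void hypervisor_vendor(const struct cpuid_regs *r, char out[13])
{
    memcpy(out, &r->ebx, 4);
    memcpy(out + 4, &r->ecx, 4);
    memcpy(out + 8, &r->edx, 4);
    out[12] = '\0';
}

static bool is_hyperv_signature(const struct cpuid_regs *r)
{
    char vendor[13];
    hypervisor_vendor(r, vendor);
    return strcmp(vendor, "Microsoft Hv") == 0;
}

int main(void)
{
    struct cpuid_regs leaf1, leaf_hv;
    char vendor[13];

    if (!cpuid_query(1, &leaf1)) {
        puts("not an x86 build; nothing to query");
        return 0;
    }
    printf("leaf 1 ECX[31] (hypervisor present): %d\n",
           hypervisor_present_bit(leaf1.ecx));

    if (hypervisor_present_bit(leaf1.ecx)) {
        cpuid_query(0x40000000u, &leaf_hv);
        hypervisor_vendor(&leaf_hv, vendor);
        /* EAX of this leaf is the highest hypervisor leaf supported. */
        printf("leaf 0x40000000 max leaf: 0x%08x, vendor: \"%s\"%s\n",
               leaf_hv.eax, vendor,
               is_hyperv_signature(&leaf_hv) ? " (Hyper-V)" : "");
    }
    return 0;
}
```

Run it inside the guest before and after any change to the CPUID path: if the present bit or the signature still reads as Hyper-V, the handler was not the one the guest hits.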
#3
In 2018, MS did release some of their Hyper-V symbols, as mentioned in their blog and MSDN articles here:
https://docs.microsoft.com/en-us/virtualization/community/team-blog/2018/20180425-hyper-v-symbols-for-debugging
https://msrc-blog.microsoft.com/2018/05/03/hyper-v-debugging-symbols-are-publicly-available/
The released PDBs are storvsp.pdb, vhdparser.pdb, passthroughparser.pdb, hvax64.pdb, hvix64.pdb, and hvloader.pdb. You can get the symbols from their server automatically by setting up your debugger's symbol path to use MS's server here:
https://msdl.microsoft.com/download/symbols
Personal Projects Site: https://atom0s.com
#4
I didn't play with Hyper-V before, but I may have a few resources that may help you in your journey.
Edit: Because of a network issue I made two identical comments. I edited this one because the one below has better formatting and is more detailed. Last edited by sh3dow; 05-31-2021 at 20:04.
#5
I didn't play with Hyper-V before, but I may have a few resources that may help you in your journey.

# Hyper-V internals researches (2006-2021)
[from https://github.com/gerhart01/Hyper-V-Internals]

## MSDN sources
- Managing Hyper-V hypervisor scheduler types. Link
- Hyper-V top level functional specification (web-version). Link

(The Windows Internals book, the Hyper-V TLFS and other MSDN docs are the standard Hyper-V internals information sources.)

### Headers from the official Windows SDK\WDK
- hypervdevicevirtualization.h (WDK)
- vmsavedstatedump.h
- vmsavedstatedumpdefs.h
- WinHvEmulation.h
- WinHvPlatform.h
- WinHvPlatformDefs.h
- wmcontainer.h
- Wmcontainer.idl

## VBS\VSM researches
I'm not specialized in VBS, which is the only Hyper-V based security mechanism, therefore I give links to papers, because they can contain some information about Hyper-V internals.

## Hyper-V related open source utilities, scripts
- [2013-2021] Arthur Khudyaev (@gerhart_x)
  - Files to "Hyper-V debugging for beginners (2013)" article. Link
  - Files to "Hyper-V debugging for beginners. 2nd edition (2020)" article. Link
  - Files to "Hyper-V internals (2015)" article. Link
  - LiveCloudKd fork. Link
  - WinDBG EXDi sample plugin. Link
  - Native Hyper-V reading memory example driver. Link
  - Hyper-V integration plugin for MemProcFs by @UlfFrisk. Link. Plugin description from @UlfFrisk. Link
  - Scripts for Hyper-V researching. Link
  - Create hypercalls table in IDA PRO. Link
  - Parse VM_PROCESS_CONTEXT structure (pykd based). Link
  - Display VMCS inside hvix64 (dynamic execution using WinDBG session). Link
  - Script for automatic Guest OS debugging configuring, using embedded vmms.exe capabilities. Link
  - Script for getting some information from Secure Kernel in runtime (IDT, loaded modules, syscall, deciphering SkiSecureServiceTable). Link
- [2014] Marc-André Moreau (@awakecoding). Hyper-V VmBusPipe. Link
- [2016] Yuriy Bulygin (@c7zero). Hyper-V VMBUS fuzzing. CHIPSEC: Platform Security Assessment Framework. Link
- [2018] Windows Hypervisor Platform API for Rust. Link
- [2018] Alex Ionescu (@aionescu). Simpleator ("Simple-ator") is an innovative Windows-centric x64 user-mode application emulator that leverages several new features that were added in Windows 10 Spring Update (1803). Link
- [2018] Matt Suiche (@msuiche). LiveCloudKd. Link
- [2019] Alex Ionescu (@aionescu). Hdk - Hyper-V development kit (unofficial). Link
- [2019] Axel Souchet (@0vercl0k). Pywinhv. Python binding for the Microsoft Hypervisor Platform APIs. Link
- [2019] Behrooz Abbassi (@BehroozAbbassi)
  - ia32_msr_decoder.py. Link
  - IA32_VMX_Helper.py. Link
- [2020] (@commial). Configure Qemu-KVM for debugging SecureKernel. Link
- [2020] Dmytro "Cr4sh" Oleksiuk (@d_olex). Hyper-V backdoor, which allows inspecting Secure Kernel and running 3rd-party trustlets in the Isolated User Mode (a virtualization-based security feature of Windows 10). Link
- [2020] Matt Miller (@epakskape). WHVP API based NOP-generator. Link
- [2020] (@_xeroxz). Hyper-V Hacking Framework For Windows 10 x64 (AMD & Intel). Link
- [2021] (@Didu). Hyntrospect. This tool is a coverage-guided fuzzer targeting Hyper-V emulated devices (in the userland of the Hyper-V root partition). Link

Last edited by sh3dow; 05-30-2021 at 21:49. Reason: correct formatting