hvpp is a lightweight Intel x64/VT-x hypervisor written in C++ focused primarily on virtualization of already running operating system.
Although several open-source research hypervisors aimed at simplicity already exist, in my opinion this field is still somewhat unexplored and needs more open-source projects. This can especially help those who have just started exploring virtualization technologies and are looking for small/reference projects. If you're one of them, my bets are that you're really disappointed right now, because all you've got are barely dozen of (great!) projects and huge pile of Intel Manual pages.
C++ has been chosen as a language for this project because of two reasons:
Even though this project is primarily developed for Windows, I've decided to not use traditional Windows Driver naming
DrvCamelCase). Instead, traditional C++
snake_case is used. The reason is that hypervisor is very
"stand-alone" and doesn't depend on many OS functions. Therefore I decided to treat it as a regular C++ project.
If you want to challenge yourself in low-level programming, my advice would be to try and write a simple hypervisor. During the process you'll get invaluable knowledge and experience and you'll probably discover many new things. For instance here's a selection of some things I've learned thanks to writing this project:
KeIpiGenericCall- which can be used instead of undocumented
KeGenericCallDpc(but at the cost of higher IRQL)
mov cr3, <source>instructions in the guest)
Also - as obvious as it might sound - I'd like to point out that if you decide to write your own VT-x hypervisor, you'll NEED Intel® 64 and IA-32 architectures software developer’s manual combined volumes: 1, 2A, 2B, 2C, 2D, 3A, 3B, 3C, 3D, and 4. So download the PDF - together with Adobe Acrobat Reader - because trust me, you don't want to read and navigate through 5000 pages with browser's built-in PDF reader.
VMCALLinstruction (used for termination of hvpp)
INVVPIDinstructions raise #UD (invalid opcode exception)
ExAllocatePoolWithTag). But in VM-exit handler, interrupts are disabled and your IRQL is effectively HIGH_LEVEL.
CPUIDinstruction interception, hiding hooks in user-mode applications via EPT and communication with hvpp via
Note: hvpp is compiled as a static library, which is linked with the hvppdrv project.
vmexit_handlerinstance to each VCPU
vmexit_handler::setup()is called, which allows anyone to initialize the VM-exit handler and/or modify the VMCS before the launch (see
vmexit_custom_handler::setup()in hvppdrv, vmexit_custom.cpp)
vmexit_handler::teardown()is called and switches into VMX mode (
vmexit_passthrough_handler::teardown()does it by
vcpu_t::vmx_leave()is called - it leaves VMX mode with
Compile hvpp using Visual Studio 2017. Solution file is included. The only required dependency is WDK.
You can run hvpp on Windows 7 or higher. Windows 10 is recommended though, because it supports TraceLogging.
Enable Test-Signing boot configuration option (note that you'll need administrative privileges to use
bcdedit /set testsigning on
Register driver with Service Control Manager (yes, it's important to leave these spaces):
sc create hvpp type= kernel binPath= "C:\full\path\to\hvppdrv.sys"
Now you should restart your computer for testsigning to take effect, otherwise you'll be unable to start the driver.
But before you do, you might want to prepare DebugView from SysInternals and
traceview.exe tool from the WDK (note that
traceview will work properly only on Windows 10).
After restart, launch
File -> Create New Log Session, click on
Manually Entered Control GUID or Hashed Name
916fcd3e-673b-4610-aaba-0b71e28acd40(arbitrarily chosen, see lib/win32/tracelog.cpp)
Source Of WPP Format Informationset to
Next, which will bring you to
Log Session Optionsdialog
Log Session Nameeditbox you can give this logging session any name you like, e.g.
HvppSessionor you can leave it as it is
Log Trace Event Data To File, which saves whole logging session into an
TraceView is now set-up and ready to show tracelogs from hvpp. You can launch hvpp
sc start hvpp
hvpp now performs various checks and enters VMX mode if they pass. In case of success you should see message
hvpp started in the
CPUID instruction with
EAX = 0x70707668 ('hvpp') which hvpp should intercept and return
hello from hvpp in EAX, EBX, ECX and EDX registers (see vmexit_custom.cpp).
hvppctrl should print this string.
hvppctrl tries to "stealthily" hook
ntdll!ZwClose function using EPT. The exact process is described
hvppctrl performs IOCTL, which should instruct hvpp to set one-time breakpoint when
manipulating with port
0x64 (keyboard) is executed.
ZwClosefunction in ntdll.dll
NULLparameter, this function call will most likely fail with some NTSTATUS error code, which it ignores)
HookCallCountand it's expected value (explained below)
ntdll!ZwClosefuction using Detours
jmpbeing first instruction)
HookCallCountand it's expected value - it should be 1 now, as the hooked function has been called for the first time now
RCX = 0xc1(arbitrarily chosen),
RDX = AddressOfReadPageand
R8 = AddressOfExecutePage- this instructs hvpp to hide the hook
HookCallCountwill be incremented again
HookCallCountand it's expected value - it should be 2
RCX = 0xc2(arbitrarily chosen) - this instructs hvpp to unhide the hook
jmpas a first instruction again
HookCallCountwill be incremented again
HookCallCountand it's expected value - it should be 3
HookCallCountshould not be incremented now
HookCallCountand it's expected value - it should be still 3
At the same time you should see tracelog messages in the
TraceView - they are generated on each
VMCALL and on each
When you decide you want to turn off the hvpp, just execute:
sc stop hvpp
This software is open-source under the MIT license. See the LICENSE.txt file in this repository.
Phrack #69: http://www.phrack.org/issues/69/15.html
NOVA Microhypervisor: https://awesomeopensource.com/project/udosteinberg/NOVA
If you find this project interesting, you can buy me a coffee
BTC 3GwZMNGvLCZMi7mjL8K6iyj6qGbhkVMNMF LTC MQn5YC7bZd4KSsaj8snSg4TetmdKDkeCYk