gbps / gbhv Goto Github PK

Simple x86-64 VT-x Hypervisor with EPT Hooking

License: Creative Commons Attribution 4.0 International

C 98.93% Assembly 0.81% PowerShell 0.26%

gbhv's Introduction

Gbhv - Simple x64 Hypervisor Framework

Gbhv is a simple, powerful 64-bit Windows-based VT-x Hypervisor proof of concept written as an exercise to help learn how to develop and work with Intel's VT-X hardware virtualization technology.

This project is based on the original Blue-Pill hypervisor technique which subverts a running bare-metal OS, turning it into a virtualized system at the mercy of the hypervisor. When running above another operating system, a hypervisor is able to fully compromise the integrity of the system by intercepting any privileged operations and memory accesses the OS performs. For example, Windows will attempt to verify the integrity of the system against tampering from rootkits using a built-in protection called PatchGuard. To show the power of hardware assisted hypervisor technology, Gbhv takes advantage of the features of VT-X to stealthily hide code modifications from PatchGuard. With this technique, Gbhv can hook or modify any function or data of the running operating system without ever triggering security or integrity protections, making it an incredibly powerful tool in security research of operating systems.

Example

Gbhv comes bundled with a precompiled driver ready to see in action (See release/). This driver provides a simple example of hooking the NtCreateFile API using EPT Shadow Hooking to block all usermode APIs which act on files that contain the substring 'test.txt'. The above image is an example of trying to create a file named test.txt, and the hypervisor intercepting and denying the process access. You will need to load it with the bundled OSRLOADER.EXE driver loader, or by using the sc command.

Introduction to Intel VT-X/VMX

Intel's hardware assisted virtualization technology (originally Vanderpool, later renamed VT-X/VMX) is a set of processor features which add support for virtualized operating systems without the use of emulation. In the typical ring protection design of an x86 processor running a modern operating system, there are two main rings of operation: The high privilege kernel-mode ring (Ring 0) and low privilege user-mode ring (Ring 3). Any code running in a higher ring has full privileged access to the code and data of rings below it. In old, non-hardware assisted virtualization, Virtual Machine Monitors (VMM) would execute at Ring 0 and attempt to intercept certain privileged actions using very slow binary translation mechanisms. With the invention of VT-X, a new mode of operation was introduced in hardware to provide the VMMs with a more privileged position over the guest operating systems that it manages. This new processor mode is named VMX Root Mode, and it executes at a mode more privileged than Ring 0, sometimes informally known as "Ring -1". In this higher privileged mode, the hypervisor uses its privilege to isolate memory and devices of multiple running operating systems into separate containerized environments while still achieving close to native processor execution speeds.

The central mechanism by which the processor enters and exits VMX Root Mode is through context switches known as "VM Exits" and "VM Resumes". When a guest operating system performs a privileged operation that the VMM has been configured to intercept, the processor saves its current state and performs a VM Exit where it "exits" out of the guest operating system and into Root Mode. From the exit handler, the hypervisor can perform operations in its high privilege mode to handle the exit condition, and then "resume" back into the guest by restoring the processor context and continuing execution, returning the system back down to its original privilege level. This kind of processor switch will feel familiar for those who have a solid understanding of how interrupts are serviced in modern operating systems.

Not long after the release of VMX came a new feature called Extended Page Tables which significantly increased the functional power of hypervisors over the operating system. With EPT, hypervisors gained the ability to "virtualize" physical memory regions using a very similar kind of multilevel page tables that operating systems use to manage virtual memory. This allows a hypervisor to define and set memory protections for regions of memory at the physical memory level without any ability to interact from the guest operating system. In addition, EPT has a special ability to create "Execute-only" pages, or pages which can not be read or written to but can only be executed on the processor. This feature gave rise to a new kind of hooking mechanism, where a stealthy VMM can intercept attempts to execute a page and swaps in a modified page with new code. If something tries to verify the contents by reading to the code page, the VMM recieves a VM Exit due to the processor trying to read from an "Execute-only" page. This allows the VMM to quickly swap in a "clean" version of the page, making the reader believe that no code modification has taken place. This power over the underlying physical memory gives hypervisors total control of the code and data of the currently executing operating system.

How Gbhv utilizes VMX

A particularly useful part of VMX operation is that, at its core, it is just a higher privileged processor mode. There is no requirement that this mode be used for executing a new operating system, considering the feature's original motivation. In Gbhv, the processor enters into VMX mode, but instead of configuring VMX to boot additional operating systems, the virtual processor is instead setup with a full contextual copy of the current bare-metal operating system. When the VMM resumes for the first time, it does not enter into a new operating system, but it instead enters into the original bare-metal system. In this way, the operating system is actually hosting a driver which periodically executes at a higher privilege than the operating system itself. While this seems complicated, it is in fact easier to implement this kind of slim hypervisor than it is to implement a fully functional hypervisor capable of booting into a new system.

While the code is structured in such a way to support an operating system agnostic hypervisor in the future, Gbhv is currently setup to only support modern versions of Windows 7+. The project is compiled as a Windows driver and loaded as an unsigned driver from Test Mode or by using a DSE bypass technique.

Motivation for Gbhv

To learn more in-depth about VT-X, one is almost required to read the lengthy sections on virtualization in the Intel Software Development Manual. While the ideas behind the technology is fairly straightforward, the implementation of a hypervisor using VMX is nothing of a trivial first time task. To truly enjoy the power of a hardware assisted hypervisor, one must configure a vast number of execution controls, special processor registers, and EPT structures to create the exact virtual environment necessary to continue stable operating system execution. Due to the complexity of the initial setup of a hypervisor, it often makes sense for hobbyists and researchers to rely on a simple "core" hypervisor to build functionality off of.

There are some fantastic open source hypervisor projects available to build off of in the last few years, ranging from very simple to very complex, and with varying levels of support and code quality. I urge anyone interested in this field to check out those other projects and read their code in addition to my project. The intent of Gbhv is to provide a high standard of code quality and "hackability", while also documenting and educating the user on why I made the choices I did on this project. It does not attempt to hide itself in any way from a determined kernel driver scanning for rogue hypervisors.

My hope is that the users of this project will not need to treat the core hypervisor code as a "black box", but instead will be able to investigate and learn about its internals and feel confident in modifying the core code to achieve their project goals. I also hope that the users of this project will learn just as much about the deep internals of x86 architecture as I did while developing it.

Design and Features of Gbhv

Gbhv is a fully functional blue-pill hypervisor for Windows, with the core features designed to aid in security research.

Free and Open-Source - Gbhv is licensed under the Creative Commons Attribution 4.0 license, which gives you full freedom to use and modify the code as you please as long as you give appropriate credit.
Designed for Education - The codebase follows a fairly strict, readable code style based on the NT code style. Comments and documentation are exhaustive and are designed teach the reader and help them to understanding the choices made.
Simple and Fast - In terms of size, Gbhv is significantly smaller than most hypervisors, and has a very minimal number of exits from the guest. It is designed to be a framework to extend from, and bloat is intentionally.
Clean and organized - Source files are organized based on general 'subsystems' of the hypervisor, and the naming scheme takes on a similar style to the Windows kernel in that the name also describes the 'subsystem' that the function is a a part of. Gbhv takes full advantage of the awesome ia32-doc project by wbenny which turns tedious bit flipping into C structures for maximum readability, and also provides a consistent naming scheme for various numerical constants used by the x86 architecture.
Full EPT Support (Hooking) - Unlike some other slim hypervisors, Gbhv comes complete with support for EPT hacking and a built-in clean and simple function hooking interface perfect for security research.
64-bit only - This is a design choice that results in an all-around cleaner codebase. Supporting legacy 32-bit systems is often of little gain to researchers.
Intel VMX only - This hypervisor does not support AMD chips, or their virtualization technology AMD-V. As of now, VMX has the best hobbyist support in the community, and also has very strong documentation from Intel. Gbhv will run on any modern desktop or server processor based on or after Intel's Nehalem series (1st generation Core i5/i7, released 2008). The vast majority of desktop/server chips used by Intel machines today are currently supported.
Windows 10 (v. 2004) Ready - Gbhv supports all versions of Windows 7 to Windows 10 2004. There are a number of fantastic open-source hypervisor projects that are based around the Linux ecosystem. Due to the growing use of hypervisors as a security product, there is also a growing need for vast Windows support. Gbhv is currently Windows-only, but the codebase is designed to be operating system agnostic, with potential plans to introduce Linux and/or UEFI support.

Codebase Layout

One of the central goals of Gbhv is to be clean and organized. Each source file is organized based on what feature it contributes to the total hypervisor.

vmm.c - The core of the Virtual Machine Manager. All entry and exit points from the driver or processor in various modes will go through here. Most of the very initial startup code for each processor is found here, except code used in configuring the VMCS found in vmcs.c.
vmcs.c - Code which sets up the Virtual Machine Control Structure (VMCS) for beginning VMX operation. Most of the complexity of the setup code takes place in the endless structure setup here.
vmx.c - Contains the code relevant only to VMX operation. Separated to eventually support AMD-V.
vmxdefs.asm - Contains important assembly routines relevant only to handling very low level parts of hypervisor operation, such as saving/restoring register contexts and entering/exiting certain processor modes.
arch.c - Contains code that queries and converts certain architectural values of x86. Some inline assembly is used to implement these found in archdefs.asm.
os.h - Implements mostly memory allocation features that rely on the underlying operating system that the VMM is running on. In this case, because Windows is currently the only supported OS, the OS features are implemented in os_nt.c.
os_nt.c - Implements the definitions of os.h using Windows kernel function calls. For example, general purpose memory is allocated using the ExAllocatePoolWithTag function from the Windows kernel.
entry.c - The entry-point of the Windows driver. Passes off to vmm.c.
util.c - Utility functions, including logging features. Currently, Gbhv uses Win32 Debug Logging to print out logs about operation. When combined with DebugView++, you can sort and color these logs for easier reading.
exit.c - Implements the core of the vmexit handler code. When the guest OS is about to perform an operation or encounters and error that the processor has been configured to intercept, the hypervisor will handle the exit using the functions present here. If the exit handler is fairly large, such as the case for EPT exits, the handler will pass off execution to that subsystem for further handling.
ept.c - Code for setting up EPT page tables for each processor, as well as features to support for stealthy EPT Hooking of kernel code. Memory on the system is mapped by default to 2MB Large Pages but supports splitting to smaller 4096 byte pages on demand.

Utilized Libraries

There are a few open-source libraries used by Gbhv.

ia32-doc - Awesome project which pulls constants and structure information from the Intel manual into a usable C format. The result is that Gbhv removes a huge amount of bit-flipping typically required to interact with the processor. In addition, all constants and structures used are automatically documented and link directly to the manual which describes them.

phnt - The ProcessHacker NT Library, a set of NT API header files maintained for interfacing with the Windows Kernel. This project significantly reduces the usage of the official Windows Driver Development Kit, which has been known to be very inconsistent between versions and lacks features which Microsoft deems 'unsupported' but are still very useful to us.

LDE64 - A very lightweight length disassembler for x86-64 which is used by the EPT hooking code to build inline code hooks into shadow memory.

References

The hypervisor development community has been growing significantly in the last few years, and there's a lot of really awesome projects, some which were used to help design and implement Gbhv.

SimpleVisor (by ionescu007) - A simple, portable, Intel x64/EM64T VT-x specific hypervisor which inspired quite a few design decisions for Gbhv.

ksm (by asamy) - A really simple and lightweight x64 hypervisor written in C for Intel processors.

Phrack Vol. 69: A hypervisor for rootkits (by uty and saman) - The basis for EPT hooking methodology

Intel Software Development Manual 3C - The godbook of Intel's desktop chips. Absolutely invaluable to developing and working with x86 architecture and VT-X.

License

Gbhv is free and open-source, licensed under the Creative Commons 4.0 Attribution International license which grants full permission to copy, modify, derive, distribute, and commercialize any portion of the code as long as reasonable credit is given. See license terms for details.

Greetz

Greetz to daax, drew, and zbe for the all the help and motivation to start and finish this project.

Shoutout to everyone from the Reverse Engineering Discord.

This project was originally developed as a semester-long project sponsored by Carnegie Mellon University.

gbhv's People

Contributors

Stargazers

Watchers

Forkers

killvxk explife0011 y11en fcccode whathhh-d kernullist yang-zhiyuan porpoise-trend jack51706 moesaif orf53975 fengjixuchui eipp4ssenger hymeca ackroute zhuhuibeishadiao matrixkung assqingt cssxn paud no-realm bryce-ebp haidragon dwendt yafty cydiakk morelli690 wyrover jamesmenetrey crackercat arryboom tzf-omkey 0xhellord hyglvy s405 ktim30 darkersquirrel lgromanowski moneytech ashr bobh233 bb33bb jojeev hnzik sheisback kt0511 cerebral-314 thehlopster longjohncoder jarlob fiappy 2217936322 hackflame arckicriss andrew2019github yuaom ltears fire-flying shhoya lilith2 kaisersoju qazxsw1597532018 wdnmd-rushb alehacksp masa-koz iomeone ghostnaix boa9448 cnguoyj pmarkive 000000000000000000000000000000000000005 cyshell kernal-gh darkhypervisor kungia09 xelentra1 usu0za testcc2c gamegrd ognz yangboyd zanywhale xorrsp ellen2015 lyingsimon hashem9 nsauzede ckwindowsproject steesha laicuacie anti-ghosts wangce888 dragon307 sxyhack songxuyao xjpch clayne mineo333 songbei6 f32by

gbhv's Issues

Checking MTTR Range

Is this correct way to check if a address is inside of a range?
https://github.com/Gbps/gbhv/blob/master/gbhv/ept.c#L142

if(AddressOfPage <= GlobalContext->MemoryRanges[CurrentMtrrRange].PhysicalEndAddress)
{
    if( (AddressOfPage + SIZE_2_MB - 1) >= GlobalContext->MemoryRanges[CurrentMtrrRange].PhysicalBaseAddress )

I think it should be following:

if((AddressOfPage + SIZE_2_MB - 1) <= GlobalContext->MemoryRanges[CurrentMtrrRange].PhysicalEndAddress)
{
    if( AddressOfPage >= GlobalContext->MemoryRanges[CurrentMtrrRange].PhysicalBaseAddress )

That's when a address inside of a range

syscall hook

Hello
I want to thank you for the driver, it's clean and works just fine without any modifications
My problem is that I can't hook functions that are not exported in kernel like NtGetContextThread
I managed to get it's address using this and place the hook successfully but there is a SYSTEM_SERVICE_EXCEPTION bsod.

Code:

NTSTATUS (*NtGetContextThreadOrig)(HANDLE ThreadHandle, PCONTEXT Context);

NTSTATUS NtGetContextThreadHook(HANDLE ThreadHandle, PCONTEXT Context)
{
    const NTSTATUS result = NtGetContextThreadOrig(ThreadHandle, Context);

    HvUtilLog("NtGetContextThreadHook called !");	

    return result;
}

BOOL HvEptLogicalProcessorInitialize(PVMM_PROCESSOR_CONTEXT ProcessorContext)
{
    ...

    PVOID NtGetContextThread = SyscallHookGetFunctionAddress(0x00ed, FALSE);

    if (NtGetContextThread)
    {
	    if (HvEptAddPageHook(ProcessorContext, NtGetContextThread, (PVOID)NtGetContextThreadHook, (PVOID*)&NtGetContextThreadOrig))
		    HvUtilLog("NtGetContextThread hooked");
    }

    return TRUE;
}

Dump:

Microsoft (R) Windows Debugger Version 10.0.19528.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.


************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 18362 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff803`4dc00000 PsLoadedModuleList = 0xfffff803`4e048170
Debug session time: Sun May 17 14:58:15.417 2020 (UTC + 4:30)
System Uptime: 0 days 0:13:47.093
Loading Kernel Symbols
...............................................................
................................................................
................................................................
..
Loading User Symbols
PEB is paged out (Peb.Ldr = 0000008f`f51ea018).  Type ".hh dbgerr001" for details
Loading unloaded module list
......
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff803`4ddc2390 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:ffff9906`67f74770=000000000000003b
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8034e226583, Address of the instruction which caused the bugcheck
Arg3: ffff990667f750a0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

Page 200 not present in the dump file. Type ".hh dbgerr004" for details

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 3

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on SHAHRIYAR

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 3

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 64

    Key  : Analysis.System
    Value: CreateObject


ADDITIONAL_XML: 1

BUGCHECK_CODE:  3b

BUGCHECK_P1: c0000005

BUGCHECK_P2: fffff8034e226583

BUGCHECK_P3: ffff990667f750a0

BUGCHECK_P4: 0

CONTEXT:  ffff990667f750a0 -- (.cxr 0xffff990667f750a0)
rax=0000000000000000 rbx=0000000000000550 rcx=ffffc2030f397080
rdx=ffffc203014c2c40 rsi=0000000000000501 rdi=0000000000000000
rip=fffff8034e226583 rsp=ffff990667f75a90 rbp=000001b23b760080
 r8=ffff840134062001  r9=fffff8034dc00000 r10=0000fffff8034e00
r11=ffff840133e2b040 r12=0000000000000001 r13=000001b23b760080
r14=00000000000004d0 r15=00000000000009a0
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
nt!NtGetContextThread+0x53:
fffff803`4e226583 f7437400040000  test    dword ptr [rbx+74h],400h ds:002b:00000000`000005c4=????????
Resetting default scope

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  svchost.exe

STACK_TEXT:  
ffff9906`67f75a90 fffff803`4eb21fd4 : ffffc203`0f397080 ffff9906`67f75b80 00000000`00000550 00000000`00000550 : nt!NtGetContextThread+0x53
ffff9906`67f75ad0 fffff803`4ddd3c18 : 00000000`0000503a ffff9906`67f75b80 00000000`dc0019ff ffffc203`0801d860 : gbhv!NtGetContextThreadHook+0xc [E:\D Drive\Projects\gbhv\gbhv\ept.c @ 441] 
ffff9906`67f75b00 00007fff`866fde04 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
0000008f`f577e4b8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`866fde04


CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
    fffff8034e170799-fffff8034e17079a  2 bytes - nt!_guard_check_icall_fptr+1
	[ 60 d7:ae dc ]
    fffff8034e1707a0-fffff8034e1707a2  3 bytes - nt!_guard_dispatch_icall_fptr (+0x07)
	[ 40 e6 db:60 ae dc ]
    fffff8034e226527-fffff8034e226529  3 bytes - nt!RtlpValidRelativeAttribute+ff
	[ cc cc cc:57 65 22 ]
Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    fffff8034e226532-fffff8034e226536  5 bytes - nt!NtGetContextThread+2 (+0x0b)
	[ dc 49 89 5b 08:00 00 00 00 00 ]
13 errors : !nt (fffff8034e170799-fffff8034e226536)

MODULE_NAME: memory_corruption

IMAGE_NAME:  memory_corruption

MEMORY_CORRUPTOR:  LARGE

STACK_COMMAND:  .cxr 0xffff990667f750a0 ; kb

FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_LARGE

OS_VERSION:  10.0.18362.1

BUILDLAB_STR:  19h1_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {e29154ac-69a4-0eb8-172a-a860f73c0a3c}

Followup:     memory_corruption
---------

bsod

i am got a bsod 0x139 on win10 1809 when unload driver ,and bsod page fult on win7 when load driver ,tested on with my notebook cpu intel i3.

Instant bluescreen without driver unload

Blue screen as soon as loaded, both virtualized and non virtualized environments:
Windows 1703/1803/1809.

[] --------------------------------------------------------------[] HvInitializeAllProcessors: Starting.[] Total Processor Count: 2[DEBUG] OffsetIntoPage: 0x750[DEBUG] Number of bytes of instruction mem: 14[DEBUG] Trampoline: 0xffffdb0d90303ea0[DEBUG] HookFunction: 0xfffff8041c352c20[] HvInitializeLogicalProcessor[#0]: Allocated Context [Context = 0xffffdb0d96d26000][DEBUG] OffsetIntoPage: 0x750[DEBUG] Number of bytes of instruction mem: 14[DEBUG] Trampoline: 0xffffdb0d90303ee0[DEBUG] HookFunction: 0xfffff8041c352c20[] HvInitializeLogicalProcessor[#1]: Allocated Context [Context = 0xffffdb0d96d38000][] VmcsRevisionNumber: 1[DEBUG] Processor does not support AdvancedVmexitEptViolationsInformation![+] HvEptCheckFeatures: All EPT features present.[DEBUG] EPT: Number of dynamic ranges: 8[DEBUG] MTRR Range: Base=0x0 End=0x7FFFFFFF Type=0x6[DEBUG] Total MTRR Ranges Committed: 0[DEBUG] VmxOnRegion[#0]: (V) 0xffffb9807c6d9000 / (P) 0x7ffb3000 [1][DEBUG] VmxOnRegion[#1]: (V) 0xffffb9807c6e8000 / (P) 0x7ff96000 [1][DEBUG] HvSetupVmcsControlFields: VmError = 0[DEBUG] GdtRegister: 0xffff8d85540b5460, Base: 0xfffff8041ac5afb0, Limit: 0x57[DEBUG] HvSetupVmcsControlFields: VmError = 0[DEBUG] GdtRegister: 0xffff8d85518309f0, Base: 0xffffb9807ba14fb0, Limit: 0x57[DEBUG] VmxLaunchProcessor: VMLAUNCH....[DEBUG] VmxLaunchProcessor: VMLAUNCH....[+] HvInitializeAllProcessors: Success.Break instruction exception - code 80000003 (first chance)
gbhv!HvExitHandleUnknownExit+0xe:
fffff804`1c35314e cc int 3
1: kd> g
[!] Unknown exit reason! An exit was made but no handler was configured to handle it. Reason: 0x1FKDTARGET

I looked at the exit code: #define VMX_EXIT_REASON_EXECUTE_RDMSR 0x0000001F

It's unimplemented, although I was looking at some of the links on your page and I think Daax talked about it here:

https://revers.engineering/day-5-vmexits-interrupts-cpuid-emulation/

So i'm guessing it needs to be implemented? I figured the demo would work without bluescreening.. until you unload.. when you unload it would bluescreen.

HvEptAddPageHook failing

This is an issue that I've experienced every time I load the hypervisor. I'm using 'dsefix' to disable driver signature enforcement, and using the Windows 'sc' service manager to start the driver. @autisticlittleguy mentioned that he had the same problem in issue #2 .

I've added some more debug prints and found out that the failure in HvEptGetPml1Entry lies here:

if(!PML1) { HvUtilLogError("HvEptGetPml1Entry: !PML1\n"); return NULL; }

This seems to indicate that the OsPhysicalToVirtual function is failing for some reason. I haven't made any other modifications to the source besides adding debug prints.

BUG HvEptHookWriteAbsoluteJump

In ept.c

/* Write an absolute x64 jump to an arbitrary address to a buffer. */
VOID HvEptHookWriteAbsoluteJump(PCHAR TargetBuffer, SIZE_T TargetAddress)
{

/* mov r11, Target */
TargetBuffer[0] = 0x49;
TargetBuffer[1] = 0xBB;

/* Target */
*((PSIZE_T)&TargetBuffer[2]) = TargetAddress;

/* push r11 */
TargetBuffer[10] = 0x41;
TargetBuffer[11] = 0x53;

/* ret */
TargetBuffer[12] = 0xC3;

}

r11 is usually used to save rsp at the beginning of the function.
win7 x64 NtCreateFile:
PAGE:000000014037EE5C 4C 8B DC....................................mov r11, rsp
PAGE:000000014037EE5F 48 81 EC 88 00 00 00.............sub rsp, 88h
PAGE:000000014037EE66 33 C0............................................xor eax, eax
PAGE:000000014037EE68 49 89 43 F0............................... mov [r11-10h], rax;<--------first 16 bytes

PAGE:000000014037EE6C C7 44 24 70 20 00 00 00......mov [rsp+88h+var_18], 20h
PAGE:000000014037EE74 89 44 24 68................................mov dword ptr [rsp+88h+var_20], eax
PAGE:000000014037EE78 49 89 43 D8...............................mov [r11-28h], rax;<---------use r11,BSOD
PAGE:000000014037EE7C 89 44 24 58...............................mov [rsp+88h+var_30], eax

VOID HvEptHookWriteAbsoluteJump(PCHAR TargetBuffer, SIZE_T TargetAddress)
{

/**
 *   Use 'push ret' instead of 'jmp qword[rip+0]',
 *   Because 'jmp qword[rip+0]' will read hooked page 8bytes.
 *
 *   14 bytes hook:
 *   0x68 0x12345678 ......................push 'low 32bit of TargetAddress'
 *   0xC7 0x44 0x24 0x04 0x12345678........mov dword[rsp + 4], 'high 32bit of TargetAddress'
 *   0xC3..................................ret
 */

UINT32  Low32;
UINT32  High32;

Low32 = (UINT32)TargetAddress;
High32 = (UINT32)(TargetAddress >> 32);

/* push 'low 32bit of TargetAddress' */
TargetBuffer[0] = 0x68;
*((UINT32*)&TargetBuffer[1]) = Low32;

/* mov dword[rsp + 4], 'high 32bit of TargetAddress' */
*((UINT32*)&TargetBuffer[5]) = 0x042444C7;
*((UINT32*)&TargetBuffer[9]) = High32;

/* ret */
TargetBuffer[13] = 0xC3;

}

BOOL HvEptHookInstructionMemory(PVMM_EPT_PAGE_HOOK Hook, PVOID TargetFunction, PVOID HookFunction, PVOID* OrigFunction)
{
replace 13 to 14
}

Guest freezed on Virtualbox after successful vmlaunch

Hi, has you managed to successfully run a vt-x hypervisor project on Virtualbox, I have tried this project and https://github.com/tandasat/HyperPlatform without success.

My latest progress is making vmlaunch successful and DriverEntry returns STATUS_SUCCESS, but windbg(on host) shows busy and vm keep freezed. Any advice on how to troubleshoot this? Thanks.

Host machine: win10 x64 (physical)
CPU: Intel I7 10700
Virtualbox: 7.0.8 (on win10)
VM: Win7 x64 (in virtualbox)

Wrong loop logic when using LDE

Inside ept.c, when counting the number of instruction bytes at the start of the hooked function, the instruction pointer is not incremented - this results in counting the length of the same instruction over and over again.

SizeOfHookedInstructions += LDE(TargetFunction, 64))

should be changed to something like:

SizeOfHookedInstructions += LDE(TargetFunction + SizeOfHookedInstructions, 64))

Shadowing of pages on different cr3s

I've been messing around with gbhv for a while (amazing project, adding features was a breeze with such a simple yet consistent and robust code base), and i've been trying to implement ept hooks that are process specific after implementing capstone as a disassembler, yet i'm not having that much success with it. As far as i understand, i need to save the cr3 and restore it on ept violation and switch the page to whatever has the correct access rights (x or rw), though i'm having trouble implementing this myself. Has anyone tried to do this yet? Sorry for the edits, but i pressed enter by mistake after writing out the title.

Build process fails on latest VS2019 with latest WDK

Build process fails with the following errors on VS2019 with Windows SDK 10.0.194.041.0:

1>C:\Users\jj\Documents\Coding\gbhv-master\gbhv\gbhv.inf : error 1297: Device driver does not install on any devices, use primitive driver if this is intended.

1>C:\Users\jj\Documents\Coding\gbhv-master\gbhv\gbhv.inf(5-5): warning 1324: [Version] section should specify PnpLockdown=1

WHEA_UNCORRECTABLE_ERROR (124)

Version 10.0.17763.168 WHEA_UNCORRECTABLE_ERROR (124)

Ten minutes after installation

project still active?

Hello,

I have an idea where this type of HV might really be useful but am wondering if it is still active before diving in more?

Thanks

Exit Handler issues

Hi I've been playing around with gbhv as part of getting into hypervisor research I'd like to appreciate the project it's well made and it pretty simplistic which helps my learning curve by a lot

I have a question I'm trying to extend its compatibility with a manual mapper and I know that it should work since there's isn't much SEH

However, as soon as I remove the driver unload routine I've had to implement more VM exit handlers for MSR R/W

the handlers are implemented correctly but then I'm getting an exception when restoring CR4 for disabling Virtual Machine Extensions

Unhandled exits on MSR read/write (Windows 10 1903)

Hey, I'm having some trouble getting the hypervisor to run correctly on both virtualized and non-virtualized environments.

Both of the test environments are running Windows 10 Pro, build 1903.
I wanted to test other builds to see if the issue persists, however, the source doesn't seem to mess with undocumented OS internals and there's already been another issue opened (but closed later on) describing the same issue I'm experiencing.

Now, the HvExitHandleUnknownExit function is invoked multiple times by the VM exit handler and it receives exit codes 0x1F and 0x20, which are, as far as I'm aware, exits for MSR read/write.

What makes this interesting to me is that the MSR bitmap is both cleared and set before the CPU is subverted (https://github.com/Gbps/gbhv/blob/master/gbhv/vmcs.c#L515-L527), so I'm not sure what could be causing the exits...

I'm not too experienced with VT-x, I've never implemented a type 1 hypervisor by myself, but I've covered most of the basics/theory in SDM volume 3, so pardon if my lack of experience is the cause of the issue :)

EDIT: I haven't modified anything, I'm running it on clean Windows 10 installs and the hypervisor is compiled straight from the repo, no modifications...

High CPU usage

Hey, as soon as i load the hypervisor my system lags out completely and stays at 100% usage caused by System and System interrupts. it takes like 20 seconds to load up task manager. no bluescreens and the Createfile hook works fine, the system is just kinda unusable. im on a i7 7700hq, 1809 fully updated windows.
any idea what could cause it?

im not sure if thats the cause of my problem but are you intentionally saving r14 twice, and dont save r12 in https://github.com/Gbps/gbhv/blob/master/gbhv/archdefs.asm#L39

comparing it to the mentioned ntoskrnl.RtlCaptureContext also shows that there might be a mistake:

Support for more that 64 Cores?

Washing machine be like: 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃 👕🔃👖🔃

BSOD - SYSTEM THREAD EXCEPTION NOT HANDLED

hello, I very new to hypervisor and been using gbhv to learn more about hypervisors, I been wanting to do all my tests on my proxmox system (Xeon CPU X567) that using kvm. The VM is running windows 2004 and as the driver load, I get an BSOD - SYSTEM THREAD EXCEPTION NOT HANDLED & I also get PAGE FAULT IN NONPAGED AREA. i dont know if it the proxmox not working with this driver. any information will be helpful!

can fix unload drv?

kernel security check failure

thank you!The code is very good!

thank you!The code is very good!,but there's a bug in this HvEptHookInstructionMemory !

//fix bug: fix SizeOfHookedInstructions error!
PVOID Tmp_TargetFunction = TargetFunction;

for (SizeOfHookedInstructions = LDE(Tmp_TargetFunction, 64);
	SizeOfHookedInstructions < MaxSizeOfTrampoline;
	SizeOfHookedInstructions += LDE(Tmp_TargetFunction, 64))
{
	HvUtilLogDebug("LDE Size Code of : %d\n", SizeOfHookedInstructions);
	(INT64)Tmp_TargetFunction = (INT64)Tmp_TargetFunction + LDE(Tmp_TargetFunction, 64);
}

I hope you can update the compatibility of the code in the latest CPU，thank you！

VMLaunch hangs when enabling rdtsc exiting

When I enable rdtsc exiting within the primary processor controls of the VMCS, my entire system hangs (tested on both VM & baremetal).

I have tried using a fresh download of gbhv to rule out any of my changes to the project.
I have created a handler for rdtsc exiting, which never gets triggered. In fact, no exits occur overall. (So vmlaunch is definitely hanging/erroring??)
I have tried installing a debug break directly before the vmlaunch and tracing the vmlaunch, however my entire system hangs and WinDbg cannot trace through the vmlaunch.
I have downloaded a separate hypervisor (HyperPlatform) and enabled rdtsc exiting, which worked as intended

I am guessing that there is some conflict within the VMCS with rdtsc exiting and some other control, but I have read through the Intel SDM and looked for all references of the rdtsc exiting field, and there seems to be no information on control conflicts or requirements for rdtsc exiting other than that rdtsc offsetting must be disabled (which it is).

I have hit my experience cap when it comes to hypervisor development, and I am searching for further assistance. Thanks.

Unload Cause BSOD

Question:
when i stop gbhv. it call DriverUnload, some times Event exits hanppen. then bsod.

information:
BSOD before:
windbg print:
Unknown exit reason! An exit was made but no handler was configured to handle it. Reason: 0x20()+0x39:(VMX_EXIT_REASON_EXECUTE_WRMSR )
fffff800`a98925f9 488b442438 mov rax,qword ptr [rsp+38h]

!analyze -v

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000096, The exception code that was not handled
Arg2: fffff800a98913ec, The address that the exception occurred at
Arg3: ffffd000e8f9f508, Exception Record Address
Arg4: ffffd000e8f9ed20, Context Record Address

FOLLOWUP_IP:
gbhv!ArchDisableVmxe+2c [e:\gbhv-master\gbhv\arch.c @ 100]
fffff800`a98913ec 0f22e0 mov cr4,rax

Windbg code location:

FAULTING_SOURCE_CODE:
96: // Enable the bit
97: Register.VmxEnable = 0;
98:
99: // Write it back to cr4

100: __writecr4(Register.Flags);
101: }
102:

Hope
How to locate this problem. Can you provide some ideas?

AMD-V support

Could this be added?

Windows > 1809 support

Can you point me in the right direction as to what offsets or structs need to be updated for Windows versions later than 1809? I'm currently on Windows 10 2004, and the hypervisor loads without issue, but certain features don't work, such as the HvEptAddPageHook function. The example NtCreateFile hook errors with this message: HvEptAddPageHook: Failed to get PML1 entry for target address.

How to hook cpuid ?

How to hook cpuid ? any way

Release version not found