hypervisor-from-scratch's Introduction



Hypervisor From Scratch

A tutorial on creating a hypervisor from scratch

If you're looking to use a hypervisor for analysis and reverse engineering tasks, check out HyperDbg Debugger. It's a hypervisor-based debugger designed specifically for analyzing, fuzzing, and reversing applications.

Notice: The Hypervisor From Scratch tutorial was completely revised in August 2022. The code for all parts has been updated, unnecessary details have been removed, and new explanations and materials have been added to the tutorial.

Hypervisor From Scratch

Source code for a multi-part series of tutorials on building a hypervisor.

Available at: https://rayanfam.com/tutorials

Part 1 - Basic Concepts & Configure Testing Environment (https://rayanfam.com/topics/hypervisor-from-scratch-part-1)

Part 2 - Entering VMX Operation (https://rayanfam.com/topics/hypervisor-from-scratch-part-2)

Part 3 - Setting up Our First Virtual Machine (https://rayanfam.com/topics/hypervisor-from-scratch-part-3)

Part 4 - Address Translation Using Extended Page Table (EPT) (https://rayanfam.com/topics/hypervisor-from-scratch-part-4)

Part 5 - Setting up VMCS & Running Guest Code (https://rayanfam.com/topics/hypervisor-from-scratch-part-5)

Part 6 - Virtualizing An Already Running System (https://rayanfam.com/topics/hypervisor-from-scratch-part-6)

Part 7 - Using EPT & Page-Level Monitoring Features (https://rayanfam.com/topics/hypervisor-from-scratch-part-7)

Part 8 - How To Do Magic With Hypervisor! (https://rayanfam.com/topics/hypervisor-from-scratch-part-8)

Note

Note: please keep in mind that hypervisors change over time as operating systems add new features or adopt new technologies. For example, the Meltdown and Spectre mitigations required many changes to hypervisors. If you want to use Hypervisor From Scratch in your projects, research, or anything else, use the driver from the latest parts of this tutorial series: the tutorial is actively updated and changes are applied only to the newer parts (earlier parts are left untouched), so you might encounter errors and instability in the earlier parts. Make sure to use the latest parts in real-world projects.

Compile & Install

In order to compile this project, you have to use the Windows Driver Kit (WDK): first install Visual Studio, then install the WDK. After that, you can compile it.

Environment

All the drivers are tested on both physical machines and VMware Workstation's nested virtualization. From part 8 on, Hyper-V support is added, which means that you can test part 8 and newer parts on a physical machine, on VMware Workstation's nested virtualization, and on Hyper-V's nested virtualization.

Other Articles & Projects

If you want to know more about hypervisors, you can visit the awesome virtualization repo.

Credits

This series is written by:

Special Thanks to these guys for their help and contributions:

License

Hypervisor From Scratch is licensed under an MIT license.

hypervisor-from-scratch's People

Contributors

kiwids0220, mrexodia, simaarasteh, sinakarvandi, takahiroharuyama

hypervisor-from-scratch's Issues

Hyper-V and EPT

If I comment out the test code in Part 8

//////////// test //////////// 
//HiddenHooksTest();
//SyscallHookTest();
////////////////////////////// 

I get a PAGE_FAULT_IN_NONPAGED_AREA on Hyper-V (no problem on VMWare).
Same with Part7. I can't figure out why. What's the problem with Hyper-V?

ProtectedMode.c doesn't seem

C1083 Cannot open source file: 'ProtectedMode.c': No such file or directory
This file doesn't seem to be in the project.

Unable to open anything after running part8

I'm able to successfully run part 8, and everything appears to be working fine until I go to open any application. For example, Firefox never successfully runs and throws an error while the hypervisor is active, and the same goes for pretty much everything else, but occasionally I'm able to open something simple like the Snipping Tool, so I'm not sure where to go with this?

I tested it on VMware 17 and on bare metal, resulting in the same behavior, and the OS I was testing it on is Windows 11 Pro 23H2 build 22631.2506 (VBS disabled).

Here is the error message that occurs:
[screenshot attached to the original issue: Screenshot 2023-11-10 081113]

EDIT: If my hardware has any relevance here you go:
CPU: i9-10900k (Comet Lake)
MB: ASUS ROG Z490-E (BIOS/UEFI version 2701)

Wrong Symbolic Name used in DriverUnload

In DriverUnload routine:

RtlInitUnicodeString(&usDosDeviceName, L"\\Device\\MyHypervisorDevice");

should be

RtlInitUnicodeString(&usDosDeviceName, L"\\DosDevices\\MyHypervisorDevice");

[BSOD] CRITICAL_STRUCTURE_CORRUPTION or DRIVER_IRQL_NOT_LESS_OR_EQUAL (part 5)

I'm able to execute the driver correctly but after a while (time varies from a few minutes to a few hours) I get one of these:

CRITICAL_STRUCTURE_CORRUPTION (109)

Arguments:
Arg1: a3a015666418d834, Reserved
Arg2: b3b721ecb69c3de8, Reserved
Arg3: fffff80269e64fb0, Failure type dependent information
Arg4: 0000000000000003, Type of corrupted region, can be
0 : A generic data region
1 : Modification of a function or .pdata
2 : A processor IDT
3 : A processor GDT
...

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 2687

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 3579

    Key  : Analysis.Init.CPU.mSec
    Value: 3687

    Key  : Analysis.Init.Elapsed.mSec
    Value: 98923

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 78

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1


BUGCHECK_CODE:  109

BUGCHECK_P1: a3a015666418d834

BUGCHECK_P2: b3b721ecb69c3de8

BUGCHECK_P3: fffff80269e64fb0

BUGCHECK_P4: 3

PROCESS_NAME:  System

STACK_TEXT:  
fffffb06`55f0d678 fffff802`64912b12     : fffffb06`55f0d7e0 fffff802`6477d200 00000000`00000100 00000000`00000000 : nt!DbgBreakPointWithStatus
fffffb06`55f0d680 fffff802`649120f6     : 00000000`00000003 fffffb06`55f0d7e0 fffff802`6480c0c0 00000000`00000109 : nt!KiBugCheckDebugBreak+0x12
fffffb06`55f0d6e0 fffff802`647f72b7     : 00000000`fffffb06 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KeBugCheck2+0x946
fffffb06`55f0ddf0 00000000`00000000     : 00000000`00000109 a3a01566`6418d834 b3b721ec`b69c3de8 fffff802`69e64fb0 : nt!KeBugCheckEx+0x107


SYMBOL_NAME:  ANALYSIS_INCONCLUSIVE

MODULE_NAME: Unknown_Module

IMAGE_NAME:  Unknown_Image

STACK_COMMAND:  .thread ; .cxr ; kb

FAILURE_BUCKET_ID:  0x109_3_ANALYSIS_INCONCLUSIVE!unknown_function

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: ffffc6086b831ff8, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: ffffb205fc11d87a, address which referenced memory

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 8452

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 193043

    Key  : Analysis.Init.CPU.mSec
    Value: 2077

    Key  : Analysis.Init.Elapsed.mSec
    Value: 6984915

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 61

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1


BUGCHECK_CODE:  d1

BUGCHECK_P1: ffffc6086b831ff8

BUGCHECK_P2: 2

BUGCHECK_P3: 1

BUGCHECK_P4: ffffb205fc11d87a

WRITE_ADDRESS:  ffffc6086b831ff8 

PROCESS_NAME:  System

TRAP_FRAME:  ffff9b0170745e40 -- (.trap 0xffff9b0170745e40)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000109
rdx=a39ff15e8ddf06d3 rsi=0000000000000000 rdi=0000000000000000
rip=ffffb205fc11d87a rsp=ffff9b0170745fd8 rbp=ffff9b0170746059
 r8=b3b6fde4e0615bcf  r9=fffff8005f064fb0 r10=ffffc6086b831ff8
r11=0000000000000002 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
ffffb205`fc11d87a 498902          mov     qword ptr [r10],rax ds:ffffc608`6b831ff8=????????????????
Resetting default scope

STACK_TEXT:  
ffff9b01`70745548 fffff800`59712b12     : ffff9b01`707456b0 fffff800`5957d200 00000000`00000000 00000000`00000000 : nt!DbgBreakPointWithStatus
ffff9b01`70745550 fffff800`597120f6     : 00000000`00000003 ffff9b01`707456b0 fffff800`5960c0c0 00000000`000000d1 : nt!KiBugCheckDebugBreak+0x12
ffff9b01`707455b0 fffff800`595f72b7     : 00000000`00000000 00000000`00000000 fffff800`5f064fb0 00000000`00000000 : nt!KeBugCheck2+0x946
ffff9b01`70745cc0 fffff800`59609169     : 00000000`0000000a ffffc608`6b831ff8 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx+0x107
ffff9b01`70745d00 fffff800`59605469     : 00000001`ffffffff fffffff6`00000000 ffff9b01`70746020 20726574`66612064 : nt!KiBugCheckDispatch+0x69
ffff9b01`70745e40 ffffb205`fc11d87a     : ffffb205`fc11d00a fffff800`592e3028 ffff9b01`70746fb0 fffff800`594a0927 : nt!KiPageFault+0x469
ffff9b01`70745fd8 ffffb205`fc11d00a     : fffff800`592e3028 ffff9b01`70746fb0 fffff800`594a0927 ffff9b01`70745a60 : 0xffffb205`fc11d87a
ffff9b01`70745fe0 fffff800`592e3028     : ffff9b01`70746fb0 fffff800`594a0927 ffff9b01`70745a60 00000000`00000003 : 0xffffb205`fc11d00a
ffff9b01`70745fe8 ffff9b01`70746fb0     : fffff800`594a0927 ffff9b01`70745a60 00000000`00000003 fffff800`595f71b0 : nt!setjmpexused <PERF> (nt+0xe3028)
ffff9b01`70745ff0 fffff800`594a0927     : ffff9b01`70745a60 00000000`00000003 fffff800`595f71b0 ffffc608`6b837c90 : 0xffff9b01`70746fb0
ffff9b01`70745ff8 4dd5d1ac`b84d7059     : 4dd5d1ac`baedd1ac 00000000`00000000 00000000`00000000 fffff800`59200000 : nt!MiFastLockLeafPageTable+0x357
ffff9b01`70746078 4dd5d1ac`baedd1ac     : 00000000`00000000 00000000`00000000 fffff800`59200000 ffff9b01`70746760 : 0x4dd5d1ac`b84d7059
ffff9b01`70746080 00000000`00000000     : 00000000`00000000 fffff800`59200000 ffff9b01`70746760 ffffc608`6b837428 : 0x4dd5d1ac`baedd1ac


SYMBOL_NAME:  nt!KiPageFault+469

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  469

FAILURE_BUCKET_ID:  AV_nt!KiPageFault

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

Win10-2004 on Hyper-V

HvGetSegmentDescriptor function

SegDesc = (PSEGMENT_DESCRIPTOR)((PUCHAR)GdtBase + (Selector & ~0x7));
Hi, I didn't understand this line. Should (Selector & ~0x7) be multiplied by 8? Because GdtBase is an unsigned char*, it's 8 bits; adding 1 means that the address is increased by 8 bits, and a segment descriptor is 64 bits.
If it's okay, how should this line of code be interpreted?
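The arithmetic behind the line quoted in this issue can be checked in user mode against a constructed table. The following is an added example, not code from the tutorial or from the issue: the `SEGMENT_DESCRIPTOR` struct mirrors the 8-byte legacy GDT entry layout (field names are ours), `g_gdt` is a constructed four-entry table standing in for the real one the hypervisor reads with SGDT, and `get_segment_descriptor` is the exact expression from the issue. The point it demonstrates is that a selector already carries index * 8 in its upper 13 bits, so masking off the low three bits (TI and RPL) yields a byte offset, and `PUCHAR` arithmetic advances one byte per unit, so no further multiply is needed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* 8-byte legacy GDT entry (Intel SDM layout); field names are ours. */
typedef struct {
    uint16_t limit_low;
    uint16_t base_low;
    uint8_t  base_mid;
    uint8_t  access;
    uint8_t  limit_high_flags;
    uint8_t  base_high;
} SEGMENT_DESCRIPTOR, *PSEGMENT_DESCRIPTOR;

typedef unsigned char *PUCHAR;

/* Constructed 4-entry GDT (null, code, data, one spare) used as a stand-in
 * for the table a hypervisor would locate via SGDT. */
static SEGMENT_DESCRIPTOR g_gdt[4];

/* A selector is [index:13][TI:1][RPL:2]. Clearing the low three bits leaves
 * index << 3 == index * 8, which is already a BYTE offset because each
 * descriptor is exactly 8 bytes. */
static size_t selector_to_byte_offset(uint16_t selector)
{
    return (size_t)(selector & ~0x7u);
}

static uint16_t selector_to_index(uint16_t selector)
{
    return (uint16_t)(selector >> 3);
}

/* The expression quoted in the issue, unchanged. */
static PSEGMENT_DESCRIPTOR get_segment_descriptor(void *gdt_base, uint16_t selector)
{
    return (PSEGMENT_DESCRIPTOR)((PUCHAR)gdt_base + (selector & ~0x7));
}

/* Returns 1 when the pointer arithmetic lands on the same entry as plain
 * array indexing, 0 otherwise (including selectors outside the table). */
int selector_arithmetic_matches(uint16_t selector)
{
    size_t idx = selector_to_index(selector);
    if (idx >= sizeof g_gdt / sizeof g_gdt[0])
        return 0;
    return get_segment_descriptor(g_gdt, selector) == &g_gdt[idx];
}

/* What the extra "* 8" suggested in the issue would compute: an offset
 * eight times too large, which walks straight off a small table. */
size_t wrongly_scaled_offset(uint16_t selector)
{
    return (size_t)(selector & ~0x7u) * 8;
}

int main(void)
{
    uint16_t sel = 0x2B;   /* index 5 style selector with RPL 3, as seen for user-mode DS */
    printf("selector 0x%04x: index %u, byte offset %zu, wrongly scaled %zu\n",
           sel, selector_to_index(sel), selector_to_byte_offset(sel),
           wrongly_scaled_offset(sel));
    printf("0x10 resolves to entry 2: %d\n", selector_arithmetic_matches(0x10));
    return 0;
}
```

Run it and compare the byte offset with the wrongly scaled value: the first stays inside the table for every selector that indexes it, the second does not.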

Tutorial on how to use the hypervisor to virtualize a single app

Hello,

can you please make a tutorial on how to virtualize an existing app (.exe in windows) using the hypervisor?

also, is it possible to make a generic sandbox app using the hypervisor which virtualized other apps? similar to what VMware ThinApp and other portable app makers do.

I know software like ThinApp doesn't use the hardware on the CPU to sandbox the app but I just want to gain insight on how it's done if we were to use the hypervisor.

by the way, your tutorials are the best I could find out there about hypervisors, great job!

Is there any reasoning for the 8K byte allocation for the VMCS region?

I've started researching hypervisors (for Intel's virtualization technology) a few days ago. Your project seems like a great reference to read off, but I've noticed that there is an 8K-byte allocation for the VMCS region (despite the comment saying it's 4). According to the Intel manual (chapter C3, 24.2, "Format of the VMCS region"):
"A VMCS region comprises up to 4-KBytes"
and you are allocating this size:
VmcsSize = 2 * VMCS_SIZE; (8k bytes)

Anyway, my question is if there's any reasoning for this or is this a mistake? Keep in mind I'm new, so I may have just overlooked something in Intel's manual.

Thanks!
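The size question above comes down to two architectural facts: the required VMCS region size is reported by IA32_VMX_BASIC (MSR 0x480, bits 44:32) and is at most 4 KB, and the region's physical address must be 4 KB aligned. The following is an added example, not the project's code, that decodes a constructed IA32_VMX_BASIC value and checks a candidate region against those requirements. `VMCS_SIZE` reuses the tutorial's constant name with an assumed value of 4096, and the `aligned_vmcs_window` helper illustrates one reason (our assumption, not the author's stated reasoning) a 2 * VMCS_SIZE buffer can be useful: an allocator with no alignment guarantee always contains a 4 KB-aligned 4 KB window inside an 8 KB buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>

/* Same name the tutorial uses; the value is our assumption. */
#define VMCS_SIZE 4096u

/* Fields of IA32_VMX_BASIC (MSR 0x480) as laid out in the Intel SDM. */
typedef struct {
    uint32_t revision_id;    /* bits 30:0, written to the first dword of the region */
    uint32_t region_size;    /* bits 44:32, bytes the region must provide, at most 4096 */
    bool     phys_32bit;     /* bit 48: region addresses limited to 32 bits */
    uint8_t  memory_type;    /* bits 53:50, 6 = write-back */
    bool     true_controls;  /* bit 55: IA32_VMX_TRUE_* control MSRs available */
} vmx_basic_t;

vmx_basic_t decode_vmx_basic(uint64_t msr)
{
    vmx_basic_t b;
    b.revision_id   = (uint32_t)(msr & 0x7FFFFFFFu);
    b.region_size   = (uint32_t)((msr >> 32) & 0x1FFFu);
    b.phys_32bit    = (msr >> 48) & 1u;
    b.memory_type   = (uint8_t)((msr >> 50) & 0xFu);
    b.true_controls = (msr >> 55) & 1u;
    return b;
}

/* A VMCS (or VMXON) region is acceptable when it is 4 KB aligned and the
 * bytes behind it cover the size the MSR reports. */
bool vmcs_region_ok(uintptr_t region, size_t bytes_available, const vmx_basic_t *b)
{
    if (b->region_size == 0 || b->region_size > 4096u)
        return false;
    if (region & 0xFFFu)
        return false;
    return bytes_available >= b->region_size;
}

/* Finds a 4 KB-aligned, VMCS_SIZE-byte window inside an arbitrary buffer.
 * Returns NULL if the buffer cannot hold one; an 8 KB buffer always can. */
void *aligned_vmcs_window(void *buf, size_t buf_len)
{
    uintptr_t start = ((uintptr_t)buf + 0xFFFu) & ~(uintptr_t)0xFFFu;
    uintptr_t end   = (uintptr_t)buf + buf_len;
    if (start < (uintptr_t)buf || start + VMCS_SIZE > end)
        return NULL;
    return (void *)start;
}

int main(void)
{
    /* Constructed MSR value: revision 4, region size 4096, write-back, true controls. */
    vmx_basic_t b = decode_vmx_basic(0x0098100000000004ULL);
    unsigned char *buf = malloc(2 * VMCS_SIZE);
    void *window = aligned_vmcs_window(buf, 2 * VMCS_SIZE);

    printf("revision %u, region size %u bytes, memory type %u\n",
           b.revision_id, b.region_size, b.memory_type);
    printf("aligned window found: %s, passes checks: %d\n",
           window ? "yes" : "no",
           window ? vmcs_region_ok((uintptr_t)window, VMCS_SIZE, &b) : 0);
    free(buf);
    return 0;
}
```

In a real driver the 4 KB requirement is on the physical address of the region; allocating with a page-aligned allocator and passing the physical address through `vmcs_region_ok` is the check a practitioner would keep.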

Hello, help me please

Thank you so much for a great project. When a user application sends a specific process address through IOCTL communication, it would be nice to make a function that hides that address. I tried for a month, but I couldn't. And I'm Korean, I'm writing with a translator.

The VM loses control from windbg.

Hi, SinaKarvandi :
Thank you very much for the tutorial, it helped me a lot.
But there is a problem that has been bothering me for a long time (OS: Windows 10 x64, 19044, VBS disabled). Without enabling EPT, the GUEST_RIP was able to execute every time the VMLAUNCH instruction was executed, but when I go (g) in windbg, the VM gets stuck and loses control from windbg and cannot enter the VM-exit handler. I tried the following method to try to find the reason: before VMLAUNCH execution, I raised IRQL >= DISPATCH_LEVEL to successfully enter the VM-exit handler every time the preset conditions in the control area are triggered. But as you know, the wrong IRQL will cause a BSOD, but at least it will hit the VM-exit handler. I can't find a good solution; if you know, please help me correct it, thank you very much.
