tandasat / memorymon Goto Github PK

Hello!
Where can I find the files of the rootkit that is used in demo video https://www.youtube.com/watch?v=O5_ocsplrfA?

when i compile the project, I always get the LNK ERROR,can you help me look at the error.

Severity Code Description Project File Line Suppression State
Warning 1324 [Version] section should specify PnpLockdown=1. MemoryMon C:\Users\Frankenstein\Desktop\tt\MemoryMon\MemoryMon\MemoryMon.inf 5

Severity Code Description Project File Line Suppression State
Error LNK2019 unresolved external symbol _invoke_watson referenced in function "protected: virtual void __cdecl stdext::bad_alloc::_Doraise(void)const " (?_Doraise@bad_alloc@stdext@@MEBAXXZ) MemoryMon C:\Users\Frankenstein\Desktop\tt\MemoryMon\MemoryMon\AddressRanges.obj 1

Severity Code Description Project File Line Suppression State
Error LNK2001 unresolved external symbol _invoke_watson MemoryMon C:\Users\Frankenstein\Desktop\tt\MemoryMon\MemoryMon\PageFaultRecord.obj 1
Severity Code Description Project File Line Suppression State
Error LNK2001 unresolved external symbol _invoke_watson MemoryMon C:\Users\Frankenstein\Desktop\tt\MemoryMon\MemoryMon\V2PMap.obj 1

Severity Code Description Project File Line Suppression State
Error LNK2001 unresolved external symbol "void (__cdecl* std::_Raise_handler)(class stdext::exception const &)" (?_Raise_handler@std@@3P6AXAEBVexception@stdext@@@ZEA) MemoryMon C:\Users\Frankenstein\Desktop\tt\MemoryMon\MemoryMon\AddressRanges.obj 1

Severity Code Description Project File Line Suppression State
Error LNK2001 unresolved external symbol "void (__cdecl* std::_Raise_handler)(class stdext::exception const &)" (?_Raise_handler@std@@3P6AXAEBVexception@stdext@@@ZEA) MemoryMon C:\Users\Frankenstein\Desktop\tt\MemoryMon\MemoryMon\PageFaultRecord.obj 1

Severity Code Description Project File Line Suppression State
Error LNK2001 unresolved external symbol "void (__cdecl* std::_Raise_handler)(class stdext::exception const &)" (?_Raise_handler@std@@3P6AXAEBVexception@stdext@@@ZEA) MemoryMon C:\Users\Frankenstein\Desktop\tt\MemoryMon\MemoryMon\V2PMap.obj 1

Severity Code Description Project File Line Suppression State
Error LNK1120 2 unresolved externals MemoryMon C:\Users\Frankenstein\Desktop\tt\MemoryMon\x64\Debug\MemoryMon.sys 1

Windows preview 1903 18885.1001 - Intel i7 - VTx enabled.
Having BSOD error at launch. I can't sort out the source tree, the HyperPlatform compiles and run.

FAULTING_SOURCE_FILE:  C:\Users\bruker1\Documents\GitHub\MemoryMon-master\HyperPlatform\HyperPlatform\vmm.cpp
FAULTING_SOURCE_LINE_NUMBER:  328
FAULTING_SOURCE_CODE:  
   324: _Use_decl_annotations_ static void VmmpHandleUnexpectedExit(
   325:     GuestContext *guest_context) {
   326:   VmmpDumpGuestState();
   327:   const auto qualification = UtilVmRead(VmcsField::kExitQualification);
>  328:   HYPERPLATFORM_COMMON_BUG_CHECK(HyperPlatformBugCheck::kUnexpectedVmExit,
   329:                                  reinterpret_cast<ULONG_PTR>(guest_context),
   330:                                  guest_context->ip, qualification);
   331: }
   332: 
   333: // MTF VM-exit

Minidump 800kb - https://1drv.ms/u/s!Au4WOPg47f1-gmRtoOolGxVYrAKd
MemoryMon.log - https://1drv.ms/u/s!Au4WOPg47f1-gmW5NuL62nm0Nhvm
MemoryMon.pdb - https://1drv.ms/u/s!Au4WOPg47f1-gmbXp2U9sAMdnKlA
MemoryMon.sys - https://1drv.ms/u/s!Au4WOPg47f1-gmfvyl_OtEvjTuXQ
FULL-DUMP-ANALYSIS:

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

MANUALLY_INITIATED_CRASH (e2)
The user manually initiated this crash dump.
Arguments:
Arg1: 0000000000000001
Arg2: ffff9b8931ffff10
Arg3: fffff8025bf16164
Arg4: 0000000000000000

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 3

    Key  : Analysis.Elapsed.Sec
    Value: 6

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 66


PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1


DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING:  18885.1001.amd64fre.rs_prerelease.190419-1606

SYSTEM_MANUFACTURER:  System manufacturer

SYSTEM_PRODUCT_NAME:  System Product Name

SYSTEM_SKU:  SKU

SYSTEM_VERSION:  System Version

BIOS_VENDOR:  American Megatrends Inc.

BIOS_VERSION:  3805

BIOS_DATE:  05/16/2018

BASEBOARD_MANUFACTURER:  ASUSTeK COMPUTER INC.

BASEBOARD_PRODUCT:  Z170-P

BASEBOARD_VERSION:  Rev X.0x

DUMP_TYPE:  1

BUGCHECK_P1: 1

BUGCHECK_P2: ffff9b8931ffff10

BUGCHECK_P3: fffff8025bf16164

BUGCHECK_P4: 0

CPU_COUNT: 2

CPU_MHZ: fa8

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 5e

CPU_STEPPING: 3

CPU_MICROCODE: 6,5e,3,0 (F,M,S,R)  SIG: C6'00000000 (cache) C6'00000000 (init)

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  0xE2

PROCESS_NAME:  svchost.exe

CURRENT_IRQL:  2

ANALYSIS_SESSION_HOST:  DESKTOP-LG854SK

ANALYSIS_SESSION_TIME:  05-02-2019 05:11:56.0216

ANALYSIS_VERSION: 10.0.18869.1002 amd64fre

BAD_STACK_POINTER:  ffff9b8931fffe58

LAST_CONTROL_TRANSFER:  from fffff802673d4025 to fffff8025b9c56c0

STACK_TEXT:  
ffff9b89`31fffe58 fffff802`673d4025 : 00000000`000000e2 00000000`00000001 ffff9b89`31ffff10 fffff802`5bf16164 : nt!KeBugCheckEx
ffff9b89`31fffe60 fffff802`673d4610 : 00000000`fffffff7 00000000`00000000 00000000`00000002 ffff9b89`31ffff10 : MemoryMon!VmmpHandleUnexpectedExit+0x41 [C:\Users\bruker1\Documents\GitHub\MemoryMon-master\HyperPlatform\HyperPlatform\vmm.cpp @ 328] 
ffff9b89`31fffea0 fffff802`673d2b9e : 00000000`00000000 00000000`fffffff7 ffff9b89`31ffff40 00000000`00000000 : MemoryMon!VmmpHandleVmExit+0x4d0 [C:\Users\bruker1\Documents\GitHub\MemoryMon-master\HyperPlatform\HyperPlatform\vmm.cpp @ 309] 
ffff9b89`31fffef0 fffff802`673d1448 : 00000000`80050033 00000181`d0b3ea00 00000181`cee69660 00000181`d0b78a90 : MemoryMon!VmmVmExitHandler+0xae [C:\Users\bruker1\Documents\GitHub\MemoryMon-master\HyperPlatform\HyperPlatform\vmm.cpp @ 200] 
ffff9b89`31ffff50 00000000`80050033 : 00000181`d0b3ea00 00000181`cee69660 00000181`d0b78a90 00007ffc`6a9c2d78 : MemoryMon!AsmVmmEntryPoint+0x25 [C:\Users\bruker1\Documents\GitHub\MemoryMon-master\HyperPlatform\HyperPlatform\Arch\x64\x64.asm @ 144] 
ffff9b89`31ffff58 00000181`d0b3ea00 : 00000181`cee69660 00000181`d0b78a90 00007ffc`6a9c2d78 00000000`00000000 : 0x80050033
ffff9b89`31ffff60 00000181`cee69660 : 00000181`d0b78a90 00007ffc`6a9c2d78 00000000`00000000 346dc5d6`3886594b : 0x00000181`d0b3ea00
ffff9b89`31ffff68 00000181`d0b78a90 : 00007ffc`6a9c2d78 00000000`00000000 346dc5d6`3886594b 00000181`d0b11a40 : 0x00000181`cee69660
ffff9b89`31ffff70 00007ffc`6a9c2d78 : 00000000`00000000 346dc5d6`3886594b 00000181`d0b11a40 00000000`00000246 : 0x00000181`d0b78a90
ffff9b89`31ffff78 00000000`00000000 : 346dc5d6`3886594b 00000181`d0b11a40 00000000`00000246 00000000`000002b8 : 0x00007ffc`6a9c2d78


THREAD_SHA1_HASH_MOD_FUNC:  6f499a26c682f490d3cb3e65fb7f3a5f553d7faa

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  c8702d70cc40123ea6955a2ae319dc6196f125d1

THREAD_SHA1_HASH_MOD:  6a1f99879137405b70e720581f4e7dc933530485

FOLLOWUP_IP: 
MemoryMon!VmmpHandleUnexpectedExit+41 [C:\Users\bruker1\Documents\GitHub\MemoryMon-master\HyperPlatform\HyperPlatform\vmm.cpp @ 328]
fffff802`673d4025 cc              int     3

FAULT_INSTR_CODE:  48cccccc

FAULTING_SOURCE_LINE:  C:\Users\bruker1\Documents\GitHub\MemoryMon-master\HyperPlatform\HyperPlatform\vmm.cpp

FAULTING_SOURCE_FILE:  C:\Users\bruker1\Documents\GitHub\MemoryMon-master\HyperPlatform\HyperPlatform\vmm.cpp

FAULTING_SOURCE_LINE_NUMBER:  328

FAULTING_SOURCE_CODE:  
   324: _Use_decl_annotations_ static void VmmpHandleUnexpectedExit(
   325:     GuestContext *guest_context) {
   326:   VmmpDumpGuestState();
   327:   const auto qualification = UtilVmRead(VmcsField::kExitQualification);
>  328:   HYPERPLATFORM_COMMON_BUG_CHECK(HyperPlatformBugCheck::kUnexpectedVmExit,
   329:                                  reinterpret_cast<ULONG_PTR>(guest_context),
   330:                                  guest_context->ip, qualification);
   331: }
   332: 
   333: // MTF VM-exit


SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  MemoryMon!VmmpHandleUnexpectedExit+41

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: MemoryMon

IMAGE_NAME:  MemoryMon.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  5cca5eb0

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  41

FAILURE_BUCKET_ID:  0xE2_STACKPTR_ERROR_MemoryMon!VmmpHandleUnexpectedExit

BUCKET_ID:  0xE2_STACKPTR_ERROR_MemoryMon!VmmpHandleUnexpectedExit

PRIMARY_PROBLEM_CLASS:  0xE2_STACKPTR_ERROR_MemoryMon!VmmpHandleUnexpectedExit

TARGET_TIME:  2019-05-02T03:08:58.000Z

OSBUILD:  18885

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  784

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS Personal

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  1978-11-25 11:03:45

BUILDDATESTAMP_STR:  190419-1606

BUILDLAB_STR:  rs_prerelease

BUILDOSVER_STR:  10.0.18885.1001.amd64fre.rs_prerelease.190419-1606

ANALYSIS_SESSION_ELAPSED_TIME:  19e6

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0xe2_stackptr_error_memorymon!vmmphandleunexpectedexit

FAILURE_ID_HASH:  {781a428c-6946-179e-f621-27e3af144d53}

Followup:     MachineOwner
---------

Porting changes made in HyperPlatofm would be easier if submodules are used instead of copying files. Do so if appropriate.

Hello! I want to run this tree of MemoryMon: https://github.com/tandasat/MemoryMon/tree/rwe_cdfs. But I have BSOD every time with PAGE_FAULT_IN_NONPAGED_AREA after running hypervisor. I also tried to fix it with tandasat/HyperPlatform#34 and tandasat/HyperPlatform#32
My dump:

Machine Name:
Kernel base = 0xfffff8053aac0000 PsLoadedModuleList = 0xfffff805`3af061b0
System Uptime: 0 days 0:00:00.000
KDTARGET: Refreshing KD connection
Break instruction exception - code 80000003 (first chance)
MemoryMon+0x12109b:
fffff8053a04109b cc int 3
*** WARNING: Unable to verify timestamp for ntdll.dll
0: kd> g
16:45:17.537 DBG #1 4 2060 System Log thread started (TID= 000000000000080C).
16:45:17.761 INF #0 4 272 System Log has been initialized.
16:45:17.761 DBG #1 4 272 System Info= FFFFF80539FF28A0, Buffer= FFFFE604EC010000 FFFFE604EC090000, File= \SystemRoot\MemoryMonRWE.log
16:45:17.761 DBG #1 4 272 System Found a hard coded PTE_BASE at FFFFF8053AD81592
16:45:17.761 DBG #1 4 272 System PXE at FFFFFAFD7EBF5000, PPE at FFFFFAFD7EA00000, PDE at FFFFFAFD40000000, PTE at FFFFFA8000000000
16:45:17.776 DBG #1 4 272 System Physical Memory Range: 0000000000001000 - 00000000000a0000
16:45:17.776 DBG #1 4 272 System Physical Memory Range: 0000000000100000 - 000000000eef1000
16:45:17.791 DBG #1 4 272 System Physical Memory Range: 000000000eefa000 - 000000000ef0d000
16:45:17.791 DBG #1 4 272 System Physical Memory Range: 000000000ef12000 - 000000000ef2c000
16:45:17.791 DBG #1 4 272 System Physical Memory Range: 000000000ef31000 - 000000000fee7000
16:45:17.791 DBG #1 4 272 System Physical Memory Range: 000000000ff77000 - 0000000080000000
16:45:17.803 DBG #1 4 272 System Physical Memory Total: 2096112 KB
16:45:17.803 DBG #1 4 272 System shared_data = FFFFE604E45053B0
16:45:17.817 INF #0 4 272 System Initializing VMX for the processor 0.
16:45:17.896 DBG #0 4 272 System vmm_stack_limit = FFFFE604EA0B9000
16:45:17.896 DBG #0 4 272 System vmm_stack_region_base = FFFFE604EA0BF000
16:45:17.911 DBG #0 4 272 System vmm_stack_data = FFFFE604EA0BEFF8
16:45:17.911 DBG #0 4 272 System vmm_stack_base = FFFFE604EA0BEFF0
16:45:17.919 DBG #0 4 272 System processor_data = FFFFE604E45053F0 stored at FFFFE604EA0BEFF8
16:45:17.927 DBG #0 4 272 System guest_stack_pointer = FFFFD90525D95750
16:45:17.931 DBG #0 4 272 System guest_inst_pointer = FFFFF80539F21427
16:45:17.935 DBG #0 4 272 System Context at FFFFF80539F21478: rax= 0000000000000000 rbx= 0000000000000000 rcx= FFFFF8053A03DDF0 rdx= FFFFE604E45053B0 rsi= FFFFE604E9D5B000 rdi= FFFFD90525D95888 rsp= FFFFD90525D957D0 rbp= 0000000000000000 r8= 0000000000000065 r9= 0000000000000000 r10= 0000000000000007 r11= FFFFD90525D95170 r12= FFFFFFFF800027CC r13= 0000000000000002 r14= FFFFC50F1876A9A0 r15= FFFFE604E9D5B000 efl= 00040282
16:45:17.935 INF #0 4 272 System Initialized successfully.
16:45:17.969 INF #1 4 272 System Initializing VMX for the processor 1.
Access violation - code c0000005 (!!! second chance !!!)
MemoryMon+0x11b000:
fffff8053a03b000 cc int 3
0: kd> g
KDTARGET: Refreshing KD connection

*** Fatal System Error: 0x00000050
(0xFFFFFA8000000000,0x0000000000000002,0xFFFFF8053A03B001,0x000000000000000B)

Driver at fault:
*** MemoryMon.sys - Address FFFFF8053A03B001 base at FFFFF80539F20000, DateStamp 609a7d77
.
Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

For analysis of this file, run !analyze -v
nt!DbgBreakPointWithStatus:
fffff8053ac8b970 cc int 3
0: kd> !analyze -v
Connected to Windows 10 18362 x64 target at (Tue May 11 16:45:23.522 2021 (UTC + 3:00)), ptr64 TRUE
Loading Kernel Symbols
.................................

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

..............................
................................................................
................................................................
..............................
Loading User Symbols
PEB address is NULL !
Loading unloaded module list
.......

                Bugcheck Analysis                                    

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: fffffa8000000000, memory referenced.
Arg2: 0000000000000002, value 0 = read operation, 1 = write operation.
Arg3: fffff8053a03b001, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 000000000000000b, (reserved)

Debugging Details:

KEY_VALUES_STRING: 1

Key : Analysis.CPU.Sec
Value: 1

Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-I56MG4S

Key : Analysis.DebugData
Value: CreateObject

Key : Analysis.DebugModel
Value: CreateObject

Key : Analysis.Elapsed.Sec
Value: 3

Key : Analysis.Memory.CommitPeak.Mb
Value: 63

Key : Analysis.System
Value: CreateObject

BUGCHECK_CODE: 50

BUGCHECK_P1: fffffa8000000000

BUGCHECK_P2: 2

BUGCHECK_P3: fffff8053a03b001

BUGCHECK_P4: b

READ_ADDRESS: fffffa8000000000

MM_INTERNAL_CODE: b

IMAGE_NAME: MemoryMon.sys

MODULE_NAME: MemoryMon

FAULTING_MODULE: fffff80539f20000 MemoryMon

PROCESS_NAME: svchost.exe

TRAP_FRAME: ffffd90526d37810 -- (.trap 0xffffd90526d37810)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffa8000000000 rbx=0000000000000000 rcx=ffffe604e9a90580
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8053a03b001 rsp=ffffd90526d379a0 rbp=ffffd90526d37b20
r8=fffffafd7eb0a110 r9=0000000021422008 r10=0000000000000001
r11=fffffafd40000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
MemoryMon+0x11b001:
fffff8053a03b001 0000 add byte ptr [rax],al ds:fffffa8000000000=??
Resetting default scope

STACK_TEXT:
ffffd90526d36e88 fffff8053ad68dc2 : fffffa8000000000 0000000000000003 ffffd90526d36ff0 fffff8053abe64d0 : nt!DbgBreakPointWithStatus
ffffd90526d36e90 fffff8053ad684b7 : fffff80500000003 ffffd90526d36ff0 fffff8053ac981f0 ffffd90526d37530 : nt!KiBugCheckDebugBreak+0x12
ffffd90526d36ef0 fffff8053ac83c27 : 0000000000000000 0000000000000005 0000000000000002 0000000000000000 : nt!KeBugCheck2+0x947
ffffd90526d375f0 fffff8053ad10c54 : 0000000000000050 fffffa8000000000 0000000000000002 ffffd90526d37810 : nt!KeBugCheckEx+0x107
ffffd90526d37630 fffff8053ab8ac3a : 0000000000000000 0000000000000002 ffffd90526d37770 0000000000000000 : nt!MiRaisedIrqlFault+0x127c14
ffffd90526d37670 fffff8053ac91b5e : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!MmAccessFault+0x48a
ffffd90526d37810 fffff8053a03b001 : 0000000000000aa0 ffffe604e8413030 ffffd90526d37d4a fffff8053b0e7f8a : nt!KiPageFault+0x35e
ffffd90526d379a0 0000000000000aa0 : ffffe604e8413030 ffffd90526d37d4a fffff8053b0e7f8a 0000000000000000 : MemoryMon+0x11b001
ffffd90526d379a8 ffffe604e8413030 : ffffd90526d37d4a fffff8053b0e7f8a 0000000000000000 fffff80500000027 : 0xaa0
ffffd90526d379b0 ffffd90526d37d4a : fffff8053b0e7f8a 0000000000000000 fffff80500000027 ffffffffffffffff : 0xffffe604e8413030
ffffd90526d379b8 fffff8053b0e7f8a : 0000000000000000 fffff80500000027 ffffffffffffffff ffffe604e4a40000 : 0xffffd90526d37d4a
ffffd90526d379c0 fffffafd61422008 : ffffe60400000000 ffffffffffffffff ffffd90500000000 0000000000000000 : nt!IopGetFileInformation+0x106
ffffd90526d37a40 ffffe60400000000 : ffffffffffffffff ffffd90500000000 0000000000000000 0000000000001001 : 0xfffffafd61422008
ffffd90526d37a48 ffffffffffffffff : ffffd90500000000 0000000000000000 0000000000001001 ffff8508803ad000 : 0xffffe60400000000
ffffd90526d37a50 ffffd90500000000 : 0000000000000000 0000000000001001 ffff8508803ad000 0000000000000000 : 0xffffffffffffffff
ffffd90526d37a58 0000000000000000 : 0000000000001001 ffff8508803ad000 0000000000000000 0000000000000000 : 0xffffd90500000000

SYMBOL_NAME: MemoryMon+11b001

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 11b001

FAILURE_BUCKET_ID: AV_INVALID_MemoryMon!unknown_function

OS_VERSION: 10.0.18362.1

BUILDLAB_STR: 19h1_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {26be4fc7-3792-4cc6-76ba-e1db17101433}

Followup: MachineOwner

(different debugging + i checked address with IDA)

Access violation - code c0000005 (!!! second chance !!!)
MemoryMon+0x11b000:
fffff8047c7eb000 cc int 3

thanks for your excellent work, I learned a lot from it. And I try to use this project to monitor windows kernel memory access.
And I set corresponding ept entry's r/w to false. Every time windows kernel access memory, I set corresponding ept entry's r/w to ture ,and mtf flag. However, the windows always get stuck somewhere. Can you give some suggestion.

Add VPID support to retain cache and gain performance benefit. Only downside of it would be that older processors might not support it and HyperPlatform could drop their support, but seems that the VPID feature is old enough to ignore this impact.

Also, Intel SDM describes that some cache invalidation should|can be done. Review the description and implement them. At this time, HyperPlatform would need those two invalidation.

Guidelines for Use of the INVVPID Instruction

Software can use the INVVPID instruction with the “all-context” INVVPID type immediately after execution of the VMXON instruction or immediately prior to execution of the VMXOFF instruction. Either prevents potentially undesired retention of information cached from paging structures between separate uses of VMX operation.

Guidelines for Use of the INVEPT Instruction

Software can use the INVEPT instruction with the “all-context” INVEPT type immediately after execution of the VMXON instruction or immediately prior to execution of the VMXOFF instruction. Either prevents potentially undesired retention of information cached from EPT paging structures between separate uses of VMX operation.

Do not forget test code with real hardware since VMware is unlikely to implement cache behaviour perfectly.