Skip to content

A simple and heavily documented series of test hypervisors built for 64-bit Windows 10 systems running under Intel's VT-x

Notifications You must be signed in to change notification settings

planckxia/HV-Playground

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

46 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

HV-Playground

A simple and heavily documented series of test hypervisors built for 64-bit Windows 10 systems running under Intel's VT-x.

This hypervisor was designed to be very simple. To achieve this, it outlines all of it's main operations into the Driver.c file (and functions directly above it), and only uses only the current processor to conduct it's VMX operation cycle; which consists of running the guest code, catching exits in the VMM, and completing the DriverEntry routine. It makes use of definitions from the SDM—all of which are promptly cited to enable the end user to conduct research on their own.

As we move past the initial design of our hypervisor—which is only what's required to run guest code—and begin to add functionality, we enter into a considerably more complicated realm of VMX operation; demonstrating concepts such as MMU virtualization (EPT), root to non-root communication, event injection, and so on. To reduce confusion, and to keep our code base as small and simplistic as possible, each these features are outlined individually into their own implementation (branches) which build upon (fork) the prior designs. In doing this, it is my hope that someone without prior experience developing hypervisors could, with some dedication, understand the concepts demonstrated in our master branch, and then go on to learn about these more complicated concepts in a simple and unrestricted environment.

The code for all of these examples was meant to reflect proof-of-concept projects. It's not meant to be something you can fork and use to create some heavily featured hypervisor. It was supposed to be simple, and straight to the point. An environment where users could effectively demo (and view demos) of VT-x features, and get a better idea of how they are implemented. Some of the header files contain clutter. This is seen in unused structure definitions, or unused macro functions/definitions. I could have refactored these elements of the project out, but chose to keep them in. There aren't that many of them, and I felt that users could use these definitions to both gather context on the hypervisor environment (perhaps in the form of debugging), and also expand the project (within reason) to better make sense of VT-x concepts.

To recap, this project is not as clean as you might see with something like SimpleVisor, but that was entirely the point. Commits that attempt to clean up the code in a way that doesn't correspond to the above project ideology will not be accepted. However, if someone out there finds an error that is critical to the project's operation, and moreover something that would inhibit users from learning more about hypervisor concepts, commits in that regard are greatly appreciated.

In time, I will probably create a more useful tutorial on how one would go about learning about hypervisor concepts. But for now, I thought this was a rather interesting project, and something that may end up helping the people out there piecing together their own VT-x powered software.

Below you will find a list of the aforementioned branches.

Branches

  • master - Demonstrates the minimum possible design required to enter into VMX operation and run guest code. The code is designed to run on a single processor (on multiprocessor systems) within a DriverEntry function, setup VMX operation, redirect to guest execution, break back to the VMM after executing a halt instruction (as the guest), exit VMX operations, and complete the DriverEntry function.
  • GuestState [Forked from master] - Adds code to preserve the guest state across VM exits, code to continue the guest execution, and TraceLogging support to enable debug logging from our VMM.
  • EPT [Forked from GuestState] - Simplistic EPT configuration supporting (only) 4KB guest pages, designed to only virtualize the required guest memory. Complete with memory management helper routines, this branch also demonstrates modifications to the underlying EPT tables (in addition to splitting attacks) to redirect memory pages exposed to the guest.
  • EPTIdentity [Forked from EPT] - EPT configuration designed to support 2MB large pages in an guest-to-host identity map (full system memory virtualization). Also demonstrates EPT splitting by selectively splitting target 2MB pages to their 4KB equivalents, and then mapping two separate pages for a taget page (depending upon their accesses).
  • EventInjection [Forked from GuestState] - Demonstrates the simulation of VMX instructions outside VMX operation while within VMX operation. This will be done by modifying the behavior of a VMLAUNCH instruction in our guest (simulating non-root mode), with explanations on how could go about building such a feature in for other instructions which cause non-conditional VM-exits.

Resources

Below are a list of resources I used when developing the hypervisor seen in this repository (the master branch).


Below are an unordered list of public code repositories that demonstrate implementations of hypervisors running on Intel's VT-x (which is inclusive of several of the above). I would like to point out the first entry in the list (Petr Beneš' hvpp), as he is very experienced when it comes to the development of hypervisors, and you will find many concepts not accurately expressed in the above resources within Petr's code. Satoshi Tanda's HyperPlatform is also a very valuable resource, but is very bloated with features outside the scope of simple hypervisor development.

Project Name Description Author Project Link
hvpp a lightweight Intel x64/VT-x hypervisor written in C++ focused primarily on virtualization of already running operating system Petr Beneš https://github.com/wbenny/hvpp
MiniVTx64 Intel Virtualization Technology demo zhuhuibeishadiao https://github.com/zhuhuibeishadiao/MiniVTx64
PFHook Page fault hook use ept (Intel Virtualization Technology) zhuhuibeishadiao https://github.com/zhuhuibeishadiao/PFHook
Kernel-Bridge Windows kernel hacking framework, driver template, hypervisor and API written on C++ HoShiMin https://github.com/HoShiMin/Kernel-Bridge
MiniVT 该代码改(chao)编(xi)自看雪_小宝的MiniVT(他写的有点乱,我实在看不懂,自己抄着整理了一遍)。 Sqdwr https://github.com/Sqdwr/MiniVT
HyperPlatform Intel VT-x based hypervisor aiming to provide a thin VM-exit filtering platform on Windows. Satoshi Tanda https://github.com/tandasat/HyperPlatform
FU_Hypervisor A hypervisor hiding user-mode memory using EPT Satoshi Tanda https://github.com/tandasat/FU_Hypervisor
MiniVisorPkg The research UEFI hypervisor that supports booting an operating system. Satoshi Tanda https://github.com/tandasat/MiniVisorPkg
SimpleVisor SimpleVisor is a simple, portable, Intel VT-x hypervisor with two specific goals: using the least amount of assembly code (10 lines), and having the smallest amount of VMX-related code to support dynamic hyperjacking and unhyperjacking (that is, virtualizing the host state from within the host). It works on Windows and UEFI. Alex Ionescu https://github.com/ionescu007/SimpleVisor
kHypervisor kHypervisor is a lightweight bluepill-like nested VMM for Windows, it provides and emulating a basic function of Intel VT-x Kelvinhack https://github.com/Kelvinhack/kHypervisor
gbhv Simple x86-64 VT-x Hypervisor with EPT Hooking Gbps https://github.com/Gbps/gbhv
HyperBone Minimalistic VT-x hypervisor with hooks DarthTon https://github.com/DarthTon/HyperBone
VT_64_EPT createfile in12hacker https://github.com/in12hacker/VT_64_EPT
hypervisor-for-beginners Intel Vt-x/EPT based thin-hypervisor for windows with minimum possible code. rohan popat kumbhar https://github.com/rohaaan/hypervisor-for-beginners
ProtoVirt An ongoing attempt to create own hypervisior from scratch in linux Shubham Dubey https://github.com/shubham0d/ProtoVirt
Hypervisor From Scratch Source code of a multiple series of tutorial about hypervisor Sina Karvandi https://github.com/SinaKarvandi/Hypervisor-From-Scratch

About

A simple and heavily documented series of test hypervisors built for 64-bit Windows 10 systems running under Intel's VT-x

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C 98.2%
  • Assembly 1.8%