kHypervisor is an Open Source light-weighted Hypervisor that's capable for nested virtualization in Windows x64 platform, as an extended work of HyperPlatform
- Visual Studio 2015 update 3
- Windows SDK 10
- Windowr Driver Kit 10
- VMware 12 with EPT environment.
- Supports Multi-core processor environment
- Test environment with Windows 7 x64 sp1 to Windows 10 x64 build 16299 RS3
- It onlys support restricted guest (protected - paging mode) for the present
The kHypervisor is completed in lab machines, please test kHypervisor in your VMWare or newly installed machine for best experience.
- Virtualized VMX environment
- Virtualized Guest EPT
- VMCS Emulation
- VMExit Emulation
- VMEntry Emulation, including VMEntry parameter check same as hardware spec.
- VMCALL Redirection
- Processor Exception / Interrupt Injection
kHypervisor provide an light-weighted virtulized environment for nesting Guest Hypervisor
- VM Entry Emulation with VMCS state check which is a good solution for debugging VMEntry fail, and locate the actual failure location.
- VM Exit Emulation
- Nested VM Exit Event
- The code is simple and minimize as a nested vmm.
2016-10-19 First commit, Supporting nested itself only, and nested software breakpoint exception from Level 2. And the nested-Vmm is able to dispatch this exception to L1 and help L1 to resume to L2.
2016-10-21 Fixed Ring-3 vm-exit emulation error.
2017-01-03 Refactor project, and Finding VMCS12 through VMCS02 by executing vmptrst
2017-01-22 GS Kernel base MSR bug fixed when Emulation VMRESUME/VMLAUNCH
2017-02-05 VPID shared between VMCS0-1 and VMCS0-2, support multi-processor.
2017-02-08 Emulate VMExit behaviour has been slightly Changed. in case of L2 is trapped by L0, and L0 emulate VMExit to L1, this time of VMRESUME will not be restore a Guest CR8 and Guest IRQL, it is until VMRESUME by L1. (L0 helps L1 resume to L2)
2017-05-28 Fixed Nested-CPUID problem, and add Nested-VMCALL.
2017-06-07 Fixed a VMExit buggy , clear the guest eflags, and reserved bit == 1
2017-06-08 Adding a support for Monitor Trap Flags from L2 and perform Nested VMExit
2017-11-21 Added VM-Entry Check Emulation , Bug Fixed
2018-01-19 Added Nest-Msr Access support , plus, a better coding style changes. Add Test in Windows x64 build 16299 RS3.Release
2018-02-05 Added Nested EPT which is running in Windows 7 x64 build 7601 system. (still not test by Windows 10)
2018-03-28 Use lateste version repo of Ddimon as a being nested-target, deleted nested-vmm
2018-03-29 Added Nested EPT monitoring , when the PTE entry OF guest EPT is modified, L0 knows.
2020-03-07 Refactored and testing on DdiMon
2020-06-27 Fixed MSR out of index for reserved MSR (0x40000000 ~ 0x400000FF)
kHypervisor extended HyperPlatform which is created by Satoshi Tanda, it is a Nested-Virtual Machine Monitor, and DdiMon is one of instance of HyperPlatform for test demo in kHypervisor.
Compiled kHypervisor.sys and DdiMon.sys by kHypervisor and NestedHypervisor respectively
We supports a multi-core environment
Enable Testsigning on x64:
bcdedit /set testsigning on
Install DdiMon.sys and kHypervisor.sys by following command:
sc create hostvmm type= kernel binPath= C:\kHypervisor.sys
sc create nestedvmm type= kernel binPath= C:\Ddimon.sys
start a service as following screen capture with its expected output
Live Demo with kernel rootkit
Nesting VT-x EPT for EPT Based Rootkit - DdiMon
Windows 10 x64 build 16299 RS3 Test Demo (with Nested EPT) :
Kenrel mode Test (Nested breakpoint INT3 exception)
3. After printed VMCS, the emulation of vmexit is done, and kHypervisor will find out which is the original handler as following, the control flow is transfer to DdiMon now. (the kHypervisor is not supposed exists by Ddimon, but it does.)
User Mode Test (Nested breakpoint INT3 Exception)
A INT 3 breakpoint in the system will be work as follow:
Nested VMCALL Emulation (Turning off L1 VMM By VMCALL)
Nested EPT Modification monitoring
With a highest stablility, better close nested-EPT or running nested-EPT in a unicore enivronment first.
- Fully Support CPU Feature from vCPU aspect.
- APIC virtualization
- Unrestricted guest support (vbox) , such as virtual 8086 mode.
This software is released under the MIT License, see LICENSE.