# Hypervisor Technical Specification
## Architecture Overview
Custom Windows hypervisor implementation with UEFI bootkit delivery, providing Ring -1 execution and advanced memory manipulation capabilities. Operates by hooking into Hyper-V infrastructure at boot time.
---
## Core Components
### 1. UEFI Bootkit Deployment
- **UEFI-level injection**: Patches bootmgfw.efi to inject hypervisor before OS initialization
- **Pre-OS execution**: Loads and initializes hypervisor components during boot phase
- **Persistence**: Operates from firmware level, survives OS reinstalls
- **Memory allocation**: Secures physical memory regions before OS memory manager initializes
- **TPM event l0g spoofing**: Manipulates TPM measurements to hide bootkit modifications
- **PE hash computation bypass**: Recalculates and spoofs PE hashes for modified boot components
### 2. Hypervisor Core Engine
- **VM-Exit handler hooking**: Detours Hyper-V's native VM-exit handler to intercept all hypervisor events
- **CPUID-based hypercall interface**: Custom hypercalls triggered via CPUID instruction with dual-key authentication
- **Dual architecture support**: Intel VT-x (VMX/EPT) and AMD-V (SVM/NPT) implementations
- **SLAT manipulation**: Second Level Address Translation (EPT/NPT) page table control
- **Non-maskable interrupt handling**: Processes NMI exits for synchronization
- **APIC virtualization**: Advanced Programmable Interrupt Controller management
### 3. Memory Management System
#### Physical Memory Operations
- **Direct physical memory read/write**: Bypass all OS-level protections
- **Page-granular control**: 4KB page manipulation
- **Memory region hiding**: Remove physical pages from OS visibility
- **Host physical mapping**: Map arbitrary physical addresses into hypervisor address space
#### Virtual Memory Operations
- **Guest virtual memory access**: Read/write to guest virtual addresses
- **Page table walking**: Manual CR3-based address translation
- **Cross-process memory access**: Target any process via CR3 switching
- **Translation caching**: Optimized address translation with caching layer
#### Address Translation Engine
- **4-level page table walking**: PML4 → PDPT → PD → PT traversal
- **Virtual-to-physical translation**: Convert guest virtual addresses to host physical addresses
- **Large page support**: 2MB and 1GB page handling
- **TLB awareness**: Coordinated with processor TLB invalidation
### 4. SLAT (Second Level Address Translation) Engine
#### EPT/NPT Manipulation
- **Dual page table system**: Clean EPT (original guest view) and Hooked EPT (modified view)
- **Dynamic EPT switching**: Switch between clean/hooked views on-demand
- **EPT violation handling**: Process and respond to SLAT violations
- **Per-page permissions**: Granular Read/Write/Execute control per 4KB page
- **SLAT cache flushing**: INVEPT/TLBFLUSH for all logical processors
#### Code Hooking via SLAT
- **Split-page execution hooking**: Execute-only permissions on original page, read from shadow page
- **Shadow page management**: Maintain modified code pages invisible to guest
- **Hook chain management**: Linked list of active SLAT hooks
- **Atomic hook installation**: Race-free hook setup
- **2MB page splitting**: Break large pages for granular hooking
#### Memory Hiding
- **Physical page hiding**: Make specific physical pages inaccessible to guest OS
- **Heap page concealment**: Hide hypervisor heap allocations from OS memory manager
- **Delayed hiding**: Strategic hiding after system stabilization (post-vmexit threshold)
- **MmPfnDatabase manipulation**: Zero out PFN entries to hide pages from Windows memory manager
### 5. Process Management
#### Process Discovery
- **PID-based process enumeration**: Walk EPROCESS linked list
- **Process base address resolution**: Locate process image base from EPROCESS
- **EPROCESS base retrieval**: Get kernel process structure address
- **PsInitialSystemProcess parsing**: Traverse from System process
#### Directory Base (CR3) Management
- **CR3 extraction**: Get page table base from EPROCESS
- **Kernel CR3 access**: System process directory base
- **Per-process CR3 tracking**: Individual process page tables
- **CR3 validation**: Verify directory base integrity
#### CR3 Caching System (Anti-Shuffling)
- **Opportunistic CR3 capture**: Sample CR3 on every VM-exit when target process in Ring 3
- **PID-based filtering**: Only cache when current PID matches target
- **Ring-level detection**: Verify Ring 3 execution via CS register
- **Statistics tracking**: Sample counts, hit rates, update frequency
- **Dynamic target switching**: Runtime PID target updates
- **CR3 shuffle mitigation**: Maintain valid CR3 despite kernel security randomization
### 6. Stealth Memory Injection System
#### Hidden Memory Allocation
- **Hypervisor-backed allocation**: Allocate memory invisible to OS
- **EPT remapping**: Map hypervisor physical pages to guest virtual addresses
- **PTE manipulation**: Modify guest page tables to establish mappings
- **Allocation tracking**: Linked list of hidden memory regions (GPA to HPA mapping)
#### Silent DLL Loading
- **DllMain invocation**: Execute DLL entry point from hypervisor context
- **Hidden memory hosting**: Load PE images into concealed memory regions
- **Import resolution**: Resolve and redirect IAT entries
- **Execution context setup**: Establish proper stack and register state
- **Return value handling**: Capture DllMain return status
### 7. Kernel Structure Analysis
#### ntoskrnl.exe Discovery
- **IDT-based kernel location**: Parse Interrupt Descriptor Table to find kernel handlers
- **2MB alignment scanning**: Search for PE headers at kernel alignment boundaries
- **MZ/PE signature validation**: Verify kernel image integrity
- **KPCR-based resolution**: Alternative kernel base discovery via processor control region
- **Export directory parsing**: Locate and parse kernel export table
#### Symbol Resolution
- **MmPfnDatabase location**: Pattern scanning in MmGetVirtualForPhysical
- **Export enumeration**: Parse PE export directory for function addresses
- **Pattern-based discovery**: Signature scanning for undocumented structures
- **Version-agnostic**: Works across multiple Windows versions (OS version detection included)
### 8. TPM Security Bypass
#### TPM Event l0g Spoofing
- **Boot measurements manipulation**: Modify TPM event logs during UEFI phase
- **Hash recalculation**: Recompute PE hashes for spoofed measurements
- **TCG protocol interception**: Hook TPM measurement protocols
- **tbi.dll discovery**: Locate and parse Trusted Boot Interface module
- **Runtime TPM query**: Expose TBI base address to usermode via hypercall
#### Secure Boot Evasion
- **Measurement filtering**: Selective TPM measurement blocking
- **Chain of trust manipulation**: Modify boot component measurements
- **UEFI protocol hooking**: Intercept security-critical UEFI protocols
### 9. Hypercall Interface (30+ Operations)
#### Memory Operations
- `read_guest_physical_memory` - Direct physical RAM access
- `write_guest_physical_memory` - Physical RAM modification
- `read_guest_virtual_memory` - Process virtual memory read
- `write_guest_virtual_memory` - Process virtual memory write
- `translate_guest_virtual_address` - VA to PA translation
#### SLAT Operations
- `add_slat_code_hook` - Install split-page execution hook
- `remove_slat_code_hook` - Remove EPT hook
- `hide_guest_physical_page` - Make physical page invisible
- `map_guest_physical_to_host_physical` - Custom EPT remapping
- `unmap_guest_physical` - Remove EPT mapping
#### Process Operations
- `get_process_base` - Get process image base from PID
- `get_process_cr3` - Extract CR3 from PID
- `get_process_eprocess_base` - Kernel structure address
- `dirbase_from_base_address` - Reverse CR3 lookup
#### Stealth Operations
- `allocate_hidden_memory` - Create invisible memory region
- `free_hidden_memory` - Release hidden allocation
- `call_dllmain_silently` - Execute DLL from hypervisor
- `hide_hypervisor_memory` - Zero MmPfnDatabase entries
- `restore_hypervisor_memory` - Restore PFN entries
#### CR3 Caching Operations
- `enable_cr3_caching` - Activate anti-shuffle system
- `disable_cr3_caching` - Deactivate caching
- `set_target_pid_for_cr3_caching` - Set monitored process
- `get_cached_cr3` - Retrieve cached directory base
- `get_cr3_cache_stats` - Performance statistics
#### System Information
- `get_ntoskrnl_base_from_kpcr` - Kernel base via IDT
- `get_system_process_cr3_from_kpcr` - System CR3
- `query_hypervisor_pfn_info` - Detailed PFN structure data
- `get_hypervisor_memory_info` - Memory layout information
- `test_export_discovery` - Symbol resolution testing
- `get_tbi_dll_info` / `get_tbi_dll_base` - TPM interface access
#### Debugging & Logging
- `flush_logs` - Retrieve hypervisor debug logs
- `log_current_state` - Capture register state snapshot
- `get_heap_free_page_count` - Heap statistics
### 10. Heap Management
- **Custom heap allocator**: Hypervisor-private heap implementation
- **Physical memory allocation**: Direct physical page allocation
- **Free page tracking**: Monitor available heap pages
- **Allocation statistics**: Heap usage metrics via hypercall
### 11. Interrupt & Exception Handling
- **NMI interception**: Non-maskable interrupt processing
- **IPI coordination**: Inter-processor interrupt synchronization
- **All-processor SLAT flushing**: Broadcast EPT invalidation via IPI
- **Interrupt injection passthrough**: Forward unhandled interrupts to original handler
### 12. Architectural Abstraction Layer
- **Intel/AMD unified interface**: Common API for both architectures
- **VMCS/VMCB access**: Vendor-specific VM control structure manipulation
- **Exit reason normalization**: Unified exit code handling
- **Instruction emulation**: RIP advancement, RSP modification
### 13. Logging & Diagnostics
- **Trap frame logging**: Capture full register state (RAX-R15, RIP, RSP, etc.)
- **Event timestamping**: Track hypervisor events
- **Ring-buffer l0g storage**: Circular buffer in hypervisor memory
- **Usermode l0g retrieval**: Flush logs via hypercall for analysis
- **Debug markers**: Structured logging with event codes
### 14. Runtime C/C++ Support
- **Freestanding C++ runtime**: Custom CRT for hypervisor environment
- **Memory operations**: Custom memcpy, memset, memmove
- **No OS dependencies**: Fully self-contained runtime
- **Constructor/destructor support**: Global object initialization
---
## Security Features
### Anti-Detection Mechanisms
- **Ring -1 execution**: Below kernel visibility
- **EPT-based hiding**: Memory invisible at hardware level
- **PFN zeroing**: Remove traces from Windows memory manager
- **Physical memory stealth**: Direct RAM access bypasses kernel hooks
- **Boot-time initialization**: Pre-OS execution avoids detection
- **VM-exit handler hooking**: Intercept hypervisor before OS sees events
### Anti-Anti-Cheat Capabilities
- **Physical read bypass**: Circumvent virtual memory hooks
- **CR3 shuffle resistance**: Maintain valid page tables despite randomization
- **Page table translation**: Manual walking avoids kernel APIs
- **Hypervisor-level injection**: DLL loading invisible to kernel
- **Hidden memory allocation**: Allocations not in VAD tree
### Forensic Resistance
- **No driver loading**: Zero kernel-mode drivers
- **No registry keys**: No persistent OS-level artifacts
- **No file system presence**: Operates purely from memory
- **MmPfnDatabase cleaning**: Remove physical memory evidence
- **TPM l0g spoofing**: Hide boot modifications from attestation
---
## Technical Specifications
### Performance Characteristics
- **VM-exit overhead**: ~1000 cycle latency per hypercall
- **Memory read throughput**: Limited by page table walks (~500ns per translation)
- **Translation caching**: Reduces repeated translation overhead
- **Delayed heap hiding**: Defer hiding until 10,000+ VM-exits for stability
### Memory Layout
- **Heap allocation**: Managed physical memory pool
- **Page granularity**: 4KB standard pages, 2MB large page support
- **UEFI boot image**: Separate boot component memory region
- **Hypervisor attachment**: Main hypervisor code and data
- **Shadow pages**: Dedicated storage for hooked code pages
### Supported Platforms
- **Intel**: VT-x with EPT (Extended Page Tables)
- **AMD**: AMD-V with NPT (Nested Page Tables)
- **Windows versions**: Version-agnostic kernel structure resolution
- **UEFI firmware**: Standard UEFI boot environments
### Limitations & Considerations
- **Single-processor focus**: Primary operations on current logical processor
- **IPI required for multi-core**: Cross-core operations need manual IPI
- **Delayed initialization**: Some features activate after vmexit threshold
- **Page boundary constraints**: Operations must respect 4KB alignment
- **Large page splitting**: Performance impact when splitting 2MB pages
---
## Use Cases
This hypervisor framework provides capabilities suitable for:
- **Security research**: Low-level Windows internals analysis
- **Anti-cheat development**: Understanding evasion techniques for defensive improvements
- **Kernel debugging**: Hardware-level system introspection
- **Memory forensics**: Physical memory analysis and manipulation
- **Virtualization research**: Nested hypervisor development
- **Boot process analysis**: UEFI and early Windows boot investigation
---
## Command-Line Interface
The usermode component provides an interactive shell for hypercall invocation and system control. Commands are
processed through a modular command handler supporting memory operations, process management, and diagnostic functions.
---
*Architecture: Intel VT-x / AMD-V*
*Delivery: UEFI Bootkit*
*Execution Level: Ring -1 (Hypervisor)*
.
