
hyperbone's Introduction

HyperBone

Minimalistic VT-X hypervisor with hooks

Features, all PG-compatible

  • Syscall hooks via MSR_LSTAR
  • Kernel inline hooks
  • Kernel page substitution
  • Kernel page EPT TLB splitting
  • MSR hooks
  • IDT hooks

Supported hardware

Intel processors with VT-x and EPT support

Supported platforms

Windows 7 - Windows 10, x64 only

License

HyperBone is licensed under the MIT License. Dependencies are under their respective licenses.

hyperbone's People

Contributors

darthton, dragonquesthero, saaramar, w3lld0ne

hyperbone's Issues

Bugcheck 139 Kernel Security Check Failed - On Driver Load

Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\Minidump\041419-5906-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 17134 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 17134.1.amd64fre.rs4_release.180410-1804
Machine Name:
Kernel base = 0xfffff80339aa9000 PsLoadedModuleList = 0xfffff80339e562b0
Debug session time: Sun Apr 14 02:40:38.798 2019 (UTC - 7:00)
System Uptime: 0 days 0:08:25.598
Loading Kernel Symbols
...............................................................
................................................................
................................................................
.............
Loading User Symbols
Loading unloaded module list
...........


*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 139, {2, ffff878a44436b80, ffff878a44436ad8, 0}

Probably caused by : ntkrnlmp.exe ( nt!KiFastFailDispatch+d0 )

Followup: MachineOwner

2: kd> !analyze -v


*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000002, Stack cookie instrumentation code detected a stack-based
buffer overrun.
Arg2: ffff878a44436b80, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffff878a44436ad8, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:

KEY_VALUES_STRING: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

DUMP_CLASS: 1

DUMP_QUALIFIER: 400

BUILD_VERSION_STRING: 17134.1.amd64fre.rs4_release.180410-1804

SYSTEM_MANUFACTURER: LENOVO

SYSTEM_PRODUCT_NAME: 20349

SYSTEM_SKU: LENOVO_MT_20349_BU_idea_FM_Lenovo Y50-70 Touch

SYSTEM_VERSION: Lenovo Y50-70 Touch

BIOS_VENDOR: LENOVO

BIOS_VERSION: 9ECN31WW(V1.14)

BIOS_DATE: 08/18/2014

BASEBOARD_MANUFACTURER: LENOVO

BASEBOARD_PRODUCT: Lenovo Y50-70 Touch

BASEBOARD_VERSION: 31900058WIN

DUMP_TYPE: 2

BUGCHECK_P1: 2

BUGCHECK_P2: ffff878a44436b80

BUGCHECK_P3: ffff878a44436ad8

BUGCHECK_P4: 0

TRAP_FRAME: ffff878a44436b80 -- (.trap 0xffff878a44436b80)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=0000000000000002
rdx=0000000049656e69 rsi=0000000000000000 rdi=0000000000000000
rip=ffff8b819cf04d55 rsp=ffff878a44436d18 rbp=ffffe0838b1250e0
r8=fffff80339e47724 r9=ffff878a44436ea0 r10=ffff8b81999ea180
r11=ffff8b819cf00000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po cy
ffff8b81`9cf04d55 cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: ffff878a44436ad8 -- (.exr 0xffff878a44436ad8)
ExceptionAddress: ffff8b819cf04d55
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000002
Subcode: 0x2 FAST_FAIL_STACK_COOKIE_CHECK_FAILURE

CPU_COUNT: 8

CPU_MHZ: 95a

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 3c

CPU_STEPPING: 3

CPU_MICROCODE: 6,3c,3,0 (F,M,S,R) SIG: 24'00000000 (cache) 24'00000000 (init)

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXPNP: 1 (!blackboxpnp)

CUSTOMER_CRASH_COUNT: 1

BUGCHECK_STR: 0x139

PROCESS_NAME: up we go.exe

CURRENT_IRQL: 2

DEFAULT_BUCKET_ID: FAIL_FAST_STACK_COOKIE_CHECK_FAILURE

WATSON_BKT_EVENT: BEX

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR: c0000409

EXCEPTION_PARAMETER1: 0000000000000002

ANALYSIS_SESSION_HOST: DESKTOP-3HJM5HP

ANALYSIS_SESSION_TIME: 04-14-2019 02:48:32.0278

ANALYSIS_VERSION: 10.0.17763.132 amd64fre

LAST_CONTROL_TRANSFER: from fffff80339c63c69 to fffff80339c530a0

STACK_TEXT:
ffff878a44436858 fffff80339c63c69 : 0000000000000139 0000000000000002 ffff878a44436b80 ffff878a44436ad8 : nt!KeBugCheckEx
ffff878a44436860 fffff80339c64010 : ffff46654ce2e06a ffffb000031f4940 0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69
ffff878a444369a0 fffff80339c6261f : 0000000000000040 fffff80339b7b2c5 0000000000000000 0000000000000017 : nt!KiFastFailDispatch+0xd0
ffff878a44436b80 ffff8b819cf04d55 : ffff8b819cf0462e 0000000000000000 ffffe0838143c460 ffff8b819cf00000 : nt!KiRaiseSecurityCheckFailure+0x2df
ffff878a44436d18 ffff8b819cf0462e : 0000000000000000 ffffe0838143c460 ffff8b819cf00000 ffff878a44436e00 : 0xffff8b819cf04d55
ffff878a44436d20 0000000000000000 : ffffe0838143c460 ffff8b819cf00000 ffff878a44436e00 ffff8b819cf153bc : 0xffff8b819cf0462e

THREAD_SHA1_HASH_MOD_FUNC: da1f3aee58c4d73777c93ef6d05f8b830ba4b7c1

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: ae171d8207eeb0359550e0c744f2ee4a0d83dcd0

THREAD_SHA1_HASH_MOD: d084f7dfa548ce4e51810e4fd5914176ebc66791

FOLLOWUP_IP:
nt!KiFastFailDispatch+d0
fffff803`39c64010 c644242000 mov byte ptr [rsp+20h],0

FAULT_INSTR_CODE: 202444c6

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: nt!KiFastFailDispatch+d0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 5ca31432

IMAGE_VERSION: 10.0.17134.706

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: d0

FAILURE_BUCKET_ID: 0x139_MISSING_GSFRAME_nt!KiFastFailDispatch

BUCKET_ID: 0x139_MISSING_GSFRAME_nt!KiFastFailDispatch

PRIMARY_PROBLEM_CLASS: 0x139_MISSING_GSFRAME_nt!KiFastFailDispatch

TARGET_TIME: 2019-04-14T09:40:38.000Z

OSBUILD: 17134

OSSERVICEPACK: 706

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 784

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS Personal

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2019-04-02 00:50:10

BUILDDATESTAMP_STR: 180410-1804

BUILDLAB_STR: rs4_release

BUILDOSVER_STR: 10.0.17134.1.amd64fre.rs4_release.180410-1804

ANALYSIS_SESSION_ELAPSED_TIME: 29de

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x139_missing_gsframe_nt!kifastfaildispatch

FAILURE_ID_HASH: {1971a9b0-b7ec-89bf-0a51-10ac52818da5}

Followup: MachineOwner

Bugcheck 1E On call to StartHv()

edit: fixed 1E bugcheck, this is a different one...

I am not running the tests, purely just attempting to virtualize each CPU, so I removed the Test files. HyperBone is manually mapped into the system and all the imports are resolved properly, which is why the log says 'Unknown Module' instead of "Hyperbone.sys".

I do not have SEH enabled; I see that you are using __try/__except for unhandled exceptions, but only in UtilKernelBase and UtilSearchPattern. The call to UtilKernelBase is fine, and I never call UtilSearchPattern as I'm not setting any hooks.

Microsoft (R) Windows Debugger Version 10.0.18317.1001 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\MEMORY.DMP]
Could not open dump file [C:\Windows\MEMORY.DMP], Win32 error 0n2
"The system cannot find the file specified."

Microsoft (R) Windows Debugger Version 10.0.18317.1001 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\Minidump\041419-6953-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 17134 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 17134.1.amd64fre.rs4_release.180410-1804
Machine Name:
Kernel base = 0xfffff80384e92000 PsLoadedModuleList = 0xfffff8038523f2b0
Debug session time: Sun Apr 14 14:24:51.641 2019 (UTC - 7:00)
System Uptime: 0 days 0:10:19.437
Loading Kernel Symbols
...............................................................
................................................................
................................................................
..............
Loading User Symbols
Loading unloaded module list
........
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff8038503c0a0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffcf8139dd5bd0=0000000000000133
5: kd> !analyze -v


*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DPC_WATCHDOG_VIOLATION (133)
The DPC watchdog detected a prolonged run time at an IRQL of DISPATCH_LEVEL
or above.
Arguments:
Arg1: 0000000000000000, A single DPC or ISR exceeded its time allotment. The offending
component can usually be identified with a stack trace.
Arg2: 0000000000000501, The DPC time count (in ticks).
Arg3: 0000000000000500, The DPC time allotment (in ticks).
Arg4: fffff803852de378, cast to nt!DPC_WATCHDOG_GLOBAL_TRIAGE_BLOCK, which contains
additional information regarding this single DPC timeout

Debugging Details:




*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***


*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***


*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***


*** Type referenced: TickPeriods ***



*** WARNING: Unable to verify checksum for win32k.sys

KEY_VALUES_STRING: 1

PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

DUMP_CLASS: 1

DUMP_QUALIFIER: 400

BUILD_VERSION_STRING: 17134.1.amd64fre.rs4_release.180410-1804

SYSTEM_MANUFACTURER: LENOVO

SYSTEM_PRODUCT_NAME: 20349

SYSTEM_SKU: LENOVO_MT_20349_BU_idea_FM_Lenovo Y50-70 Touch

SYSTEM_VERSION: Lenovo Y50-70 Touch

BIOS_VENDOR: LENOVO

BIOS_VERSION: 9ECN31WW(V1.14)

BIOS_DATE: 08/18/2014

BASEBOARD_MANUFACTURER: LENOVO

BASEBOARD_PRODUCT: Lenovo Y50-70 Touch

BASEBOARD_VERSION: 31900058WIN

DUMP_TYPE: 2

BUGCHECK_P1: 0

BUGCHECK_P2: 501

BUGCHECK_P3: 500

BUGCHECK_P4: fffff803852de378

DPC_TIMEOUT_TYPE: SINGLE_DPC_TIMEOUT_EXCEEDED

CPU_COUNT: 8

CPU_MHZ: 95a

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 3c

CPU_STEPPING: 3

CPU_MICROCODE: 6,3c,3,0 (F,M,S,R) SIG: 24'00000000 (cache) 24'00000000 (init)

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXPNP: 1 (!blackboxpnp)

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: 0x133

PROCESS_NAME: System

CURRENT_IRQL: d

ANALYSIS_SESSION_HOST: DESKTOP-3HJM5HP

ANALYSIS_SESSION_TIME: 04-14-2019 14:27:17.0775

ANALYSIS_VERSION: 10.0.18317.1001 amd64fre

LAST_CONTROL_TRANSFER: from fffff803850670f7 to fffff8038503c0a0

STACK_TEXT:
ffffcf8139dd5bc8 fffff803850670f7 : 0000000000000133 0000000000000000 0000000000000501 0000000000000500 : nt!KeBugCheckEx
ffffcf8139dd5bd0 fffff80384ed43ba : 0000015b94731e7a ffffcf8139db9180 0000000000000282 0000000000000000 : nt!KeAccumulateTicks+0x1903f7
ffffcf8139dd5c30 fffff80384e0951b : 0000015b9472f302 00000000052f5008 0000000000000000 ffffe40ea2501a00 : nt!KeClockInterruptNotify+0x9da
ffffcf8139dd5f40 fffff80384f99a65 : ffffe40ea2501a00 ffffa88030261b50 fffffb0006fcad40 fffff80385260080 : hal!HalpTimerClockIpiRoutine+0x1b
ffffcf8139dd5f70 fffff8038503d95a : ffffa88030261310 ffffe40ea2501a00 0000000000100000 fffffb0006e470e0 : nt!KiCallInterruptServiceRoutine+0xa5
ffffcf8139dd5fb0 fffff8038503de47 : 000000000024e00d 012e13a8fffffff8 0000000000000000 0000000000000000 : nt!KiInterruptSubDispatchNoLockNoEtw+0xea
ffffa88030261290 fffff80384f45fea : 0000000000000000 ffffa88030261520 0000000008100008 fffff80384ed8461 : nt!KiInterruptDispatchNoLockNoEtw+0x37
ffffa88030261420 fffff80384f6495b : 0000007f00000000 ffffe267c0a24fb0 ffffcf81449db000 ffffcf81449db690 : nt!MiFindContiguousPages+0x25a
ffffa880302615d0 fffff80384f6477d : 3032303700000200 0000000000001000 0000000fffffffff 3431433000000000 : nt!MiAllocateContiguousMemory+0x1cb
ffffa88030261680 fffff803850184c1 : ffffa880302617a0 0000000000074c00 ffffe267c0a24fb0 ffffe27133e05120 : nt!MmAllocateContiguousNodeMemory+0x8d
ffffa880302616d0 fffff80385018479 : ffffffffffffffd2 ffffcf813d6840b7 0000000000000010 0000000000000206 : nt!MmAllocateContiguousMemorySpecifyCacheNode+0x31
ffffa88030261710 ffffcf813d6815e4 : 0000000000000001 fffff80384eb0733 ffffcf814434e7f8 ffffcf81449f6000 : nt!MmAllocateContiguousMemorySpecifyCache+0x19
ffffa88030261750 0000000000000001 : fffff80384eb0733 ffffcf814434e7f8 ffffcf81449f6000 0000000200000000 : 0xffffcf813d6815e4
ffffa88030261758 fffff80384eb0733 : ffffcf814434e7f8 ffffcf81449f6000 0000000200000000 0000000000000206 : 0x1
ffffa88030261760 ffffcf813d681461 : ffffcf814434e800 0000000000220000 ffffcf814434e000 0000000000000001 : nt!MmGetPhysicalAddress+0x13
ffffa88030261790 ffffcf814434e800 : 0000000000220000 ffffcf814434e000 0000000000000001 0000000000220000 : 0xffffcf813d681461
ffffa88030261798 0000000000220000 : ffffcf814434e000 0000000000000001 0000000000220000 0000000000220000 : 0xffffcf814434e800
ffffa880302617a0 ffffcf814434e000 : 0000000000000001 0000000000220000 0000000000220000 ffffe40ea36a7808 : 0x220000
ffffa880302617a8 0000000000000001 : 0000000000220000 0000000000220000 ffffe40ea36a7808 ffffcf813d681794 : 0xffffcf814434e000
ffffa880302617b0 0000000000220000 : 0000000000220000 ffffe40ea36a7808 ffffcf813d681794 0000000000000200 : 0x1
ffffa880302617b8 0000000000220000 : ffffe40ea36a7808 ffffcf813d681794 0000000000000200 ffffcf813d03f000 : 0x220000
ffffa880302617c0 ffffe40ea36a7808 : ffffcf813d681794 0000000000000200 ffffcf813d03f000 000000000003f600 : 0x220000
ffffa880302617c8 ffffcf813d681794 : 0000000000000200 ffffcf813d03f000 000000000003f600 0000000000000005 : 0xffffe40ea36a7808
ffffa880302617d0 0000000000000200 : ffffcf813d03f000 000000000003f600 0000000000000005 ffffe40ea36a7107 : 0xffffcf813d681794
ffffa880302617d8 ffffcf813d03f000 : 000000000003f600 0000000000000005 ffffe40ea36a7107 0000000000220000 : 0x200
ffffa880302617e0 000000000003f600 : 0000000000000005 ffffe40ea36a7107 0000000000220000 0000000200000200 : 0xffffcf813d03f000
ffffa880302617e8 0000000000000005 : ffffe40ea36a7107 0000000000220000 0000000200000200 ffffe40ea36a71a0 : 0x3f600
ffffa880302617f0 ffffe40ea36a7107 : 0000000000220000 0000000200000200 ffffe40ea36a71a0 0000000000000001 : 0x5
ffffa880302617f8 0000000000220000 : 0000000200000200 ffffe40ea36a71a0 0000000000000001 ffffa88030261b20 : 0xffffe40ea36a7107
ffffa88030261800 0000000200000200 : ffffe40ea36a71a0 0000000000000001 ffffa88030261b20 0000000000006000 : 0x220000
ffffa88030261808 ffffe40ea36a71a0 : 0000000000000001 ffffa88030261b20 0000000000006000 ffffcf813d681286 : 0x0000000200000200
ffffa88030261810 0000000000000001 : ffffa88030261b20 0000000000006000 ffffcf813d681286 ffffe40ea36a7808 : 0xffffe40ea36a71a0
ffffa88030261818 ffffa88030261b20 : 0000000000006000 ffffcf813d681286 ffffe40ea36a7808 ffffa88030261a10 : 0x1
ffffa88030261820 0000000000006000 : ffffcf813d681286 ffffe40ea36a7808 ffffa88030261a10 ffffe40ea36a71a0 : 0xffffa88030261b20
ffffa88030261828 ffffcf813d681286 : ffffe40ea36a7808 ffffa88030261a10 ffffe40ea36a71a0 ffffe40ea36a7808 : 0x6000
ffffa88030261830 ffffe40ea36a7808 : ffffa88030261a10 ffffe40ea36a71a0 ffffe40ea36a7808 ffffe40ea36a7808 : 0xffffcf813d681286
ffffa88030261838 ffffa88030261a10 : ffffe40ea36a71a0 ffffe40ea36a7808 ffffe40ea36a7808 ffffcf813d682572 : 0xffffe40ea36a7808
ffffa88030261840 ffffe40ea36a71a0 : ffffe40ea36a7808 ffffe40ea36a7808 ffffcf813d682572 ffffffffffffffff : 0xffffa88030261a10
ffffa88030261848 ffffe40ea36a7808 : ffffe40ea36a7808 ffffcf813d682572 ffffffffffffffff ffffe40ea36a71a0 : 0xffffe40ea36a71a0
ffffa88030261850 ffffe40ea36a7808 : ffffcf813d682572 ffffffffffffffff ffffe40ea36a71a0 0000000000001000 : 0xffffe40ea36a7808
ffffa88030261858 ffffcf813d682572 : ffffffffffffffff ffffe40ea36a71a0 0000000000001000 ffffa88030261b20 : 0xffffe40ea36a7808
ffffa88030261860 ffffffffffffffff : ffffe40ea36a71a0 0000000000001000 ffffa88030261b20 0000001000001000 : 0xffffcf813d682572
ffffa88030261868 ffffe40ea36a71a0 : 0000000000001000 ffffa88030261b20 0000001000001000 ffffe40ea9c55748 : 0xffffffffffffffff
ffffa88030261870 0000000000001000 : ffffa88030261b20 0000001000001000 ffffe40ea9c55748 0000000000000000 : 0xffffe40ea36a71a0
ffffa88030261878 ffffa88030261b20 : 0000001000001000 ffffe40ea9c55748 0000000000000000 ffffcf813d681db0 : 0x1000
ffffa88030261880 0000001000001000 : ffffe40ea9c55748 0000000000000000 ffffcf813d681db0 ffffe40ea36a71a0 : 0xffffa88030261b20
ffffa88030261888 ffffe40ea9c55748 : 0000000000000000 ffffcf813d681db0 ffffe40ea36a71a0 ffffa880348229d0 : 0x0000001000001000
ffffa88030261890 0000000000000000 : ffffcf813d681db0 ffffe40ea36a71a0 ffffa880348229d0 00000000001ad002 : 0xffffe40e`a9c55748

THREAD_SHA1_HASH_MOD_FUNC: b61f6390c98229687b65418b88421ef4a52369bb

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: a39f3b870a29025524265824a6eedad5e5609aba

THREAD_SHA1_HASH_MOD: d5e908d356bf8d04aac79332806776dc287dfa54

FOLLOWUP_IP:
nt!KeAccumulateTicks+1903f7
fffff803`850670f7 cc int 3

FAULT_INSTR_CODE: f68445cc

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!KeAccumulateTicks+1903f7

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 5ca31432

IMAGE_VERSION: 10.0.17134.706

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 1903f7

FAILURE_BUCKET_ID: 0x133_DPC_nt!KeAccumulateTicks

BUCKET_ID: 0x133_DPC_nt!KeAccumulateTicks

PRIMARY_PROBLEM_CLASS: 0x133_DPC_nt!KeAccumulateTicks

TARGET_TIME: 2019-04-14T21:24:51.000Z

OSBUILD: 17134

OSSERVICEPACK: 706

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 784

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS Personal

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2019-04-02 00:50:10

BUILDDATESTAMP_STR: 180410-1804

BUILDLAB_STR: rs4_release

BUILDOSVER_STR: 10.0.17134.1.amd64fre.rs4_release.180410-1804

ANALYSIS_SESSION_ELAPSED_TIME: 434f

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x133_dpc_nt!keaccumulateticks

FAILURE_ID_HASH: {88dc98ce-f842-4daa-98d0-858621db6b0f}

Followup: MachineOwner

CRASH on PHRestore

If I hook ntcreatethread and ntcreateprocess using PHHook, then while unhooking, BugCheck 19 occurs, which says memory is already corrupt.

Following is the WinDbg output, which shows that the PFN and PTE entries for both functions are the same:
2: kd> !pte nt!ntcreateprocess
VA fffff8037a4b90a0
PXE at FFFFF6FB7DBEDF80 PPE at FFFFF6FB7DBF0068 PDE at FFFFF6FB7E00DE90 PTE at FFFFF6FC01BD25C8
contains 0000000000704063 contains 0000000000705063 contains 000000013BA009E3 contains 0000000000000000
pfn 704 ---DA--KWEV pfn 705 ---DA--KWEV pfn 13ba00 -GLDA--KWEV LARGE PAGE pfn 13bab9

2: kd> !pte nt!ntcreatethread
VA fffff8037a4b911c
PXE at FFFFF6FB7DBEDF80 PPE at FFFFF6FB7DBF0068 PDE at FFFFF6FB7E00DE90 PTE at FFFFF6FC01BD25C8
contains 0000000000704063 contains 0000000000705063 contains 000000013BA009E3 contains 0000000000000000
pfn 704 ---DA--KWEV pfn 705 ---DA--KWEV pfn 13ba00 -GLDA--KWEV LARGE PAGE pfn 13bab9

What can we do to resolve this scenario?
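One way to see this collision before it happens, as an added example that is not part of the issue or of HyperBone: parse the two !pte dumps above, recompute the backing frame from the PDE, and group hook targets by the page they resolve to. Both VAs fall in one 2 MB large page (and even in the same 4 KB page), so a hook manager has to keep one shadow copy and one restore per page rather than one per hook; the parsing and the page-key arithmetic are this example's own.

```python
import re

# Constructed from the two !pte dumps quoted in the issue above.
PTE_OUTPUT = """\
2: kd> !pte nt!ntcreateprocess
VA fffff8037a4b90a0
PXE at FFFFF6FB7DBEDF80 PPE at FFFFF6FB7DBF0068 PDE at FFFFF6FB7E00DE90 PTE at FFFFF6FC01BD25C8
contains 0000000000704063 contains 0000000000705063 contains 000000013BA009E3 contains 0000000000000000
pfn 704 ---DA--KWEV pfn 705 ---DA--KWEV pfn 13ba00 -GLDA--KWEV LARGE PAGE pfn 13bab9

2: kd> !pte nt!ntcreatethread
VA fffff8037a4b911c
PXE at FFFFF6FB7DBEDF80 PPE at FFFFF6FB7DBF0068 PDE at FFFFF6FB7E00DE90 PTE at FFFFF6FC01BD25C8
contains 0000000000704063 contains 0000000000705063 contains 000000013BA009E3 contains 0000000000000000
pfn 704 ---DA--KWEV pfn 705 ---DA--KWEV pfn 13ba00 -GLDA--KWEV LARGE PAGE pfn 13bab9
"""

PAGE_4K_SHIFT = 12
PAGE_2M_SHIFT = 21
PDE_PS_BIT = 1 << 7          # Page Size bit: the PDE itself maps a 2 MB page
PFN_MASK = (1 << 40) - 1     # physical address bits 51:12 of a paging entry


def parse_pte_output(text):
    """Split WinDbg !pte output into one record per queried symbol."""
    records = []
    for block in re.split(r"(?m)^\S+ kd> !pte ", text.strip()):
        if not block.strip():
            continue
        lines = block.strip().splitlines()
        contains = re.findall(r"contains ([0-9A-Fa-f]{16})", block)
        pde_val = int(contains[2], 16)       # printed in PXE, PPE, PDE, PTE order
        records.append({
            "symbol": lines[0].strip(),
            "va": int(re.search(r"(?m)^VA ([0-9a-fA-F]+)", block).group(1), 16),
            "pde": int(re.search(r"PDE at ([0-9A-Fa-f]+)", block).group(1), 16),
            "pte": int(re.search(r"PTE at ([0-9A-Fa-f]+)", block).group(1), 16),
            "pde_val": pde_val,
            # WinDbg prints LARGE PAGE when the PDE's PS bit is set; require both.
            "large": ("LARGE PAGE" in block) and bool(pde_val & PDE_PS_BIT),
            # The last pfn WinDbg prints is the 4 KB frame that backs the VA.
            "pfn": int(re.findall(r"pfn ([0-9a-fA-F]+)", block)[-1], 16),
        })
    return records


def backing_pfn(rec):
    """Recompute the 4 KB frame behind a VA inside a 2 MB large page:
    the PDE's base frame plus the VA's 4 KB index within the 2 MB region."""
    if not rec["large"]:
        raise ValueError("only meaningful for large-page mappings")
    base = (rec["pde_val"] >> PAGE_4K_SHIFT) & PFN_MASK
    return base + ((rec["va"] & ((1 << PAGE_2M_SHIFT) - 1)) >> PAGE_4K_SHIFT)


def page_key(rec):
    """Identity of the page a hook on this VA would substitute: the leaf
    paging entry (PDE for a large page, else PTE) and the page number."""
    shift = PAGE_2M_SHIFT if rec["large"] else PAGE_4K_SHIFT
    leaf = rec["pde"] if rec["large"] else rec["pte"]
    return (leaf, rec["va"] >> shift)


def find_shared_pages(records):
    """Group hook targets that resolve to one page. Each group with more
    than one member needs a single shared shadow copy and a single restore;
    restoring once per hook would restore the same page twice."""
    groups = {}
    for rec in records:
        groups.setdefault(page_key(rec), []).append(rec["symbol"])
    return {key: syms for key, syms in groups.items() if len(syms) > 1}


def same_4k_page(va_a, va_b):
    """True when two VAs share even a 4 KB page (stricter than the 2 MB check)."""
    return (va_a >> PAGE_4K_SHIFT) == (va_b >> PAGE_4K_SHIFT)


if __name__ == "__main__":
    recs = parse_pte_output(PTE_OUTPUT)
    for rec in recs:
        print(f"{rec['symbol']}: VA {rec['va']:x}, large={rec['large']}, "
              f"pfn {rec['pfn']:x} (recomputed {backing_pfn(rec):x})")
    for key, syms in find_shared_pages(recs).items():
        print(f"hooks sharing one page (leaf entry {key[0]:x}): {', '.join(syms)}")
    print("same 4 KB page:", same_4k_page(recs[0]["va"], recs[1]["va"]))
```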

Kernel Security Check Failure - On Driver Load

Microsoft (R) Windows Debugger Version 10.0.18317.1001 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is:


THIS DUMP FILE IS PARTIALLY CORRUPT.
KdDebuggerDataBlock is not present or unreadable.


Unable to read PsLoadedModuleList


THIS DUMP FILE IS PARTIALLY CORRUPT.
KdDebuggerDataBlock is not present or unreadable.


KdDebuggerData.KernBase < SystemRangeStart
Windows 10 Kernel Version 17134 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Machine Name:
Kernel base = 0x0000000000000000 PsLoadedModuleList = 0xfffff80322a432b0
Debug session time: Sat Apr 13 00:43:33.573 2019 (UTC - 7:00)
System Uptime: 0 days 2:35:34.378


THIS DUMP FILE IS PARTIALLY CORRUPT.
KdDebuggerDataBlock is not present or unreadable.


Unable to read PsLoadedModuleList


THIS DUMP FILE IS PARTIALLY CORRUPT.
KdDebuggerDataBlock is not present or unreadable.


KdDebuggerData.KernBase < SystemRangeStart
Loading Kernel Symbols
Unable to read PsLoadedModuleList
GetContextState failed, 0xD0000147
CS descriptor lookup failed
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
For analysis of this file, run !analyze -v
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147

KiSystemServiceCopyEnd Sig

I am currently developing my own hypervisor with reference to HyperBone; this is the problem I found in the HyperBone source code.
For anyone who wants to update this source:
//win7 : F7 05 ?? ?? ?? ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 41 FF D2
//win10_1809: F7 05 ?? ?? ?? ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? F7 05 ?? ?? ?? ?? 40
Thanks, this good learning source saved me a lot of time :)
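The two signatures above share their first 16 bytes and differ only in the tail, so a matcher has to compare the full pattern length and treat more than one hit as a failure rather than taking the first. The masked-pattern matcher below is an added example, not HyperBone's UtilSearchPattern; it runs both published signatures over a constructed byte buffer (SAMPLE_1809 is made up for the example).

```python
# The two signatures quoted in the issue; "??" is a wildcard byte.
WIN7_SIG = "F7 05 ?? ?? ?? ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 41 FF D2"
WIN10_1809_SIG = "F7 05 ?? ?? ?? ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? F7 05 ?? ?? ?? ?? 40"


def parse_signature(sig):
    """'F7 05 ?? 40' -> [0xF7, 0x05, None, 0x40]; None matches any byte."""
    pattern = []
    for tok in sig.split():
        if tok == "??":
            pattern.append(None)
        elif len(tok) == 2:
            pattern.append(int(tok, 16))
        else:
            raise ValueError(f"bad signature token {tok!r}")
    if not pattern or pattern[0] is None:
        raise ValueError("signature must start with a concrete byte")
    return pattern


def find_all(buf, pattern):
    """Every offset in buf where the full pattern matches."""
    hits = []
    first = bytes([pattern[0]])
    n = len(pattern)
    i = buf.find(first)
    # Later occurrences of the first byte only move right, so once a window
    # would run past the end of the buffer no further match is possible.
    while i != -1 and i + n <= len(buf):
        window = buf[i:i + n]
        if all(p is None or p == b for p, b in zip(pattern, window)):
            hits.append(i)
        i = buf.find(first, i + 1)
    return hits


def find_unique(buf, pattern):
    """Offset of the single match, or None for zero or several matches.
    A signature that matches more than once is ambiguous and must not be
    used to derive an address; silently taking the first hit picks one at random."""
    hits = find_all(buf, pattern)
    return hits[0] if len(hits) == 1 else None


def classify(buf):
    """Report which of the two published signatures a byte sequence matches."""
    return {name: find_unique(buf, parse_signature(sig))
            for name, sig in (("win7", WIN7_SIG), ("win10_1809", WIN10_1809_SIG))}


# Constructed sample: five filler bytes, then a 23-byte sequence shaped like the
# win10_1809 signature (wildcard positions filled with arbitrary values), then RET.
SAMPLE_1809 = bytes.fromhex(
    "90 90 90 90 90"                  # filler
    "F7 05 11 22 33 44 55 66 77 88"   # F7 05 + 8 wildcard bytes
    "0F 85 AA BB CC DD"               # 0F 85 + 4 wildcard bytes
    "F7 05 01 02 03 04 40"            # second F7 05 + 4 wildcard bytes + 40
    "C3"
)

if __name__ == "__main__":
    print(classify(SAMPLE_1809))                    # {'win7': None, 'win10_1809': 5}
    doubled = SAMPLE_1809 + SAMPLE_1809             # two hits: ambiguous, rejected
    print(find_unique(doubled, parse_signature(WIN10_1809_SIG)))
```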

Run in VMware will be fail and BSOD

hi.

When I run it in VMware it fails and BSODs.

I think this problem appears in the inline *IntelRestoreCPU* function when *StartHV* fails.

Because if StartHV fails, StopHV still has to run, but VMX was never started.

Vcpu->VmxState should be changed to VMX_STATE_OFF when __vmx_vmlaunch fails in VmxSubvertCPU.

So I added the code in VmxSubvertCPU like this:

    // Setup various VMCS fields by VmxSetupVmcs. This will cause the
    // processor to jump to the return address of RtlCaptureContext in
    // VmxInitializeCPU, which called us.
    InterlockedIncrement( &g_Data->vcpus );
    int res = __vmx_vmlaunch();
    InterlockedDecrement( &g_Data->vcpus );

    // Execution only reaches this point if vmlaunch failed: mark the VCPU
    // as not virtualized so the restore path does not tear down VMX that
    // was never entered.
    Vcpu->VmxState = VMX_STATE_OFF;

StartHV in VMware will still fail, but without a BSOD.

Kernel security check failure - on load

Trying to test in VMware 14 on Windows 10 1709, I get a "Kernel security check" failure, which I believe may be PatchGuard causing the crash?? Rebooted and tried twice; it happens every time.

What does this project produce as a binary?

An executable? A driver? How to install it? Should it be signed to be usable on 64-bit Windows 7+? Can it work with Microsoft Hyper-Visor activated? And so on...

I think README.md should be more informative about how to use this project and its constraints.

[QUESTION] Controller

Hey,

is there a way to control the HyperVisor from a user program or do you plan to implement one?

DPC_WATCHDOG_VIOLATION

DPC_WATCHDOG_VIOLATION ISSUE
I have an Intel Core i7 6700HQ supporting VT-x and EPT, with the driver signed, but it still BSODs with DPC_WATCHDOG_VIOLATION. How can I fix this?

Performance Issue

Hey!

I experience a 50% loss of FPS in games like PUBG, H1Z1 and CSGO.
Do you have any suggestions how to improve the performance?

I already integrated SimpleVisor's MTRR implementation, which sets the right memory type for EPT entries. (https://github.com/ionescu007/SimpleVisor/blob/master/shvvmx.c Line 26)

I also thought about using 2MB Pages instead of 4KB to improve the overall performance.

NMI_HARDWARE_FAILURE - On Driver Load

minidump

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

NMI_HARDWARE_FAILURE (80)
This is typically due to a hardware malfunction.  The hardware supplier should
be called.
Arguments:
Arg1: 00000000004f4454
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 3

    Key  : Analysis.Elapsed.Sec
    Value: 15

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 66


PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1


DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING:  18890.1000.amd64fre.rs_prerelease.190426-1618

SYSTEM_MANUFACTURER:  System manufacturer

SYSTEM_PRODUCT_NAME:  System Product Name

SYSTEM_SKU:  SKU

SYSTEM_VERSION:  System Version

BIOS_VENDOR:  American Megatrends Inc.

BIOS_VERSION:  3805

BIOS_DATE:  05/16/2018

BASEBOARD_MANUFACTURER:  ASUSTeK COMPUTER INC.

BASEBOARD_PRODUCT:  Z170-P

BASEBOARD_VERSION:  Rev X.0x

DUMP_TYPE:  1

BUGCHECK_P1: 4f4454

BUGCHECK_P2: 0

BUGCHECK_P3: 0

BUGCHECK_P4: 0

CPU_COUNT: 4

CPU_MHZ: fa8

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 5e

CPU_STEPPING: 3

CPU_MICROCODE: 6,5e,3,0 (F,M,S,R)  SIG: C6'00000000 (cache) C6'00000000 (init)

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  0x80

PROCESS_NAME:  System

CURRENT_IRQL:  d

ANALYSIS_SESSION_HOST:  DESKTOP-LG854SK

ANALYSIS_SESSION_TIME:  05-04-2019 19:09:56.0245

ANALYSIS_VERSION: 10.0.18869.1002 amd64fre

TRAP_FRAME:  fffff80060a4a580 -- (.trap 0xfffff80060a4a580)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=ffffffff80000034 rsp=ffffffff80000040 rbp=ffffffff8000002c
 r8=0000000000000000  r9=0000000000000000 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up di pl nz ac po nc
0038:0034 ??              ???
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff800604203c9 to fffff800603cba40

STACK_TEXT:  
ffffca01`2e1b9b08 fffff800`604203c9 : 00000000`00000133 00000000`00000000 00000000`00000501 00000000`00000500 : nt!KeBugCheckEx
ffffca01`2e1b9b10 fffff800`60283911 : 00008fe8`ff8e191b 00000000`00000000 fffff588`ca84ee00 00000000`00000000 : nt!KeAccumulateTicks+0x19dff9
ffffca01`2e1b9b70 fffff800`6104b232 : 00008fe8`ff8de9ef fffff588`ca84edd0 fffff588`ca84ee50 00000000`00000002 : nt!KeClockInterruptNotify+0x6c1
ffffca01`2e1b9f30 fffff800`60208145 : 000000cf`c57e2b51 ffffe106`b78d0b00 ffffe106`b78d0bb0 ffff248a`9a28ba37 : hal!HalpTimerClockInterrupt+0xf2
ffffca01`2e1b9f60 fffff800`603cd49a : fffff588`ca84ee50 ffffe106`b78d0b00 00000000`08100008 00000000`00000000 : nt!KiCallInterruptServiceRoutine+0xa5
ffffca01`2e1b9fb0 fffff800`603cd9e7 : 00000000`00000020 fffff800`60a4b948 00000000`0000914f 00000000`00000000 : nt!KiInterruptSubDispatchNoLockNoEtw+0xfa
fffff588`ca84edd0 fffff800`6022fe3b : fffff800`6022fb61 ffff9780`17fd1aa0 fffff800`60a4a580 00000000`00000000 : nt!KiInterruptDispatchNoLockNoEtw+0x37
fffff588`ca84ef68 fffff800`6022fb61 : ffff9780`17fd1aa0 fffff800`60a4a580 00000000`00000000 ffff9780`17fd1ad0 : nt!MiPfnLargeBitSet+0x2b
fffff588`ca84ef70 fffff800`6022f6eb : 00000000`00000000 fffff588`ca84f0c0 00000000`007ff08d 00000000`00000002 : nt!MiPfnsWorthTrying+0x101
fffff588`ca84efc0 fffff800`602f779e : 00000000`00000000 00000000`00989680 00000000`00000000 00000000`00001000 : nt!MiFindContiguousPages+0x2db
fffff588`ca84f170 fffff800`602f7569 : 8bd98b00`07e2cde8 89ec7589`fe8b0875 00000000`00000000 fffff800`60946395 : nt!MiAllocateContiguousMemory+0x222
fffff588`ca84f2f0 fffff800`6094c1ff : ffffffff`ffffffff 00000000`00000000 00000000`003ef000 ffffb4da`72805000 : nt!MmAllocateContiguousNodeMemory+0x89
fffff588`ca84f340 fffff802`4c9e19d2 : ffffca01`2e243240 fffff588`ca84f8f0 ffffca01`2e240180 fffff588`ca84f3e8 : nt!VerifierMmAllocateContiguousMemorySpecifyCache+0xbf
fffff588`ca84f390 fffff802`4c9e17ee : ffffe106`cf021aa8 ffffca01`41b14001 00000007`00000000 00000000`003ef000 : HyperBone!EptpAllocatePage+0x82 [C:\Users\bruker1\Documents\GitHub\HyperBone-master\src\Arch\Intel\EPT.c @ 108] 
fffff588`ca84f400 fffff802`4c9e192c : ffffe106`cf021aa8 ffffca01`40ff8000 00000007`00000001 00000000`003ef200 : HyperBone!EptUpdateTableRecursive+0x2ee [C:\Users\bruker1\Documents\GitHub\HyperBone-master\src\Arch\Intel\EPT.c @ 204] 
fffff588`ca84f4b0 fffff802`4c9e192c : ffffe106`cf021aa8 ffffca01`3193b000 00000008`00000002 00000000`003ef200 : HyperBone!EptUpdateTableRecursive+0x42c [C:\Users\bruker1\Documents\GitHub\HyperBone-master\src\Arch\Intel\EPT.c @ 221] 
fffff588`ca84f560 fffff802`4c9e1da4 : ffffe106`cf021aa8 ffffca01`3192d000 ffffe106`00000003 00000000`003ef200 : HyperBone!EptUpdateTableRecursive+0x42c [C:\Users\bruker1\Documents\GitHub\HyperBone-master\src\Arch\Intel\EPT.c @ 221] 
fffff588`ca84f610 fffff802`4c9e129e : ffffe106`cf021aa8 ffffca01`3192d000 ffffe106`e37f8000 00000000`00002000 : HyperBone!EptpFillTable+0x174 [C:\Users\bruker1\Documents\GitHub\HyperBone-master\src\Arch\Intel\EPT.c @ 243] 
fffff588`ca84f6b0 fffff802`4c9e37e0 : ffffe106`cf021aa8 00000000`00006000 ffffe106`00000004 fffff588`ca84f910 : HyperBone!EptBuildIdentityMap+0x4e [C:\Users\bruker1\Documents\GitHub\HyperBone-master\src\Arch\Intel\EPT.c @ 276] 
fffff588`ca84f6f0 fffff802`4c9e2b4f : ffffe106`cf021440 ffffe106`c14fa800 00000000`ffffffff 000000cf`b9905234 : HyperBone!VmxSubvertCPU+0x2d0 [C:\Users\bruker1\Documents\GitHub\HyperBone-master\src\Arch\Intel\VMX.c @ 271] 
fffff588`ca84f750 fffff802`4c9e4fed : ffffe106`cf021440 00000000`001ad002 ffffe106`c1d481f0 00000000`00000000 : HyperBone!VmxInitializeCPU+0xdf [C:\Users\bruker1\Documents\GitHub\HyperBone-master\src\Arch\Intel\VMX.c @ 189] 
fffff588`ca84f780 fffff802`4c9e4f2d : ffffe106`cf021440 00000000`001ad002 00000000`00000000 00000000`00000000 : HyperBone!IntelSubvertCPU+0x1d [C:\Users\bruker1\Documents\GitHub\HyperBone-master\src\Core\HVM.c @ 35] 
fffff588`ca84f7b0 fffff800`60235065 : ffffca01`2e245ce0 00000000`001ad002 fffff588`cb28f5d0 fffff588`cb28f5e0 : HyperBone!HvmpHVCallbackDPC+0x5d [C:\Users\bruker1\Documents\GitHub\HyperBone-master\src\Core\HVM.c @ 66] 
fffff588`ca84f7f0 fffff800`602346bf : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiExecuteAllDpcs+0x305
fffff588`ca84f930 fffff800`603cf4f4 : 00000000`00000000 ffffca01`2e240180 ffffca01`2e251140 ffffe106`e8d67080 : nt!KiRetireDpcList+0x1ef
fffff588`ca84fb60 00000000`00000000 : fffff588`ca850000 fffff588`ca849000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x84


THREAD_SHA1_HASH_MOD_FUNC:  7f0939ef07c0c72ef2d436264958ffe076a53a2e

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  fe60ce8539ee6ede60b39086b34794281e6578c7

THREAD_SHA1_HASH_MOD:  254936003be6a35bd3d3b14e139235c217259f94

FOLLOWUP_IP: 
nt!KeAccumulateTicks+19dff9
fffff800`604203c9 cc              int     3

FAULT_INSTR_CODE:  f68445cc

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt!KeAccumulateTicks+19dff9

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  2fd5b89a

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  19dff9

FAILURE_BUCKET_ID:  0x80_VRF_nt!KeAccumulateTicks

BUCKET_ID:  0x80_VRF_nt!KeAccumulateTicks

PRIMARY_PROBLEM_CLASS:  0x80_VRF_nt!KeAccumulateTicks

TARGET_TIME:  2019-05-04T16:49:52.000Z

OSBUILD:  18890

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  784

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS Personal

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  1995-06-07 16:32:58

BUILDDATESTAMP_STR:  190426-1618

BUILDLAB_STR:  rs_prerelease

BUILDOSVER_STR:  10.0.18890.1000.amd64fre.rs_prerelease.190426-1618

ANALYSIS_SESSION_ELAPSED_TIME:  3bd9

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x80_vrf_nt!keaccumulateticks

FAILURE_ID_HASH:  {5eb9c527-aa5f-d4d1-ce20-4e072060edc8}

Followup:     MachineOwner

Dead Lock on DriverUnload

Hi!
I found that a deadlock happens on my Windows 7 (VMware).
Via debugging, it is maybe locked at EptFreeIdentityMap,
so I tried this:

NTSTATUS EptFreeIdentityMap( IN PEPT_DATA pEPT )
{
	if (pEPT->PML4Ptr == NULL)
		return STATUS_SUCCESS;

	// Only drop the reference here; the pages themselves are released
	// later, in FreeGlobalData
	pEPT->PML4Ptr = NULL;

	// Reset used preallocations
	pEPT->Preallocations = 0;
	return STATUS_SUCCESS;
}

and free the memory in FreeGlobalData:

VOID FreeGlobalData( IN PGLOBAL_DATA pData )
{
	if (pData == NULL)
		return;

	ULONG cpu_count = KeQueryActiveProcessorCountEx(ALL_PROCESSOR_GROUPS);
	for (ULONG i = 0; i < cpu_count; i++)
	{
		PVCPU Vcpu = &pData->cpu_data[i];
		PLIST_ENTRY ListHead = &Vcpu->EPT.PageList;

		if (Vcpu->VMXON)
			MmFreeContiguousMemory(Vcpu->VMXON);
		if (Vcpu->VMCS)
			MmFreeContiguousMemory(Vcpu->VMCS);
		if (Vcpu->VMMStack)
			MmFreeContiguousMemory(Vcpu->VMMStack);

		for (ULONG j = 0; j < EPT_PREALLOC_PAGES; j++)
		{
			PVOID Ptr = Vcpu->EPT.Pages[j];

			if (Ptr != NULL)
				MmFreeContiguousMemory(Ptr);
		}

		// Free the EPT page list here, instead of in EptFreeIdentityMap
		while (!IsListEmpty(ListHead))
		{
			PLIST_ENTRY pListEntry = RemoveHeadList(ListHead);
			PEPT_PAGES_ENTRY pEntry = CONTAINING_RECORD(pListEntry, EPT_PAGES_ENTRY, link);

			for (ULONG64 k = 0; k < pEntry->count; k++)
			{
				PVOID Ptr = pEntry->pages[k];

				if (Ptr != NULL)
					MmFreeContiguousMemory(Ptr);
			}

			ExFreePoolWithTag(pListEntry, HB_POOL_TAG);
		}
	}

	if (pData->Memory)
		ExFreePoolWithTag(pData->Memory, HB_POOL_TAG);
	if (pData->MSRBitmap)
		ExFreePoolWithTag(pData->MSRBitmap, HB_POOL_TAG);

	ExFreePoolWithTag(pData, HB_POOL_TAG);
}

Now it works fine. Is that right?

cannot start uac program

The physical machine CPU is an i5-4210; my Win7 x64 Pro gets stuck when starting a UAC program in VMware.
It runs well in other cases.

Windows 10 2004 VMLAUNCH failed

I tested it on the Windows 10 2004 release and it BSODed with:

EXIT_REASON_INVALID_GUEST_STATE
Arguments:
Arg1: 0000000000000001
Arg2: 0000000000000021
Arg3: 0000000000000000
Arg4: 0000000000000000


VOID VmExitStartFailed( IN PGUEST_STATE GuestState )
{
    DPRINT(
        "HyperBone: CPU %d: %s: Failed to enter VM, reason %d, code %d\n",
        CPU_IDX, __FUNCTION__, 
        GuestState->ExitReason, GuestState->ExitQualification 
        );

    KeBugCheckEx( HYPERVISOR_ERROR, BUG_CHECK_INVALID_VM, GuestState->ExitReason, GuestState->ExitQualification, 0 );
}

MSR_LSTAR syscall hook issue with parameters

So I mentioned this already in private, but when you try hooking, for example, ZwQueryVirtualMemory, which has more than 4 parameters (after RCX, RDX, R8, R9), i.e. some on the stack, like the 5th and 6th, those parameters will be invalid in the hook, and therefore the original call of the syscall will usually fail and screw the whole operating system up.

Testing was done on Windows 8.1, compiled with Visual Studio 2013, using the MSR_LSTAR hooking method.

FIX DPC_WATCHDOG_VIOLATION

The DPC_WATCHDOG_VIOLATION reason is that the VM exit is always running at DPC level, and Windows will check whether a hypervisor exists; if not (HyperBone didn't deal with it), it will trigger DPC_WATCHDOG_VIOLATION.
Just skip the IRQL elevate function and you will be fine.

CLOCK_WATCHDOG_TIMEOUT on Windows 10 Insider Preview (14352)

Hello,

I get CLOCK_WATCHDOG_TIMEOUT while starting the driver.

OS: Windows 10 Insider Preview 14352
CPU: i7-2600

I thought that might be because the patterns or offsets from Tests do not match, and commented out TestStart, TestPrintResults and TestStop; however, the same thing happens.

I have bad network conditions, so I couldn't test it with the RTM version of Windows 10. However, I can get SimpleVisor https://github.com/ionescu007/SimpleVisor (I think they share something in common here) to work on my system.

Please tell me if you need a memory dump, and which kind of memory dump.

SyscallEntryPoint

EXTERN HookEnabled:DB
EXTERN ArgTble:DB
EXTERN HookTable:DQ

EXTERN KiSystemCall64Ptr:DQ
EXTERN KiServiceCopyEndPtr:DQ

USERMD_STACK_GS = 10h
KERNEL_STACK_GS = 1A8h

MAX_SYSCALL_INDEX = 1000h

.CODE

; *********************************************************
;
; Determine if the specific syscall should be hooked
;
; if (SyscallHookEnabled[EAX & 0xFFF] == TRUE)
; jmp KiSystemCall64_Emulate
; else (fall-through)
; jmp KiSystemCall64
;
; *********************************************************
SyscallEntryPoint PROC
;cli ; Disable interrupts
swapgs ; swap GS base to kernel PCR
mov gs:[USERMD_STACK_GS], rsp ; save user stack pointer

cmp         rax, MAX_SYSCALL_INDEX      ; Is the index larger than the array size?
jge         KiSystemCall64              ;

lea         rsp, offset HookEnabled     ; RSP = &SyscallHookEnabled
cmp         byte ptr [rsp + rax], 0     ; Is hooking enabled for this index?
jne         KiSystemCall64_Emulate      ; NE = index is hooked

SyscallEntryPoint ENDP

; *********************************************************
;
; Return to the original NTOSKRNL syscall handler
; (Restore all old registers first)
;
; *********************************************************
KiSystemCall64 PROC
mov rsp, gs:[USERMD_STACK_GS] ; Usermode RSP
swapgs ; Switch to usermode GS
jmp [KiSystemCall64Ptr] ; Jump back to the old syscall handler
KiSystemCall64 ENDP

; *********************************************************
;
; Emulated routine executed directly after a SYSCALL
; (See: MSR_LSTAR)
;
; *********************************************************
KiSystemCall64_Emulate PROC
; NOTE:
; First 2 lines are included in SyscallEntryPoint

mov         rsp, gs:[KERNEL_STACK_GS]   ; set kernel stack pointer
push        2Bh                         ; push dummy SS selector
push        qword ptr gs:[10h]          ; push user stack pointer
push        r11                         ; push previous EFLAGS
push        33h                         ; push dummy 64-bit CS selector
push        rcx                         ; push return address
mov         rcx, r10                    ; set first argument value

sub         rsp, 8h                     ; allocate dummy error code
push        rbp                         ; save standard register
sub         rsp, 158h                   ; allocate fixed frame
lea         rbp, [rsp+80h]              ; set frame pointer
mov         [rbp+0C0h], rbx             ; save nonvolatile registers
mov         [rbp+0C8h], rdi             ;
mov         [rbp+0D0h], rsi             ;
mov         byte ptr [rbp-55h], 2h      ; set service active
mov         rbx, gs:[188h]              ; get current thread address
prefetchw   byte ptr [rbx+90h]          ; prefetch with write intent
stmxcsr     dword ptr [rbp-54h]         ; save current MXCSR
ldmxcsr     dword ptr gs:[180h]         ; set default MXCSR
cmp         byte ptr [rbx+3], 0         ; test if debug enabled
mov         word ptr [rbp+80h], 0       ; assume debug not enabled
jz          KiSS05                      ; if z, debug not enabled
mov         [rbp-50h], rax              ; save service argument registers
mov         [rbp-48h], rcx              ;
mov         [rbp-40h], rdx              ;
mov         [rbp-38h], r8               ;
mov         [rbp-30h], r9               ;

int         3                           ; FIXME (Syscall with debug registers active)
align       10h

KiSS05:
;sti                                    ; enable interrupts
mov         [rbx+1e0h], rcx             ; mov [rbx+88h], rcx ???
mov         [rbx+1f8h], eax             ; mov [rbx+80h], eax ???

KiSystemCall64_Emulate ENDP

KiSystemServiceStart_Emulate PROC
mov [rbx+1d8h], rsp ; mov [rbx+90h], rsp
mov edi, eax
shr edi, 7
and edi, 20h
and eax, 0FFFh
KiSystemServiceStart_Emulate ENDP

KiSystemServiceRepeat_Emulate PROC
; RAX = [IN ] syscall index
; RAX = [OUT] number of parameters
; R10 = [OUT] function address
; R11 = [I/O] trashed

lea         r11, offset HookTable
mov         r10, qword ptr [r11 + rax * 8h]

lea         r11, offset ArgTble
movzx       rax, byte ptr [r11 + rax]   ; RAX = paramter count

jmp         [KiServiceCopyEndPtr]

KiSystemServiceRepeat_Emulate ENDP

END

kd> u FFFFF80003E85640 l 0x1000
nt!KiSystemCall64:
fffff80003e85640 0f01f8                          swapgs
fffff80003e85643 654889242510000000              mov     qword ptr gs:[10h],rsp
fffff80003e8564c 65488b2425a8010000              mov     rsp,qword ptr gs:[1A8h]
fffff80003e85655 6a2b                            push    2Bh
fffff80003e85657 65ff342510000000                push    qword ptr gs:[10h]
fffff80003e8565f 4153                            push    r11
fffff80003e85661 6a33                            push    33h
fffff80003e85663 51                              push    rcx
fffff80003e85664 498bca                          mov     rcx,r10
fffff80003e85667 4883ec08                        sub     rsp,8
fffff80003e8566b 55                              push    rbp
fffff80003e8566c 4881ec58010000                  sub     rsp,158h
fffff80003e85673 488dac2480000000                lea     rbp,[rsp+80h]
fffff80003e8567b 48899dc0000000                  mov     qword ptr [rbp+0C0h],rbx
fffff80003e85682 4889bdc8000000                  mov     qword ptr [rbp+0C8h],rdi
fffff80003e85689 4889b5d0000000                  mov     qword ptr [rbp+0D0h],rsi
fffff80003e85690 c645ab02                        mov     byte ptr [rbp-55h],2
fffff80003e85694 65488b1c2588010000              mov     rbx,qword ptr gs:[188h]
fffff80003e8569d 0f0d8bd8010000                  prefetchw [rbx+1D8h]
fffff80003e856a4 0fae5dac                        stmxcsr dword ptr [rbp-54h]
fffff80003e856a8 650fae142580010000              ldmxcsr dword ptr gs:[180h]
fffff80003e856b1 807b0300                        cmp     byte ptr [rbx+3],0
fffff80003e856b5 66c785800000000000              mov     word ptr [rbp+80h],0
fffff80003e856be 0f848c000000                    je      nt!KiSystemCall64+0x110 (fffff80003e85750)
fffff80003e856c4 488945b0                        mov     qword ptr [rbp-50h],rax
fffff80003e856c8 48894db8                        mov     qword ptr [rbp-48h],rcx
fffff80003e856cc 488955c0                        mov     qword ptr [rbp-40h],rdx
fffff80003e856d0 f6430303                        test    byte ptr [rbx+3],3
fffff80003e856d4 4c8945c8                        mov     qword ptr [rbp-38h],r8
fffff80003e856d8 4c894dd0                        mov     qword ptr [rbp-30h],r9
fffff80003e856dc 7405                            je      nt!KiSystemCall64+0xa3 (fffff80003e856e3)
fffff80003e856de e80d140000                      call    nt!KiSaveDebugRegisterState (fffff80003e86af0)
fffff80003e856e3 f6430380                        test    byte ptr [rbx+3],80h
fffff80003e856e7 7442                            je      nt!KiSystemCall64+0xeb (fffff80003e8572b)
fffff80003e856e9 b9020100c0                      mov     ecx,0C0000102h
fffff80003e856ee 0f32                            rdmsr
fffff80003e856f0 48c1e220                        shl     rdx,20h
fffff80003e856f4 480bc2                          or      rax,rdx
fffff80003e856f7 483983b8000000                  cmp     qword ptr [rbx+0B8h],rax
fffff80003e856fe 742b                            je      nt!KiSystemCall64+0xeb (fffff80003e8572b)
fffff80003e85700 483983b0010000                  cmp     qword ptr [rbx+1B0h],rax
fffff80003e85707 7422                            je      nt!KiSystemCall64+0xeb (fffff80003e8572b)
fffff80003e85709 488b93b8010000                  mov     rdx,qword ptr [rbx+1B8h]
fffff80003e85710 0fba6b4c0b                      bts     dword ptr [rbx+4Ch],0Bh
fffff80003e85715 66ff8bc4010000                  dec     word ptr [rbx+1C4h]
fffff80003e8571c 48898280000000                  mov     qword ptr [rdx+80h],rax
fffff80003e85723 fb                              sti
fffff80003e85724 e8170b0000                      call    nt!KiUmsCallEntry (fffff80003e86240)
fffff80003e85729 eb0f                            jmp     nt!KiSystemCall64+0xfa (fffff80003e8573a)
fffff80003e8572b f6430340                        test    byte ptr [rbx+3],40h
fffff80003e8572f 7409                            je      nt!KiSystemCall64+0xfa (fffff80003e8573a)
fffff80003e85731 f00fbaab0001000008              lock bts dword ptr [rbx+100h],8
fffff80003e8573a 488b45b0                        mov     rax,qword ptr [rbp-50h]
fffff80003e8573e 488b4db8                        mov     rcx,qword ptr [rbp-48h]
fffff80003e85742 488b55c0                        mov     rdx,qword ptr [rbp-40h]
fffff80003e85746 4c8b45c8                        mov     r8,qword ptr [rbp-38h]
fffff80003e8574a 4c8b4dd0                        mov     r9,qword ptr [rbp-30h]
fffff80003e8574e 6690                            xchg    ax,ax
fffff80003e85750 fb                              sti
fffff80003e85751 48898be0010000                  mov     qword ptr [rbx+1E0h],rcx
fffff80003e85758 8983f8010000                    mov     dword ptr [rbx+1F8h],eax
nt!KiSystemServiceStart:
fffff80003e8575e 4889a3d8010000                  mov     qword ptr [rbx+1D8h],rsp
fffff80003e85765 8bf8                            mov     edi,eax
fffff80003e85767 c1ef07                          shr     edi,7
fffff80003e8576a 83e720                          and     edi,20h
fffff80003e8576d 25ff0f0000                      and     eax,0FFFh
nt!KiSystemServiceRepeat:
fffff80003e85772 4c8d15c7202300                  lea     r10,[nt!KeServiceDescriptorTable (fffff800040b7840)]
fffff80003e85779 4c8d1d00212300                  lea     r11,[nt!KeServiceDescriptorTableShadow (fffff800040b7880)]
fffff80003e85780 f7830001000080000000            test    dword ptr [rbx+100h],80h
fffff80003e8578a 4d0f45d3                        cmovne  r10,r11
fffff80003e8578e 423b441710                      cmp     eax,dword ptr [rdi+r10+10h]
fffff80003e85793 0f83e9020000                    jae     nt!KiSystemServiceExit+0x1a7 (fffff80003e85a82)
fffff80003e85799 4e8b1417                        mov     r10,qword ptr [rdi+r10]
fffff80003e8579d 4d631c82                        movsxd  r11,dword ptr [r10+rax*4]
fffff80003e857a1 498bc3                          mov     rax,r11
fffff80003e857a4 49c1fb04                        sar     r11,4
fffff80003e857a8 4d03d3                          add     r10,r11
fffff80003e857ab 83ff20                          cmp     edi,20h
fffff80003e857ae 7550                            jne     nt!KiSystemServiceGdiTebAccess+0x49 (fffff80003e85800)
fffff80003e857b0 4c8b9bb8000000                  mov     r11,qword ptr [rbx+0B8h]
nt!KiSystemServiceGdiTebAccess:
fffff80003e857b7 4183bb4017000000                cmp     dword ptr [r11+1740h],0
fffff80003e857bf 743f                            je      nt!KiSystemServiceGdiTebAccess+0x49 (fffff80003e85800)
fffff80003e857c1 488945b0                        mov     qword ptr [rbp-50h],rax
fffff80003e857c5 48894db8                        mov     qword ptr [rbp-48h],rcx
fffff80003e857c9 488955c0                        mov     qword ptr [rbp-40h],rdx
fffff80003e857cd 498bd8                          mov     rbx,r8
fffff80003e857d0 498bf9                          mov     rdi,r9
fffff80003e857d3 498bf2                          mov     rsi,r10
fffff80003e857d6 ff15341f2300                    call    qword ptr [nt!KeGdiFlushUserBatch (fffff800040b7710)]
fffff80003e857dc 488b45b0                        mov     rax,qword ptr [rbp-50h]
fffff80003e857e0 488b4db8                        mov     rcx,qword ptr [rbp-48h]
fffff80003e857e4 488b55c0                        mov     rdx,qword ptr [rbp-40h]
fffff80003e857e8 4c8bc3                          mov     r8,rbx
fffff80003e857eb 4c8bcf                          mov     r9,rdi
fffff80003e857ee 4c8bd6                          mov     r10,rsi
fffff80003e857f1 666666666666660f1f840000000000  nop     word ptr [rax+rax]
fffff80003e85800 83e00f                          and     eax,0Fh
fffff80003e85803 0f84b7000000                    je      nt!KiSystemServiceCopyEnd (fffff80003e858c0)
fffff80003e85809 c1e003                          shl     eax,3
fffff80003e8580c 488d642490                      lea     rsp,[rsp-70h]
fffff80003e85811 488d7c2418                      lea     rdi,[rsp+18h]
fffff80003e85816 488bb500010000                  mov     rsi,qword ptr [rbp+100h]
fffff80003e8581d 488d7620                        lea     rsi,[rsi+20h]
fffff80003e85821 f685f000000001                  test    byte ptr [rbp+0F0h],1
fffff80003e85828 7416                            je      nt!KiSystemServiceGdiTebAccess+0x89 (fffff80003e85840)
fffff80003e8582a 483b35cf172300                  cmp     rsi,qword ptr [nt!MmUserProbeAddress (fffff800040b7000)]
fffff80003e85831 480f4335c7172300                cmovae  rsi,qword ptr [nt!MmUserProbeAddress (fffff800040b7000)]
fffff80003e85839 0f1f8000000000                  nop     dword ptr [rax]
fffff80003e85840 4c8d1d79000000                  lea     r11,[nt!KiSystemServiceCopyEnd (fffff80003e858c0)]
fffff80003e85847 4c2bd8                          sub     r11,rax
fffff80003e8584a 41ffe3                          jmp     r11
fffff80003e8584d 0f1f00                          nop     dword ptr [rax]
nt!KiSystemServiceCopyStart:
fffff80003e85850 488b4670                        mov     rax,qword ptr [rsi+70h]
fffff80003e85854 48894770                        mov     qword ptr [rdi+70h],rax
fffff80003e85858 488b4668                        mov     rax,qword ptr [rsi+68h]
fffff80003e8585c 48894768                        mov     qword ptr [rdi+68h],rax
fffff80003e85860 488b4660                        mov     rax,qword ptr [rsi+60h]
fffff80003e85864 48894760                        mov     qword ptr [rdi+60h],rax
fffff80003e85868 488b4658                        mov     rax,qword ptr [rsi+58h]
fffff80003e8586c 48894758                        mov     qword ptr [rdi+58h],rax
fffff80003e85870 488b4650                        mov     rax,qword ptr [rsi+50h]
fffff80003e85874 48894750                        mov     qword ptr [rdi+50h],rax
fffff80003e85878 488b4648                        mov     rax,qword ptr [rsi+48h]
fffff80003e8587c 48894748                        mov     qword ptr [rdi+48h],rax
fffff80003e85880 488b4640                        mov     rax,qword ptr [rsi+40h]
fffff80003e85884 48894740                        mov     qword ptr [rdi+40h],rax
fffff80003e85888 488b4638                        mov     rax,qword ptr [rsi+38h]
fffff80003e8588c 48894738                        mov     qword ptr [rdi+38h],rax
fffff80003e85890 488b4630                        mov     rax,qword ptr [rsi+30h]
fffff80003e85894 48894730                        mov     qword ptr [rdi+30h],rax
fffff80003e85898 488b4628                        mov     rax,qword ptr [rsi+28h]
fffff80003e8589c 48894728                        mov     qword ptr [rdi+28h],rax
fffff80003e858a0 488b4620                        mov     rax,qword ptr [rsi+20h]
fffff80003e858a4 48894720                        mov     qword ptr [rdi+20h],rax
fffff80003e858a8 488b4618                        mov     rax,qword ptr [rsi+18h]
fffff80003e858ac 48894718                        mov     qword ptr [rdi+18h],rax
fffff80003e858b0 488b4610                        mov     rax,qword ptr [rsi+10h]
fffff80003e858b4 48894710                        mov     qword ptr [rdi+10h],rax
fffff80003e858b8 488b4608                        mov     rax,qword ptr [rsi+8]
fffff80003e858bc 48894708                        mov     qword ptr [rdi+8],rax
nt!KiSystemServiceCopyEnd:
fffff80003e858c0 f705be7d180040000000            test    dword ptr [nt!PerfGlobalGroupMask+0x8 (fffff8000400d688)],40h
fffff80003e858ca 0f8550020000                    jne     nt!KiSystemServiceExit+0x245 (fffff80003e85b20)
fffff80003e858d0 41ffd2                          call    r10
fffff80003e858d3 65ff042538220000                inc     dword ptr gs:[2238h]
nt!KiSystemServiceExit:
fffff80003e858db 488b9dc0000000                  mov     rbx,qword ptr [rbp+0C0h]
fffff80003e858e2 488bbdc8000000                  mov     rdi,qword ptr [rbp+0C8h]
fffff80003e858e9 488bb5d0000000                  mov     rsi,qword ptr [rbp+0D0h]
fffff80003e858f0 654c8b1c2588010000              mov     r11,qword ptr gs:[188h]
fffff80003e858f9 f685f000000001                  test    byte ptr [rbp+0F0h],1
fffff80003e85900 0f844f010000                    je      nt!KiSystemServiceExit+0x17a (fffff80003e85a55)
fffff80003e85906 440f20c1                        mov     rcx,cr8
fffff80003e8590a 410a8bf0010000                  or      cl,byte ptr [r11+1F0h]
fffff80003e85911 410b8bc4010000                  or      ecx,dword ptr [r11+1C4h]
fffff80003e85918 0f85ce010000                    jne     nt!KiSystemServiceExit+0x211 (fffff80003e85aec)
fffff80003e8591e fa                              cli
fffff80003e8591f 65488b0c2588010000              mov     rcx,qword ptr gs:[188h]
fffff80003e85928 80797a00                        cmp     byte ptr [rcx+7Ah],0
fffff80003e8592c 7457                            je      nt!KiSystemServiceExit+0xaa (fffff80003e85985)
fffff80003e8592e 488945b0                        mov     qword ptr [rbp-50h],rax
fffff80003e85932 33c0                            xor     eax,eax
fffff80003e85934 488945b8                        mov     qword ptr [rbp-48h],rax
fffff80003e85938 488945c0                        mov     qword ptr [rbp-40h],rax
fffff80003e8593c 488945c8                        mov     qword ptr [rbp-38h],rax
fffff80003e85940 488945d0                        mov     qword ptr [rbp-30h],rax
fffff80003e85944 488945d8                        mov     qword ptr [rbp-28h],rax
fffff80003e85948 488945e0                        mov     qword ptr [rbp-20h],rax
fffff80003e8594c 660fefc0                        pxor    xmm0,xmm0
fffff80003e85950 0f2945f0                        movaps  xmmword ptr [rbp-10h],xmm0
fffff80003e85954 0f294500                        movaps  xmmword ptr [rbp],xmm0
fffff80003e85958 0f294510                        movaps  xmmword ptr [rbp+10h],xmm0
fffff80003e8595c 0f294520                        movaps  xmmword ptr [rbp+20h],xmm0
fffff80003e85960 0f294530                        movaps  xmmword ptr [rbp+30h],xmm0
fffff80003e85964 0f294540                        movaps  xmmword ptr [rbp+40h],xmm0
fffff80003e85968 b901000000                      mov     ecx,1
fffff80003e8596d 440f22c1                        mov     cr8,rcx
fffff80003e85971 fb                              sti
fffff80003e85972 e85947ffff                      call    nt!KiInitiateUserApc (fffff80003e7a0d0)
fffff80003e85977 fa                              cli
fffff80003e85978 b900000000                      mov     ecx,0
fffff80003e8597d 440f22c1                        mov     cr8,rcx
fffff80003e85981 488b45b0                        mov     rax,qword ptr [rbp-50h]
fffff80003e85985 65488b0c2588010000              mov     rcx,qword ptr gs:[188h]
fffff80003e8598e f70100000240                    test    dword ptr [rcx],40020000h
fffff80003e85994 742e                            je      nt!KiSystemServiceExit+0xe9 (fffff80003e859c4)
fffff80003e85996 488945b0                        mov     qword ptr [rbp-50h],rax
fffff80003e8599a f6410202                        test    byte ptr [rcx+2],2
fffff80003e8599e 740e                            je      nt!KiSystemServiceExit+0xd3 (fffff80003e859ae)
fffff80003e859a0 e87b9f0900                      call    nt!KiCopyCounters (fffff80003f1f920)
fffff80003e859a5 65488b0c2588010000              mov     rcx,qword ptr gs:[188h]
fffff80003e859ae f6410340                        test    byte ptr [rcx+3],40h
fffff80003e859b2 740c                            je      nt!KiSystemServiceExit+0xe5 (fffff80003e859c0)
fffff80003e859b4 488d6580                        lea     rsp,[rbp-80h]
fffff80003e859b8 4833c9                          xor     rcx,rcx
fffff80003e859bb e8000b0000                      call    nt!KiUmsExit (fffff80003e864c0)
fffff80003e859c0 488b45b0                        mov     rax,qword ptr [rbp-50h]
fffff80003e859c4 0fae55ac                        ldmxcsr dword ptr [rbp-54h]
fffff80003e859c8 4d33d2                          xor     r10,r10
fffff80003e859cb 6683bd8000000000                cmp     word ptr [rbp+80h],0
fffff80003e859d3 743e                            je      nt!KiSystemServiceExit+0x138 (fffff80003e85a13)
fffff80003e859d5 488945b0                        mov     qword ptr [rbp-50h],rax
fffff80003e859d9 e8a2100000                      call    nt!KiRestoreDebugRegisterState (fffff80003e86a80)
fffff80003e859de 65488b042588010000              mov     rax,qword ptr gs:[188h]
fffff80003e859e7 488b4070                        mov     rax,qword ptr [rax+70h]
fffff80003e859eb 488b8000010000                  mov     rax,qword ptr [rax+100h]
fffff80003e859f2 480bc0                          or      rax,rax
fffff80003e859f5 7418                            je      nt!KiSystemServiceExit+0x134 (fffff80003e85a0f)
fffff80003e859f7 6683bdf000000033                cmp     word ptr [rbp+0F0h],33h
fffff80003e859ff 750e                            jne     nt!KiSystemServiceExit+0x134 (fffff80003e85a0f)
fffff80003e85a01 4c8b95e8000000                  mov     r10,qword ptr [rbp+0E8h]
fffff80003e85a08 488985e8000000                  mov     qword ptr [rbp+0E8h],rax
fffff80003e85a0f 488b45b0                        mov     rax,qword ptr [rbp-50h]
fffff80003e85a13 4c8b8500010000                  mov     r8,qword ptr [rbp+100h]
fffff80003e85a1a 4c8b8dd8000000                  mov     r9,qword ptr [rbp+0D8h]
fffff80003e85a21 33d2                            xor     edx,edx
fffff80003e85a23 660fefc0                        pxor    xmm0,xmm0
fffff80003e85a27 660fefc9                        pxor    xmm1,xmm1
fffff80003e85a2b 660fefd2                        pxor    xmm2,xmm2
fffff80003e85a2f 660fefdb                        pxor    xmm3,xmm3
fffff80003e85a33 660fefe4                        pxor    xmm4,xmm4
fffff80003e85a37 660fefed                        pxor    xmm5,xmm5
fffff80003e85a3b 488b8de8000000                  mov     rcx,qword ptr [rbp+0E8h]
fffff80003e85a42 4c8b9df8000000                  mov     r11,qword ptr [rbp+0F8h]
fffff80003e85a49 498be9                          mov     rbp,r9
fffff80003e85a4c 498be0                          mov     rsp,r8
fffff80003e85a4f 0f01f8                          swapgs
fffff80003e85a52 480f07                          sysretq
fffff80003e85a55 488b95b8000000                  mov     rdx,qword ptr [rbp+0B8h]
fffff80003e85a5c 498993d8010000                  mov     qword ptr [r11+1D8h],rdx
fffff80003e85a63 8a55a8                          mov     dl,byte ptr [rbp-58h]
fffff80003e85a66 418893f6010000                  mov     byte ptr [r11+1F6h],dl
fffff80003e85a6d fa                              cli
fffff80003e85a6e 488be5                          mov     rsp,rbp
fffff80003e85a71 488badd8000000                  mov     rbp,qword ptr [rbp+0D8h]
fffff80003e85a78 488ba42400010000                mov     rsp,qword ptr [rsp+100h]
fffff80003e85a80 fb                              sti
fffff80003e85a81 c3                              ret
fffff80003e85a82 83ff20                          cmp     edi,20h
fffff80003e85a85 755b                            jne     nt!KiSystemServiceExit+0x207 (fffff80003e85ae2)
fffff80003e85a87 894580                          mov     dword ptr [rbp-80h],eax
fffff80003e85a8a 48894d88                        mov     qword ptr [rbp-78h],rcx
fffff80003e85a8e 48895590                        mov     qword ptr [rbp-70h],rdx
fffff80003e85a92 4c894598                        mov     qword ptr [rbp-68h],r8
fffff80003e85a96 4c894da0                        mov     qword ptr [rbp-60h],r9
fffff80003e85a9a e85184ffff                      call    nt!KiConvertToGuiThread (fffff80003e7def0)
fffff80003e85a9f 0bc0                            or      eax,eax
fffff80003e85aa1 8b4580                          mov     eax,dword ptr [rbp-80h]
fffff80003e85aa4 488b4d88                        mov     rcx,qword ptr [rbp-78h]
fffff80003e85aa8 488b5590                        mov     rdx,qword ptr [rbp-70h]
fffff80003e85aac 4c8b4598                        mov     r8,qword ptr [rbp-68h]
fffff80003e85ab0 4c8b4da0                        mov     r9,qword ptr [rbp-60h]
fffff80003e85ab4 4889a3d8010000                  mov     qword ptr [rbx+1D8h],rsp
fffff80003e85abb 0f84b1fcffff                    je      nt!KiSystemServiceRepeat (fffff80003e85772)
fffff80003e85ac1 488d3dd81d2300                  lea     rdi,[nt!KeServiceDescriptorTableShadow+0x20 (fffff800040b78a0)]
fffff80003e85ac8 8b7710                          mov     esi,dword ptr [rdi+10h]
fffff80003e85acb 488b3f                          mov     rdi,qword ptr [rdi]
fffff80003e85ace 3bc6                            cmp     eax,esi
fffff80003e85ad0 7310                            jae     nt!KiSystemServiceExit+0x207 (fffff80003e85ae2)
fffff80003e85ad2 488d3cb7                        lea     rdi,[rdi+rsi*4]
fffff80003e85ad6 0fbe0438                        movsx   eax,byte ptr [rax+rdi]
fffff80003e85ada 0bc0                            or      eax,eax
fffff80003e85adc 0f8ef9fdffff                    jle     nt!KiSystemServiceExit (fffff80003e858db)
fffff80003e85ae2 b81c0000c0                      mov     eax,0C000001Ch
fffff80003e85ae7 e9effdffff                      jmp     nt!KiSystemServiceExit (fffff80003e858db)
fffff80003e85aec b94a000000                      mov     ecx,4Ah
fffff80003e85af1 4533c9                          xor     r9d,r9d
fffff80003e85af4 450f20c0                        mov     r8,cr8
fffff80003e85af8 450bc0                          or      r8d,r8d
fffff80003e85afb 7514                            jne     nt!KiSystemServiceExit+0x236 (fffff80003e85b11)
fffff80003e85afd b901000000                      mov     ecx,1
fffff80003e85b02 450fb683f0010000                movzx   r8d,byte ptr [r11+1F0h]
fffff80003e85b0a 458b8bc4010000                  mov     r9d,dword ptr [r11+1C4h]
fffff80003e85b11 488b95e8000000                  mov     rdx,qword ptr [rbp+0E8h]
fffff80003e85b18 4c8bd5                          mov     r10,rbp
fffff80003e85b1b e860000000                      call    nt!KiBugCheckDispatch (fffff80003e85b80)
fffff80003e85b20 4883ec50                        sub     rsp,50h
fffff80003e85b24 48894c2420                      mov     qword ptr [rsp+20h],rcx
fffff80003e85b29 4889542428                      mov     qword ptr [rsp+28h],rdx
fffff80003e85b2e 4c89442430                      mov     qword ptr [rsp+30h],r8
fffff80003e85b33 4c894c2438                      mov     qword ptr [rsp+38h],r9
fffff80003e85b38 4c89542440                      mov     qword ptr [rsp+40h],r10
fffff80003e85b3d 498bca                          mov     rcx,r10
fffff80003e85b40 e86b310e00                      call    nt!PerfInfoLogSysCallEntry (fffff80003f68cb0)
fffff80003e85b45 488b4c2420                      mov     rcx,qword ptr [rsp+20h]
fffff80003e85b4a 488b542428                      mov     rdx,qword ptr [rsp+28h]
fffff80003e85b4f 4c8b442430                      mov     r8,qword ptr [rsp+30h]
fffff80003e85b54 4c8b4c2438                      mov     r9,qword ptr [rsp+38h]
fffff80003e85b59 4c8b542440                      mov     r10,qword ptr [rsp+40h]
fffff80003e85b5e 4883c450                        add     rsp,50h
fffff80003e85b62 41ffd2                          call    r10
fffff80003e85b65 488945b0                        mov     qword ptr [rbp-50h],rax
fffff80003e85b69 488bc8                          mov     rcx,rax
fffff80003e85b6c e8df300e00                      call    nt!PerfInfoLogSysCallExit (fffff80003f68c50)
fffff80003e85b71 488b45b0                        mov     rax,qword ptr [rbp-50h]
fffff80003e85b75 e959fdffff                      jmp     nt!KiSystemServiceCopyEnd+0x13 (fffff80003e858d3)
fffff80003e85b7a 660f1f440000                    nop     word ptr [rax+rax]
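
Both the MSR_LSTAR parameter issue above and the SyscallEntryPoint listing turn on the same two steps of nt!KiSystemCall64: KiSystemServiceRepeat decodes the service table entry ((offset << 4) | number of stack-argument qwords) into the routine address and the count, and KiSystemServiceCopyStart copies exactly that many qwords from the caller's stack, starting at user rsp+28h, into the kernel frame before `call r10`. The C program below is an added example written for this page; it is neither HyperBone's code nor Windows source. It models those two steps in user mode. The service table, the syscall index SVC_IDX, the user-stack contents and the probe address are constructed test data, and names such as fake_nt, build_fake_ssdt and the demo_* functions are the example's own.

```c
/* Added example for this page, not HyperBone or Windows source: a user-mode
 * model of nt!KiSystemServiceRepeat (index -> routine + stack-argument count)
 * and nt!KiSystemServiceCopyStart (args 5..n from the caller's stack), taken
 * from the disassembly above. Table, index, stack and probe address are
 * constructed test data. */
#include <stdint.h>
#include <stdio.h>

#define STATUS_INVALID_SYSTEM_SERVICE 0xC000001Cu  /* mov eax,0C000001Ch in the listing */
#define KI_MAX_COPY_QWORDS 14                       /* CopyStart moves [rsi+8] .. [rsi+70h] */

typedef struct {                     /* the two descriptor fields the dispatcher reads */
    const int32_t *service_table;    /* KiServiceTable: entry = (offset << 4) | stack_qwords */
    uint32_t       limit;            /* [rdi+r10+10h]: number of entries */
} ssdt_t;

typedef struct {
    uintptr_t target;                /* resolved service routine */
    unsigned  stack_qwords;          /* argument qwords that live on the caller's stack */
    uint32_t  status;                /* 0, or STATUS_INVALID_SYSTEM_SERVICE */
} resolved_t;

/* KiSystemServiceRepeat: bounds-check, then decode the packed, sign-extended
 * entry; the routine address is relative to the table itself. */
resolved_t resolve_service(const ssdt_t *ssdt, uint32_t eax)
{
    resolved_t r = { 0, 0, STATUS_INVALID_SYSTEM_SERVICE };
    uint32_t idx = eax & 0xFFF;                          /* and eax,0FFFh */
    if (idx >= ssdt->limit)                              /* cmp eax,[...+10h]; jae */
        return r;
    int32_t entry = ssdt->service_table[idx];            /* movsxd r11,dword ptr [r10+rax*4] */
    r.target = (uintptr_t)ssdt->service_table + (intptr_t)(entry >> 4); /* sar r11,4; add r10,r11 */
    r.stack_qwords = (unsigned)(entry & 0xF);            /* and eax,0Fh */
    r.status = 0;
    return r;
}

/* KiSystemServiceCopyStart. [user_rsp] is the caller's return address and
 * [user_rsp+8..28h) its shadow space, so rsi = rsp+20h puts arg 5 at [rsi+8].
 * The kernel jumps CopyEnd - n*8 bytes back into the unrolled block so exactly
 * the last n "mov rax,[rsi+X]; mov [rdi+X],rax" pairs run. For a user-mode
 * caller rsi is first clamped to MmUserProbeAddress so a kernel-range pointer
 * faults instead of being read; the model returns -1 for that case.
 * kernel_frame[i] stands for [rdi+i*8]. */
int copy_stack_args(const uint64_t *user_rsp, uintptr_t user_probe_address,
                    unsigned n, uint64_t *kernel_frame)
{
    if (n > KI_MAX_COPY_QWORDS)
        n = KI_MAX_COPY_QWORDS;
    const uint64_t *rsi = user_rsp + 4;                  /* lea rsi,[rsi+20h] */
    if ((uintptr_t)rsi >= user_probe_address)            /* cmp rsi,MmUserProbeAddress; cmovae */
        return -1;
    for (unsigned i = 1; i <= n; i++)
        kernel_frame[i] = rsi[i];                        /* one mov pair per qword */
    return (int)n;
}

/* Constructed stand-in for ntoskrnl: a service table followed by "code". */
static struct { int32_t table[0x40]; uint8_t code[0x100]; } fake_nt;
#define SVC_IDX   0x23u   /* arbitrary model index, not a real syscall number */
#define SVC_STACK 2u      /* a 6-argument service: two qwords on the stack */

const ssdt_t *build_fake_ssdt(void)
{
    static ssdt_t ssdt;
    uintptr_t target = (uintptr_t)fake_nt.code + 0x40;
    int32_t offset = (int32_t)(target - (uintptr_t)fake_nt.table);
    fake_nt.table[SVC_IDX] = (offset << 4) | (int32_t)SVC_STACK;  /* nt's packing */
    ssdt.service_table = fake_nt.table;
    ssdt.limit = 0x40;
    return &ssdt;
}

/* The MSR_LSTAR issue's situation: a 6-argument call. Returns the 6th argument
 * as it lands in the kernel frame, or 0 if dispatch failed. */
uint64_t demo_six_arg_syscall(void)
{
    resolved_t r = resolve_service(build_fake_ssdt(), SVC_IDX);
    if (r.status != 0) return 0;
    uint64_t user_stack[8] = {
        0x00007FF6DEADBEEFull, 0, 0, 0, 0,  /* return address, then 32 bytes shadow space */
        0x1000,                             /* [rsp+28h] arg 5, e.g. a buffer length */
        0x00007FF6000A0000ull, 0 };         /* [rsp+30h] arg 6, e.g. a ReturnLength pointer */
    uint64_t kernel_frame[KI_MAX_COPY_QWORDS + 1] = { 0 };
    /* UINTPTR_MAX: no clamp, as for a kernel-mode caller; the probe is exercised below */
    if (copy_stack_args(user_stack, UINTPTR_MAX, r.stack_qwords, kernel_frame) != (int)SVC_STACK)
        return 0;
    return kernel_frame[2];
}

/* A user caller whose rsp+20h is at or above the probe address must fault. */
int demo_probe_rejects_high_stack(void)
{
    uint64_t stack[8] = { 0 }, frame[KI_MAX_COPY_QWORDS + 1];
    return copy_stack_args(stack, (uintptr_t)stack, 2, frame);  /* probe placed below this stack */
}

int main(void)
{
    printf("arg 6 seen by the service: %#llx, probe result for out-of-range stack: %d\n",
           (unsigned long long)demo_six_arg_syscall(), demo_probe_rejects_high_stack());
    return 0;
}
```

Two things follow from the model. First, KiSystemServiceRepeat_Emulate in the listing loads RAX from ArgTble and then jumps to KiServiceCopyEndPtr, which in the disassembly sits after the unrolled copy block, so on that path no "mov rax,[rsi+X]" pair runs and nothing moves the caller's 5th and later arguments into the kernel frame; that is consistent with the fifth-and-sixth-argument symptom reported in the MSR_LSTAR issue. Second, the MmUserProbeAddress clamp is what makes the real copy safe against an attacker-chosen user rsp: a pointer into the kernel range is replaced by the probe address and faults instead of being read.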
