- Hyper-V internals research
- MSDN and other Microsoft sources
- VBS\VSM research
- Hyper-V related free and open source utilities, scripts, schemes
- Software and tools working with Hyper-V
- Other sources, interesting links and Hyper-V related materials
## Hyper-V internals research

| Date | Name | Contact | Title | Links |
|---|---|---|---|---|
| 23.05.2006 | [Microsoft] Jake Oshins | | Device Virtualization Architecture. WinHec 2006 | Link |
| 01.08.2007 | [Microsoft] Brandon Baker | | Windows Server Virtualization and The Windows Hypervisor | Link |
| 19.01.2011 | Matthieu Suiche | www.msuiche.com | LiveCloudKd. Your cloud is on my pocket. BlackHat DC 2011 | Link |
| 14.06.2011 | Nicolas Economou | @nicoeconomou | Hyper-V Vmbus persistent DoS vulnerability | Link |
| 04.09.2013 | Arthur Khudyaev | @gerhart_x | Hyper-V debugging for beginners | Russian version, English version |
| 08.01.2014 | Arthur Khudyaev | @gerhart_x | Hyper-V debugging for beginners. Part 2 or half disclosure of MS13-092 (1-day exploit research) | Russian version, English version |
| 02.06.2014 | Felix Wilhelm, Matthias Luft | @_fel1x, @uchi_mata | Security Assessment of Microsoft Hyper-V. MS13-092 full disclosure | Link |
| 29.05.2014 | Felix Wilhelm, Matthias Luft, Enno Rey | @_fel1x, @uchi_mata, @enno_insinuator | Compromise-as-a-Service. Our PleAZURE. HitB Ams 2014 | Link |
| 27.03.2015 | Alex Ionescu | @aionescu | Ring 0 to Ring -1 Attacks. Hyper-V IPC Internals | Web Archive link |
| 04.01.2016 | | | Hyper-V vmswitch.sys VmsMpCommonPvtHandleMulticastOids Guest to Host Kernel-Pool Overflow | Link |
| 04.01.2016 | | | Hyper-V vmswitch.sys VmsVmNicHandleRssParametersChange OOBR Guest to Host BugChecks | Link |
| 04.01.2016 | | | Hyper-V vmswitch.sys VmsPtpIpsecTranslateAddv2toAddv2Ex OOBR Guest to Host BugCheck | Link |
| 17.06.2017 | [Microsoft] Andrea Allievi | @aall86 | The Hyper-V Architecture and its Memory Manager | Link, Web Archive link |
| 22.03.2017 | Aleksandr Bazhaniuk, Mikhail Gorobets, Andrew Furtak, Yuriy Bulygin | @ABazhaniuk, @mikhailgorobets, @c7zero | Attacking hypervisors through hardware emulation | Link |
| 09.08.2017 | Arthur Khudyaev | @gerhart_x | Hyper-V sockets internals | Link, English version |
| 19.06.2018 | [Microsoft] Benjamin Armstrong | @vbenarmstrong | Hyper-V API Overview | Link |
| 08.08.2018 | [Microsoft] Nicolas Joly, [Microsoft] Joe Bialek | @n_joly, @josephbialek | A Dive in to Hyper-V Architecture & Vulnerabilities | Link |
| 09.08.2018 | [Microsoft] Jordan Rabet | @smealum | Hardening Hyper-V through Offensive Security Research. CVE-2017-0075 | Link |
| 14.08.2018 | [Microsoft] | | Hyper-V HyperClear Mitigation for L1 Terminal Fault | Link, Update |
| 18.12.2018 | [Microsoft] Hari Pulapaka | @Hari_Pulapaka | Windows Sandbox | Link |
| 08.11.2018 | Yunhai Zhang | @f0rgetting | Dive Into Windows Defender Application Guard | Link |
| 10.12.2018 | [Microsoft] Saar Amar | @AmarSaar | First Steps in Hyper-V Research | Link |
| 27.01.2019 | Alex Ionescu | @aionescu | Writing a Hyper-V “Bridge” for Fuzzing — Part 2 : Hypercalls & MDLs | Link |
| 28.01.2019 | [Microsoft] | | Fuzzing para-virtualized devices in Hyper-V | Link |
| 15.02.2019 | Amardeep Chana | | Ventures into Hyper-V - Fuzzing hypercalls | Link |
| 15.02.2019 | [Microsoft] Daniel King, [Microsoft] Shawn Denbow | @long123king, @sdenbow_ | Growing Hypervisor 0day with Hyperseed | Link |
| 25.03.2019 | Bruce Dang | @brucedang | Some notes on identifying exit and hypercall handlers in Hyper-V | Link, Web Archive link |
| 08.08.2019 | [Microsoft] Joe Bialek | @josephbialek | Exploiting the Hyper-V IDE Emulator to Escape the Virtual Machine | Link |
| 04.09.2019 | Arthur Khudyaev | @gerhart_x | Hyper-V memory internals. Guest OS memory access | Russian version, English version [10.09.2019] |
| 11.09.2019 | [Microsoft] Saar Amar | @AmarSaar | Attacking the VM Worker Process | Link |
| 14.05.2020 | Alisa Shevchenko | @alisaesage | Hyper-V Linux integration services description | Link |
| 04.06.2020 | Damien Aumaitre | | Fuzz and Profit with WHVP | Link |
| 19.06.2020 | Arthur Khudyaev | @gerhart_x | Hyper-V memory internals. EXO partition memory access | English version, Russian version [24.06.2020] |
| 03.09.2020 | Arthur Khudyaev | @gerhart_x | Windows Hyper-V Denial of Service vulnerability internals in nested virtualization component (CVE-2020-0890) | Link |
| 10.09.2020 | Daniel Fernandez Kuehr | @ergot86 | Microsoft Hyper-V Stack Overflow Denial of Service (CVE-2020-0751) | Link |
| 10.09.2020 | Daniel Fernandez Kuehr | @ergot86 | Microsoft Hyper-V Type Confusion leading to Arbitrary Memory Dereference (CVE-2020-0904) | Link |
| 14.11.2020 | Alisa Shevchenko | @alisaesage | Hypervisor vulnerability research (slides 35-60) | Link |
| 25.12.2020 | Arthur Khudyaev | @gerhart_x | Hyper-V debugging for beginners (2nd edition) | Russian version, English version [11.01.2021] |
| 15.02.2021 | Alisa Shevchenko | @alisaesage | Microsoft Hyper-V Virtual Network Switch VmsMpCommonPvtSetRequestCommon Out of Bounds Read | Link |
| 11.03.2021 | Alex Ilgayev | @alex_il | Playing in the Microsoft Windows Sandbox | Link |
| 20.04.2021 | | @_xeroxz | Voyager - A Hyper-V Hacking Framework | Link |
| 31.05.2021 | Axel Souchet | @0vercl0k | CVE-2021-28476: a guest-to-host "Microsoft Hyper-V Remote Code Execution Vulnerability" in vmswitch.sys (PoC) | Link |
| 02.06.2021 | Diane Dubois | @0xdidu | Hyntrospect: a fuzzer for Hyper-V devices (video and slides) | Link |
| 02.06.2021 | Daniel Fernandez Kuehr | @ergot86 | Microsoft Hyper-V: Multiple Vulnerabilities in vmswitch.sys (CVE-2021-28476) | Link |
| 28.07.2021 | Ophir Harpaz, Peleg Hadar | @OphirHarpaz, @peleghd | Critical 9.9 Vulnerability In Hyper-V Allowed Attackers To Exploit Azure | Link |
| 29.07.2021 | Salma el Mohib | @lychnis42 | A virtual journey: From hardware virtualization to Hyper-V's Virtual Trust Levels | Article, Script from article |
| 04.08.2021 | Ophir Harpaz, Peleg Hadar | @OphirHarpaz, @peleghd | hAFL1 – Our Journey of Fuzzing Hyper-V and Discovering a Critical 0-Day | Link, Web archive link. Hyper-V’s virtual switch (vmswitch.sys) fuzzer. Black Hat 2021 presentation |
| 04.08.2021 | Zhenhao Hon, Chuanjian Lia | @rthhh17 | Mobius Band: Explore Hyper-V Attack Interface through Vulnerabilities Internals | Black Hat 2021 presentation: Slides, Video |
| 02.09.2021 | [Microsoft] Xinyang Ge, [Microsoft] Ben Niu, [Microsoft] Robert Brotzman, [Microsoft] Yaohui Chen, [Microsoft] HyungSeok Han, [Microsoft] Patrice Godefroid, [Microsoft] Weidong Cui | | HyperFuzzer: An Efficient Hybrid Fuzzer for Virtual CPUs | Link |
| 04.01.2022 | Peter Hlavaty | @rezer0dai | Bug Bounties and HyperV RCE Research (CVE-2020-17095) | Link |
| 03.03.2022 | Diane Dubois | @0xdidu | Hyntrospect: a fuzzer for Hyper-V devices | Slides, Video |
| 21.04.2022 | VictorV | @vv474172261 | Old School. New Story. Escape from Hyper-V by path traversal | Slides |
| 23.05.2022 | Connor McGarr | @33y0re | Exploit Development. Living The Age of VBS, HVCI, and Kernel CFG | Link |
| 11.08.2022 | Zhenhao Hon, Ziming Zhang | @rthhh17, @ezrak1e | DirectX: The New Hyper-V Attack Surface | Link |
| 08.12.2022 | Andrew Ruddick, Rohit Mothe | @arudd1ck, @rohitwas | Exploring a New Class of Kernel Exploit Primitive | Link |
| 14.12.2022 | Ben Barnea | @nachoskrnl | CVE-2022-37998 and CVE-2022-37973 (DoS Microsoft Defender Application Guard, Sandbox) description | Link |
| 16.05.2023 | Aryan Xyrem | @Xyrem256 | Exploiting Windows vulnerabilities with Hyper-V: A Hacker’s swiss army knife | Link |
| 07.09.2023 | Francisco Falcon | @fdfalcon | Debugging Windows Isolated User Mode (IUM) Processes | Link |
| 15.09.2023 | Matt Hand | @matterpreter | Hypervisor Detection with SystemHypervisorDetailInformation | Link |
| 08.10.2023 | Junsu Lee, l0ch | @Pwndorei, @l0ch | Microsoft Hyper-V CVE-2018-0959 analysis | Part 1 (Korean), Part 2 (Korean), Part 3 (Korean), Part 4 (Korean), Video |
| 20.11.2023 | Satoshi Tanda | @standa_t | Microsoft Hyper-V CVE-2023-36427 vulnerability description and PoC | Link |
| 12.05.2024 | Junsu Lee | @Pwndorei | CVE-2023-36407 Analysis & Exploitation | Link |
| 01.09.2024 | Junsu Lee | @Pwndorei | Hyper-V 1-day Class: CVE-2024-38080 | Link, Sources |
| 14.10.2024 | Dor00tkit | @Dor00tkit | Debugging the Windows Hypervisor: Inspecting SK Calls | Link |

[Microsoft] marks research done by an employee of Microsoft, the company that develops Hyper-V.
## MSDN and other Microsoft sources

- Managing Hyper-V hypervisor scheduler types: Link
- Hyper-V top level functional specification (web version): Link
- Hyper-V top level functional specifications: Link
- Linux kernel for the Hyper-V root partition: Link
- OpenHCL, the new open source paravisor: Link, Sources
- Modular, cross-platform Virtual Machine Monitor (VMM) written in Rust: Link
- Linux kernel containing the mshv (Linux root partition) module: Link
- Windows PowerShell modules: Hyper-V sockets example
- Hyperlight
  - Introducing Hyperlight: Virtual machine-based security for functions at scale. Link
  - Hyperlight source code. Link
- Host Compute Network (HCN) service API for VMs and containers: Link
- Windows classic samples (Hyper-V): Link
- SkTool - Hypervisor / Secure Kernel / Secure Mitigations Parser Tool from the Windows SDK
(The Windows Internals book, the Hyper-V TLFS and other MSDN documentation are the standard sources of Hyper-V internals information.)
- hypervdevicevirtualization.h
- VmbusKernelModeClientLibApi.h
- pcivirt.h
- vmsavedstatedump.h
- vmsavedstatedumpdefs.h
- WinHvEmulation.h
- WinHvPlatform.h
- WinHvPlatformDefs.h
- wmcontainer.h
- Wmcontainer.idl
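As an added example that is not part of this page, nor code from Microsoft or any project listed here: the CPUID discovery interface that the Hyper-V TLFS (linked above) documents, in plain C. Leaf 0x40000000 returns the maximum hypervisor leaf in EAX and a 12-byte vendor signature in EBX:ECX:EDX ("Microsoft Hv" for Hyper-V); leaf 0x40000001 returns the interface signature in EAX, and the TLFS makes "Hv#1" the normative check for a Hyper-V-compatible hypervisor. The decode functions work on captured register values, so they can be tested with constructed input; the live probe only runs on x86 builds with GCC or Clang. The function names and the sample register values are the example's own.

```c
/* Added example (not from this page, Microsoft, or any listed project):
 * hypervisor discovery through the CPUID leaves documented in the Hyper-V TLFS.
 * Build: cc -O2 hv_cpuid.c -o hv_cpuid */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CPUID_FEATURE_LEAF        0x00000001u
#define CPUID_HV_PRESENT_ECX_BIT  (1u << 31)   /* CPUID.1:ECX[31], hypervisor present */
#define HV_CPUID_VENDOR_LEAF      0x40000000u  /* EAX = max hypervisor leaf, EBX:ECX:EDX = vendor */
#define HV_CPUID_INTERFACE_LEAF   0x40000001u  /* EAX = interface signature, "Hv#1" for Hyper-V */

typedef struct { uint32_t eax, ebx, ecx, edx; } cpuid_regs;

/* CPUID strings are stored lowest byte first, so unpack a register that way. */
static void unpack_reg(uint32_t reg, char *out)
{
    for (int i = 0; i < 4; i++)
        out[i] = (char)((reg >> (8 * i)) & 0xffu);
}

/* 12-byte vendor signature from leaf 0x40000000 (EBX, ECX, EDX); out needs 13 bytes. */
static void hv_decode_vendor(const cpuid_regs *r, char out[13])
{
    unpack_reg(r->ebx, out);
    unpack_reg(r->ecx, out + 4);
    unpack_reg(r->edx, out + 8);
    out[12] = '\0';
}

/* 4-byte interface signature from leaf 0x40000001 EAX; out needs 5 bytes. */
static void hv_decode_interface(const cpuid_regs *r, char out[5])
{
    unpack_reg(r->eax, out);
    out[4] = '\0';
}

/* 1 when the leaves identify a TLFS-conformant Hyper-V ("Microsoft Hv" and "Hv#1"),
 * else 0. The interface leaf is only valid if leaf 0x40000000 EAX >= 0x40000001. */
static int hv_is_hyperv(const cpuid_regs *vendor, const cpuid_regs *iface)
{
    char v[13], s[5];
    if (vendor->eax < HV_CPUID_INTERFACE_LEAF)
        return 0;
    hv_decode_vendor(vendor, v);
    hv_decode_interface(iface, s);
    return strcmp(v, "Microsoft Hv") == 0 && strcmp(s, "Hv#1") == 0;
}

#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>
static int cpuid_query(uint32_t leaf, cpuid_regs *r)
{
    /* __cpuid executes the instruction without the max-basic-leaf check that
     * __get_cpuid performs; leaf 0x40000000 lies above that limit. */
    __cpuid(leaf, r->eax, r->ebx, r->ecx, r->edx);
    return 1;
}
#else
static int cpuid_query(uint32_t leaf, cpuid_regs *r)
{
    (void)leaf;
    memset(r, 0, sizeof *r);
    return 0;   /* not an x86 GCC/Clang build: CPUID unavailable */
}
#endif

/* Live probe: -1 if CPUID is unavailable, 0 for no hypervisor or a non-Hyper-V
 * interface, 1 for Hyper-V. vendor_out receives the signature ("" if none). */
static int hv_probe_live(char vendor_out[13])
{
    cpuid_regs feat, vendor, iface;
    vendor_out[0] = '\0';
    if (!cpuid_query(CPUID_FEATURE_LEAF, &feat))
        return -1;
    if (!(feat.ecx & CPUID_HV_PRESENT_ECX_BIT))
        return 0;
    cpuid_query(HV_CPUID_VENDOR_LEAF, &vendor);
    hv_decode_vendor(&vendor, vendor_out);
    if (vendor.eax < HV_CPUID_INTERFACE_LEAF)
        return 0;
    cpuid_query(HV_CPUID_INTERFACE_LEAF, &iface);
    return hv_is_hyperv(&vendor, &iface);
}

int main(void)
{
    char vendor[13];
    int rc = hv_probe_live(vendor);
    if (rc < 0)
        puts("CPUID not available on this build target");
    else if (vendor[0] == '\0')
        puts("CPUID.1:ECX[31] clear: no hypervisor reported");
    else
        printf("hypervisor vendor '%s': %s\n", vendor,
               rc ? "Hyper-V (Hv#1 interface)" : "not Hyper-V, or interface is not Hv#1");
    return 0;
}
```

The present bit and both signatures are whatever the hypervisor controlling the guest's CPUID chooses to report: KVM and VMware can be configured to present "Microsoft Hv" and "Hv#1" to a guest (which is why this check says "Hyper-V interface offered", not "running under Hyper-V"), and the Hyper-V root partition itself sees the bit set because the root is also a partition. For the Windows-side view through NtQuerySystemInformation see the SystemHypervisorDetailInformation entry in the table above.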
## VBS\VSM research

I am not specialized in VBS, the Hyper-V based security mechanism of Windows, so I add links to papers here because they can contain information about Hyper-V internals.
[06.08.2015] Alex Ionescu (@aionescu). BATTLE OF SKM AND IUM. Link
[10.12.2015] Guillaume C. Windows 10 VSM Présentation des nouveautés et implémentations (Windows 10 VSM: presentation of new features and implementations, in French). Link
[04.08.2016] Rafal Wojtczuk. Analysis of the Attack Surface of Windows 10 Virtualization-Based Security
[02.02.2017] Adrien Chevalier (@0x00_ach). Virtualization Based Security - Part 1: The boot process. Link. Web Archive
[13.02.2017] Adrien Chevalier (@0x00_ach). Virtualization Based Security - Part 2: kernel communications. Link. Web Archive
[15.07.2017] Hans Kristian Brendmo. Live forensics on the Windows 10 secure kernel. Link
[27.06.2018] Alex Ionescu (@aionescu), David Weston @dwizzzleMSFT. Inside the Octagon. Analyzing System Guard Runtime Attestation. OPCDE 2018. Link
[04.07.2018] [Microsoft] Saar Amar (@AmarSaar). VBS and VSM Internals. BlueHat IL 2018. Link
[14.03.2019] Federal office for information security (Germany). (@BSI_Bund). Work Package 6: Virtual Secure Mode. Link
[14.03.2019] Federal office for information security (Germany). (@BSI_Bund). Work Package 7: Device Guard. Link
[22.05.2019] Dominik Phillips, Aleksandar Milenkoski (@milenkowski). Virtual Secure Mode: Initialization. Link
[22.05.2019] Aleksandar Milenkoski (@milenkowski). Virtual Secure Mode: Communication Interfaces. Link
[22.05.2019] Aleksandar Milenkoski (@milenkowski). Virtual Secure Mode: Architecture Overview. Link
[30.10.2019] Aleksandar Milenkoski (@milenkowski). Virtual Secure Mode: Protections of Communication Interfaces. Link
[30.10.2019] Lukas Beierlieb, Lukas Ifflander, Aleksandar Milenkoski (@milenkowski), Charles F. Goncalves, Nuno Antunes, Samuel Kounev. Towards Testing the Software Aging Behavior of Hypervisor Hypercall Interfaces. Link
[07.08.2020] [Microsoft] Andrea Allievi (@aall86). Introducing Kernel Data Protection, a new platform security technology for preventing data corruption. Link
[12.07.2020] Yarden Shafir (@yarden_shafir). Secure Pool Internals : Dynamic KDP Behind The Hood. Link
[04.08.2020] [Microsoft] Saar Amar (@AmarSaar), Daniel King (@long123king). Breaking VSM by Attacking Secure Kernel. Hardening Secure Kernel through Offensive Research. Link
[01.01.2022] Yarden Shafir (@yarden_shafir). HyperGuard – Secure Kernel Patch Guard: Part 1 – SKPG Initialization. Link
[17.01.2022] Yarden Shafir (@yarden_shafir). HyperGuard – Secure Kernel Patch Guard: Part 2 – SKPG Extents. Link
[19.04.2022] Yarden Shafir (@yarden_shafir). HyperGuard Part 3 – More SKPG Extents. Link
[08.09.2022] James Forshaw (@tiraniddo). Windows: Credential Guard KerbIumGetNtlmSupplementalCredential Information Disclosure. Link
[30.12.2022] Worawit Wang (@sleepya_). Code Execution against Windows HVCI. Link
[15.01.2024] Satoshi Tanda (@standa_t). Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability disclosure (CVE-2024-21305). Link
[01.06.2024] Connor McGarr (@33y0re). Windows Internals: Dissecting Secure Image Objects - Part 1. Link
[29.06.2024] Andrea Allievi (@aall86), Satoshi Tanda (@standa_t). Hypervisor-enforced Paging Translation. Link
[07.08.2024] Alon Leviev (@_0xDeku). Windows Downdate: Downgrade Attacks Using Windows Updates (Bypassing VBS UEFI Lock). Link
[29.10.2024] Connor McGarr (@33y0re). Redefining Security Boundaries: Unveiling Hypervisor-Backed Security Features For Windows Security. Link
## Hyper-V related free and open source utilities, scripts, schemes

[2013-2024] Arthur Khudyaev (@gerhart_x)
- Files and scripts to "Hyper-V debugging for beginners (2013)" article. Link
- Files and scripts to "Hyper-V internals (2015)" article. Link
- Files and scripts to "Hyper-V debugging for beginners. 2nd edition (2020)" article. Link
- LiveCloudKd. Link
- Hyper-V memory manager plugin SDK. Link
- Native Hyper-V reading memory example driver. Link
- CVE-2020-0890 PoC sources with binary (Windows Hyper-V Denial of Service Vulnerability). Link
- Hyper-V integration plugin for MemProcFS by @UlfFrisk:
  - Source code. Link
  - Plugin description from @UlfFrisk. Link. Distribution package
- LiveCloudKd EXDi plugin source code. Link
- LiveCloudKd EXDi plugin for Windows Secure Kernel debugging. Link
- LiveCloudKd EXDi static plugin for reading and writing Hyper-V memory. Link
- Hvcalls GUI - tool for extracting hypercalls from Windows Hyper-V binaries. Link
- Radare2 build for displaying Hyper-V internals information through kd connection. Link
- Hyper-V integration plugin for Volatility. Link. Distribution package
- Hyper Views - utility for viewing Hyper-V memory page tables. Link
- Scripts for Hyper-V researching: Link
- Script for hypercalls table creation in IDA PRO. Link
- Script for parsing VM_PROCESS_CONTEXT structure. [Pykd version], [JavaScript version]
- Script for displaying VMCS inside hvix64 (dynamic execution using WinDBG session in IDA PRO). Link
- Script for automatic configuration of Guest OS debugging, using embedded vmms.exe capabilities. Link
- Script for getting information from the Windows Secure Kernel at runtime (IDT, loaded modules, syscalls, deciphering SkiSecureServiceTable). Link
- Script for some Hyper-V hypercalls codes and names automatic extraction on Powershell. Link
- Script for Hyper-V hypercalls codes and names automatic extraction with GUI on Powershell. Link
- Scripts for Hyper-V sockets analysis (scripts were written for Hyper-V sockets internals article)
- Hyper-V components scheme (Windows 11 23H2). Link
- Hyper-V Memory Manager plugin module for Powershell. Link
[2014, 2024] Marc-André Moreau (@awakecoding).
- Hyper-V VmBusPipe Link
- Tool for recompiling Hyper-V manager. Link. Description
[2016] Yuriy Bulygin (@c7zero). Hyper-V VMBUS fuzzing. CHIPSEC: Platform Security Assessment Framework. Link
[2018] Windows Hypervisor Platform API for Rust. Link
[2018-2019] Alex Ionescu (@aionescu).
- Simpleator ("Simple-ator") is an innovative Windows-centric x64 user-mode application emulator that leverages several new features that were added in Windows 10 Spring Update (1803). Link.
- Hdk - Hyper-V development kit (unofficial). Link
[2018] Matthieu Suiche [www.msuiche.com]. LiveCloudKd Link
[2019, 2021] Axel Souchet (@0vercl0k).
- Pywinhv. Python binding for the Microsoft Hypervisor Platform APIs. Link
- What The Fuzz. Cross-platform snapshot-based fuzzer designed for attacking user- and/or kernel-mode targets running on Microsoft Windows; the Windows Hypervisor Platform API is supported. Link
[2019, 2021] Behrooz Abbassi (@BehroozAbbassi)
- ia32_msr_decoder.py. Link
- IA32_VMX_Helper.py. Link
- HypervCpuidInfo.h. Get Hyper-V CPUIDs information Link
- VmwpMonitor. A DLL that is injected into the vmwp.exe process to monitor the I/O operations on the emulated devices between the guest VM and the VM worker process. Link
[2020] (@commial). Configure Qemu-KVM for debugging SecureKernel Link
[2020] Dmytro "Cr4sh" Oleksiuk (@d_olex). Hyper-V backdoor, which allows inspecting the Secure Kernel and running third-party trustlets in Isolated User Mode (a virtualization-based security feature of Windows 10). Link
[2020] Matt Miller (@epakskape) WHVP API based NOP-generator. Link
[2020] (@_xeroxz) Hyper-V Hacking Framework For Windows 10 x64 (AMD & Intel). Link
[2021] Diane Dubois (@0xdidu). Hyntrospect. A coverage-guided fuzzer targeting Hyper-V emulated devices (in the user mode of the Hyper-V root partition). Link
[2021] Peleg Hadar (@peleghd). hAFL2 is a kAFL-based hypervisor fuzzer. Link
[2022] Abdelhamid Naceri (@KLINIX5). Reverse RDP RCE example. Link
[2022] Kenji Mouri (Qi Lu) (@MouriNaruto).
- NanaBox - open-source Hyper-V client based on Host Compute System API. Link
- The lightweight library for Hyper-V guest interfaces. Link
[2023] Daniel Fernandez Kuehr (@ergot86). JS script for dumping hypervisor related structures (EPT, VMCS, etc.)
[2023] Aryan Xyrem (@Xyrem256). Hypercall - library that allows you to impersonate Hyper-V and intercept hypercalls made by the Windows kernel. Link
[2023] Satoshi Tanda (@standa_t). JS script for dumping hypervisor related structures [EPT, VMCS, MSR etc]. Link
[2023] Or Ben-Porath (@OrBenPorath), CyberArk (@CyberarkLabs). Fuzzer-V. Link
[2024] Junsu Lee (@Pwndorei).
## Software and tools working with Hyper-V

Linux Integration Services (LIS). Link
MemProcFS. Link
Qemu source code (WHPX support module).
Virtual Box source code.
Notes for using Host Compute System API from Kenji Mouri (Qi Lu) (@MouriNaruto). Link