Air14/airhv

Stuck on kvm

SEtihu23785678235 opened this issue · 4 comments

I'm trying to get it working on a KVM installation with nested virtualization enabled.

After about 30 seconds the system gets stuck. (If WinDbg is not connected, it gets stuck immediately.)
I don't get any exceptions. It's more like an infinite loop. WinDbg shows that the debuggee is running...
Even the WinDbg .reboot command doesn't work.
The system gets stuck even if I run only airhv.sys without HyperHideDrv.sys.

If I hit Break, the call stack is always the same (when both airhv.sys and HyperHideDrv.sys are started):

nt!DbgBreakPointWithStatus
nt!KdCheckForDebugBreak+0x11045c
nt!KeAccumulateTicks+0x1ebcf5
nt!KiUpdateRunTime+0x5d
nt!KiUpdateTime+0x4a1
nt!KeClockInterruptNotify+0x2e3
nt!HalpTimerClockInterrupt+0xe2
nt!KiCallInterruptServiceRoutine+0xa5
nt!KiInterruptSubDispatchNoLockNoEtw+0xfa
nt!KiInterruptDispatchNoLockNoEtw+0x37
0xfffff8023b9b0000
nt!HvcallInitiateHypercall+0x61
nt!HvlNotifyLongSpinWait+0x24
nt!KeYieldProcessorEx+0x38
nt!KiGenericCallDpcWorker+0xd4
nt!KeGenericProcessorCallback+0x125
nt!KeGenericCallDpc+0x27
nt!EtwpFreeLoggerContext+0x173
nt!EtwpLogger+0x4a8
nt!PspSystemThreadStartup+0x55
nt!KiStartSystemThread+0x28

Where

0: kd> u fffff8023b9b0000
fffff8023b9b0000 0f01c1 vmcall
fffff8023b9b0003 c3 ret
fffff8023b9b0004 0000 add byte ptr [rax],al
fffff8023b9b0006 0000 add byte ptr [rax],al

Of course I can't step into vmcall.
I'm not very good at debugging and hypervisor development, but I suspect I need to connect a second WinDbg for that.

Log:

[00:32:20.201] [INFORMATION] [perform_allocation:117] Allocation successful
[00:32:20.201] [INFORMATION] [perform_allocation:117] Allocation successful
[00:32:20.201] [INFORMATION] [perform_allocation:117] Allocation successful
[00:32:20.201] [INFORMATION] [perform_allocation:117] Allocation successful
[00:32:20.206] [INFORMATION] [perform_allocation:117] Allocation successful
[00:32:20.253] [INFORMATION] [init_vcpu:271] vcpu entry allocated successfully at FFFF9908CBF05190
[00:32:20.302] [INFORMATION] [init_vcpu:271] vcpu entry allocated successfully at FFFF9908CBF05270
[00:32:20.302] [INFORMATION] [init_logical_processor:367] vcpu 0 is now in VMX operation.
[00:32:20.302] [INFORMATION] [init_logical_processor:367] vcpu 1 is now in VMX operation.

[00:32:20.351] [INFORMATION] [DriverEntry:89] HyperVisor On
[00:32:20.351] [INFORMATION] [DriverEntry:94] Got offsets
[00:32:20.400] [INFORMATION] [DriverEntry:99] Got Ssdt
[00:32:20.475] [INFORMATION] [GetPfnDatabase:28] MmPfnDataBase address 0xffffee0000000000
[00:32:20.475] [INFORMATION] [DriverEntry:104] Hider Initialized
[00:32:20.475] [INFORMATION] [DriverEntry:112] PsSetCreateThreadNotifyRoutine succeded
[00:32:20.475] [INFORMATION] [DriverEntry:121] PsSetCreateProcessNotifyRoutine succeded
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtContinueEx is equal: 0xA1
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetInformationThread is equal: 0xD
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationProcess is equal: 0x19
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryObject is equal: 0x10
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSystemDebugControl is equal: 0x1BF
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetContextThread is equal: 0x18D
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQuerySystemInformation is equal: 0x36
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtGetContextThread is equal: 0xF3
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtClose is equal: 0xF
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationThread is equal: 0x25
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateThreadEx is equal: 0xC2
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateFile is equal: 0x55
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateProcessEx is equal: 0x4D
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtYieldExecution is equal: 0x46
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQuerySystemTime is equal: 0x5A
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryPerformanceCounter is equal: 0x31
[00:32:20.995] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationJobObject is equal: 0x14B
[00:32:20.995] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateUserProcess is equal: 0xC9
[00:32:20.995] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtGetNextProcess is equal: 0xF8
[00:32:20.998] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtOpenProcess is equal: 0x26
[00:32:20.998] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtOpenThread is equal: 0x12F
[00:32:20.998] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetInformationProcess is equal: 0x1C
[00:32:21.001] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserBuildHwndList is equal: 0x1C
[00:32:21.004] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserFindWindowEx is equal: 0x6C
[00:32:21.004] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserQueryWindow is equal: 0x10
[00:32:21.004] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserGetForegroundWindow is equal: 0x3C
[00:32:21.004] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserGetThreadState is equal: 0x0
[00:32:21.077] [INFORMATION] [GetKiUserExceptionDispatcherAddress:1878] KiUserExceptionDispatcher address: 0x7ff90c470e90
[00:32:21.175] [INFORMATION] [HookKiDispatchException:1905] KiDispatchException address: 0xfffff8023ecc9360
[00:32:21.175] [INFORMATION] [DriverEntry:132] Syscalls Hooked
[00:32:21.175] [INFORMATION] [DriverEntry:148] Driver initialized

Air14 commented

Did you disable Hyper-V?
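The call stack in the issue shows the kernel inside nt!HvlNotifyLongSpinWait issuing a hypercall (vmcall) through nt!HvcallInitiateHypercall, which is a Hyper-V enlightenment path: the Hyper-V TLFS documents CPUID leaf 0x40000000 as the hypervisor vendor string, leaf 0x40000001 EAX as the interface signature ("Hv#1"), and leaf 0x40000004 EBX as the recommended number of spinlock retries before the guest notifies the hypervisor (0xFFFFFFFF meaning never). A quick way to answer Air14's question from inside the guest is to read those leaves. The following C program is an added example, not code from the airhv project or from anyone in this thread; it uses GCC/Clang's `<cpuid.h>` on x86, and the register values in the two `fake_*` readers are constructed for illustration, not captured from a real machine. Run it before loading airhv, since a hypervisor that hides itself can mask exactly these leaves.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Real CPUID only with GCC/Clang on x86; elsewhere only the constructed tables run. */
#if (defined(__GNUC__) || defined(__clang__)) && (defined(__x86_64__) || defined(__i386__))
#  include <cpuid.h>
#  define HAVE_CPUID 1
#else
#  define HAVE_CPUID 0
#endif

#define HV_NEVER_NOTIFY 0xFFFFFFFFu   /* CPUID.40000004h:EBX: never notify the hypervisor */

struct cpuid_regs { uint32_t eax, ebx, ecx, edx; };

struct hv_info {
    int      hypervisor_present;  /* CPUID.1:ECX[31] */
    char     vendor[13];          /* CPUID.40000000h:EBX,ECX,EDX as ASCII */
    int      hyperv_interface;    /* CPUID.40000001h:EAX == "Hv#1" */
    uint32_t spinlock_retries;    /* CPUID.40000004h:EBX, retries before the notify hypercall */
};

/* Leaf reader: the real instruction on x86, or a constructed table for offline use. */
typedef void (*leaf_reader)(uint32_t leaf, struct cpuid_regs *out);

static void decode_vendor(const struct cpuid_regs *r, char out[13])
{
    memcpy(out, &r->ebx, 4); memcpy(out + 4, &r->ecx, 4); memcpy(out + 8, &r->edx, 4);
    out[12] = '\0';
}

/* The guest only spins into a vmcall when the recommended retry count is finite. */
static int uses_spinlock_notification(uint32_t retries) { return retries != HV_NEVER_NOTIFY; }

static void hv_probe(leaf_reader read, struct hv_info *info)
{
    struct cpuid_regs r;
    uint32_t max_leaf;
    memset(info, 0, sizeof *info);
    info->spinlock_retries = HV_NEVER_NOTIFY;
    read(1, &r);
    info->hypervisor_present = (r.ecx >> 31) & 1;
    if (!info->hypervisor_present) return;
    read(0x40000000u, &r);                 /* max hypervisor leaf + vendor string */
    max_leaf = r.eax;
    decode_vendor(&r, info->vendor);
    if (max_leaf < 0x40000001u) return;
    read(0x40000001u, &r);                 /* interface signature */
    info->hyperv_interface = memcmp(&r.eax, "Hv#1", 4) == 0;
    if (!info->hyperv_interface || max_leaf < 0x40000004u) return;
    read(0x40000004u, &r);                 /* implementation recommendations */
    info->spinlock_retries = r.ebx;
}

/* Constructed register tables (not captured from any real machine). */
struct fake_leaf { uint32_t leaf; struct cpuid_regs r; };

static void read_table(const struct fake_leaf *t, size_t n, uint32_t leaf, struct cpuid_regs *out)
{
    memset(out, 0, sizeof *out);
    for (size_t i = 0; i < n; i++) if (t[i].leaf == leaf) *out = t[i].r;
}

/* Guest with Hyper-V enlightenments: vendor "Microsoft Hv", "Hv#1", 4095 spinlock retries. */
static void fake_enlightened(uint32_t leaf, struct cpuid_regs *out)
{
    static const struct fake_leaf t[] = {
        { 1,           { 0, 0, 1u << 31, 0 } },
        { 0x40000000u, { 0x40000005u, 0x7263694Du, 0x666F736Fu, 0x76482074u } },
        { 0x40000001u, { 0x31237648u, 0, 0, 0 } },
        { 0x40000004u, { 0, 0xFFFu, 0, 0 } },
    };
    read_table(t, sizeof t / sizeof t[0], leaf, out);
}

/* Plain KVM guest without enlightenments: vendor "KVMKVMKVM", no "Hv#1" signature. */
static void fake_plain_kvm(uint32_t leaf, struct cpuid_regs *out)
{
    static const struct fake_leaf t[] = {
        { 1,           { 0, 0, 1u << 31, 0 } },
        { 0x40000000u, { 0x40000001u, 0x4B4D564Bu, 0x564B4D56u, 0x0000004Du } },
        { 0x40000001u, { 0, 0, 0, 0 } },
    };
    read_table(t, sizeof t / sizeof t[0], leaf, out);
}

#if HAVE_CPUID
static void read_cpuid(uint32_t leaf, struct cpuid_regs *out)
{
    __cpuid_count(leaf, 0, out->eax, out->ebx, out->ecx, out->edx);
}
#endif

static void report(const char *label, leaf_reader read)
{
    struct hv_info i;
    hv_probe(read, &i);
    printf("%-12s present=%d vendor=\"%s\" Hv#1=%d retries=0x%08X -> %s\n", label,
           i.hypervisor_present, i.vendor, i.hyperv_interface, i.spinlock_retries,
           uses_spinlock_notification(i.spinlock_retries) ? "will vmcall on long spins" : "never notifies");
}

int main(void)
{
#if HAVE_CPUID
    report("this cpu:", read_cpuid);
#endif
    report("enlightened:", fake_enlightened);
    report("plain kvm:", fake_plain_kvm);
    return 0;
}
```

If the guest reports "Microsoft Hv" with "Hv#1" and a finite retry count, the kernel will execute vmcall from its spinlock path, and a nested hypervisor that takes VMCALL exits has to either service or forward that hypercall; a guest that reports only "KVMKVMKVM" with no "Hv#1" signature never takes that path.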

Win11 23H2 has the same problem; I can't get the dump file, because the system restarts 2 seconds after the driver is loaded. The bug is located in the vmm_init function.

Did you disable Hyper-V?

Hello, did you test Windows 11 23H2 (22621)?

Yes, in my case everything works fine.