
Simple Intel VT-x hypervisor


airhv

airhv is a simple hypervisor based on Intel VT-x, mainly focused on EPT hooking.

Features

  • EPT support with mapping of 2 MB pages (split dynamically into 4 KB pages when needed)
  • Ability to run in VMware, which uses a few I/O ports for communication between VMware Tools (vmtools) and the VMware hypervisor
  • Ability to handle various VM-exit cases: CPUID, RDTSC, RDTSCP, RDRAND, RDSEED, WBINVD/INVD, IN/OUT, XSETBV, RDMSR, WRMSR, INVPCID, MOV DR, CR access, exceptions/NMI, VMCALL, INVLPG, GDTR/IDTR access, LDTR/TR access
  • Ability to perform inline hooking via EPT
  • Includes a simple driver (airhvctrl) that communicates with the hypervisor via VMCALL to hook a syscall (via EPT). It hooks NtCreateFile and, whenever the user tries to create a file named test.txt, prevents the file from being created.
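The first feature above (2 MB EPT mappings that are split into 4 KB pages on demand) is the bookkeeping every EPT-based hook depends on: to change access on a single 4 KB guest page without touching its 511 neighbours, the covering 2 MB entry must first be replaced by a page table. The user-mode model below is an added example written for this page; it is not airhv's code. Entry bit positions follow the Intel SDM (Vol. 3C, EPT paging-structure entries); the function names, the `EptContext` allocator and the constructed "physical" addresses it hands out for page tables are this example's own assumptions.

```cpp
// Added example, not airhv code: a user-mode model of EPT 2 MB -> 4 KB splitting.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <unordered_map>
#include <vector>

// EPT entry bits shared by PDEs and PTEs (Intel SDM Vol. 3C).
constexpr uint64_t EPT_READ    = 1ull << 0;
constexpr uint64_t EPT_WRITE   = 1ull << 1;
constexpr uint64_t EPT_EXECUTE = 1ull << 2;
constexpr uint64_t EPT_RWX     = EPT_READ | EPT_WRITE | EPT_EXECUTE;
constexpr uint64_t EPT_MEMTYPE_SHIFT = 3;                    // bits 5:3, leaf entries only
constexpr uint64_t EPT_MEMTYPE_MASK  = 7ull << EPT_MEMTYPE_SHIFT;
constexpr uint64_t EPT_MEMTYPE_WB    = 6ull << EPT_MEMTYPE_SHIFT;
constexpr uint64_t EPT_LARGE_PAGE    = 1ull << 7;            // PDE bit 7: maps a 2 MB page
constexpr uint64_t EPT_ADDR_MASK     = 0x000FFFFFFFFFF000ull; // physical address, bits 51:12
constexpr uint64_t PAGE_4K = 0x1000, PAGE_2M = 0x200000;
constexpr size_t   ENTRIES = 512;

struct EptPageTable { uint64_t pte[ENTRIES]{}; };   // 2 MB as 512 x 4 KB
struct EptPageDir   { uint64_t pde[ENTRIES]{}; };   // 1 GB as 512 x 2 MB

// Assumption of this model: stands in for allocating a page table and asking the
// OS for its physical address. Tables get constructed "physical" addresses from a
// pool far above the identity-mapped guest range used below, so they cannot collide.
class EptContext {
public:
    EptPageTable* alloc_table(uint64_t* pa_out) {
        tables_.push_back(std::make_unique<EptPageTable>());
        uint64_t pa = kTablePoolBase + (tables_.size() - 1) * PAGE_4K;
        by_pa_[pa] = tables_.back().get();
        *pa_out = pa;
        return tables_.back().get();
    }
    EptPageTable* table_at(uint64_t pa) {
        auto it = by_pa_.find(pa);
        return it == by_pa_.end() ? nullptr : it->second;
    }
    const EptPageTable* table_at(uint64_t pa) const {
        auto it = by_pa_.find(pa);
        return it == by_pa_.end() ? nullptr : it->second;
    }
    size_t table_count() const { return tables_.size(); }
private:
    static constexpr uint64_t kTablePoolBase = 0x700000000000ull;
    std::vector<std::unique_ptr<EptPageTable>> tables_;
    std::unordered_map<uint64_t, EptPageTable*> by_pa_;
};

inline size_t pde_index(uint64_t gpa) { return (gpa >> 21) & 0x1FF; }
inline size_t pte_index(uint64_t gpa) { return (gpa >> 12) & 0x1FF; }

// Identity-map 1 GB starting at `base` with 2 MB, RWX, write-back entries.
EptPageDir build_identity_pd(uint64_t base) {
    EptPageDir pd;
    for (size_t i = 0; i < ENTRIES; ++i)
        pd.pde[i] = ((base + i * PAGE_2M) & EPT_ADDR_MASK) | EPT_LARGE_PAGE | EPT_MEMTYPE_WB | EPT_RWX;
    return pd;
}

// Replace the 2 MB leaf PDE covering `gpa` by a page table whose 512 PTEs inherit
// the large page's permissions, memory type and physical range. Idempotent.
bool split_2m(EptContext& ctx, EptPageDir& pd, uint64_t gpa) {
    uint64_t& pde = pd.pde[pde_index(gpa)];
    if (!(pde & EPT_RWX)) return false;          // not present: nothing to split
    if (!(pde & EPT_LARGE_PAGE)) return true;    // already points to a page table
    uint64_t table_pa = 0;
    EptPageTable* pt = ctx.alloc_table(&table_pa);
    uint64_t base  = pde & EPT_ADDR_MASK;
    uint64_t attrs = pde & (EPT_RWX | EPT_MEMTYPE_MASK);
    for (size_t i = 0; i < ENTRIES; ++i)
        pt->pte[i] = (base + i * PAGE_4K) | attrs;
    // A non-leaf PDE carries only the table address and RWX: memory-type bits
    // and bit 7 must be clear. A real hypervisor must INVEPT after this store.
    pde = table_pa | EPT_RWX;
    return true;
}

struct Translation { bool present; uint64_t hpa; uint64_t perms; uint64_t page_size; };

// Walk PDE -> (PTE) for a guest-physical address, as the CPU would.
Translation translate(const EptContext& ctx, const EptPageDir& pd, uint64_t gpa) {
    uint64_t pde = pd.pde[pde_index(gpa)];
    if (!(pde & EPT_RWX)) return {false, 0, 0, 0};
    if (pde & EPT_LARGE_PAGE)
        return {true, (pde & EPT_ADDR_MASK) + (gpa & (PAGE_2M - 1)), pde & EPT_RWX, PAGE_2M};
    const EptPageTable* pt = ctx.table_at(pde & EPT_ADDR_MASK);
    if (!pt) return {false, 0, 0, 0};
    uint64_t pte = pt->pte[pte_index(gpa)];
    if (!(pte & EPT_RWX)) return {false, 0, 0, 0};
    return {true, (pte & EPT_ADDR_MASK) + (gpa & (PAGE_4K - 1)), pte & EPT_RWX, PAGE_4K};
}

// Change access on exactly one 4 KB guest page, splitting the enclosing 2 MB entry
// first so the other 511 pages keep their original permissions.
bool set_4k_perms(EptContext& ctx, EptPageDir& pd, uint64_t gpa, uint64_t perms) {
    if (!split_2m(ctx, pd, gpa)) return false;
    EptPageTable* pt = ctx.table_at(pd.pde[pde_index(gpa)] & EPT_ADDR_MASK);
    if (!pt) return false;
    uint64_t& pte = pt->pte[pte_index(gpa)];
    pte = (pte & ~EPT_RWX) | (perms & EPT_RWX);
    return true;
}

int main() {
    EptContext ctx;
    EptPageDir pd = build_identity_pd(0);
    set_4k_perms(ctx, pd, 0x205000, EPT_READ | EPT_WRITE);   // constructed target page
    Translation t = translate(ctx, pd, 0x205123);
    std::printf("gpa 0x205123 -> hpa 0x%llx perms 0x%llx page 0x%llx, tables %zu\n",
                (unsigned long long)t.hpa, (unsigned long long)t.perms,
                (unsigned long long)t.page_size, ctx.table_count());
    return 0;
}
```

The walk in `translate` is the check worth keeping when debugging an EPT layout: after a split, every address in the 2 MB region must still translate to the same host-physical address it did before, and only the one page you touched should report different permissions.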

Future possible features

  • Ability to run under AMD SVM
  • Ability to handle more VM-exit cases
  • Ability to make the hypervisor undetectable via timing counters (RDTSC, RDTSCP)
  • Ability to run nested VMs
  • MSR_LSTAR hooking

Compilation

Compile with Visual Studio 2019 (requires the WDK).

Supported hardware

Intel processors with VT-x and EPT support.

Supported platforms

Windows 7 to Windows 10, x64 only.

License

airhv is under the MIT license.
Dependencies are licensed under their own licenses.