A lightweight, memory-safe, and blazingly fast Rust-based type-1 research hypervisor with hooks for Intel VT-x, focused on studying the core concepts of virtualization.
- ✅ Extended Page Tables (EPT): Support for Memory Type Range Registers (MTRR).
- ✅ VM Exit Handling: Handling of `ExceptionOrNmi (#GP, #PF, #BP, #UD)`, `InitSignal`, `StartupIpi`, `Hlt`, `Cpuid`, `Getsec`, `Vmcall`, `Vmclear`, `Vmlaunch`, `Vmptrld`, `Vmptrst`, `Vmresume`, `Vmxon`, `Vmxoff`, `Rdmsr`, `Wrmsr`, `Invd`, `Rdtsc`, `EptViolation`, `EptMisconfiguration`, `Invept`, `Invvpid`, `Xsetbv`.
- ❌ Hidden Kernel Inline Hooks: PatchGuard-compatible jump (`JMP`) and breakpoint (`int3`) hooks. (Refer to Hooks in the Windows Blue Pill Type-2 Hypervisor in Rust (Codename: Matrix) for reusable code.)
- ❌ Hidden System Call (Syscall) Hooks: PatchGuard-compatible jump (`JMP`) and breakpoint (`int3`) hooks for System Service Descriptor Table (SSDT) function entries. (Refer to Hooks and SSDT in the Windows Blue Pill Type-2 Hypervisor in Rust (Codename: Matrix) for reusable code.)
- ✅ Intel processors with VT-x and Extended Page Tables (EPT) support.
- ❌ AMD processors with AMD-V (SVM) and Nested Page Tables (NPT) support.
- ✅ Windows 10 - Windows 11, x64 only.
- Install Rust from here.
- Switch to Rust Nightly: `rustup toolchain install nightly` and `rustup default nightly`.
- Install Tools: `cargo install cargo-make cargo-expand cargo-edit cargo-workspaces`.
- Development: `cargo build --target x86_64-unknown-uefi --profile dev`.
- Release: `cargo build --target x86_64-unknown-uefi --profile release`.
Big thanks to the amazing people and resources that have shaped this project. A special shout-out to everyone listed below. While I didn't use all these resources in my work, they've been goldmines of information, super helpful for anyone diving into hypervisor development, including me.
- Daax Rynd (@daaximus), Aidan Khoury (@ajkhoury), Nick Peterson (@everdox): For their comprehensive series on hypervisor development:
- Sina Karvandi (@Intel80x86): For the extensive Hypervisor From Scratch series:
- Satoshi Tanda (@tandasat): His work has significantly influenced this project:
  - Hypervisor Development for Security Researchers
  - Hypervisor 101 in Rust
  - Additional Projects: Hello-VT-rp, DdiMon, HyperPlatform, MiniVisorPkg
- Matthias @not-matthias: For his impactful work on the amd_hypervisor project, which greatly inspired and influenced this research.
- Secret Club: Insights into anti-cheat systems and hypervisor detection, which also inspired this project:
- Other Essential Resources:
  - Intel's Software Developer's Manual
  - Maurice Heumann's (@momo5502) Detecting Hypervisor-Assisted Hooking
  - Guided Hacking's x64 Virtual Address Translation on YouTube
  - UnKnoWnCheaTs forum post by @namazso
  - RVM1.5, Barbervisor, rustyvisor, orange_slice, mythril, uhyve, maystorm
  - AMD-V Hypervisor Development by Back Engineering, bluepill by @_xeroxz
  - hvpp by @wbenny
  - HyperHide by @Air14
  - How AetherVisor works under the hood by M3ll0wN1ght
  - Rust library to use x86 (amd64) specific functionality and registers (x86 crate for Rust)
  - DarthTon's HyperBone (based on the legendary Alex Ionescu's version) on UnknownCheats.
  - Joanna Rutkowska: Pioneering the Blue Pill Hypervisor Concept, one of the earliest proofs of concept
Special thanks to:
- Daax Rynd
- Satoshi Tanda (@tandasat)
- Drew (@drew)
- iPower (@iPower)
- Namazso (@namazso)
- Matthias @not-matthias
- @felix-rs / @joshuа
- Jess (@jessiep_)
- Ryan McCrystal / @rmccrystal
- Jim Colerick (@vmprotect)
This project is licensed under the MIT License. For more information, see the MIT License details.