SimpleSvm is a minimalistic educational hypervisor for Windows on AMD processors. It aims to provide small and explanatory code for using Secure Virtual Machine (SVM), the AMD counterpart of Intel VT-x, with Nested Page Tables (NPT) from a Windows driver. SimpleSvm is inspired by SimpleVisor, an Intel x64/EM64T VT-x specific hypervisor for Windows, written by Alex Ionescu.
Tag: Satoshi Tanda
Monitoring & controlling kernel-mode events by HyperPlatform: Using VT-x with EPT technologies to provide new must-have tools for reverse engineering. We presented HyperPlatform, an advanced system monitoring platform for the Windows Operating System (OS). Using Intel VT-x and Extended Page Table (EPT) technologies, this platform provides speedy monitoring of various events. HyperPlatform is hidden and resilient to modern anti-forensics techniques and can be easily extended for day-to-day reverse engineering work.[…]
EopMon: EoP detector for Intel VT-x
Satoshi Tanda has created EopMon, an elevation-of-privilege detector for Windows 7/8.1/10 on Intel x86 and x64 systems that support Intel VT-x and EPT.
EopMon is based on his earlier project, HyperPlatform, which is also worth checking out, along with MemoryMon and GuardMon.
EopMon is a hypervisor-based elevation of privilege (EoP) detector. It can spot a process with a stolen system token and terminate it by utilizing the hypervisor's ability to monitor process context-switching. […] While EopMon is tested against multiple EoP exploits carried out by in-the-wild malware, it is rather meant to be an educational tool to demonstrate a potential use case of a hypervisor for security research and is not aimed at comprehensive exploit prevention. […] EopMon is meant to be an educational tool and not robust, production-quality software that is able to handle various edge cases. […] For this reason, researchers are encouraged to use this project only as a reference to examine and develop ideas of using a hypervisor.