SimpleSvm: hypervisor for AMD Windows systems

May 29, 2017 ~ hucktech ~ Leave a comment

Have AMD processors and interested in hypervisors? Learn how to program AMD-V including Nested Page Tables with: https://t.co/BEY8Ni0WEt

— Satoshi Tanda (@standa_t) May 27, 2017

Satoshi doing awesome work as always. Lucky to have him on my team 🙂 https://t.co/dYK9YZV01R

— Alex Ionescu (@aionescu) May 27, 2017

SimpleSvm is a minimalistic educational hypervisor for Windows on AMD processors. It aims to provide small and explanational code to use Secure Virtual Machine (SVM), the AMD version of Intel VT-x, with Nested Page Tables (NPT) from a windows driver. SimpleSvm is inspired by SimpleVisor, an Intel x64/EM64T VT-x specific hypervisor for Windows, written by Alex Ionescu.

https://github.com/tandasat/SimpleSvm

HyperPlatform

July 7, 2016 ~ hucktech ~ Leave a comment

GuardMon disables PatchGuard on Windows 10 x64 using VT-x.
details & code – https://t.co/mtcgUJExkv
video demo – https://t.co/BzudiS3baz

— Igor Korkin (@IgorKorkin) July 6, 2016

Monitoring & controlling kernel-mode events by HyperPlatform: Using VT-x with EPT technologies to provide new must-have tools for reverse-engineering. We presented a HyperPlatform, which is an advanced system monitoring platform for Windows Operating System (OS). Using Intel VT-x and Extended Page Table (EPT) technologies, this platform provides speedy monitoring of various events. HyperPlatform is hidden and resilient to modern anti-forensics techniques and can be easily extended for day-to-day reverse engineering work.[…]

http://igorkorkin.blogspot.com/2016/06/monitoring-controlling-kernel-mode.html
https://github.com/tandasat/HyperPlatform

See-also:

https://firmwaresecurity.com/2016/04/30/eopmon-eop-detector-for-intel-vt-x/

EopMon: EoP detector for Intel VT-x

April 30, 2016 ~ hucktech ~ Leave a comment

A simple elevation of privilege detector https://t.co/ud42LjvkhQ. Idea given by @halsten. Let me know your ideas on how VMM can be used for

— Satoshi Tanda (@standa_t) April 30, 2016

Satoshi Tanda has created EopMon, an elevation-of-privilege detector for Windows 7/8.1/10 on Intel x86 and x64 systems which support Intel VT-x and EBT.

EopMon is based his earlier project, HyperPlatform, which is also worth checking out, along with MemoryMon and GuardMon.

EopMon is a hypervisor-based elevation of privilege (EoP) detector. It can spots a process with a stolen system token and terminate it by utilizing hypervisor’s ability to monitor process context-swiching. […] While EopMon is tested against multiple EoP exploits carried out by in the wild malware, it is rather meant to be an educational tool to demonstrate a potential use case of a hypervisor for security research and not aimed for comprehensive exploit prevention. […] EopMon is meant to be an educational tool and not robust, production quality software which is able to handle various edge cases. […] For this reason, researchers are encouraged to use this project only as a reference to examine and develop ideas of using a hypervisor.

https://github.com/tandasat/EopMon
https://github.com/tandasat/HyperPlatform
https://github.com/tandasat/MemoryMon
https://github.com/tandasat/GuardMon