Monitor everything you want (in Intel vt-x style)

Virtualization can be utilized to reach various goals as monitoring system, system resources and applications as well. It can be used for full system virtualuzation, but i like apporach using it just as a tool too . This post will shortly cover implementation of mini-hypervisor (which is now available on github) for intel vt-x on x64 platform, and demonstrate concept how-to-use-it.

My concept is based on hypervisors by :

Materials worth of reading :

  • Implementation : 

… PoC of hypervisor is shipped just for intel x64, and is compatible with win7 and win8 as well…

At the first phase it is necessary to initialize VMCS area host && guest, which is handled by VMX.h/.cpp component, and for further explanation are most educative articles – manuals from intel!

Next step is turning on hypervisor and handling enter to hypervisor mode. This is implemented by little bit ‘hacky’ way

From concept HyperVisor is an object, which has its own state { core_id, callback, exit_traps }, so i store this object to host stack for further usage  :

In this PoC is implemented as few events as possible, and all VM-exit handlers can be redefined :

And also mechanism for callbacks per vm-exit is implemented :

and can be utilized as you pleased :

  • Usage

How to use it, i demonstrates by program, which want to set own SYSCALL routine and also hunt for PatchGuard context. It is located on github, and this image describe it briefly :

In fact, it is easy as it looks :

  • Utilize as yo want

Hypervisor is great tool, if you have some ideas how to use it. it can be used not just as virtualization of system, malware / anti-malware solutions ..

  • DBI – monitor application
  • Monitor system
  • altering system
  • sanboxing

interesting projects are HyperDbg, HDBG, and a source of knowledge can be also bochs, NOVA

You can monitor & play with system / application in your own. You can use EPT for monitoring memory access, combine with another cpu features … if you set-up your hypervisor right, you can have callback at hypervisor level (and trasfered to non-root mode for free if you want) at event you want. VM-exit switch is not so cheap, but also it is no tragedy, and goal can easly overcome it

Leave a comment


  1. Great insight and the draft is really deep. I see Intel could have an offset to darker sides as well. Could you cover side channel attacks which could reside in Intel chips on L3 cache?

Leave a Reply

[ Ctrl + Enter ]

Go To Top

Get every new post delivered to your Inbox

Join other followers: