The dumps of VMCB and VMCS by Hyper-V (10.0.26100.3470). Taken on Zen 4 and 12th gen processors using the hvext Windbg extension.
Logs are separated for each of these VM:
- NTOS = ASID/VPID 1
- SK = ASID/VPID 2
- Child partition = VPID 3
Satoshi Tanda tandasat
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <assert.h> | |
| #include <Windows.h> | |
| // Some of them were taken (and modified) from https://github.com/winsiderss/systeminformer | |
| typedef struct _SYSTEM_ISOLATED_USER_MODE_INFORMATION | |
| { | |
| BOOLEAN SecureKernelRunning : 1; | |
| BOOLEAN HvciEnabled : 1; |
tandasat
/ hvci_vpid1.log
Created
February 9, 2024 16:51
VMCS configurations for NTOS w/ HVCI (VPID=1), Secure Kernel (VPID=2), and a child partition w/o HVCI (VPID=3)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kd> !dump_vmcs | |
| 0x0000000000000001 Virtual-processor identifier (VPID) | |
| ***** FAILED ***** Posted-interrupt notification vector | |
| 0x0000000000000000 EPTP index | |
| ***** FAILED ***** HLAT prefix size | |
| ***** FAILED ***** Last PID-pointer | |
| 0x000000000000002b Guest ES selector | |
| 0x0000000000000010 Guest CS selector | |
| 0x0000000000000018 Guest SS selector | |
| 0x000000000000002b Guest DS selector |
tandasat
/ parse_drtm_log.patch
Created
February 7, 2024 15:44
A patch for https://github.com/microsoft/TSS.MSR/tree/main to parse DRTM TPM logs (WBCL)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/PCPTool.v11/exe/SDKSample.cpp b/PCPTool.v11/exe/SDKSample.cpp | |
| index edcc966..984690f 100644 | |
| --- a/PCPTool.v11/exe/SDKSample.cpp | |
| +++ b/PCPTool.v11/exe/SDKSample.cpp | |
| @@ -1813,7 +1813,7 @@ log can be used to calculate the PCRs in the TPM. | |
| { | |
| goto Cleanup; | |
| } | |
| - if(FAILED(hr = Tbsi_Get_TCG_Log(hContext, NULL, &cbLog))) | |
| + if(FAILED(hr = Tbsi_Get_TCG_Log_Ex(TBS_TCGLOG_DRTM_CURRENT, NULL, &cbLog))) |
tandasat
/ !dump_ept.txt
Last active
June 21, 2023 00:23
EPT setup dumped on Windows 10.0.22621.1848 using hvext: https://github.com/tandasat/hvext
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kd> !dump_ept | |
| Current EPT pointer 0x11b8bc09e | |
| GPA PA Flags | |
| 0x0 - 0x1000 -> Identity ------WR | |
| 0x1000 - 0x2000 -> Identity ---U--WR | |
| 0x3000 - 0x9f000 -> Identity ---U--WR | |
| 0x9f000 - 0x100000 -> Identity ------WR | |
| 0x100000 - 0xa46000 -> Identity ---U--WR | |
| 0xa47000 - 0x4c00000 -> Identity ---U--WR | |
| 0x5000000 - 0xa201000 -> Identity ---U--WR |
tandasat
/ GetPhysicalMemoryRanges.c
Last active
April 29, 2023 14:56
Part of snapshot taking code in C
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * @brief Returns an array of physical memory address ranges on the system. | |
| * | |
| * @param This - The pointer to the platform API interface. | |
| * @param RangeCount - The pointer to receive the number of entries in the returned | |
| * pointer on success. | |
| * @return The pointer to the array of ranges on success. This must be freed with | |
| * Freed with FREE_CONTIGUOUS_PAGES. On failure, NULL. | |
| */ | |
| STATIC |
tandasat
/ dump_vmcs.js
Last active
November 28, 2023 19:09
Deprecated: see https://github.com/tandasat/hvext
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "use strict"; | |
| // This script implements the !dump_vmcs command that displays values of the all | |
| // fields in the current VMCS. The processor must be in VMX-root operation with | |
| // an active VMCS. | |
| // | |
| // As a reference, there are some other implementations of the same concept. The | |
| // author is now aware of those two at least. Check them out as it may fit your | |
| // need better. | |
| // - https://github.com/ergot86/crap/blob/main/hyperv_stuff.js (Windbg JavaScript) |
tandasat
/ list_first_instruction.py
Created
June 26, 2021 23:13
IDA script to show the first instruction of the all functions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from idautils import * | |
| from idaapi import * | |
| from idc import * | |
| for funcea in Functions(): | |
| functionName = get_func_name(funcea) | |
| for (startea, endea) in Chunks(funcea): | |
| print(f"{startea:08x} {GetDisasm(startea)} : {functionName}") |
tandasat
/ CheckGuestVmcsFieldsForVmEntry.c
Last active
March 29, 2025 09:50
Simulation of checks performed as per 26.3 CHECKING AND LOADING GUEST STATE
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * @file CheckGuestVmcsFieldsForVmEntry.c | |
| * @author Satoshi Tanda ([email protected]) | |
| * @brief Checks validity of the guest VMCS fields for VM-entry as per | |
| * 26.3 CHECKING AND LOADING GUEST STATE | |
| * @version 0.1 | |
| * @date 2021-02-20 | |
| * | |
| * @details This file implements part of checks performed by a processor during | |
| * VM-entry as CheckGuestVmcsFieldsForVmEntry(). This can be called on VM-exit |
tandasat
/ GuestAgent.c
Created
July 26, 2020 19:32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /*! | |
| @file GuestAgent.c | |
| @brief GuestAgent code. | |
| @author Satoshi Tanda | |
| @copyright Copyright (c) 2020 - , Satoshi Tanda. All rights reserved. | |
| */ | |
| #include "GuestAgent.h" |
NewerOlder