tandasat

Hyper-V configurations (2025 edition)

The dumps of VMCB and VMCS by Hyper-V (10.0.26100.3470). Taken on Zen 4 and 12th gen processors using the hvext Windbg extension.

Logs are separated for each of these VM:

• NTOS = ASID/VPID 1
• SK = ASID/VPID 2
• Child partition = VPID 3

tandasat

#include <stdio.h>
#include <assert.h>
#include <Windows.h>

// Some of them were taken (and modified) from https://github.com/winsiderss/systeminformer

typedef struct _SYSTEM_ISOLATED_USER_MODE_INFORMATION
{
    BOOLEAN SecureKernelRunning : 1;
    BOOLEAN HvciEnabled : 1;

tandasat

kd> !dump_vmcs
0x0000000000000001 Virtual-processor identifier (VPID)
***** FAILED ***** Posted-interrupt notification vector
0x0000000000000000 EPTP index
***** FAILED ***** HLAT prefix size
***** FAILED ***** Last PID-pointer
0x000000000000002b Guest ES selector
0x0000000000000010 Guest CS selector
0x0000000000000018 Guest SS selector
0x000000000000002b Guest DS selector

tandasat

diff --git a/PCPTool.v11/exe/SDKSample.cpp b/PCPTool.v11/exe/SDKSample.cpp
index edcc966..984690f 100644
--- a/PCPTool.v11/exe/SDKSample.cpp
+++ b/PCPTool.v11/exe/SDKSample.cpp
@@ -1813,7 +1813,7 @@ log can be used to calculate the PCRs in the TPM.
     {
         goto Cleanup;
     }
-    if(FAILED(hr = Tbsi_Get_TCG_Log(hContext, NULL, &cbLog)))
+    if(FAILED(hr = Tbsi_Get_TCG_Log_Ex(TBS_TCGLOG_DRTM_CURRENT, NULL, &cbLog)))

tandasat

kd> !dump_ept
Current EPT pointer 0x11b8bc09e
GPA                          PA          Flags
         0x0 -       0x1000 -> Identity     ------WR
      0x1000 -       0x2000 -> Identity     ---U--WR
      0x3000 -      0x9f000 -> Identity     ---U--WR
     0x9f000 -     0x100000 -> Identity     ------WR
    0x100000 -     0xa46000 -> Identity     ---U--WR
    0xa47000 -    0x4c00000 -> Identity     ---U--WR
   0x5000000 -    0xa201000 -> Identity     ---U--WR

tandasat

/**
 * @brief Returns an array of physical memory address ranges on the system.
 *
 * @param This - The pointer to the platform API interface.
 * @param RangeCount - The pointer to receive the number of entries in the returned
 *      pointer on success.
 * @return The pointer to the array of ranges on success. This must be freed with
 *      Freed with FREE_CONTIGUOUS_PAGES. On failure, NULL.
 */
STATIC

tandasat

"use strict";

// This script implements the !dump_vmcs command that displays values of the all
// fields in the current VMCS. The processor must be in VMX-root operation with
// an active VMCS.
// 
// As a reference, there are some other implementations of the same concept. The
// author is now aware of those two at least. Check them out as it may fit your
// need better. 
// - https://github.com/ergot86/crap/blob/main/hyperv_stuff.js (Windbg JavaScript)

tandasat

from idautils import *
from idaapi import *
from idc import *

for funcea in Functions():
    functionName = get_func_name(funcea)
    for (startea, endea) in Chunks(funcea):
        print(f"{startea:08x} {GetDisasm(startea)} : {functionName}")

tandasat

/**
 * @file CheckGuestVmcsFieldsForVmEntry.c
 * @author Satoshi Tanda ([email protected])
 * @brief Checks validity of the guest VMCS fields for VM-entry as per
 *      26.3 CHECKING AND LOADING GUEST STATE
 * @version 0.1
 * @date 2021-02-20
 *
 * @details This file implements part of checks performed by a processor during
 *      VM-entry as CheckGuestVmcsFieldsForVmEntry(). This can be called on VM-exit

tandasat

/*!
    @file GuestAgent.c

    @brief GuestAgent code.

    @author Satoshi Tanda

    @copyright Copyright (c) 2020 - , Satoshi Tanda. All rights reserved.
 */
#include "GuestAgent.h"