Hyper-V Exploitation Resources

A Collection of Resources Used For Hyper-V Exploitation

Posted by Curt on November 24, 2021 · 3 mins read


Intro

Hyper-V is Microsoft's hypervisor for x86-64 Windows systems, known as "Viridian" during development. Many modern Windows systems, server and client editions alike, now run on top of Hyper-V, because Virtualization-Based Security (VBS) and the other security subsystems built on it depend on the hypervisor being present underneath the OS.

Hyper-V is of high interest from an exploitation perspective because a guest-to-host escape breaks out of the "sandbox" that a modern Windows system represents. Think achieving NT AUTHORITY\SYSTEM, but for the hypervisor itself and every guest operating system running on it.

This page serves as a reference guide (or collection) of resources to facilitate Hyper-V exploitation. Future posts will showcase step-by-step exploitation tutorials and may be linked here.

Quick Setup

Note: these details were hastily transcribed from an ancient scroll from long ago. TODO(curt): needs refinement.

Two laptops were connected directly via Ethernet to enable network (KDNET) debugging, since COM serial debugging was too slow. Addresses were assigned by Automatic Private IP Addressing (APIPA), so each laptop got an address in the 169.254.0.0/16 range.

Three WinDbg instances ran on the debugger laptop (Laptop_1), each listening on its own port and attached to a different target on Laptop_2: the hypervisor, the root partition kernel, and the child partition kernel.

WinDbg ports used were:

Hypervisor: 50001
Root partition: 50002
Guest partition: 50003

To enable hypervisor and root partition debugging on the Windows 10 root partition, the following commands were run in an elevated cmd.exe:

rem hypervisor kernel debugger over KDNET, talks to the WinDbg on port 50001
bcdedit /hypervisorsettings net hostip:<laptop_1_debugger_ip> port:50001 key:1.2.3.1
bcdedit /set hypervisordebug on
rem root partition kernel debugger over KDNET, talks to the WinDbg on port 50002
bcdedit /dbgsettings net hostip:<laptop_1_debugger_ip> port:50002 key:1.2.3.2
bcdedit /set dbgtransport kdnet.dll
bcdedit /debug on
rem make sure the hypervisor is actually launched at boot, and enable boot debugging
bcdedit /set hypervisorlaunchtype auto
bcdedit /bootdebug on

And for child VM debugging, the following commands were run in the guest:

rem child partition kernel debugger over KDNET, talks to the WinDbg on port 50003
bcdedit /debug on
bcdedit /dbgsettings net hostip:<laptop_1_debugger_ip> port:50003 key:1.2.3.3
rem show the boot menu and skip driver signature enforcement in the guest
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /set nointegritychecks on
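The same setup as one script, as an added example that is not part of the original post: it takes the target to configure (hypervisor, root partition or guest) and the debugger's IP, keeps the 50001/50002/50003 port assignment from above, and refuses to run from an unelevated session. The parameter names and helper functions are assumptions of this example. Two caveats the bcdedit one-liners hide: the KDNET key is the secret that authenticates the debugger to the target and encrypts the debug traffic, so keys like 1.2.3.1 are only acceptable on an isolated crossover link, and the script generates a random one unless you pass your own. And in a Generation 2 VM with Secure Boot enabled, bcdedit rejects nointegritychecks on ("The value is protected by Secure Boot policy"), so disable Secure Boot from the host first (Set-VMFirmware -VMName <vm> -EnableSecureBoot Off) before running the Guest role inside the VM.

```powershell
<#
Added example (not from the original post): configure one of the three KDNET
targets used in the setup above. Run as Administrator on the machine being
configured: Hypervisor and Root on Laptop_2's root OS, Guest inside the child VM.
Parameter names and helper functions below are assumptions of this example.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)]
    [ValidateSet('Hypervisor', 'Root', 'Guest')]
    [string] $Role,

    [Parameter(Mandatory)]
    [ipaddress] $DebuggerIp,   # Laptop_1, the machine running the three WinDbg instances

    [int] $Port,               # defaults to the post's 50001 / 50002 / 50003

    [string] $Key              # KDNET key; a random one is generated if omitted
)

# Same port assignment as the original setup: one WinDbg instance per port.
$defaultPorts = @{ Hypervisor = 50001; Root = 50002; Guest = 50003 }
if (-not $PSBoundParameters.ContainsKey('Port')) { $Port = $defaultPorts[$Role] }

function New-KdnetKey {
    # KDNET keys are four dot-separated base-36 groups of up to 13 characters,
    # the format kdnet.exe itself produces. Rejection sampling keeps digits unbiased.
    $alphabet = '0123456789abcdefghijklmnopqrstuvwxyz'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $groups = foreach ($g in 1..4) {
        $chars = foreach ($i in 1..13) {
            do { $rng.GetBytes($buf) } while ($buf[0] -ge 252)   # 252 = 7 * 36
            $alphabet[$buf[0] % 36]
        }
        -join $chars
    }
    return ($groups -join '.')
}

function Invoke-Bcdedit {
    # Runs bcdedit.exe with the given arguments, honours -WhatIf, and fails loudly:
    # bcdedit reports errors via its exit code, which a plain call would ignore.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(ValueFromRemainingArguments)] [string[]] $BcdArgs)
    if ($PSCmdlet.ShouldProcess("bcdedit $BcdArgs")) {
        & bcdedit.exe @BcdArgs
        if ($LASTEXITCODE -ne 0) { throw "bcdedit $BcdArgs failed (exit code $LASTEXITCODE)" }
    }
}

$principal = [Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'bcdedit needs an elevated session; re-run as Administrator.'
}

if (-not $Key) { $Key = New-KdnetKey }

# Each setting is passed as its own quoted string. Unquoted, PowerShell would parse
# {bootmgr} as a script block, which is the usual reason these lines fail outside cmd.exe.
$net = @('net', "hostip:$DebuggerIp", "port:$Port", "key:$Key")

switch ($Role) {
    'Hypervisor' {
        Invoke-Bcdedit /hypervisorsettings @net
        Invoke-Bcdedit /set hypervisordebug on
        Invoke-Bcdedit /set hypervisorlaunchtype auto   # make sure the hypervisor is loaded at boot
    }
    'Root' {
        Invoke-Bcdedit /dbgsettings @net
        Invoke-Bcdedit /set dbgtransport kdnet.dll
        Invoke-Bcdedit /debug on
        Invoke-Bcdedit /bootdebug on
    }
    'Guest' {
        Invoke-Bcdedit /dbgsettings @net
        Invoke-Bcdedit /debug on
        Invoke-Bcdedit /set '{bootmgr}' displaybootmenu yes
        Invoke-Bcdedit /set nointegritychecks on        # rejected while Secure Boot is enabled
    }
}

# Show what the boot store now holds, and the matching WinDbg command for the debugger side.
if ($Role -eq 'Hypervisor') { bcdedit /hypervisorsettings } else { bcdedit /dbgsettings }
Write-Host "On $DebuggerIp attach with: windbg -k net:port=$Port,key=$Key"
```

Run it once per target, e.g. `.\Set-KdnetTarget.ps1 -Role Root -DebuggerIp 169.254.10.1` on Laptop_2 and `-Role Guest` inside the VM, then reboot the target; `-WhatIf` prints the bcdedit invocations without touching the boot store.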

Sources

Microsoft Docs - Hyper-V Architecture - Words from the creators themselves. Always a good place to start. ;)

Microsoft - Hypercall Reference Doc - Callcodes and hypercalls in a table format.

Gerhart X - Hyper-V Internals - Highly detailed debug setup using WinDbg, IDA Pro, Radare2, Cutter, Ghidra; tons of great stuff. The whole site is a goldmine for Hyper-V details.

Gerhart X - Hyper-V memory internals. Guest OS memory access - Direct memory access for Hyper-V guest OSes. Features many tools, methodology, and structures.

Akamai - hAFL1 – Our Journey of Fuzzing Hyper-V and Discovering a Critical 0-Day - Building an in-house fuzzer to find a critical vulnerability in vmswitch.sys.

Alex Ionescu - Writing a Hyper-V “Bridge” for Fuzzing — Part 1: WDF - Writing drivers and messing with hypercalls.

shogunlab/awesome-hyper-v-exploitation - A list of Hyper-V exploitation resources (in my list of Hyper-V exploitation resources lol).