Windows UEFI Blue Pill Type-1 Hypervisor in Rust (Codename: Illusion)

A lightweight, memory-safe, and blazingly fast Rust-based type-1 research hypervisor with hooks for Intel VT-x, focused on studying the core concepts of virtualization.

Features

PatchGuard Compatible Features

• ✅ Hidden System Call (Syscall) Hooks Via System Service Descriptor Table (SSDT).
• ✅ Hidden Kernel Inline Hooks.
• ✅ Hidden Model Specific Registers (MSR) Hooks.
• ❌ Hidden Interrupt Descriptor Table (IDT) Hooks.
• ❌ Hidden Hardware Debug Register Breakpoints.

Processor-Specific Features

• ✅ Extended Page Tables (EPT).
• ✅ Memory Type Range Registers (MTRRs).
• ❌ Intel Processor Trace (PT).

Microsoft Hyper-V Compatible Features

• ❌ Support for running as a nested hypervisor under Microsoft Hyper-V (Type-2) with Virtualization Based Security (VBS) Enabled.
• ❌ Support for running as the primary hypervisor on top of Microsoft Hyper-V (Type-1) with Virtualization Based Security (VBS) Enabled.

VM Exit Handling

• ✅ VM Exit Handling: ExceptionOrNmi (#GP, #PF, #BP, #UD) (0), InitSignal (3), StartupIpi (4), Cpuid (10), Getsec (11), Hlt (12), Invd (13), Vmcall (18), Vmclear (19), Vmlaunch (20), Vmptrld (21), Vmptrst (22), Vmresume (24), Vmxon (27), Vmxoff (26), Rdmsr (31), Wrmsr (32), MonitorTrapFlag (37), Rdtsc (49), EptViolation (48), EptMisconfiguration (50), Invept (53), Invvpid (55), Xsetbv (55).

Hypervisor Detection

• ❌ Neither basic nor advanced techniques to evade hypervisor detection will be implemented in the public version of this hypervisor.

Supported Hardware

• ✅ Intel processors with VT-x and Extended Page Tables (EPT) support.
• ❌ AMD processors with AMD-V (SVM) and Nested Page Tables (NPT) support.

Supported Platforms

• ✅ Windows 10 - Windows 11, x64 only.

Installation

• Install Rust from here.
• Install cargo-make: cargo install cargo-make.

Building the Project

• Debug: cargo make build-debug.
• Release: cargo make build-release.

Acknowledgments, References, and Motivation

Big thanks to the amazing people and resources that have shaped this project. A special shout-out to everyone listed below. While I didn't use all these resources in my work, they've been goldmines of information, super helpful for anyone diving into hypervisor development, including me.

• Daax Rynd (@daaximus): For his outstanding free series on hypervisor development, which is one of the best resources available and has greatly influenced my work with its thorough research and clear explanations. His support and answers to my questions were invaluable in getting me started with hypervisor development:

  • 7 Days to Virtualization.
  • MMU Virtualization via Intel EPT.

• Satoshi Tanda (@tandasat): Satoshi Tanda's guidance, projects, and structured training programs have been incredibly helpful. His detailed explanations and contributions on GitHub have significantly enhanced my understanding, making him a great mentor throughout my journey:

  • Hypervisor Development for Security Researchers.
  • Hypervisor 101 in Rust.
  • Additional Projects: Hello-VT-rp, DdiMon, HyperPlatform, MiniVisorPkg.

• Jess (@jessiep_): For his invaluable support and collaboration in several areas of this project, providing essential insights and expertise, and for his quick responses to my questions.

• Drew (@drew): For his help, guidance, and quick responses to my questions in various aspects of hypervisor development.

• Sina Karvandi (@Intel80x86): For his detailed free Hypervisor From Scratch series:

  • Tutorial Series.
  • GitHub Repository.

• Matthias (@not-matthias): For his impactful work on the amd_hypervisor project, which greatly inspired and influenced this research.

• Nick Peterson (@everdox) and Aidan Khoury (@ajkhoury): For their insightful explorations into hypervisor introspection and syscall hooking:

  • Patchguard: Hypervisor Based Introspection [P1].
  • Patchguard: Hypervisor Based Introspection [P2].
  • Syscall Hooking Via Extended Feature Enable Register (EFER).

Community and Technical Resources

• Secret Club: Insights into anti-cheat systems and hypervisor detection, which also inspired this project:

  • System emulation detection by @Daax, @iPower, @ajkhoury, @drew.
  • BattlEye hypervisor detection by @vmcall, @Daax.

• Other Essential Resources:

  • Intel's Software Developer's Manual.
  • Maurice Heumann's (@momo5502) Detecting Hypervisor-Assisted Hooking.
  • Guided Hacking's x64 Virtual Address Translation on YouTube.
  • UnKnoWnCheaTs forum post by @namazso.
  • RVM1.5, Barbervisor, rustyvisor, orange_slice, mythril, uhyve, maystorm.
  • AMD-V Hypervisor Development by Back Engineering, bluepill by @_xeroxz.
  • hvpp by @wbenny.
  • HyperHide by @Air14.
  • How AetherVisor works under the hood by M3ll0wN1ght.
  • Rust library to use x86 (amd64) specific functionality and registers (x86 crate for Rust).
  • DarthTon's HyperBone (based on the legendary Alex Ionescu's version) on UnknownCheats.
  • Joanna Rutkowska: Pioneering the Blue Pill Hypervisor Concept, one of the earliest proofs of concept.

Helpers and Collaborators

Special thanks to:

• Daax Rynd.
• Satoshi Tanda (@tandasat).
• Drew (@drew).
• iPower (@iPower).
• Namazso (@namazso).
• Jess (@jessiep_).
• Matthias @not-matthias.
• @felix-rs / @joshuа.
• Ryan McCrystal / @rmccrystal.
• Jim Colerick (@vmprotect).

License

This project is licensed under the MIT License. For more information, see the MIT License details.