__vcpu* vcpu = g_vmm_context->vcpu_table[KeGetCurrentProcessorNumber()];

vcpu==0

此情况暂时在 win11下
cpu 配置为 i5-9400f

windows bluescreens when im trying to load airhv.sys, minidump file:

`
Microsoft (R) Windows Debugger Version 10.0.21349.1004 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\Minidump\061421-10859-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff8020ce00000 PsLoadedModuleList = 0xfffff8020da2a230
Debug session time: Mon Jun 14 22:24:21.834 2021 (UTC + 3:00)
System Uptime: 0 days 0:05:36.650
Loading Kernel Symbols
...............................................................
................................................................
................................................................
.................................
Loading User Symbols
Loading unloaded module list
..........................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff8020d1f6c20 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffff870029320910=0000000000000124
`

Hi ,im using windows 10 on VirtualBox, and when i start airhv server, virtual box must be BSOD
this is dump
092722-27046-01.zip

if winver<= win10(1809):
good.
winver >1909:
throw error at ept.cpp->hook_function->{hooked_page_info->entry_address->execute =0;}.

C:\Windows\system32>sc start airhv
[SC] StartService FAILED 647:

The driver was not loaded because it failed its initialization call.

Running in VirtualBox 7.0.8 Windows 10 x64

Hello Mr. Air

Is it possible to monitor the rwx accesses of a process memory range done by process itself using current state of AirHv (and log RIP, axx-ed mem addr to screen or file)? Does it work even if mem range is large(hundreds of MB)?

Thanks

Hi, just wanted to say that this is a very well put together project to learn about virtualization. There are only two problems that I have noticed so far.

First, if it fails at any point in these lines then it will return a nullptr and that memory will not be freed because when you check if the vcpu is valid it will return false. All you have to do is free all memory allocated up to this point and then return.

Second, I'm not sure if this is intentional because it wasn't working, but your invpcid handler has not been added to the vmexit handler array. If this was intentionally left out I would suggest adding a comment explicitly explaining this.

Thanks for reading, and good job on the project.

like: tandasat/HyperPlatform#26

cause this phenomenon to Air14/HyperHide#16

i don't think it has anything to do with rdtsc instruct.

maybe you should check the trap flag.
vmexit_cpuid_handler
vmexit_rdtsc_handler

你好，前辈。
运行 Airhv项目后，出现PG109，类型115
但是 Type 最大的解释值是 102.

这个错误经常出现在运行驱动后 30分钟左右出现bug

测试的cpu有
E5系列，i5-9400F，i7- 12700KF.

bool split_pml2(__ept_state& ept_state, void* pre_allocated_buffer, unsigned __int64 physical_address)

After running for a long period, the number of INTENTION_SPLIT_PML2 will be exhausted, reaching the limit of processor_count * 50. Therefore, it is necessary to restore the large pages.

Why does airhv use icebp as breakpoint type instead of int3? I feel that int3 breakpoint is easier to understand. Is there anything better about using icebp breakpoint type?

could be done via:

jmp [rip+0x0]

also your method does not support CET... (neither does but mine but...)

As soon as the on.bat script is executed and the drivers start, applications fail to communicate over the network, including localhost. Active connections drop, and new connections fail. No debugger running yet and all driver options were previously set to disabled (unchecked) and saved. Tcpview shows sockets are created for each attempted connection, however wireshark shows no traffic from the applications hitting the interface. Once the off.bat script is executed and the drivers stop, connectivity is restored in short order.

Is this known/expected behavior?

Windows 10 Pro 22H2.

I used airhv as Lib, and when I loaded hyperhide, I also ran airhv.

In the virtual machine win10-1703 test, running for a long time, there will be two problems:

Here's a scenario:

win32kfull! AllocateHidData+0xbd

nt! KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffae01`ec27bb00)

win32u! NtUserFindWindowEx+0x14

USER32! FindWindowW+0xb3

In this case, the location of AllocateHidData+db in windbg is int 3

win32kfull! AllocateHidData+0xb0:

fffff9637e40252e ebe3 jmp win32kfull! AllocateHidData+0x9f (fffff9637e402513)

fffff963`7e402530 cc int 3

fffff963`7e402531 cc int 3

fffff963`7e402532 cc int 3

My understanding is that you enter the kernel by calling NtUserFindWindowEx, and you jump through ept_hook to the address of int 3,

Another problem is:

nt! DbgBreakPointWithStatus

nt! KiBugCheckDebugBreak+0x12

nt! KeBugCheck2+0x922

nt! KeBugCheckEx+0x107

nt! KiBugCheckDispatch+0x69

nt! KiSystemServiceHandler+0x7c

nt! RtlpExecuteHandlerForException+0xd

nt! RtlDispatchException+0x404

nt! KiDispatchException+0x1f6

nt! KiExceptionDispatch+0xce

nt! KiPageFault+0x217 (TrapFrame @ ffffae01`f196d1e0)

win32kfull! GetWindowBordersWithDpiAwareness

win32kfull! xxxInitSendValidateMinMaxInfoEx+0xb2

win32kfull! xxxAdjustSize+0x64

win32kfull! xxxCreateWindowEx+0xf4e

win32kfull! NtUserCreateWindowEx+0x557

nt! KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffae01`f196db00)

win32u! NtUserCreateWindowEx+0x14

USER32! CreateWindowExW+0x9aa

Page exception blue screen appears,
May I ask if these will appear when you test? In win7, hang up when quite normal.

After loading HyperHide, Cheet-Engine will not function properly and will not respond to its interface when attempting to open it

At this point, take the initiative to end the unresponsive Cheet-Engine process and close all XDbg routines. Then, execute \ Scripts \ off. bat and the screen will turn blue

这段代码：
current_hooked_page = current_hooked_page->Flink;

current_hooked_page->Flink; 是一个有效结构体数据
current_hooked_page 被赋值以后 值为0 或者一个无效值。这很奇怪。 是否和windbg的dump时机延迟有关系？

As the title says, CE is stuck when I load the driver.

I'm trying to get it working on a Kvm installation with nested virtualization enabled.

After about 30 seconds the system gets stuck. (If windbg is not connected, it gets stuck immediately).
I don't get any exceptions. It's more like an infinite loop. Windbg shows that Debuggee is running....
Even the windbg .reboot command doesn't work.
The system gets stuck even if I run only airhv.sys without HyperHideDrv.sys.

If I hit Break, the call stack is always the same(When both airhv.sys and HyperHideDrv.sys started):

nt!DbgBreakPointWithStatus
nt!KdCheckForDebugBreak+0x11045c
nt!KeAccumulateTicks+0x1ebcf5
nt!KiUpdateRunTime+0x5d
nt!KiUpdateTime+0x4a1
nt!KeClockInterruptNotify+0x2e3
nt!HalpTimerClockInterrupt+0xe2
nt!KiCallInterruptServiceRoutine+0xa5
nt!KiInterruptSubDispatchNoLockNoEtw+0xfa
nt!KiInterruptDispatchNoLockNoEtw+0x37
0xfffff8023b9b0000
nt!HvcallInitiateHypercall+0x61
nt!HvlNotifyLongSpinWait+0x24
nt!KeYieldProcessorEx+0x38
nt!KiGenericCallDpcWorker+0xd4
nt!KeGenericProcessorCallback+0x125
nt!KeGenericCallDpc+0x27
nt!EtwpFreeLoggerContext+0x173
nt!EtwpLogger+0x4a8
nt!PspSystemThreadStartup+0x55
nt!KiStartSystemThread+0x28

Where

0: kd> u fffff8023b9b0000
fffff8023b9b0000 0f01c1 vmcall
fffff8023b9b0003 c3 ret
fffff8023b9b0004 0000 add byte ptr [rax],al
fffff8023b9b0006 0000 add byte ptr [rax],al

Ofc I can't step into vmcall.
Cause I'm not very good at debug and hypervisor development, but I suspect I need to connect a second windbg for that.

Log:

[00:32:20.201] [INFORMATION] [perform_allocation:117] Allocation successful
[00:32:20.201] [INFORMATION] [perform_allocation:117] Allocation successful
[00:32:20.201] [INFORMATION] [perform_allocation:117] Allocation successful
[00:32:20.201] [INFORMATION] [perform_allocation:117] Allocation successful
[00:32:20.206] [INFORMATION] [perform_allocation:117] Allocation successful
[00:32:20.253] [INFORMATION] [init_vcpu:271] vcpu entry allocated successfully at FFFF9908CBF05190
[00:32:20.302] [INFORMATION] [init_vcpu:271] vcpu entry allocated successfully at FFFF9908CBF05270
[00:32:20.302] [INFORMATION] [init_logical_processor:367] vcpu 0 is now in VMX operation.

[00:32:20.302] [INFORMATION] [init_logical_processor:367] vcpu 1 is now in VMX operation.

[00:32:20.351] [INFORMATION] [DriverEntry:89] HyperVisor On
[00:32:20.351] [INFORMATION] [DriverEntry:94] Got offsets
[00:32:20.400] [INFORMATION] [DriverEntry:99] Got Ssdt
[00:32:20.475] [INFORMATION] [GetPfnDatabase:28] MmPfnDataBase address 0xffffee0000000000
[00:32:20.475] [INFORMATION] [DriverEntry:104] Hider Initialized
[00:32:20.475] [INFORMATION] [DriverEntry:112] PsSetCreateThreadNotifyRoutine succeded
[00:32:20.475] [INFORMATION] [DriverEntry:121] PsSetCreateProcessNotifyRoutine succeded
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtContinueEx is equal: 0xA1
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetInformationThread is equal: 0xD
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationProcess is equal: 0x19
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryObject is equal: 0x10
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSystemDebugControl is equal: 0x1BF
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetContextThread is equal: 0x18D
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQuerySystemInformation is equal: 0x36
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtGetContextThread is equal: 0xF3
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtClose is equal: 0xF
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationThread is equal: 0x25
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateThreadEx is equal: 0xC2
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateFile is equal: 0x55
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateProcessEx is equal: 0x4D
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtYieldExecution is equal: 0x46
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQuerySystemTime is equal: 0x5A
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryPerformanceCounter is equal: 0x31
[00:32:20.995] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationJobObject is equal: 0x14B
[00:32:20.995] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateUserProcess is equal: 0xC9
[00:32:20.995] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtGetNextProcess is equal: 0xF8
[00:32:20.998] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtOpenProcess is equal: 0x26
[00:32:20.998] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtOpenThread is equal: 0x12F
[00:32:20.998] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetInformationProcess is equal: 0x1C
[00:32:21.001] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserBuildHwndList is equal: 0x1C
[00:32:21.004] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserFindWindowEx is equal: 0x6C
[00:32:21.004] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserQueryWindow is equal: 0x10
[00:32:21.004] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserGetForegroundWindow is equal: 0x3C
[00:32:21.004] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserGetThreadState is equal: 0x0
[00:32:21.077] [INFORMATION] [GetKiUserExceptionDispatcherAddress:1878] KiUserExceptionDispatcher address: 0x7ff90c470e90
[00:32:21.175] [INFORMATION] [HookKiDispatchException:1905] KiDispatchException address: 0xfffff8023ecc9360
[00:32:21.175] [INFORMATION] [DriverEntry:132] Syscalls Hooked
[00:32:21.175] [INFORMATION] [DriverEntry:148] Driver initialized

i build airhv.sys and HyperHideDrv.sys,then sign them and copy them to folder
i run

sc delete airhv
sc create airhv type= Kernel binpath= C:\Windows\system32\drivers\airhv.sys

it is fine
then run

sc start airhv

but bsod
my OS is win10 22h2 19045.3086 Windows Feature Experience Pack 1000.19041.1000.0 ,VT is on,hypervisor is off,cpu is 9750H
windows sandbox :on virtual machine platform :on windows virtual machine monitor platform:on
dmp file
https://mega.nz/file/OJJHySbJ#aY5jGvL7NiSxsc3soLM7xiQVD8jQbDDgsPOEs_jUINk

It's the version committed early this morning.

win11 latest bsod on utis.cpp

	*(unsigned __int8*)memory_location == 0xCC ? kernel_code_cave_size++ : kernel_code_cave_size = 0;

bad memory, it seem like kernel base not find.

The blue screen dump is caused by an IRQL error in nt