A forum for reverse engineering, OS internals and malware analysis 

 #26616  by EP_X0FF
 Sat Aug 29, 2015 4:43 pm
Kids grew up and received a diploma.

It was a useless concept from the beginning. Right now VT technologies are used by Kaspersky and McAfee (at least).
 #26633  by feryno
 Tue Sep 01, 2015 9:22 am
flauteABC wrote: Hm, is the code somewhere around?
Maybe I'm able to find binaries somewhere in my old archives (PM me if you need them and they cannot be downloaded from anywhere); the source code was not published. I played with their hypervisor about 7 years ago. At that time it was for the 32-bit platform, not x64. Intel only, not AMD. Their hypervisor shared virtual memory with the kernel. One part interested me: the way they notified the OS when the hypervisor captured a sensitive thing. They used IoConnectInterrupt and the hypervisor was creating an interrupt (interrupt injection on VM entry) on sensitive event interception (that was disabling the CR0.WP bit).
Maybe delivering alerts from the hypervisor (ring -1) to the kernel (ring 0) could be done another way when they both share the same paging tables (host CR3 = guest CR3) and system things (selectors, TSS, GDT, IDT, ...), because then the hypervisor is able to call some kernel functions (just the hypervisor runs in root mode with disabled interrupts... it is possible to enable flags.IF, but then you need to deliver external interrupts back to the guest and that's again interrupt injection on VM entry).
If you create a hypervisor with separated paging tables and separated system things, then delivering intercepted events from the hypervisor to the running OS is much harder. IoConnectInterrupt was deprecated quite a while ago. And you need something like an interrupt mechanism, injecting an interrupt created by the hypervisor into the OS, but you cannot hook the IDT or use IoConnectInterrupt. Quite hard to solve. You must develop something which works like an interrupt but is not an interrupt.

EP_X0FF, even an abandoned way may inspire somebody else to continue in development and not to surrender. Just to see that other people are trying to do something new and you are not alone. Yes, sometimes we enter a blind road at a pedestrian crossroad, but the judgement of history is always retrospective.
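As an added example (my own code, not from the thread and not from the detector feryno describes), here is a C model of the hypervisor-side half of that notification path: decoding a control-register VM exit to see whether the guest is clearing CR0.WP, and building the VM-entry interruption-information field that makes the CPU inject an interrupt into the guest on the next VM entry. The exit-qualification and interruption-information layouts follow the Intel SDM (Vol. 3, "Exit Qualification for Control-Register Accesses" and "VM-Entry Controls for Event Injection"); ALERT_VECTOR, the struct and function names and the deferral flag are assumptions, and nothing here touches real VMX: the exit qualification and guest state are constructed in main.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* CR0.WP (write protect) is bit 16 of CR0; RFLAGS.IF is bit 9. */
#define CR0_WP    (1ULL << 16)
#define RFLAGS_IF (1ULL << 9)

/* Exit qualification for control-register-access VM exits (exit reason 28):
 * bits 3:0 = CR number, bits 5:4 = access type (0 = MOV to CR, 1 = MOV from CR,
 * 2 = CLTS, 3 = LMSW), bits 11:8 = source/destination GPR for MOV CR. */
#define CRQ_CR_NUMBER(q)     ((q) & 0xF)
#define CRQ_ACCESS_TYPE(q)   (((q) >> 4) & 0x3)
#define CRQ_ACCESS_MOV_TO_CR 0
#define CRQ_GPR(q)           (((q) >> 8) & 0xF)

/* VM-entry interruption-information field: bits 7:0 = vector,
 * bits 10:8 = interruption type (0 = external interrupt, 3 = hardware
 * exception), bit 11 = deliver error code, bit 31 = valid. */
#define INTR_INFO_TYPE_SHIFT 8
#define INTR_INFO_VALID      (1u << 31)
#define INTR_TYPE_EXT_INTR   0u

/* Assumed alert vector. A real implementation would use whatever vector the
 * kernel-side driver registered for its alert handler. */
#define ALERT_VECTOR 0xD1

struct guest_state {
    uint64_t gpr[16];   /* RAX, RCX, RDX, RBX, RSP, RBP, RSI, RDI, R8..R15 */
    uint64_t cr0;       /* CR0 as the guest currently sees it (read shadow) */
    uint64_t rflags;
};

static uint32_t make_intr_info(uint8_t vector, uint32_t type)
{
    return INTR_INFO_VALID | (type << INTR_INFO_TYPE_SHIFT) | vector;
}

/* True if this exit is a MOV to CR0 whose new value clears WP while the guest
 * currently has WP set. On a match, *new_cr0 receives the written value. */
bool is_cr0_wp_clear(uint64_t exit_qual, const struct guest_state *g, uint64_t *new_cr0)
{
    if (CRQ_CR_NUMBER(exit_qual) != 0) return false;
    if (CRQ_ACCESS_TYPE(exit_qual) != CRQ_ACCESS_MOV_TO_CR) return false;
    uint64_t val = g->gpr[CRQ_GPR(exit_qual)];
    if (!(g->cr0 & CR0_WP) || (val & CR0_WP)) return false;
    *new_cr0 = val;
    return true;
}

/* Model of the exit handler. Returns the interruption-information value to
 * program before the next VM entry, or 0 when nothing is injected.
 * Hardware does not gate injection on RFLAGS.IF, so the hypervisor has to
 * respect the guest's masking itself: when IF is clear we set *deferred,
 * and a real hypervisor would enable "interrupt-window exiting" and inject
 * at the next interrupt-window exit instead. */
uint32_t handle_cr_access_exit(uint64_t exit_qual, struct guest_state *g, bool *deferred)
{
    uint64_t new_cr0;
    *deferred = false;
    if (!is_cr0_wp_clear(exit_qual, g, &new_cr0))
        return 0;
    /* A detector only reports: let the write through by updating the guest's
     * view of CR0 (a real handler also updates the CR0 read shadow in the VMCS
     * and advances guest RIP by the VM-exit instruction length). */
    g->cr0 = new_cr0;
    if (!(g->rflags & RFLAGS_IF)) {
        *deferred = true;
        return 0;
    }
    return make_intr_info(ALERT_VECTOR, INTR_TYPE_EXT_INTR);
}

int main(void)
{
    /* Constructed guest state: typical 64-bit CR0 value with WP set, IF set. */
    struct guest_state g = { .cr0 = 0x80050033ULL, .rflags = RFLAGS_IF };
    g.gpr[1] = g.cr0 & ~CR0_WP;          /* "mov cr0, rcx" with WP cleared */
    uint64_t exit_qual = (1ULL << 8);    /* CR0, MOV to CR, GPR = RCX */
    bool deferred;
    uint32_t info = handle_cr_access_exit(exit_qual, &g, &deferred);
    printf("inject=0x%08x deferred=%d guest CR0.WP=%d\n",
           info, deferred, (int)((g.cr0 & CR0_WP) != 0));
    return 0;
}
```

To make the MOV to CR0 exit at all, the hypervisor has to set bit 16 in the VMCS CR0 guest/host mask (guest reads then come from the read shadow, which is why the model keeps its own copy of guest CR0). Injecting a hardware exception (type 3) instead of an external interrupt works the same way but bypasses IF masking by design, which is the choice a hypervisor with no shared kernel mapping is left with if it wants the guest to run a handler regardless of its interrupt state.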
 #26640  by EP_X0FF
 Tue Sep 01, 2015 4:38 pm
This "detector" was positioned and advertised by its authors as a "panacea" and "new generation antirootkit" for malware rootkits in 2007. While it wasn't able to detect anything except lolkits with SSDT patches. Where is it now and where is all the SSDT crapware since x64 Windows 7? Right - in the middle of nowhere.