VT-X EPT experiment

I modified SimpleVisor (a small Windows hypervisor implemented as a driver) to remove RW access to the guest’s PML4. I remove RW access on every syscall (I have the PML4 physical address from the guest’s CR3). This causes an EPT violation immediately when accessing the kernel address space, which is OK. As a test, I handle this violation by restoring RW access to the guest’s PML4 and continuing the guest.

This method works for 1-2 s, then the OS hangs (VMware) or restarts after a few seconds (bare metal). All debug output in WinDbg stops and WinDbg becomes unresponsive.

How is this possible? I have asserts in my code to break on GuestCR3 == HostCR3 and they are not triggered. In what other situations is the above method wrong? The hypervisor runs at IRQL=HIGH_LEVEL so it can’t be preempted by another thread – this eliminates concurrency issues, correct?
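The two steps the post describes (deriving the PML4 physical address from the guest CR3 and revoking, then restoring, R/W in the EPT), as an added example that is not the poster's code or SimpleVisor's; the EPT is modelled as a constructed flat array of 4 KB PTEs, and the exit-qualification bit positions follow the Intel SDM:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* EPT PTE permission bits and the 4 KB-aligned physical-address mask (Intel SDM vol. 3). */
#define EPT_READ     (1ULL << 0)
#define EPT_WRITE    (1ULL << 1)
#define EPT_EXEC     (1ULL << 2)
#define PA_4K_MASK   0x000FFFFFFFFFF000ULL

/* EPT-violation exit-qualification bits (Intel SDM vol. 3, "Exit Qualification for EPT Violations"). */
#define EPTV_READ       (1ULL << 0)  /* data read caused the violation */
#define EPTV_WRITE      (1ULL << 1)  /* data write caused the violation */
#define EPTV_FETCH      (1ULL << 2)  /* instruction fetch caused the violation */
#define EPTV_GLA_VALID  (1ULL << 7)  /* guest-linear-address field is valid */
#define EPTV_FINAL_PAGE (1ULL << 8)  /* if GLA valid: access hit the translated page, not a paging-structure entry */

/* Constructed stand-in for the hypervisor's EPT: one identity-mapped 4 KB PTE per guest frame. */
#define GUEST_FRAMES 1024
static uint64_t ept_pte[GUEST_FRAMES];
static uint64_t protected_pml4_pa;   /* 0 when no frame is currently protected */

static void ept_init(void) {
    for (size_t gfn = 0; gfn < GUEST_FRAMES; gfn++)
        ept_pte[gfn] = ((uint64_t)gfn << 12) | EPT_READ | EPT_WRITE | EPT_EXEC;
    protected_pml4_pa = 0;
}

/* CR3 bits 12..51 hold the PML4 physical address; the low 12 bits carry PWT/PCD
 * or, when CR4.PCIDE=1, the PCID, so they must be masked off before use. */
static uint64_t pml4_pa_from_cr3(uint64_t cr3) { return cr3 & PA_4K_MASK; }

/* Syscall-side step: revoke R and W on the guest PML4 frame. The caller must still
 * execute INVEPT afterwards, or the CPU may keep using cached translations. */
static bool ept_revoke_rw(uint64_t guest_cr3) {
    uint64_t pa = pml4_pa_from_cr3(guest_cr3);
    if ((pa >> 12) >= GUEST_FRAMES) return false;
    ept_pte[pa >> 12] &= ~(EPT_READ | EPT_WRITE);
    protected_pml4_pa = pa;
    return true;
}

/* True when the violating access was the page walker reading or updating a paging-structure entry. */
static bool ept_violation_is_page_walk(uint64_t qual) {
    return (qual & EPTV_GLA_VALID) && !(qual & EPTV_FINAL_PAGE);
}

/* Violation handler: restore R/W only on the frame we revoked and report that the guest
 * can be resumed at the faulting RIP. Any other violation is left to the normal handler. */
static bool ept_violation_handle(uint64_t gpa, uint64_t qual) {
    if (!(qual & (EPTV_READ | EPTV_WRITE))) return false;   /* e.g. instruction fetch: not ours */
    if (protected_pml4_pa == 0 || (gpa & PA_4K_MASK) != protected_pml4_pa) return false;
    ept_pte[gpa >> 12] |= EPT_READ | EPT_WRITE;
    protected_pml4_pa = 0;
    return true;
}
```

The handler state above is a single global, which matches the single-core test setup; on a multi-core system each core walks its own guest CR3 and the protected-frame bookkeeping would have to be per-core or locked.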

Running at HIGH_LEVEL only eliminates concurrency if you are running on a single core. You likely are running on multiple cores, and raising the IRQL does not synchronize between cores.

Jan

On 7/15/17, 12:21 PM, “xxxxx@lists.osr.com on behalf of xxxxx@gmail.com xxxxx@lists.osr.com” wrote:

The hypervisor runs on IRQL=HIGH_LEVEL so it can’t be preempted by another thread – this eliminates concurrency issues, correct?

I’m testing on single core.

Try disabling all debug output. Frequent calls to DbgPrint can hang your system (using WPP can help with that).
And what does “I remove RW access on every syscall. This causes an EPT violation immediately when accessing the kernel address space, which is ok.” mean? Do you block every kernel page? Or all pages that contain functions from the SDT?