WinVisor is a hypervisor-based emulator for Windows x64 user-mode executables that leverages the Windows Hypervisor Platform API to provide a virtualized environment for logging syscalls and enabling memory introspection.

Background

Hypervisor basics

WinVisor overview

Virtual CPU

Control registers

Model-specific registers

Global descriptor table

Task state segment

Interrupt descriptor table

Bootloader

Memory paging

Virtual address translation

Page faults

Host/guest memory mirroring

Syscall handling

Fast syscall (SYSCALL)

Legacy syscalls (INT 2E)

Syscall forwarding

Syscall logging

Syscall hooking

Interrupt handling

Hypervisor shared page bug

Demos

Limitations

Safety issues

Non-executable guest memory

Single-thread only

Software exceptions

Conclusion

Project links

A proof-of-concept hypervisor-based emulator for Windows x64 binaries

WinVisor – A hypervisor-based emulator for Windows x64 user-mode executables

Wi-Fi cameras are popular due to their affordability and convenience but often have security vulnerabilities that can be exploited.

Introduction

AJCloud: A Brief Introduction

Initial Vulnerability Research Efforts

Initial Hardware Hacking

Wansview Cloud for Windows

Exploring the network communications

Advanced Hardware Hacking

Building a P2P Client

Impact

What did the vendors do right?

What did the vendors do wrong?

Mitigations

Key Takeaways

Storm on the Horizon: Inside the AJCloud IoT Ecosystem

This research focuses on the importance of native audit logs in secure-by-design software, emphasizing the need for kernel-level ETW logging over user-mode hooks to enhance anti-tamper protections.

Preamble

Kernel ETW Events

Modern Kernel Event Providers

Legacy Kernel Event Providers

Modern Kernel Trace Providers

Legacy Kernel Trace Providers

Next Steps

Kernel ETW is the best ETW

Bring Your Own Vulnerable Driver (BYOVD) is an increasingly popular attacker technique whereby a threat actor brings a known-vulnerable signed driver alongside their malware, loads it into the kernel, then exploits it to perform some action within the kernel that they would not otherwise be able to do. Employed by advanced threat actors for over a decade, BYOVD is becoming increasingly common in ransomware and commodity malware.

Category

Perspectives

24 January 2025

WinVisor – A hypervisor-based emulator for Windows x64 user-mode executables

Storm on the Horizon: Inside the AJCloud IoT Ecosystem

Kernel ETW is the best ETW

Forget vulnerable drivers - Admin is all you need