Hyper-V Internals Research History

Collection (2006-2025)

Hyper-V Internals Researches

[Microsoft] - research by an employee of the company that created Hyper-V

MSDN & Microsoft Sources

  • Managing Hyper-V hypervisor scheduler types: Link
  • Hyper-V top level functional specification: Link
  • Hyper-V TLFS specifications: Link
  • Linux kernel for Hyper-V root partition: Link
  • OpenHCL paravisor: Link | Sources
  • OpenVMM (Rust VMM): Link
  • Microsoft Hypervisor wrappers: Link
  • PowerShell Hyper-V sockets example: Link
  • HCN service API: Link
  • Windows Hyper-V samples: Link
  • SkTool - Hypervisor / Secure Kernel Parser Tool from Windows SDK
  • Msvm firmware project: Link
  • Hyperlight security: Source | Info
Headers from official Windows SDK/WDK:
WDK Headers:
  • hypervdevicevirtualization.h
  • VmbusKernelModeClientLibApi.h
  • pcivirt.h
SDK Headers:
  • vmsavedstatedump.h
  • WinHvPlatform.h
  • wmcontainer.h
  • enclaveapi.h
  • isolatedapplauncher.h

VBS\VSM Researches

VBS (Virtualization-Based Security) research containing Hyper-V internals information

    Hyper-V Utilities, Scripts & Schemes

    2013-2025 Arthur Khudyaev (@gerhart_x)
    • Files and scripts to "Hyper-V debugging for beginners (2013)" article. Link
    • Files and scripts to "Hyper-V internals (2015)" article. Link
    • Files and scripts to "Hyper-V debugging for beginners. 2nd edition (2020)" article. Link
    • LiveCloudKd. Link
    • Hyper-V memory manager plugin SDK. Link
    • Hyper-V memory manager plugin Python SDK. Link
    • Hyper-V memory manager plugin .Net SDK. Link
    • Hyper-V memory manager plugin SDK examples. Link
    • Native Hyper-V reading memory example driver. Link
    • CVE-2020-0890 PoC sources with binary (Windows Hyper-V Denial of Service Vulnerability). Link
    • Hyper-V integration plugin for MemProcFS by @UlfFrisk.
        • Source code. Link.
        • Plugin description from @UlfFrisk. Link. Distribution
    • LiveCloudKd EXDi plugin source code. Link
    • LiveCloudKd EXDi plugin for Windows Secure Kernel debugging. Link
    • LiveCloudKd EXDi static plugin for reading and writing Hyper-V memory. Link
    • Hvcalls GUI - tool for extracting hypercalls from Windows Hyper-V binaries. Link
    • Radare2 build for displaying Hyper-V internals information through kd connection. Link
    • Hyper-V integration plugin for Volatility. Link. Distribution
    • Hyper Views - utility for viewing Hyper-V memory page tables. Link
    • Scripts for Hyper-V research: Link
    • Script for hypercalls table creation in IDA Pro. Link
    • Script for parsing VM_PROCESS_CONTEXT structure. Pykd version, JavaScript version
    • Script for displaying VMCS inside hvix64 (dynamic execution using WinDBG session in IDA Pro). Link
    • Script for automatic configuration of Guest OS debugging, using embedded vmms.exe capabilities. Link
    • Script for getting some information from Windows Secure Kernel at runtime (IDT, loaded modules, syscall, deciphering SkiSecureServiceTable). Link
    • PowerShell script for automatic extraction of some Hyper-V hypercall codes and names. Link
    • PowerShell script with GUI for automatic extraction of Hyper-V hypercall codes and names. Link
    • Scripts for Hyper-V sockets analysis (scripts were written for the Hyper-V sockets internals article)
        • AfdEndpointListHead parsing. Link
        • AfdTlTransportListHead parsing. Link
    • Hyper-V components scheme (Windows 11 23H2). Link
    • Hyper-V Memory Manager plugin module for PowerShell. Link
    • All hvlib-based projects in one solution. Link
    • AI generated software. This software was generated by AI systems (online or offline). I want to make minimal code changes after code generation and do not plan to make custom patches for it. If you want to use this software, you need to test it additionally, because AI systems are under active development at this time.
        • Hyper-V Security Framework. Tool for analyzing the security of a Hyper-V environment. Link
        • Hyper-V Detector. Tool for detecting Hyper-V in user and kernel mode. Link
        • Spider Stone. Tool for listing files that are installed for the specified Hyper-V optional features. Link
    2014, 2024 Marc-André Moreau (@awakecoding).
    2016 Yuriy Bulygin (@c7zero). Hyper-V VMBUS fuzzing. CHIPSEC: Platform Security Assessment Framework. Link
    2018 Windows Hypervisor Platform API for Rust. Link
    2018-2019 Alex Ionescu (@aionescu).
    • Simpleator ("Simple-ator") is an innovative Windows-centric x64 user-mode application emulator that leverages several new features that were added in Windows 10 Spring Update (1803). Link.
    • Hdk - Hyper-V development kit (unofficial). Link
    2018 Matthieu Suiche www.msuiche.com. LiveCloudKd. Link
    2019, 2021 Axel Souchet (@0vercl0k).
    • Pywinhv. Python binding for the Microsoft Hypervisor Platform APIs. Link
    • What the fuzz. Cross-platform snapshot-based fuzzer designed for attacking user and/or kernel-mode targets running on Microsoft Windows. The Windows Hypervisor Platform APIs are supported. Link
    2019, 2021 Behrooz Abbassi (@BehroozAbbassi)
    • ia32_msr_decoder.py. Link
    • IA32_VMX_Helper.py. Link
    • HypervCpuidInfo.h. Gets Hyper-V CPUID information. Link
    • VmwpMonitor. The VmwpMonitor is a DLL that must be injected into the vmwp.exe process to monitor the IO operations on the Emulated Devices between the Guest VM and the VM worker process. Link
    2020 (@commial). Configure Qemu-KVM for debugging SecureKernel. Link
    2020 Dmytro "Cr4sh" Oleksiuk (@d_olex). Hyper-V backdoor, which allows inspecting the Secure Kernel and running third-party trustlets in the Isolated User Mode (a virtualization-based security feature of Windows 10). Link
    2020 Matt Miller (@epakskape). WHVP API based NOP-generator. Link
    2020 (@_xeroxz) Hyper-V Hacking Framework For Windows 10 x64 (AMD & Intel). Link
    2021 Diane Dubois (@0xdidu). Hyntrospect. This tool is a coverage-guided fuzzer targeting Hyper-V emulated devices (in the userland of Hyper-V root partition). Link
    2021 Peleg Hadar (@peleghd). hAFL2 is a kAFL-based hypervisor fuzzer. Link
    2022 Abdelhamid Naceri (@KLINIX5). Reverse RDP RCE example. Link
    2022 Kenji Mouri (Qi Lu) (@MouriNaruto).
    • NanaBox - open-source Hyper-V client based on Host Compute System API. Link
    • The lightweight library for Hyper-V guest interfaces. Link
    2023 Daniel Fernandus Kuehr (@ergot86). JS script for dumping hypervisor related structures EPT, VMCS, etc
    2023 Aryan Xyrem (@Xyrem256). Hypercall - library that allows you to impersonate Hyper-V and intercept hypercalls made by the Windows kernel. Link
    2023 Satoshi Tanda (@standa_t). JS script for dumping hypervisor related structures [EPT, VMCS, MSR etc]. Link
    2023 Or Ben-Porath (@OrBenPorath), CyberArk (@CyberarkLabs). Fuzzer-V. Link
    2024 Junsu Lee (@pwndorei).
    • CVE-2024-38080 Link
    • CVE-2023-36407 Link
    2025 Alessandro Iandoli (@MrAle_98). Proof of Concept of CVE-2025-21333 exploit in vkrnlintvsp.sys. Link
    2025 Ryan M. (@Grimdoomer). Xbox 360 Bad Update exploit, a software only hypervisor exploit for dashboard version 17559. Link
    2025 Noahware. Hyper-reV. Memory introspection and reverse engineering hypervisor powered by leveraging Hyper-V. Link
    2025 Connor McGarr (@33y0re)
    • SecurekernelIUMDebug. Utility for debugging isolated usermode process on guest VM inside Hyper-V VM. Link

    Software & Tools

    Other Resources