WinVisor : A Hypervisor-Based Emulator For Windows x64

WinVisor is a hypervisor-based emulator designed to emulate Windows x64 user-mode executables.

It leverages the Windows Hypervisor Platform (WHP) API, introduced in Windows 10 (RS4), to create a virtualized environment for executing applications.

By utilizing WHP, WinVisor enables developers to emulate processes within a virtual CPU while maintaining compatibility with the host operating system.

Core Functionalities

1. Virtual CPU Creation:

• WinVisor employs WHP to create a virtual CPU that operates primarily in user mode (CPL3), with minimal kernel-mode (CPL0) execution for initialization.
• The CPU state is configured by setting control registers, MSRs, paging tables, and other essential structures before switching to CPL3 for application execution.

1. Memory Management:

• Virtual memory from the host process is mapped directly into the guest’s physical memory.
• A paging table maps virtual addresses to physical pages, allocating memory on demand and swapping older pages when necessary.

1. Process Initialization:

• Instead of manually constructing internal structures like the Process Environment Block (PEB), WinVisor clones the entire address space of a suspended target process, ensuring accurate memory layout.
• The emulator handles Import Address Table (IAT) and Thread Local Storage (TLS) adjustments to prevent premature DLL loading and callback execution.

1. System Call Handling:

• Syscalls are intercepted and forwarded to the host OS for execution, ensuring compatibility with native system behavior.
• Legacy interrupt-based syscalls are also managed through pre-configured interrupt descriptor table entries.

To run an application under WinVisor, execute the following command:

WinVisor.exe <target_executable_path>

For example:

WinVisor.exe c:\windows\system32\ping.exe 8.8.8.8

Ensure that the “Windows Hypervisor Platform” is enabled in Windows Features if initialization errors occur.

• Single-thread Support: Only one thread is virtualized; additional threads execute natively.
• Exception Handling: Virtualized software exceptions are not supported.
• Security Concerns: The shared memory model allows potential corruption of host hypervisor modules.
• Partial GUI Virtualization: Applications like notepad.exe are only partially virtualized due to nested GUI-related syscalls.