Windows

WinVisor : A Hypervisor-Based Emulator For Windows x64

WinVisor is a hypervisor-based emulator designed to emulate Windows x64 user-mode executables.

It leverages the Windows Hypervisor Platform (WHP) API, introduced in Windows 10 (RS4), to create a virtualized environment for executing applications.

By utilizing WHP, WinVisor enables developers to emulate processes within a virtual CPU while maintaining compatibility with the host operating system.

Core Functionalities

  1. Virtual CPU Creation:
  • WinVisor employs WHP to create a virtual CPU that operates primarily in user mode (CPL3), with minimal kernel-mode (CPL0) execution for initialization.
  • The CPU state is configured by setting control registers, MSRs, paging tables, and other essential structures before switching to CPL3 for application execution.
  1. Memory Management:
  • Virtual memory from the host process is mapped directly into the guest’s physical memory.
  • A paging table maps virtual addresses to physical pages, allocating memory on demand and swapping older pages when necessary.
  1. Process Initialization:
  • Instead of manually constructing internal structures like the Process Environment Block (PEB), WinVisor clones the entire address space of a suspended target process, ensuring accurate memory layout.
  • The emulator handles Import Address Table (IAT) and Thread Local Storage (TLS) adjustments to prevent premature DLL loading and callback execution.
  1. System Call Handling:
  • Syscalls are intercepted and forwarded to the host OS for execution, ensuring compatibility with native system behavior.
  • Legacy interrupt-based syscalls are also managed through pre-configured interrupt descriptor table entries.

To run an application under WinVisor, execute the following command:

WinVisor.exe <target_executable_path>

For example:

WinVisor.exe c:\windows\system32\ping.exe 8.8.8.8

Ensure that the “Windows Hypervisor Platform” is enabled in Windows Features if initialization errors occur.

  • Single-thread Support: Only one thread is virtualized; additional threads execute natively.
  • Exception Handling: Virtualized software exceptions are not supported.
  • Security Concerns: The shared memory model allows potential corruption of host hypervisor modules.
  • Partial GUI Virtualization: Applications like notepad.exe are only partially virtualized due to nested GUI-related syscalls.
Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Install Python 3.7 on Ubuntu 18.04: apt and Source Build Methods

Python 3.7 was a significant release for the language. It introduced data classes, a decorator that automatically…

9 hours ago

Install Odoo 13 on Ubuntu 18.04: Python Venv and Nginx Guide

Odoo is a popular open-source suite of business applications. A single platform covers CRM, e-commerce, accounting,…

10 hours ago

Secure Apache with Let’s Encrypt on Ubuntu 18.04: Free SSL Guide

Let's Encrypt is a free, automated certificate authority run by the Internet Security Research Group…

10 hours ago

Install GCC on Ubuntu 18.04: C and C++ Compiler Setup Guide

GCC (GNU Compiler Collection) is a set of compilers and development libraries for C, C++, Fortran,…

10 hours ago

Install Python 3.8 on Ubuntu 18.04: apt and Source Build Methods

Python is one of the most widely used programming languages in the world. Its clean, readable…

10 hours ago

Install Tomcat 9 on Ubuntu 18.04: Systemd Service Setup Guide

Apache Tomcat is an open-source Java application server that implements the Java Servlet, JavaServer Pages, and…

1 day ago