WinVisor : A Hypervisor-Based Emulator For Windows x64

WinVisor is a hypervisor-based emulator designed to emulate Windows x64 user-mode executables.

It leverages the Windows Hypervisor Platform (WHP) API, introduced in Windows 10 (RS4), to create a virtualized environment for executing applications.

By utilizing WHP, WinVisor enables developers to emulate processes within a virtual CPU while maintaining compatibility with the host operating system.

Core Functionalities

Virtual CPU Creation:

WinVisor employs WHP to create a virtual CPU that operates primarily in user mode (CPL3), with minimal kernel-mode (CPL0) execution for initialization.
The CPU state is configured by setting control registers, MSRs, paging tables, and other essential structures before switching to CPL3 for application execution.

Memory Management:

Virtual memory from the host process is mapped directly into the guest’s physical memory.
A paging table maps virtual addresses to physical pages, allocating memory on demand and swapping older pages when necessary.

Process Initialization:

Instead of manually constructing internal structures like the Process Environment Block (PEB), WinVisor clones the entire address space of a suspended target process, ensuring accurate memory layout.
The emulator handles Import Address Table (IAT) and Thread Local Storage (TLS) adjustments to prevent premature DLL loading and callback execution.

System Call Handling:

Syscalls are intercepted and forwarded to the host OS for execution, ensuring compatibility with native system behavior.
Legacy interrupt-based syscalls are also managed through pre-configured interrupt descriptor table entries.

To run an application under WinVisor, execute the following command:

WinVisor.exe <target_executable_path>

For example:

WinVisor.exe c:\windows\system32\ping.exe 8.8.8.8

Ensure that the “Windows Hypervisor Platform” is enabled in Windows Features if initialization errors occur.

Single-thread Support: Only one thread is virtualized; additional threads execute natively.
Exception Handling: Virtualized software exceptions are not supported.
Security Concerns: The shared memory model allows potential corruption of host hypervisor modules.
Partial GUI Virtualization: Applications like notepad.exe are only partially virtualized due to nested GUI-related syscalls.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.