Hypervisor Internals 1
Unravel the internals of Hypervisors to support reverse engineering, vulnerability research or hypervisor development.
Dive into modern x86-64 hypervisors via a mixture of reverse engineering, source code review and our own custom code.
Who should take this course?
This course is applicable for those who want to gain a working understanding of Hypervisors to the point of being comfortable navigating their source code, reverse engineering them for vulnerability research or feature identification, or to start their own hypervisor development project.
We not only walkthrough the designs of hypervisors at a high-level (mapping out their capabilities including supporting code that leverages hypervisors such as VMBUS and other backdoor or guest<->host communication methods), we also dive into low-level implementation details through direct methods such as reverse engineering, and through emulation and hypervisor based dynamic analysis where we leverage both hypervisor debugging capabilities and custom modifications to emulators such as Bochs or Qemu.
This course is the first in its series and assumes no prior hypervisor knowledge. The hypervisors we analyze will be x86-64 based and cover both Type 1 & 2 hypervisors, though many of the design concepts also apply to other architectures.
Upon course completion, students will have practical experience debugging and analyzing modern hypervisors such as Hyper-V and KVM, both statically and dynamically.
Students will also have a working understanding of various components that form hypervisors today, including various guest-to-host communication mechanisms such as VMBUS and existing code in KVM, Hyper-V and VMware that leverage these communication mechanisms to provide performance benefits or extra capabilities to “enlightened” guests.
Students will also have developed their own custom OS in Rust to leverage in our capstone project of fuzzing and rediscovering a hypervisor N-day, this builds upon our hypervisor knowledge to successfully interact with the various vulnerable components in the target hypervisor and trigger the bug.
Overall, this course serves as a strong and practical foundation of Hypervisor knowledge and hands-on experience to leverage in any field working with hypervisors.
Basic programming skills (any of C/C++/Rust) are beneficial, but not required.
Windows 11 (preferred) or Windows 10 machine with Hypervisor capabilities (Intel CPUs must have VT-x feature, AMD CPUs must have AMD-V. Majority of CPUs in the last 10 years should have these).
Virtualization software, either Hyper-V (preferred) or VMware (player or workstation).
Practical exercises targeting multiple hypervisors including VMware and Hyper-V.
Develop your own Rust-based OS from scratch.
Hands-on exercises modifying emulators and leveraging nested hypervisors for dynamic analysis
Recreate an N-day vulnerability with our custom OS.
Learn the various methods enabling guest OS enlightenment powering paravirtualized devices.
Understand the virtualization primitives leveraged in hypervisors for full-system snapshot fuzzing, malware analysis labs, hypervisor-based rootkits and more.
Course Syllabus
Initial Theory:
High-Level Overview
Open Source Analysis (KVM)
Open Source Analysis Pt.2 (Other)
Analysis via N-day Research
N-Day VM Escape Research
Bug Identification & Attack Plan (Custom OS)
Mapping the Vulnerability Trigger Steps
Custom Rust-Based OS Development & Triggering the Bug
Debugging Type-2 Hypervisors w/ Kernel Debugging
Fuzzing and Runtime Analysis
Discovering an N-day via Fuzzing
Full-System Emulation for Dynamic Analysis
Nested Virtualization & Hypervisor Debugging for Dynamic Analysis
Static Analysis of Closed-Source Hypervisors (VMware, Hyper-V)
Hyper-V, RE Headless Scripting & VM-Exit Handler Analysis
VMware Unpacking & Capability Mapping
VMBUS & Backdoor Communications
Next Steps (Advanced Concepts)
Designing Our Own VMBUS Client Implementation
Interrupts, GPAs, Hypercalls
Walkthrough not only the high-level designs of hypervisors but also the low-level logic and hardware primitives that drive them, utilizing our own custom code for dynamic analysis, including creating a custom OS from scratch in Rust and triggering a hypervisor N-day.
Course Benefits
Beginner & Advanced Content with Live Demonstrations
Community Environment to Engage in Discussions with Peers & Instructor
Live Q&A Sessions & Ongoing Support After the Course
Frequently Updated Content with the Latest Techniques & Tools
Custom Code Developed by Signal Labs for Students
(Optional) Assessments & Completion Certificates
A firsthand look at our innovative self-paced course content.
Self-Paced Training
$600.00 USD
- 12-month access to the course.
- Multiple hands-on exercises for each section.
- Targets common hypervisors incl. Hyper-V.
- Advanced custom tooling, including custom OS development.
- Modify emulators and work with nested hypervisors for analysis.
- Dedicated area for 1:1 discussions with instructors.
- Note: Training platform access supports Windows and MacOS machines only.
*For larger business teams, reach out for custom packages.
Instructor
Christopher Vella has extensive experience with hypervisors, both with custom hypervisor development and vulnerability research, including discovering multiple critical 0-days against Hyper-V while on Microsoft’s MORSE team.
Christopher also has advanced knowledge of Windows internals, kernel development, reverse engineering and emulator development, having contributed to bug fixes in virtualization emulation code for Bochs and developing hypervisors for stealth full-system debugging.
Strong Signals
