DownloadResearchTutorialhwdbg

Basic concepts in Intel VT-x

The things you should know before start using HyperDbg

Some keywords will be frequently used in HyperDbg, and you should know about them (Most of the definitions derived from Intel software developer’s manual, volume 3C).

Virtual Machine Monitor (VMM): VMM acts as a host and has full control of the processor(s) and other platform hardware. A VMM is able to retain selective control of processor resources, physical memory, interrupt management, and I/O.

Guest Software: Each virtual machine (VM) is a guest software environment.

VMX Root Operation and VMX Non-root Operation: A VMM will run in VMX root operation, and guest software will run in VMX non-root operation.

VMX transitions: Transitions between VMX root operation and VMX non-root operation.

VM entries: Transitions into VMX non-root operation.

Extended Page Table (EPT): A modern mechanism that uses a second layer to convert the guest's physical address to the host's physical address.

VM-exits: Transitions from VMX non-root operation to VMX root operation.

Virtual machine control structure (VMCS): is a data structure in memory that exists exactly once per VM (or more precisely one per each VCPU [Virtual CPU]), while the VMM manages it. With every change of the execution context between different VMs, the VMCS is restored for the current VM, defining the state of the VM’s virtual processor and VMM control Guest software using VMCS.

The VMCS consists of six logical groups:

  • Guest-state area: Processor state saved into the guest state area on VM exits and loaded on VM entries.

  • Host-state area: Processor state loaded from the host state area on VM exits.

  • VM-execution control fields: Fields controlling processor operation in VMX non-root operation.

  • VM-exit control fields: Fields that control VM exits.

  • VM-entry control fields: Fields that control VM entries.

  • VM-exit information fields: Read-only fields to receive information on VM exits describing the cause and the nature of the VM exit.

I found a great work that illustrates the VMCS.

The PDF version is also available here.

VMCS Layout
VMCS Layout

VMX Instructions

VMX introduces the following new instructions.

Intel/AMD Mnemonic
Description

INVEPT

Invalidate Translations Derived from EPT

INVVPID

Invalidate Translations Based on VPID

VMCALL

Call to VM Monitor

VMCLEAR

Clear Virtual-Machine Control Structure

VMFUNC

Invoke VM function

VMLAUNCH

Launch Virtual Machine

VMRESUME

Resume Virtual Machine

VMPTRLD

Load Pointer to Virtual-Machine Control Structure

VMPTRST

Store Pointer to Virtual-Machine Control Structure

VMREAD

Read Field from Virtual-Machine Control Structure

VMWRITE

Write Field to Virtual-Machine Control Structure

VMXOFF

Leave VMX Operation

VMXON

Enter VMX Operation

Life Cycle of VMM Software

VM Cycle

  • The following items summarize the life cycle of a VMM and its guest software, as well as the interactions between them:

    • Software enters VMX operation by executing a VMXON instruction.

    • Using VM entries, a VMM can then turn guests into VMs (one at a time). The VMM effects a VM entry using instructions VMLAUNCH and VMRESUME; it regains control using VM exits.

    • VM exits transfer control to an entry point specified by the VMM. The VMM can take action appropriate to the cause of the VM exit and can then return to the VM using a VM entry.

    • Eventually, the VMM may decide to shut itself down and leave VMX operation. It does so by executing the VMXOFF instruction.

PreviousConsiderationsNextVMX root-mode vs VMX non-root mode

Last updated