NovaHypervisor

Description

NovaHypervisor is a defensive x64 Intel host based hypervisor. The goal of this project is to protect against kernel based attacks (either via Bring Your Own Vulnerable Driver (BYOVD) or other means) by safeguarding defense products (AntiVirus / Endpoint Protection) and kernel memory structures and preventing unauthorized access to kernel memory.

NovaHypervisor is written in C++ and Assembly, and is designed to be compatible with Hyper-V and run on Windows 10 and later versions. Please see the setup section for more information on how to use it.

[!WARNING]
This project is in a very early stage of development and is not yet ready for production use. It is intended for educational purposes and to demonstrate the concepts of a defensive hypervisor.
The project has been tested on the latest Windows 10, and while it should work on Windows 11, it has not been tested on that version yet.

Usage

To use the NovaHypervisor, you will need to create a kernel service and start it:

sc create NovaHypervisor type= kernel binPath= "C:\Path\To\NovaHypervisor.sys"

sc start NovaHypervisor

Then, you can add and remove the addresses that you want to protect using the NovaClient application:

REM Add an address to protect
NovaClient.exe protect 0x12345678 <r|w|x> <execution hook>

REM Remove an address from protection
NovaClient.exe unprotect 0x12345678

• protect: Protect a memory address from being accessed, you can specify the type of protection:
• r: Read protection
• w: Write protection

• x: Execute protection
  The protection that you give is the protection that the address will have. For example, if you want to remove execute privileges, do “rw”.

• unprotect: Remove protection from a memory address.

[!NOTE]
Execution hook via inline hook + EPT hooks are not supported and will not be supported for this project to prevent abuse.

Setup

Compiling the Project

The setup to compile the project requires you to have:

• Visual Studio 2022 or later.
• Windows Driver Kit (WDK) installed.

Target setup

To run the hypervisor, you will need to have a Windows 10 or later version installed on your machine. You will also need to have:

• Intel VT-x enabled.
• Virtualized IOMMU.

Logging and Debugging

Logging

NovaHypervisor uses WPP logging as it provides easy to use interface that works also in VMX root. To be able to see the logs, make sure to create a trace session once:

logman create trace "NovaHypervisorLogs" -p {e74c1035-77d4-4c5b-9088-77056fae3aa3} 0xffffffff 0xff -o C:\Path\To\NovaHypervisor.etl

Later on, whenever you want to start or end the logging session you can use:

logman start "NovaHypervisorLogs"
logman stop "NovaHypervisorLogs"

To view the logs you can use tools such as TraceView.

Debugging

To test and debug it in your testing environment run those commands with elevated cmd and then restart your machine:

bcdedit /set testsigning on
bcdedit /debug on
bcdedit /dbgsettings net hostip:<HOSTIP> port:55000 key:1.2.3.4

Where <HOSTIP> is the IP address of your host machine.

Resources

Hypervisor From Scratch

HyperDbg

Personal Thanks & Contributors

• Sinaei: For his help with answering questions I had and for his amazing work on HyperDbg and Hypervisor From Scratch.

• memN0ps: For his help with answering questions I had and pointing me to the right resources.