- Not long after the release of VMX came a new feature called Extended Page Tables which significantly increased the functional power of hypervisors over the operating system.
- With EPT, hypervisors gained the ability to “virtualize” physical memory regions using multilevel page tables very similar to the ones operating systems use to manage virtual memory.
- This allows a hypervisor to define and set memory protections for regions of memory at the physical memory level, where the guest operating system cannot see or interact with them.
- In addition, EPT has a special ability to create “Execute-only” pages, or pages which cannot be read or written to but can only be executed on the processor.
- This feature gave rise to a new kind of hooking mechanism, where a stealthy VMM can intercept attempts to execute a page and swap in a modified page with new code.
- If something tries to verify the contents by reading from the code page, the VMM receives a VM Exit because the processor tried to read from an “Execute-only” page. This allows the VMM to quickly swap in a “clean” version of the page, making the reader believe that no code modification has taken place.
- This power over the underlying physical memory gives hypervisors total control of the code and data of the currently executing operating system.
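As an added example (not from these notes or the linked hypervisor project), a small C model of the swap the notes describe: an EPT entry with R/W/X bits, a clean and a hooked copy of one guest page, and a violation handler that flips between them on read and execute. The names (`ept_hook`, `guest_access`, the sample bytes) are constructed for illustration; the VM-exit counter is included because each swap is a cost a detector can measure.

```c
#include <stdint.h>
#include <string.h>

/* Toy model of the EPT hook described above: one guest-physical page is backed by
 * two host pages and the EPT entry decides which one the guest currently sees.
 * Constructed example; it models the VMM bookkeeping only and touches no VMX state. */
#define PAGE_SIZE 16  /* shrunk from 4096 so the sample stays readable */
enum access { ACCESS_READ, ACCESS_EXEC };
struct ept_entry { uint8_t *hpa; int r, w, x; };  /* mapped host page + permission bits */
struct ept_hook {
    uint8_t clean[PAGE_SIZE];   /* original guest code, shown to anything that reads it */
    uint8_t hooked[PAGE_SIZE];  /* VMM's patched copy, shown only to the execution unit */
    struct ept_entry pte;
    unsigned long violations;   /* every swap costs a VM exit: a measurable side effect */
};
/* Constructed sample page: four bytes of a function prologue, rest zero. */
static const uint8_t sample_code[PAGE_SIZE] = { 0x55, 0x48, 0x89, 0xe5 };
/* The two views. Execute-only is what makes reads fault without disturbing execution. */
static void map_hooked(struct ept_hook *h) { h->pte = (struct ept_entry){ h->hooked, 0, 0, 1 }; }
static void map_clean(struct ept_hook *h)  { h->pte = (struct ept_entry){ h->clean, 1, 1, 0 }; }
/* Install the hook: copy the page, patch one byte, start in the execute-only view. */
static void ept_hook_install(struct ept_hook *h, const uint8_t *code, size_t off, uint8_t patch)
{
    memcpy(h->clean, code, PAGE_SIZE);
    memcpy(h->hooked, code, PAGE_SIZE);
    h->hooked[off] = patch;
    h->violations = 0;
    map_hooked(h);
}
static int permitted(const struct ept_entry *e, enum access a)
{
    return a == ACCESS_EXEC ? e->x : e->r;
}

/* VMM side: the EPT violation handler flips between the two views. */
static void ept_violation_handler(struct ept_hook *h, enum access a)
{
    h->violations++;
    if (a == ACCESS_EXEC) map_hooked(h);  /* guest wants to run it: patched page, X only */
    else                  map_clean(h);   /* guest wants to read/verify it: clean page, RW only */
}

/* Guest side: one byte access; returns what the guest observes at that offset. */
static uint8_t guest_access(struct ept_hook *h, enum access a, size_t off)
{
    if (!permitted(&h->pte, a))
        ept_violation_handler(h, a);  /* VM exit, remap, then the access is retried */
    return h->pte.hpa[off];
}
```

Executing byte 0 returns the patched 0xCC with no exit, a subsequent read returns the clean 0x55 after one exit, and going back to execution costs a second exit.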
- Hypervisor with EPT hooking support: https://github.com/momo5502/hypervisor
- http://www.phrack.org/issues/69/15.html
- https://rayanfam.com/topics/hypervisor-from-scratch-part-7/
- https://revers.engineering/mmu-ept-technical-details/